It is the year 2030, and you have had another busy day. As you finish what you thought would be your last espresso and grab your laptop to leave work, your colleague tells you that you need to stay late for an urgent meeting. Panic sets in, but you push past it and put a plan into motion. To pick your daughter up from school, you call a driverless car. With a quick tap on your phone, the app sends a code to the after-school program supervisor so the car can be accessed at pickup.
As you grab yet another espresso, your daughter is safely escorted to the driverless rideshare pick-up zone to find a red SUV waiting for her with the interior temperature at her preferred setting. Before you walk into the conference room for your last-minute meeting, you are notified that your daughter’s car was rerouted to avoid congestion on the freeway, but she should be home well in time for her piano lesson. You breathe a sigh of relief!
This scenario seems smart, but is it secure? With this seamless interaction of the latest IoT technologies, “smart cities” are redefining the way we live and work. There’s just one problem…these massive, radical, interconnected technology systems also raise serious privacy and security concerns. For example, by requesting the route from school to home, personal details about your daughter’s schedule, preferences, and whereabouts are being provided to the driverless car technology company. Clearly, it is worrisome to know that someone could gain knowledge of when and where your daughter goes and how to follow her home.
As smart cities move from concept to reality, securing their foundation will become a top priority to ensure trust and privacy while providing improved city services and a higher quality of life.
The cost of a security failure
The potential security failure of a smart city initiative could have grave consequences. A report by US cyber-security firm Recorded Future published last May highlighted a spike in ransomware attacks targeting US cities. In June 2019, Riviera Beach in FL paid $600,000 to hackers to restore its email system and public records. Atlanta, Baltimore, Port of San Diego, and the island of Saint Maarten were subjected to wide scale cyber-attacks affecting vital government services and costing these municipalities millions of dollars. The surge in attacks makes clear that many cities are unprepared for cybersecurity threats. And, according to eMazzanti Technologies, “Often, information technology (IT) accounts for less than 0.1% of the overall municipal budget.”
The rapid hyper-connectivity and digitalization of cities are accelerating cyber threats. To tackle the challenge, government leaders, urban planners, and other key stakeholders should make cybersecurity best practices an integral part of the smart city governance, design, and operations, and not just an afterthought.
Best practices to secure smart cities
The security goals of a smart city—confidentiality, integrity, availability, safety, and resiliency—should be grounded on both the objectives of traditional information technology (IT) to secure data as well as those of operation technology (OT) to ensure safety and resiliency of systems and processes. These combined security objectives can help cities maintain a more secure and resilient operating environment. Historically, IT and OT networks have been completely separate, with separate protections as well as separate groups to manage and control them. Now, OT networks are moving to more standard transmission control protocol/internet protocol (IP) networks, and digital information monitoring is needed to meet increasing energy demand, regulatory compliance, and business efficiency requirements.
This new environment calls for a different approach to data security, that includes:
- Access control to make it difficult for cyber criminals to get into systems;
- User access logging that connects to SIEM systems, so system administrators can identify unusual access that indicates a potential attack;
- Encryption key management to ensure the ongoing security of the system; and,
- Encryption (of course), that ensures breached data is unreadable and useless to those who might steal it.
All these measures are considered best practices for data protection.
Balancing the promise against the potential of cyber risks of smart cities will be critical to realizing their potential. Cities should begin by engaging all the stakeholders and entities in the broader ecosystem. It is clear that smart cities are vulnerable to security attacks. Equally clear, however, is that there are tools to fight back. What is needed is the political will to give cities the resources necessary to obtain these tools.
For more information on Thales’s data encryption technologies, please visit our website to learn about “Advanced Data-at-rest Encryption, Access Control and Data Access Audit Logging”.