By Muhammad Yahya Patel, Lead Security Engineer at Check Point Software Technologies
Smart cities are becoming a reality rather than a concept and integrating technology into everyday infrastructure has become the norm. They present local authorities with a vast number of opportunities, including data-driven decision making, enhanced engagement between citizens and government, and a reduced environmental footprint. Though, as with any new technologies there are many risks to consider when becoming a smart city.
Arguably one of the biggest threats is their vulnerability to cyberattacks. This is because using large, connected networks gives cybercriminals more entry points than ever before and the perfect opportunity to jump from one exposed system to the next. Now, while we should never let fear get in the way of innovation, it’s essential that we adequately prepare ourselves with robust security protocols.
Smart cities face unique challenges when it comes to cybersecurity. Networks are used by public and private entities, people and thousands of IoT devices each day. The massive amount of data exchanged across these networks requires a stringent security strategy. Some of the main challenges include:
Connected devices: A multitude of IoT devices that control everything from CCTV and traffic light management to organizations personal and financial data could be connected to a network at any one time. In theory this sounds ideal for seamless communication and management, but in practice it offers hackers thousands of potential entry points to launch an attack.
Automation of infrastructure operations: Automation brings many benefits for all kinds of operations for smart cities, reducing the need for direct human control over such operational systems. The increase of sensors means more connections to monitor and manage. These could be seen as more targets to compromise through vulnerabilities.
Sub-standard data management processes: Data is at the heart of any smart city and is critical to everyday operations. However, many lack the correct processes to ensure this information is managed safely and securely. If a database is not policed correctly, it can be simple for hackers to target and compromise, which leads to sensitive data being leaked or stolen.
Risks from the ICT supply chain and vendors: We know the risks posed by the supply chain and third parties. This was particularly evident during the recent zero-day vulnerability found in file transfer software MOVEit, which was subsequently exploited as part of a large-scale ransomware attack. Threat actors continue to target the weakest links and therefore attacking smart infrastructure systems are bound to be a lucrative target for any cybercriminal. To combat this, it is key that we adopt and adhere to secure-by-design and default practices to minimise these risks.
Outdated technology: Many cities have infrastructure and networks built on outdated technology which leaves them susceptible to cyberattacks. Ensuring systems are up to date with the latest software updates and security patches is paramount. Technology is central to the success of any smart city and having resilient systems should be a priority.
Inefficient security: Linked directly to outdated technology, having inefficient security protocols in place exposes smart cities to malicious threats. This leaves citizens and organizations vulnerable to data breaches, identify theft and loss of sensitive information. Protecting existing infrastructure with robust security measures could prevent a potentially disastrous breach. So, how do we ensure that the safety, security and privacy of those who live and work in smart cities is not compromised?
Research suggests that by 2024 there will be over 1.3 billion wide-area network smart city connections. The level of complexity within these digital infrastructures is only increasing which means any digital services implemented by a government or organization are vulnerable to cyberattacks. To realize their potential, smart cities need to find an effective balance between managing risk and enabling growth.
Building resilience to protect your city against these attacks is key, but how is this achieved? The starting point should be developing a cybersecurity strategy that maps on to the broader objective of your smart city. This will help mitigate risks arising from the interconnectedness of city processes and systems. Part of any effective strategy should be the requirement to carry out an assessment of current data, systems and cyber defenses as this will help to give an idea of current posture and quality of infrastructure.
Creating a formal relationship between cybersecurity and the governance of data will also be extremely beneficial. This essentially creates an agreed approach to cybersecurity between all parties within a smart city, meaning all stakeholders work together to ensure data is secure across the networks it’s being exchanged. The policies put in place will mature alongside a city’s cyber strategy and add transparency to processes.
Finally, building strategic partnerships to help address the cybersecurity skills shortage is key to any successful security strategy. This is a good way to develop skills and increase your knowledge base which in turn bolsters overall security posture and resilience. For example, recently the CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a document with guidance on best practices for smart cities. The aim is not only to protect these connected spaces from malicious threats but also to share expertise and educate us on the importance of cybersecurity within smart cities.
It goes without saying, smart city technologies need to adopt a proactive methodology to ensure cyber security risks are the forefront of planning and design of technologies. Being ‘secure by design’ is strongly recommended in conjunction with a defense in depth approach. There may be some legacy infrastructure connecting to the smart infrastructure, and this may require a redesign to make sure secure connectivity and integration is possible.
Hackers will continue to exploit vulnerabilities. An overwhelming number of cyberattacks against businesses could be avoided if supply chain and third-party security is taken seriously. Attackers are exceptionally quick to start exploiting vulnerabilities in well-known products. Invest in the resources to help combat the everyday struggle of security patches and updates. You don’t want to get caught out by the very thing you expect to protect your business.
Underpinning the implementation of smart city technology is operational resilience. To make sure organizations are well prepared, contingencies are put in place for different types of incidents, which could have operational impact or disruption. Autonomous functionality and isolation tools should exist to help minimize these types of disruption.
Risk, privacy and legality all play an important role in smart cities, making sure data being collected, stored and processed is in accordance with regulations. It’s critical that city leaders, developers and business owners don’t see securing cyber risk within their smart city as a one-time objective. It’s an ongoing, evolving process that could be the difference between a major breach or major growth.