With the world’s population set to hit 9.7 billion by 2050 and the UN predicting that 68% of us will be city dwellers by that same time, it is unsurprising that there is growing demand for sustainable infrastructure across the globe. As nations and governments look to counter the effects of this change, they are re-assessing how they view urban dwelling and increasingly looking at it via the prism of the smart city.
The term “smart city” is typically used to describe centers and concentrations of people that use various integrated IoT-based technologies to exchange data in an urban setting. By facilitating the optimisation of assets, resources and services in a sustainable manner, smart cities can deliver benefits such as smarter urban transport networks, upgraded water supply and waste disposal facilities and more efficient ways to light and heat buildings. It also means a more interactive and responsive city administration, safer public spaces and meeting the needs of an aging population, whilst also improving sustainability.
Powered by the growth in IoT and 5G technologies as well as a relaxing of global government regulation, the market size of the global smart city industry is set to hit nearly $9 billion by 2025, with an annual growth rate of 24.2% between now and 2030. No longer the stuff of science fiction and fantasy novels, smart cities are fast becoming a reality for many countries.
However, those responsible for these new modern cities are also faced with a number of challenges, especially around the area of security. Smart cities, by their very nature, represent a unique combination of cybersecurity risks that must be overcome to ensure security, safety, and data privacy of their users / residents. The root of this problem can often be ascribed to the issue of interoperability between the disparate organisations and technologies that power smart cities. Different parties will have different prioritsations and focuses when it comes to cyber risk and, as a result, when combined, vulnerabilities that target one element can affect all.
Exacerbating things is the simple fact that quite often, the ecosystems behind them ie: the network of sensors, data analytics and decision makers, are often not sufficiently cyber resilient to protect the very people they are working for. Despite guidance and recommendations on security, many IoT devices are often released with a lack of encryption or a massive dependency on OTA patches / updates. IoT security differs from traditional IT security in that the devices are often limited and embedded computer systems; frequently single-purpose devices performing specific functions within a broader, more complex ecosystem. With a lack of security testing in place, vulnerabilities become apparent only after IoT manufacturers put smart city devices into production, which can further increase potential areas of attack.
Think about it like this – to function properly, smart cities have to collect, share, analyse, protect and manage huge amounts of data. This information travels across highly interconnected and distributed environments and will be used to deliver services to citizens that are often safety-critical. It doesn’t take a genius to see how potentially devastating a security vulnerability could be at any one of those points. These issues can be exacerbated if a city relies on a central technological hub to control its core smart city infrastructure. Hackers will continue to attack IoT devices by either taking control of them, stealing information or disrupting the services being offered. And we already have several examples of what that looks like in real life.
So what can be done from a cyber-security perspective to protect smart cities, keep our data safe, and ensure services stay up and running when inevitable challenges arise?
Firstly, as previously stated, a lot of the risk relates to interoperability and synchronisation between different stakeholders within the IoT ecosystem, as opposed to a specific vulnerability within a specific device or system. Therefore, smart city designers must adopt a principles-based approach that will ensure the correct protections to address both the likelihood and impact of key security risks. Alongside this, it must also provide flexibility for those same stakeholders to alter their approach in the event of specific situations and circumstances. Addressing these considerations from the outset is crucial to avoid having to retrospectively apply security controls in the future, which is less effective and often very costly.
Both suppliers and vendors should also develop systems to be ‘secure by design’ and then test security as part of the development cycle so they can understand and address any security flaws. Encryption, authentication methods and communication inputs and outputs must have strict measures built in that determine what messages can be sent and received. Certification frameworks must be made mandatory across the board, as manufacturers may not implement security when it only adds to the time to market, cost and complexity of the product. In addition, systems should be designed to be manually overridden should a hack or malfunction make it necessary to retake control.
Linked with this is the importance of cybersecurity training that is specific to smart cities. As hackers and cybercriminals become increasingly sophisticated, the possible dangers of having cities so connected grows and those working with and installing the smart technology must be adequately trained in their response; as well as making informed security decisions for the devices they install. The UK government, for example, has already proposed mandatory cybersecurity training to prevent smart devices from being exploited by criminals and this training can take many forms. They, and many other stakeholders in this space, are increasingly looking at cyber ranges as their tool of choice, owing to their ability for practice against the latest attack methods via special virtual machines that are intentionally designed with vulnerabilities and technical challenges reflecting real world deployments. These vulnerabilities and challenges are updated periodically to stay current and ahead of criminals.
The growth of smart cities has huge potential to benefit both current and future urban citizens across the globe. However, for it to be successful, those involved must be aware of the security issues facing their smart environments and systems if they’re to manage the risks before incidents occur. IoT security, the foundation of smart cities, will only be effective with better collaboration between vendors, device manufacturers and governments to develop better regulation, guidance and training around IoT security.