The Internet of Things (IoT) is coming to cities, spreading sensors and networks across streets and parks and throughout buildings. Cities around the world are implementing systems designed to control traffic, monitor water waste, improve safety, and provide a host of other civic benefits.
In practice, this means cities are setting up extensive new networks and connecting many devices to them—and in doing so, are creating a target-rich environment for hackers.
“The attack surface is growing faster than the protections,” says Cesar Cerrudo, chief technology officer (CTO) of security consultancy IOActive Labs. “In technology, it seems that the problems repeat over and over again. The problems with the IoT nowadays are the same problems we used to have with software 15 years ago.”
Incidents like the attack on San Francisco’s public transit system last November underscore the seriousness of the potential threat. “Probably this year and in following years, we’ll start to see more and more attacks on city services and infrastructure,” Cerrudo says.
Unfortunately, says Cerrudo, city governments have been slow to recognize the seriousness of the issue. Several years ago, he recruited friends and other companies in the security field to form the Securing Smart Cities (SSC) initiative, with an eye towards helping cities prepare for an insecure future. The organization’s mission: “We are here to help the world build smart cities with cybersecurity in mind.”
Cerrudo says SSC has “had contact with some city officials, but it’s governments, so it’s bureaucratic and it’s very difficult to engage people to start working together.”
That is changing, however. One of the SSC’s recommendations is that cities establish “smart city departments” to oversee security planning and evaluation. Several cities have taken steps in that direction; in San Francisco, for example, Joe Voje was named the City Chief Information Technology Officer in November 2015. “I’m the first citywide CISO (chief information security officer),” he says. “Before, there was just a department-level position.”
Voje’s first order of business has been figuring out where the city’s systems already stand. “We need to understand the environment, as it’s grown organically over many years,” he says.
Voje has also worked with his counterparts in other cities to share information and planning. Last August, he joined CISOs from New York, Washington D.C., and The Hague in a two-day cybersecurity working group. The group produced a Cyber Security Resiliency Framework for how cities should address smart city security risks, covering such issues as governance, survivability, device prioritization, and privacy.
That list of concerns demonstrates how decisions about smart city technology demand juggling sometimes-conflicting imperatives. “Since the technology used by smart cities is often very new, cybersecurity may not yet be its main focus,” says Kees Wassenaar, The Hague’s Corporate Information Security Officer. “This means that an analysis or limited risk assessment is in order. Then the ‘process owner’ has to decide whether the risks outweigh the benefits, and of course has to always abide by laws and government regulations concerning personal data and privacy. There is no exemption for that.” According to Wassenaar, it is possible to get an exemption for a pilot or proof-of-concept situation, “but that should be scoped and be valid for a limited time only.”
John MacMichael, CISO in Washington, D.C.’s Office of the Chief Technology Officer (OCTO), says the U.S. capital is focused on risk assessment as well. “Washington is applying a risk-based model to identify the risks and threats associated with the IoT and smart city cybersecurity,” he says. “When implementing a new technology or a process that changes an existing technology, a risk management approach is used to reduce or optimize the risk profile, and existing or new controls are applied as appropriate.”
OCTO also leads a “SmarterDC Tiger Team” with representatives from key municipal agencies. “The focus of the team is to create a common strategy across agencies, other government entities, academia and research communities, industry partners, and stakeholders to harmonize current activities and to drive participation and progress,” explains MacMichael.
Concerns over smart city security are not confined to major cities, either. “Cybersecurity is one of our main knowledge areas,” says Tanja Oksa, project manager in Jyväskylä, a city of 130,000 in central Finland. “We are building a smart city, and with all this digitalization we need to be more focused on keeping the area secure.” For example, the city is constructing an optical fiber network, and businesses will be able to lease their own fiber. The smart city project (called Kangas) is educating participants, such as construction firms, on cybersecurity issues “phase by phase,” says Oksa. The city is not neglecting the vulnerabilities presented by users, either: “In Kangas, one focus is to raise the knowhow of people because users are always the biggest risk.”
Raising awareness across the board is a focus of those dealing with smart city cybersecurity. MacMichael says, “The Cyber Resilience Framework was shared at the Global Parliament of Mayors that was held in The Hague and hosted mayors from more than 70 cities around the globe.” He also cites the Council of Global City CIOs (CGCC), which was formed last September and will be led by Washington D.C.’s chief technology officer (CTO) and San Francisco’s chief information officer (CIO), with participation by similar officials from New York, The Hague, Boston, Seattle, Chicago, Atlanta, Austin, and Dubai. “Some of the early goals of CGCC will be developing a smart cities model, bringing broadband connectivity to everyone, and accelerating the digitization of government through open source code-sharing,” says MacMichael.
Cerrudo warns there is still a long way to go. He moderated panels at the Smart City Expo World Congress in Barcelona last November, which was attended by more than 16,000 people from 600 cities. “There were hundreds of vendors, but very few talked about security,” he says. “If you have vendors that aren’t pushing security, it means that governments aren’t requiring it much.”
The first priority for smart cities, Cerrudo continues, is to start paying more attention to a system’s vulnerabilities before deployment. “There is a lot of testing for functionality, for the features, but there’s not enough security testing,” he says.
He also points out that a smart city is a “huge ecosystem of different solutions, different vendors, devices, cloud infrastructure; it’s complex.” That requires a citywide approach to the issue, he adds: “if you don’t have a general security approach, it doesn’t matter that you protect a small system.”
Jake Widman is a San Francisco, CA-based freelance writer focusing on connected devices and other Smart Home and Smart City technologies.