Smart City security: is it time to start worrying?


The Smart City concept has been mulled over for decades, starting with early 20th century science fiction (if not even earlier) – A city where total automation is streamlining and improving customer/urban services, transport and traffic management, energy, water and waste utilities, and thus reduces overall expenditures, and enhancing citizen safety. This sounds somewhat Utopian, but today levels of technology development allows it to be a reality. A Smart City isn’t going to be a futuristic Garden of Eden from a 1950s magazines, but automatization and informatization of cities may help make them a more inhabitable place than they are now.

Firmly established

Over the last decade or so, the Smart City topic has established itself firmly in IT media, next to the Internet of Things (the topic which it is incapsulating). Cybersecurity reservations are well-pronounced for both concepts, too.

For a long time cybersecurity experts asked a tough question: What if? What happens if water utilities or waste disposal controls come under a successful cyberattack? The question is easy to answer. Unfortunately, the same is true for another question: Is it easy to attack critical infrastructure?

So far, we haven’t seen any really major incidents causing casualties. This is fortunate given that old infrastructure is often retrofitted with connectivity which wasn’t supposed to be there when those systems were built, and no cybersecurity “by design” is there. It is almost universally accepted that the security of critical infrastructure systems is woeful.

What we do see – all the time – is intrusions, APTs, data stealing, etc. with attacks targeting all possible economy sectors.

Last year, Cesar Cerrudo, CTO of IOActive, presented at DEF CON his research about serious vulnerabilities in vehicle traffic control systems, one of the backbones of a Smart City paradigm. These vulnerabilities looked serious enough to start a global campaign, which resulted in the creation of the Securing Smart Cities initiative, actively supported by a number of organizations world-wide, including Kaspersky Lab.

“We are here to help the world build smart cities with cybersecurity in mind” is the SSC motto.


Mission: Possible

The initiative’s proclaimed mission is to identify the cybersecurity challenges facing smart cities and to propose workable solutions to address them. This includes promotion of cybersecurity best practices and cyber-solutions for all the technologies used by smart cities.

Many organizations in the world work on these technologies; the global Smart Cities market is expected to grow from $411.31 billion in 2014 to $1,134.84 billion by 2019. Far fewer, however, think about cybersecurity. So while these intelligent solutions are supposed to make urban areas energy efficient, comfortable, environmentally friendly, and safe, one of the root causes of safety – information security of these IT systems – is often overlooked. And the more IT is there, the higher the risk.

“If not addressed early on, the cost and complexity of creating a smart city could make it far more difficult to address security problems further down the line. In the end, the city would be left vulnerable,” the mission statement reads.

Guidelines to make cities smart

Action is being taken now. Late in November, the Securing Smart Cities initiative released guidelines jointly developed by Securing Smart Cities and the Cloud Security Alliance (CSA) for the adoption of smart city technology. The guide provides organizations with an overview of the key elements needed in order to implement the best technological solutions with a lower risk and exposure to cyber threats.

It is not a detailed information security testing program, but rather “an overview of the key elements that organizations need to look for in order to implement the best technological solutions with a lower risk and exposure to cyberthreats”, a number of practical recommendations on how to select, implement, maintain and dispose of solutions both during and after the process of acquiring new smart technologies.

The full document is available here.

Previously on the Smart City security | To be continued…