Smart Cities mean connected cities
Smart Cities mean that most of the infrastructure, utilities and it’s citizens are connected on a inter-connected network. From parking sensors to traffic lights, smart waste bins to building management systems, e-governance portals to power grids and maybe self driving vehicles as well in the near future– everything connected and accessible to all.
In a smart city, you will most likely be able to track when your bus is reaching the stop you are waiting, board it and pay using your debit card through a mobile payment gateway which verifies your identity checking your Aadhar Number. Similarly, you are likely to use a mobile app to find vacant beds in an hospital for an emergency admission and then share the digitized medical records securely with doctors. For all of these, the free Wifi zone planned across most smart cities is going to be the preferred choice of connectivity.
Something similar which is already offered is when we book a movie ticket through a popular ticketing app, we are offered whether we want to book a cab to the multiplex. Both the movie ticketing and radio cab service are linked with our online payment wallets which in turn have access to saved credit cards.
Life seems to be so easy when different services are connected. Somewhere very close to the lure of better life in a smarter connected city, lurks the danger of security breaches, identity thefts, data sabotages, denial of service attacks, etc.
Disaster may be just around the corner
Smart traffic management where automated signals are controlled by analytical software calculating traffic loads may mean less stopping at red lights. But at the same time, it is not too hard to imagine a movie scene go real where a teenage hacker use a security loophole to turn every light in a city green at once. The result will be a city wide chaos with accidents throwing the police and emergency medical services into a disarray. With more users trying to find a way out of the chaos looking for help online, the huge bandwidth requirement other critical systems may also suffer downtime. But consider a situation where it is not a teenage hacker showing off his skills, but a terrorist group hacking into smart grids plunging wide areas of a city into darkness or trying to divert attention of police elsewhere so they could strike an unguarded location. With cities planning to implement various ideas, it is not a question if the systems will come under attack, but when. According to the 2013 Symantec Internet Security Threat Report, of targeted attacks are aimed at governments and energy/utilities companies, while governments and healthcare institutions are the target of identity breaches.
Loophole in a “not so critical system” may have a cascading effect
It is important to understand that hackers try to use the weakest link in the chain. One app or device may be secure in isolation but when connected to another system, it may be open up to the first person who finds the backdoor to enter. With the myriad of devices connected often using proprietary technologies, it is undoubtedly a daunting task. A seemingly not so critical system deployed today may be breached not today but few years down the line resulting in a cascading affect resulting in a catastrophic breakdown. Imagine a situation where a clogged roads due to hacked traffic lights may result in emergency services not reaching on time resulting in more damage.
Important to look at security from Day 1
Data security needs to be an important criteria from technology selection and early planning stages to ensure systems are not only smart but resilient against attacks. Technology should be chosen with proper cyber security controls and protections in mind. Startups with innovative solutions that solve urban problems may look attractive to tested out today. However, they may be totally ignoring security concerns in their rush to create a workable solution. Civic authorities may be lured to test out the solutions as it may look as minor sub system but it may be the loophole that lures hackers in future in the otherwise secured network.
Planning in advance for a secured Smart City
Cities should have a team of security experts led by a Chief Information Officer who vets all systems. With proper frameworks and policies in place for each solution provider to follow, cities may reach their goals of making urban lives more comfortable and yet not compromising on security. For example, each new solution being tested for deployment should first prove their compliance to security requirements through third-party testing, certifications, etc.
A cyber security cell should be created which continuously monitor threats on deployed systems and track any attack. A crisis management team has to be created which take control of a situation in case of an attack before the cascading effect of more breakdowns paralyses the city infrastructure.
Securing Smart Cities, the not-for-profit global initiative addressing the cyber security challenges of smart cities, released last year guidelines jointly developed by Securing Smart Cities and the Cloud Security Alliance (CSA) for the adoption of smart city technology. The guide provides organizations with an overview of the key elements needed in order to implement the best technological solutions with a lower risk and exposure to cyber threats. For a full copy of the guidelines, please click here. This is one of the better documents available online which details on how cities should plan for a secured and resilient smart city.
Another a good document to refer is a research paper titled “Cyber-security in smart cities: the case of Dubai” by Marios-Panagiotis Efthymiopoulos, Assistant Professor of Strategy and Security, College of Mass Media and Communication, American University in the Emirates published on 27.02.16 in the Journal of Innovation and EntrepreneurshipA Systems View Across Time and Space. The document is accessible here.