In today’s connected world, smart cities are transforming the way people travel, communicate and engage with society. While the advancements in IoT technology have improved our way of life, it’s important to assess the security of the devices we’re using. This conversation has been up-leveled to local, state and federal government officials who are discussing the most efficient and secure way to regulate the growing number of smart cities. Peter Tran, GM and senior director at RSA Security, weighs in on the risks that smart cities pose, in addition to security measures that need to be implemented to protect our cities.
How long before the majority of metropolitan areas start implementing some form of smart city, connected devices?
Whether metropolitan areas have realized it yet or not, most if not all, major cities have begun the process of becoming a Smart City merely by leveraging information systems to increase efficiencies across critical “smart city services” such as public works/safety, transportation, and healthcare. When you pop that coin or credit card into that “smart parking meter”, you are using an IoT technology that has been around since 1995 that’s been a city revenue generator, tracker and analyzer of parking congestion and patterns. Cities are well connected now and we are in position to grow the global IoT footprint to well over 50 Billion connected devices by 2020. The big question is whether cities will be ready to interact with and integrate the sheer scale of connected platforms. This will be the inflection point when a city goes from just being connected to truly smart.
What are a few of the biggest risks associated with smart cities and connected living (i.e. mass power outages)?
In a smart city, data is the absolute king in order to function across virtual payment platforms, tax/revenue, in-app mobile commerce and quality of living connected platforms and services that cannot, in any circumstance, have a material data breach that is disruptive and/or destructive in nature. What would keep a city leader up at night is not so much if his/her city had a data breach or power outage, but if the interconnected smart infrastructures such as payroll processing, banking, local, state/federal tax and revenue collection systems are also affected, bringing multiple smart cities down to its knees. In this scenario, data disruption or destruction of tax payments, payroll and/or supply chain infrastructures can cause local, state and/or federal governments to run out of operating revenue within days. It’s a massive virtual drought condition that can be unrecoverable.
What cyber security guidelines have you seen be put in place to protect smart city initiatives (i.e. authentication)?
Although the Smart City train has already left the station, a number of effective guidelines have been published by the U.S. Department of Homeland Security (DHS) Office of Cyber Infrastructure and Analysis (OCIA), Cloud Security Alliance (CSA) and the European Union Agency for Network and Information Security (ENISA). The guidelines help connected/smart city initiatives anchor themselves on foundational areas for identity protection, authentication, authorization and access controls (AAA) as well as information security table stakes such as continuous monitoring, early detection and response. What’s very important to remember is the application of established information security best practices still apply to smart city environments and it’s a matter of adapting to design and architecture considerations.
How do you see local, state, federal and private industries working together to secure smart cities?
To date, there isn’t a unified model or governing body for securing the smart city on a national level. However, the good news is that there have been significant efforts at the federal level to begin this process both through the U.S. Department of Homeland Security (DHS) funding of local and state smart city projects as well as cross information sharing initiatives through joint working groups and information sharing analysis centers (ISACs). Over time, we see a tighter integration across local, state and federal governments mainly driven by the fact that smart cities and connected living will naturally bring shared platforms, efficiencies and broader risk/security requirements both virtual and physical.
From your perspective, are there any specific security measures or regulations the government can take to protect connected devices?
This is a very tricky area and not all IoT connected devices are created equal. By nature, an IoT device is defined by function and connectivity, NOT security….better, faster, cheaper but not secure. Connected devices will need to go through a testing and certification “funnel” that is comprised of design, security and manufacturing standards, regulatory requirements (particularly those relating to medical devices and others), unified independent verification/validation such as models employed by UL and similar tech underwriting/certification organizations. We are far from the “good housekeeping seal” of approval for IoT, but a balanced approach will get us there.
Is there a specific region or country you think is paving the way for smart cities and IoT security?
Singapore is in the top 10 of smart cities paving the way as a model for innovative use of IoT and data technology to drive connected living and efficient, quality city services. Data analytics and key performance indicators are core to Singapore’s smart city with visitors being able to clear immigration and receive their baggage within 15 minutes from the time the airplane stops at the arrival gate. I myself experienced this first hand. However, the best-kept secret in smart cities is Dubai in the United Arab Emirates (UAE). Their Dubai Smart City initiative, in conjunction with being the host of the 2020 World Expo, Dubai is the model for the “art of the possible” for smart cities with 50 different smart services across 26 government agencies all built as “greenfield” which gives the UAE a distinct advantage over other regions wrestling with aging legacy infrastructure.
How is artificial intelligence being applied to smart cities (i.e. smart lighting, traffic lights)?
The application of Artificial Intelligence (AI) within smart cities boils down to the use of computing power and data analysis to aggregate unstructured data from connected devices and sensors to trend, identify inefficiencies and adapt to changing conditions based on data driven inputs and outputs. Lighting systems and traffic control systems adapt to “crowd clusters” and movements of people, cars, air quality sensors and other sensors collecting data around the clock. AI begins to learn from each senor input and output and makes relationship and functional assumptions across the smart city as to whether there may be trending “hot spot” areas to be mindful of across public safety, transportation, healthcare, commerce and entertainment. Using AI and machine learning, smart cities can realize significant cost savings….but it comes at a price, with projected global smart city technology investments reaching $174 Billion by 2023.
How should cities be including cyber security in their smart city strategy?
Cyber security considerations should be on par with every design and architecture requirement when considering smart city strategies well before implementation. It’s not just connecting devices like a traditional IT project or running a large network. The absence of security in any design consideration can have serious breach exposure considerations as the city becomes more interconnected locally and nationally. Bottom line….cyber security is a smart city enabler and should drive and focus on continuous and integrated virtual/physical security monitoring, early data anomaly detection, proactive response, risk reduction, compliance and governance.
Peter Tran, GM and Senior Director at RSA Security
Image Credit: Jamesteohart / Shutterstock