Joining forces to mitigate smart city cybersecurity threats

Stefan Alfredsson

Cities are becoming smarter as we speak. With an ambition to achieve livability, cities deploy new, innovative technologies to enable them to manage their assets and resources more efficiently. But the technology cornerstones of smart cities – connectivity, big data and IoT devices – not only offer possibilities to develop more livable cities, they also make cities more vulnerable.

In its Global Risks Report 2018, the World Economic Forum ranks cybersecurity as the third largest global threat. They also conclude that the number of potential cybercrime targets grow exponentially with the acceleration of cloud services and Internet of Things.

Many smart city projects – regardless of focus area – are potential targets for cyber criminals. To manage this threat is not a one-man job, but a collaborative effort that goes across organizations and stakeholders.

Security policies are key

Many of us wish for a universally applicable solution, but as each organization has specific and unique cybersecurity needs, there is no such cybersecurity configuration. Instead, it is important to have a set of information security policies in place to define the scope of security required.

However, it’s not only about having a policy in place. As IDC pointed out in their Smart City: Secure by design report from last year, ‘it is also about ensuring that all the parties involved in the city ecosystem management follow the security policy standards’.

A shared responsibility

Considering all the above, it’s clear we need to join forces to ensure that the links of the chain are as strong as possible. In a recent blog post, Timo Sachse highlights, that cybersecurity is a shared responsibility and stresses the need for end users, like cities, to work closely together with the following stakeholders:

  • Integrators & installers. They  need to ensure that all installed equipment is patched with the latest updates and run a sophisticated virus scanner. It is also a joint effort with these stakeholders to e.g. ensure a solid strategy for passwords, management of remote access, and maintenance of software and connected devices over time.
  • Distributors. For distributors, who do not directly touch the products they are handling, the process of cybersecurity becomes relatively simple. Value-add distributors, however, need to consider the same aspects as integrators and installers, especially when they buy equipment from a manufacturer and relabel under another (or own) brand – so called OEM/ODM equipment. Transparency is key. The origin of the equipment must be clear to the user.
  • Consultants. They help to specify the systems should also be part of specifying maintenance for the system’s lifetime and be transparent about the potential costs associated. The challenges of using OEM/ODM equipment, where cybersecurity responsibilities often are unclear, should be a part of the overall discussion around cybersecurity as well.
  • Device manufacturers. They carry several responsibilities – ranging from not including intentional backdoors and hard coded passwords, to supplying tools for affordable device management and informing channels and partners regarding vulnerabilities.
  • Researchers. They often discover device vulnerabilities. If the vulnerability is not intentional, the researcher typically informs the manufacturer and gives them a chance to fix it before publishing it. However, if a critical vulnerability has an intentional character, they often approach the public to raise awareness amongst the users.

It will happen – it’s all about being ready

The number of connected devices in cities will continue to grow rapidly and cities will be affected by more or less severe cybersecurity incidents. Therefore, it is necessary to be well prepared, and this can only be achieved in the following manner:

  • Having a clear cybersecurity policy in place that is shared and known by internal and external parties.
  • Ensuring a close collaboration with the above stakeholders, to ensure all procedures of implementing a cybersecurity solution are correctly conducted and considered such as system design, installation, maintenance and preparedness.
  • Scalable and efficient device management. When you have hundreds, or even thousands of connected devices – whether street lights, garbage cans or cameras, it is critical that you can perform upgrades and configurations automatically in bulk, rather than manually.

By working together, we can ensure that cities are better prepared to address the constantly evolving cybersecurity threat, and remain capable of reacting fast if the threat materializes.

Get further insights on cybersecurity best practices for device management in the How to maintain cybersecurity across all your devices blogpost.

Please continue the discussion with us at Smart City Expo World Congress on 13 – 15 November 2018 in Barcelona, Spain:

Smart City Expo