Making Smart Video Resilient to Cyber-Threats in Smart Cities

In 2016, IDC predicted that: “By 2019, countries with 50% of their midsize to large cities in the repeatable stage or higher of smart city maturity will be more successful in country digitization efforts” and that: “City government systems will become attractive cyberattack targets and in 2017 at least one major city will suffer a cyberattack that will impact its short-term ability to effectively function”.

The first prediction simply means that the most innovative smart cities will lead the way for their countries in the pursuit of the benefits of the digital economy. In fact, cities represent an increasing share of population, GDP, and resource consumption across the globe. Hence, their ability to use technology and data in innovative ways, will create a competitive differentiation that drives sustainable economic development or revitalization by creating jobs, increasing the standard of living, and attracting investment.

The second prediction succinctly states cities’ increasing dependence on technology – 21% of local government interviewed by IDC in 2016 that were investing in the Internet of Things had already deployed a solution and were planning to expand their IoT footprint, 68% were planning to initiate investing in IoT in the next 2 years and only 11% were not planning to invest further (see figure below). To increase efficiency, customer-centricity and safety of services, such as public safety, traffic and transportation, street lighting, education, health and social care, tourism and more – will create new cyber vulnerabilities that can impact the safety of people, the finances of a city and the trust of citizens. These cyber risks will be mainly driven by:

  • Blurring boundaries of the ecosystem: Smart Cities are evolving and morphing as new systems are developed and as additional nodes are added to the networks that compose Smart Cities. This will further blur the boundary between public and private, and in doing so will increase the attack surface that Smart Cities present.
  • Opening of digital architectures: by embedding IoT sensors into traffic lights, water and wastewater pipes, energy distribution networks, lighting poles, or GPS devices into buses, police cars, drones, private cars, cities are improving operational efficiency, citizen service and urban planning, but also creating new points of vulnerability.

IoT Adoption and Investment Plans for Local Government Globally

Smart city cyber security IoT Adoption and Investment Plans for Local Government Globally
Source: Global IoT Decision Maker Survey, IDC, August 2016, N= 129 local government respondents

Unfortunately, the second prediction proved right already on April 8th, 2017, when all 156 emergency sirens in Dallas, Texas, were activated around 11:40 p.m. by a hacker attack, spreading panic among the population. So, that 911 emergency call center received around 4,400 calls causing a backlog, forcing some callers to wait up to six minutes to speak with emergency personnel.

How Should Smart Cities Protect Themselves from Cyber Risks

Cities IT and line-of-business executives that focused in the past six or seven years on the promises of smart cities, are not gearing up to counter the perils. They are pointing their attention towards a broader perimeter of security, where cloud, mobile and IoT devices play an important role (see figure below). Nonetheless, IDC research indicates that there is still limited awareness, particularly among non-IT employees in local government and across the broader smart city ecosystem about security risks.

Top security concerns for European Local Government IT Executives

Smart city cyber security Top security concerns for European Local Government IT Executives
Source: European Industry IT Executive Survey, 2015, N= 177 local government respondents

City executives that want to protect not only data and IT system continuity, but also digitally-connected critical physical services, such as electricity, water treatment, traffic systems, public safety, and public lighting must adopt a new approach, including:

  • Architecting solutions that are secure through all layers of the technology stack. Including the interdependencies across layers. Rather than just applying security as an add-on network protection, or a patch to a piece of software.
  • Implementing comprehensive, but easy to understand policies that can be applied across the ecosystem.
  • Coordinating cyber-defense across public and private sector, for example by leveraging the expertise of law enforcement units dedicated to cybersecurity and national computer emergency response teams (CERTS). For example in December 2016, the US Department of Energy led a simulation of a cyber-attack on the energy infrastructure of Northeastern US, in partnership with the utility industry, and state and local governments.
  • Proactively monitoring and analyzing sources of vulnerability.
  • Investing in resilience, response and forensic processes and tools, because no city can be totally immune from attacks.

Making Video Cybercrime-Resilient

Video cameras and feeds are critical assets for Smart Cities’ situational awareness, emergency response and dispatch, and investigation and enforcement. Smart city services like public security and safety, and traffic and transportation management are increasingly dependent on video. And their usage is expanding with the addition of body-worn, vehicle, private/corporate, and drone mounted cameras.

Video-surveillance solutions are not immune from the above described risks, so, to make video surveillance solutions cybercrime-resilient, city executives should:

  • Ensure that all city departments and ecosystem partners that are involved in implementing or using city-owned cameras, or feeding data to city command and control centers comply with a standard set of security policies and guidelines.
  • Architect the configuration and deployment of the end-to-end video solution, from device, to video management system, to video analytics to reduce security loopholes.
  • Establish business continuity strategies for dealing with downtime.
  • Collaborate with video-solution suppliers to understand how to leverage the most granular security capabilities, such as checking and upgrading firmware, setting user permissions, disabling services that may not be strictly necessary for certain use cases, enabling encryption, setting IP address filters, configuring SNMP monitoring, and more.
  • Conduct regular penetration tests to assess unknown gaps and vulnerabilities of the expanding digital boundaries of the city ecosystem.

Author: Massimiliano Claps, Research Strategy Lead, Government Insights, IDC