Co-Chair of the IoT Security Foundation’s Smart Building Group & CEO, Virtually Informed, on behalf of IFSEC Global
Security is just one of several challenges faced today by smart cities. However, if a smart city is not inherently secure, the whole project can collapse with devastating consequences.
When bringing existing infrastructure together with new leading-edge technologies, there are likely to be some unexpected vulnerabilities in people, processes and technologies. Good security governance, setting out what will be dealt with and how, is therefore imperative for success.
Making cities both smart and secure
It is also important to define a ‘smart city’. Research has demonstrated that vendor definitions are often too inclusive – a city doesn’t become ‘smart’ when there are a small number of non-integrated ‘smart’ infrastructures working independently of each other, for instance. Within this definition, cyber security must be considered, which is something the IoT Security Foundation has agreed upon when defining the Smart Built Environment.
As part of this process, it is imperative that partners, suppliers and third parties are committed to the cyber security of their contributions and of the overall project outcome. There remain many vendors who do not have, or do not care about, a cyber security track record, so the project must build cyber secure processes into the requirements of products and services supplied.
Ensuring ongoing support by way of vulnerability disclosure and timely updates is vital to the success of a smart city project.
Consideration must also be given to citizen privacy, a debate that continues to gain traction across the globe. Many physical security vendors, such as surveillance camera specialists, have incorporated data analytics into their devices. The collection of such data, be it biometrics or behavioural analysis, must be closely scrutinised to ensure that anonymity is protected at the ‘edge’ before it leaves the device for further processing. Data processing models for doing this should be developed early, as should approaches to engage with end users.
Finally, the project will need to consider both physical and cyber security disciplines in the management of the technology and smart infrastructure. The amount of real-time data being collected to support the operation of a smart city leaves operations at greater risk of potential terrorist or disruption attacks. For several years, IFSEC has provided a good example of the kind of technology that can be used to monitor both cyber and physical attacks with its Converged Security Theatre, which explores how a converged security operations centre is necessary to provide a full threat assessment for security teams.
The issues associated with each of these challenges are far wider than we can fully explore here, but consideration of security early and throughout all stages of a smart city project is a good starting point.