No longer is the smart city concept a far-off, futuristic idea, it is a very real initiative that governments all over the world are embracing. However, as the internet of things (IoT) continues to spur the growth of smart cities, it also elevates the need to address the security concerns that come with them.
When the initial wave of IoT implementations began rolling out a few years ago, the core focus was understandably, on communication and connectivity. Giving ‘dumb’ objects such as televisions, lightbulbs and thermostats network connectivity was a huge technical achievement. So great were the rewards being reaped from these new connected ‘things’, that the identity, and access management aspect was often overlooked. As the maturity and stability of IoT communications increases, we now have gained a better understanding of the potential risks and vulnerabilities with respect to data loss.
The sheer volume of IoT devices provides a large attack vector for malicious operators. When considered on a citywide scale, where thousands of devices are communicating with both operators and each other simultaneously, the security implications are significant. Smart cities present the ideal target for hackers to create bot-net style networks of compromised devices, and use them to perform tasks other than those they were originally designed for.
For example, imagine if a hacker was able to compromise a city’s traffic flow system, turned all of the traffic lights around the city centre to red during rush hour. Team this with interference to local radio stations meaning there is no way for citizens to be warned. As commuters take their usual routes to work, unaware of the issues, the entire city could become gridlocked in minutes. Not only does this cost the city money from a productivity perspective, but it also means the emergency services cannot get to call-outs quickly, potentially costing lives.
How can threats be mitigated?
The first step to preventing threats of this nature is to understand where they are coming from. The best way to do this is to ensure that every connected device within the smart city infrastructure, be it a car, a street lamp or a earthquake sensor, has a validated identity and is correctly attached to the network. If a device can be identified, it is that much easier to confirm that the data it is generating is genuine and can be trusted. Importantly, it also means if the device is trying to do something that it is not permitted to do, it can be identified and prevented.
Focus on effective risk management
It is unrealistic to expect any network to be entirely free from malicious behaviour. Even with the best security measures in place, with so many attack vectors and threats out there, eventually something/somebody will get through. As such, effective risk management is a key component in evaluating and responding to threats in any smart city. Controls and, more importantly, recovery plans should also be put in place to not only reduce the risk window, but to also actively respond once any issue is discovered.
Public infrastructure will always be a highly attractive target for criminals and terrorists. As such, it is fundamentally important that the steps taken to secure smart cities will be effective at that scale. Any smart city security programme needs to be regularly reviewed, to ensure new innovations are incorporated, and compliance is always met. This, when teamed with identity management and a sound knowledge of threat vectors, should be enough to protect the ever-growing smart city.
By Simon Moffatt; Solutions Director, ForgeRock