Limited functionality available
Smart cities face many risks as digital and physical infrastructure converge. To help address this challenge, cities should embed cybersecurity and privacy principles in each stage of their development.
Smart cities are the future of urban living, harnessing the power of three Ds—digital technologies, data, and design thinking—to boost the efficiency and effectiveness of city services. However, this new wave of digital transformation also brings new cyber risks that could fundamentally impact the existence of smart cities. Cyber threats have been on the rise for years, but the last few years have seen an explosion in cyberattacks that target both data and physical assets.1
As connected devices proliferate at a breakneck speed—the number of IoT devices is expected to rise from 8.4 billion today to almost 20 billion by 20202—cyberattacks and vulnerabilities in one area can have a cascading effect on numerous other areas. The consequences could extend beyond just data loss, financial impact, and reputational damage risks—severe enough as they are—to include disruption of crucial city services and infrastructure across a broad range of domains such as health care, transportation, law enforcement, power and utilities, and residential services. Such disruptions can potentially lead to loss of life and breakdown of social and economic systems.
In March 2018, the city of Atlanta faced a ransomware attack that hit some of its customer-facing applications.3 At one point, the city had to shut down its free Wi-Fi network at the Hartsfield-Jackson Airport as a precautionary measure. Overall, the attack hit 5 out of 13 city departments, and it took the city weeks to get back to normalcy.4 Such attacks are also growing in frequency: According to a 2016 survey of chief information officers of cities and counties, about a quarter of local governments were facing attempted cyberattacks every hour.5
The rapid hyperconnectivity and digitization of cities are accelerating cyber threats. To tackle the challenge, government leaders, urban planners, and other key stakeholders should make cybersecurity principles an integral part of the smart city governance, design, and operations, not just an afterthought. In this paper, we examine the key factors that influence cyber risks in a smart city ecosystem and a broad approach that city leaders can adopt to manage these risks.
A smart city is a complex ecosystem of municipal services, public and private entities, people, processes, devices, and city infrastructure that constantly interact with each other. The underlying technology infrastructure of the ecosystem comprises three layers: the edge, the core, and the communication channel (figure 1). The edge layer comprises devices such as sensors, actuators, other IoT devices, and smartphones. The core is the technology platform that processes and makes sense of the data flowing from the edge. The communication channel establishes a constant, two-way data exchange between the core and the edge to seamlessly integrate the various components of the ecosystem.
This massive amount of data exchanges, integration between disparate IoT devices, and dynamically changing processes creates new cyber threats, compounded by complexities in the other components of the ecosystem that wrap around the technology infrastructure. For instance, data governance can be a thorny issue for cities as they need to think about whether the data is internal or external; whether it is transactional or personalized; whether the transactional data is collected via IoT devices; and how the data is stored, archived, duplicated, and destroyed. In addition, due to a lack of common standards and policies, many cities are experimenting with new vendors and products, which create interoperability and integration problems on the ground and exacerbate cyber risks.
Three factors influence the potential cyber risk in a smart city ecosystem (figure 2):
Convergence of the cyber and physical worlds
Interoperability between legacy and new systems
Integration of disparate city services and enabling infrastructure
To begin to understand how to manage the cyber risk landscape, it helps to explore each of these factors further.
Smart cities blur the lines between the physical and cyber worlds. In this environment, people, processes, and places are integrated via both information technology (IT) systems used for data-centric computing and operational technology (OT) systems used to monitor events, processes, and devices and adjust city operations. Such convergence allows cities to control and govern technology systems through remote cyber operations.
However, this convergence, where many devices in the edge could be cyber threat vectors, gives rise to the risk of malicious actors entering the system and disrupting operations on the ground—thus exponentially expanding the cyber risk landscape.6 With the proliferation of IoT devices, attackers now have countless entry points to compromise a city’s systems and take advantage of the resulting vulnerabilities.
In 2014, a German steel mill was a victim of a spear phishing attack. Through targeted emails appearing to be from a trusted source with a malicious attachment, the attackers first obtained access to the business network and then to the production network lacking required separation. The attackers remotely disabled the blast furnace by taking over the control systems, resulting in massive physical damage to the furnace system, costing millions of dollars.7
In another example, as an experiment, University of Michigan researchers successfully targeted the Intelligent Traffic Signal System (I-SIG), which is one of a series of CV-based transportation systems being deployed, tested, and implemented under the US Department of Transportation's CV Pilot Deployment Program. The researchers used data spoofing and fake messages from a nearby connected vehicle to create a traffic jam in a simulated environment, increasing average delays by 38 percent.8 This attack turned out to be quite easy to do, highlighting the expanding cyber risk landscape.
Often, organizations that pursue digital transformation need to integrate new digital technologies with legacy systems, which can create significant challenges and risks. These challenges include inconsistent security policies and procedures and disparate technology platforms, resulting in hidden security vulnerabilities throughout the smart city ecosystem.
In 2015, the US Office of Personnel Management’s (OPM’s) systems suffered a data breach, giving hackers access to personnel file records of 4.2 million employees. This breach was primarily due to the OPM’s old network’s inability to encrypt data.9 The OPM has spent millions of dollars since then to accelerate the modernization process.10
This situation is exacerbated as many cities increasingly use IoT solutions, but within a retrofitting model. For instance, large, established gas and water systems within a city have deployed sensors on a large scale. These sensors need to connect to a broader network for the data to be aggregated and analyzed centrally. However, these sensors have minimal security protocols.11 In the long run, retrofitting may not be a viable option as many devices could become physically incapable of upgrades.12
Another challenge is the lack of generally accepted standards governing the functioning of IoT-enabled devices. City departments and agencies typically use sensor technologies from different vendors that generate data in different formats and use different communication protocols. Creating interoperability in such situations can be difficult, and cities may face a trade-off between interoperability and security. Each new device added to an IoT ecosystem adds a new attack surface or opportunity for malicious attack.13
Traditionally, cities have offered a wide range of services that were largely independent of each other (e.g., power, water, sewer, transportation, public works, law enforcement, firefighting, and social services). Each of these services was typically provided by an agency using its own systems, processes, and assets. Now, these services are slowly being integrated and linked through an interconnected web of digital technologies.
As cities gain opportunities for new services and efficiencies, this comingling of services and systems comes with its own set of challenges. The increasing integration, interconnectedness, and data exchange create shared vulnerabilities where a problem in one service area can quickly cascade into other areas—potentially leading to widespread and catastrophic failures. In addition, cities need to rethink regulatory requirements, rationalize varied security protocols, and address data ownership and usage challenges.
The Emotet malware virus struck the city of Allentown, Pennsylvania, in February 2018. The virus quickly multiplied in a week and rendered the city’s finance department system unusable by not allowing it to make external bank transactions. Also, the police department could not access databases controlled by the Pennsylvania state police. Containing the virus and getting back to operational status is estimated to have cost the city US$1 million.14
Furthermore, data stored in different systems can be susceptible to misuse, potentially affecting citizens’ privacy. For instance, it is a leading practice to mask or delete personal identifiers in data. However, techniques and methods that allow malicious attackers to match different datasets to reidentify an individual are becoming increasingly sophisticated. So, a breach that compromises multiple systems and datasets can become a serious privacy incident for cities.
Cyber risk will continue to evolve in the coming years, as many cities plan to integrate a wide variety of services and infrastructure, connecting even more data, systems, and devices.
Most smart cities follow a four-stage evolutionary path that relies on varying mixes of new and legacy technologies. With each step up the curve, the scale of technology infrastructure and the potential attack vectors can significantly increase, necessitating corresponding maturity in the cybersecurity strategy (figure 3).
During the initial stage, when data is being collected through a small number of city-controlled, hard-wired sensors, the potential breach points are generally limited. However, at the next (intentional) stage, when a city starts to collect data from citizens’ smartphones and connected infrastructure, there are suddenly millions of uncontrolled potential breach points, most of which are beyond the city’s control. In the most advanced stages, when software bots at the core use artificial intelligence to make decisions and act without human involvement, the potential attack vectors are nearly endless—and continuous.
It is important to note that as a city moves up the evolutionary curve, the degree of convergence, scale of technology infrastructure and corresponding interoperability, and integration of services increase. For instance, while a city might have a few hundred connected devices in the initial or intentional stage, the same number can be in thousands or millions in the integral and transformed stages and will require better infrastructure to support such growth. The situation, in turn, drives more complexity in the core, edge, and communication layers of the smart city ecosystem. Therefore, the maturity of cyber risk capabilities should be directly proportional to the degree of integration of smart city ecosystem components, and the cyber risk management approach should consider all these components.
The convergence of physical and digital infrastructure, the ensuing interoperability, and interconnectedness between city systems and data is an ongoing effort in many cities. The security goals of a smart city—confidentiality, integrity, availability, safety, and resiliency—should be grounded on both the objectives of traditional IT (to secure data) as well as those of OT (to ensure safety and resiliency of systems and processes). These combined security objectives can help cities maintain a more secure and resilient operating environment (figure 4).
An integrated cyber risk framework can provide cities with management principles to incorporate into their smart city planning, design, and transformation stages. It comprises industry standards, legal, and regulatory requirements to determine how cyber risk may affect all the ecosystem participants, including users, government, services, infrastructure, and processes, as well as assess each system’s and asset’s influence on each other. Such an integrated approach can enable city stakeholders to view threats and vulnerabilities in their entirety rather than react to specific services or operational impact, eventually allowing them to develop the core capabilities of a cybersecurity program described in figure 5.
Balancing the promise of smart cities against the potential of cyber risks—and managing the associated risks effectively—will be critical to realizing the potential of smart cities. Cities should begin by engaging all the stakeholders and entities in the broader ecosystem. The next steps that cities should consider include the following:
Syncing smart city and cyber strategy. Cities should define a detailed cybersecurity strategy that is in line with their broader smart city strategy and that can mitigate challenges arising from the ongoing convergence, interoperability, and interconnectedness of city systems and processes. Cities should consider carrying out an extensive impact assessment of their data, systems, and cyber assets to identify, assess, and mitigate the risks associated with technology processes, policies, and solutions. The integrated view of the risks and knowledge of interdependencies of the critical assets can enable cities to develop a comprehensive cybersecurity strategy. For instance, Singapore launched its National Cyber Security Master plan in 2013 and followed it with a new cyber security bill in 2016. Both initiatives were an integral part of Singapore’s smart nation strategy.24
Formalizing cyber and data governance. Cities need to formalize the governance approach to data, assets, infrastructure, and other technology components. A comprehensive governance model should spell out responsibilities and roles for each critical component in the smart city ecosystem. To implement an ecosystem approach to tackling cyber issues, various entities will need to work together with a strong governance model as the foundation. Cities can establish a network among other cities, state agencies, academia, and corporations to share threat information, capabilities, and contracts to strengthen cyber defenses.25 Additionally, data management—including robust data sharing and privacy policies, data analytics skills, and monetization models that facilitate the sourcing and usage of “city data”—constitutes a critical aspect of this governance. Policies, legislation, and technology must be continuously aligned to maintain the right balance of protection, privacy, transparency, and utility. The governance, policies, and processes must mature along with the city’s overall cyber strategy. For instance, the city of Hague is home to the “Hague Security Delta,” an ecosystem of more than 200 organizations working in the national security, cyber and urban security, critical infrastructure, and forensics.26
Build strategic partnerships to grow cyber capabilities. The cyber skills gap is not going away anytime soon, so cities need to be innovative and proactive in plugging the cyber skills gap in their cities. This approach may require city administration to explore nontraditional efforts to tap into cyber talent such as crowdsourcing, prizes, and challenges to solve cyber-related issues. A smart city requires new skills and competencies across the various ecosystem layers. Cities can augment existing capabilities through strategic partnerships and contracts with service providers.
It is critical for city leadership to realize that securing cities from cyber risk is not a one-time event where cyber strategy evolves as cyber threats evolve; instead, it is also important to be able to recover when a cyberattack happens. Also, this is not a battle that cities can or should fight alone, but instead with an ecosystem of city governments, academia, the private sector, and startups. Technology can be one part of the cybersecurity solution, but the latter also needs a comprehensive governance model toward data and assets. More importantly, cities need an integrated approach to managing cyber risk with cybersecurity principles baked into every stage of the smart city development process (i.e., from strategy and design to implementation and operations). Cybersecurity is just too important to be treated as an afterthought.