Getting smarter about building smart cities

Is the security industry ready to meet George Jetson?

smart city pins iot navigation

I remember watching the Jetsons when I was a kid and thinking about how cool it would be to live in a world where cars could fly and robots delivered my daily meals.

As the industrial Internet of Things and IlT evolve, I'm growing more concerned about the fictionalized cartoon becoming a living reality.

Every city in the country runs on a massive infrastructure that connects citizens to water, electricity, transportation, and other critical resources. These “smart” systems designed with these Jetson-like futuristic technologies can manage power grids and waste management, street lighting, even public transportation systems.

Beyond sounding cool, it also (in theory) sounds like a blueprint for a more efficient world, but there are major security risks to consider.

If enterprises are supposed to work on the assumption that they have been breached, smart cities are no different. One major assumption they should make, then, is that the sensors can -- and mostly likely will -- be hacked.

Accessing the sensors gives cybercriminals the ability to feed the systems false data, information that could be used to cause serious harm. Without getting too dramatically driven by FUD, the reality is that hacking critical infrastructure could result in lots of harmful scenarios from poisoning the water supply to shutting down transportation systems.

Seth Robinson, director of technology analysis for CompTIA, said an estimated 1.6 billion connected things will be used in smart cities by year end 2016, a figure projected to grow 42 percent through 2017, according to Gartner.

"CompTIA’s IoT Ecosystem Framework, which can be applied to smart cities, reinforces the need to think beyond simply the number of connected things and focus on the interdependencies between the hardware, software, services, and rules components," Robinson said.

Attitudes about security are changing. "It's moving from seeing cyber as a purely technology issue into an understanding that we need to use technology processes that try to ensure best secure practices and end user education," Robinson said.

With regard to the evolution of smart cities, a lot needs to happen around processes and organizational structures. 

Robinson said, "The technology is something a lot of people are working on, particularly when it comes to looking at data security as that data is very mobile. Data doesn't live behind a firewall. It's moving all over the place."

Still, the processes and structures are something new for cities where they have technology being applied to different functions that might spread through a municipal government.

"All of those are getting technology incorporated in, and they need to understand what questions to ask and what objectives need to be met. These advancements are huge undertakings for cities," said Robinson. 

Any given city is going to have different departments that have different objectives. "They need to know what are they trying to achieve. Likely, it's the same objective as in past, but now they are adding in technology," said Robinson.

The trick to mitigating risks, though, is understanding that they are not just providing technology. "They need to also understand how that technology impacts the business objectives. There is a lot of consumer technology that can appear as an app on the smartphone, but municipalities will need a little more thought and more privacy for public implementation," said Robinson.

Getting ahead of risks means looking before taking that leap. Sure, Hollywood makes a futuristic world look amazingly convenient, easy, and flashy, but what things might slow down, complicate, or even threaten the creation of that world?

"These are agencies that have traditionally dealt with a lot fewer interconnected devices, so they need to be thinking about implementing the best practices around cybersecurity along with implementing technology," said Robinson.

Historically, threats to critical infrastructure have primarily been in physical attacks. "Now we are adding connectivity and intelligence into it. Part of the challenge with cities will be to see how they adopt the mindset of a lot of corporations. Securing the perimeter is not feasible with data moving all over the place," Robinson said.

We've seen the shift in corporate security mentality go from trying to prevent every attack to focusing more on how quickly they can detect and respond. "Cities are going to want to be more on the side of preventing every attack, but implementing modern technology means their ability to do that goes down," Robinson said. 

Perhaps that is why the level of adoption of "smart cities" is a little slower than expected. Robinson said, "I think that's OK because people are pausing a little bit before they rush in. Some of this still has to be played out. It's better to move with caution because there are potentially serious consequences."

Taking the time now to understand what questions they need to ask of the vendors providing them devices or infrastructure is critical to the future security of smart cities. There has been a trend across all sectors to first adopt technology then figure out security. 

Copyright © 2017 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!