• United States



Bridging the smart cities security divide

Feb 01, 20186 mins
Internet of ThingsSecurity

There are plenty of organizations that seem to be working on answers to secure smart cities, but in many ways it's like the early days of cloud computing with everyone building their own solutions.

gap stretching
Credit: Thinkstock

In an earlier post about smart city security, I made the case that there are two entrenched sides that, almost like the current political divide, are appealing to different audiences. I said that even when talking about a single city, the two sides seem to talking about very different places.

That piece ended with a promise for a (presumably quick) “pragmatic middle ground that I hope can help enable better dialogue between the divided smart city camps.”

That middle ground was harder to find than I had imagined, and it has taken me well over half a year to write this “Part 2.”


In addition to my waffling procrastination, I started and stopped writing about “workable solutions” five or six times – before hitting the delete button (and starting over) each month.

Finally, over the holidays, I came to the realization that the two smart city sides may not really want to reach a deal. Even if they do compromise, the result will likely be similar to the budget resolutions that kick the can down the road a few weeks or months to keep the federal government open.  

I wondered: Are token cybersecurity sessions at smart city conferences really progress or just politically-correct posturing to appear to care about cybersafety? (No one want to be “anti-security.”)

And will self-proclaimed (hopefully white hat) hackers ever (truly) feel (even a little more) safe with new cars, roads, trash cans, smart homes, street signs, office building utilities, street lights and more developing new relationships with off-the-shelf smart phones?     

The answer to both questions: Probably not. But I still need to finish what I started.

Middle ground – or not?

There are plenty of organizations that seem to be working on answers to secure smart cities.

For example: Securing Smart Cities at offers the promise to make smart cities cyber-safe. Their mission is to “help the world build smart cities with cybersecurity in mind.”

The web portal has well-written research, references relevant news articles and highlights various events. In particular, I really like some of their research pieces “Fooling the Smart City” and “(Ab)using Smart Cities.” 

This not-for-profit global initiative first appeared to be a near-perfect one-stop shop to solve problems. They include a long list of respected contributors, researchers and support organizations like IOActive, Kaspersky, the Cloud Security Alliance (CSA), Institute for Critical Infrastructure Technology (ICIT), the Center for Internet Security (CIS) and many others.     

In fact, I liked this initiative so much I wanted to make it the highlight (and main solution) for this smart city security “answers” article.

But wait…., when I was about to go live with Part 2 in December, I noticed that their website hadn’t been updated since September 2017. Content was becoming stale. I decided not to publish that piece.

(And… still no web updates as of this writing in late January, 2018.)

It is not clear to me that this organization has financial staying power or the ear of the global organizations that are propelling the internet of things (IoT) and smart cities forward. For example, where are the smart cities highlights from the Consumer Electronics Show (CES)? Or, try comparing the Securing Smart Cities website to this No More Ransom Project website as far as global support and you will see what I mean.

Another potentially promising set of solutions comes from the Smart Cities Council. They offer robust content and very large global engagement with myriad companies. They do a great job of highlighting their resources in many different channels, and their content and engagement is always fresh.

The trouble I find with the Smart Cities Council is their lack of cybersecurity details and specifics in their case studies. While there are exceptions, it can be tough to find security answers from them. However, they do sponsor events like this Smart City 360 Conference in Finland, and they touch on security in their technology tracks.

One would think that the United Nations would offer global smart city security solutions, but they seem more interested in pointing to individual country efforts like India or the lack of country cybersecurity plans. 

NIST has developed some helpful smart cities resources, but it has lacked the national push for adoption seen in areas such as the cybersecurity framework.

Finally, individual companies are offering smart city solutions that include security. Here are three examples:

PwC also offers this article and assorted links to help. There are several internet of things (IoT) security frameworks floating around that vendors such as Google, Cisco and Sprint are supporting as well as IEEE committees who worry about important topics like patching hardware.  

Still, one gets the sense that this is like the early days of cloud computing with everyone building their own solutions that are proprietary and/or include a few partners. Will this work in New York, Amsterdam and Dubai?

Final thoughts

I want to highlight one more aspect to this smart city security divide.  

Back in December, the Harvard Business Review (HBR) offered this article entitled: The Internet of Things is Going To Change Everything About Cybersecurity, and I certainly agree with the article title and the premise that IoT is a gamer-changer for the world, including smart cities.

However, I disagree with author Yevgeny Dibrov’s premise that the way to get to better IoT security and “move towards a more intelligent, secure future” is by removing people from the process. I wrote a blog post in response arguing that “no security message is more central than this: People, and their actions, will always matter in cybersecurity.”

In summary, I see many efforts to propel smart city technologies forward, but a large percentage of these efforts are missing cybersecurity. The articles about Puerto Rico being rebuilt with smart city technology are encouraging. The infrastructure investments that are coming with 5G will enable amazing new breakthroughs and opportunities.

What’s needed?  To redouble efforts to bridge the smart city security divide, because I believe the gap is currently growing wider between the two sides.

In politics we saw a government shutdown. Will we see a smart city shutdown?

Only time will tell, but the clock is ticking.     


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.

More from this author