• United States




Data as a smart superstructure: a warning to the wise

Feb 14, 20184 mins
Critical InfrastructureData BreachRegulation

Only by having a robust data governance stance can we hope to, not only protect our individual critical infrastructure sectors but the city and its citizens.

smart city pins iot navigation
Credit: Thinkstock

In “Identity and the smart city,” I wrote about how we need to build a smart identity for a smart city. The article, hopefully, pointed to building a perspective on what smart actually means.

But, smart cities are built up from many smart pieces. These smart pieces are really just an evolution of our current critical infrastructures (CI).

The U.S. government has named 16 essential sectors that come under the heading of critical infrastructure – including transportation, energy, healthcare, and water.

We are currently living through a movement from once disconnected and distinct sets of CIs, to highly connected entities. Each area of CI, each sector in the smart city, will be directly, or indirectly linked. And, the glue that binds them is data.

I believe that because of the criticality of data within the context of a smart city, perhaps data should be viewed as a critical infrastructure in its own right and even given ‘superstructure status’.

The trouble with being big

Critical infrastructures are like the gold at the end of the rainbow for cybercriminals and hacktivists. Hit a CI, then sit back and watch the repercussions roll in. This is what happened to the energy sector in Ukraine which was infected by the CrashOverride malware designed to attack substation automation technologies. The lights went out for an hour only, this time; but as we all know, cybercriminals like to play with us and test the water.

Imagine the action of a similar mindset within a hyperconnected infrastructure based on data. It would be like children in a sweet shop.

The smart city has to use data to make it work better.

In doing so, smart cities have to connect up the underlying CIs in a collaborative feedback matrix of data sharing, analysis, and optimization of services. This is a positive and vital move forward in a world that is rapidly changing. But in doing so, we are opening up massive holes in those infrastructures. An attack on the data superstructure may well bring down, not just one area of a CI, but the entire city.

Bringing down the city

A smart city is only as smart as the data governance it has in place. This has to cover the entire lifecycle of these data, from collection, through to storage, analysis and dissemination. Regulations like GDPR, which may seem onerous now, are actually a good way to discipline ourselves for data governance on a hyperconnected scale.

If an adversary decides they want to cause havoc within a smart city, they would need to look no further than attacking or disrupting the data sources. An attack would happen, just like in Ukraine by carrying out an initial test on the smart data vulnerabilities.

Cybercriminals are, even now, building up a model of how to apply multiple attacks across the data surface to get the most devastating outcome. The interconnected nature of the smart city is both its superpower and its Achilles Heel; the data that city depends upon is its weakest link.

Building the smart city walls with good data governance for smart cities

In the smart city, disaster isn’t just about the lights going off in your home for an hour. It has the potential to cause mayhem in hospitals, cause gridlock on roads, change the settings in a water treatment plant to allow sewage into rivers, close off our communications channels and override security systems in chemical plants.

NetApp alongside analysts IDC produced an interesting global survey about how data is driving digital transformation – citing as an example, GE’s digital wind farm which can produce a 20% increase in efficiency.  The report concludes with a list of industries impacted by the new era of data-driven industry. The list coincides with the current view of what constitutes a critical infrastructure.

This is no coincidence. In the smart city, data is the new critical superstructure that operates across our traditional CIs and in doing so, creates a funnel into them all.

Protecting the smart city walls is not just about the protection of individual CI components, it is also about ensuring that we protect the data that allows those components to operate. We have watched as the enterprise perimeters smashed wide open when we connected across organizational digital barriers.

Now data is creating a new perimeter. Only by having a robust data governance stance can we hope to, not only protect our individual critical infrastructure sectors but the city and its citizens.


Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She have worked in the field of cybersecurity and digital identity since then and helped to create award winning security solutions used by enterprises across the world.

Susan currently works on large scale, citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author