• United States




What happens if… disaster recovery for the smart city and beyond

Feb 20, 20184 mins
Critical InfrastructureData and Information SecurityDisaster Recovery

Using disaster-recovery-as-a-service (DRaaS) for smart distributed data.

lighthouse beam beckons to a businessman in a boat on a sea of red tape
Credit: Thinkstock

Crisis planning is integral to many cities across the planet and we see it in use when natural disasters strike. When the magnitude 9 earthquake hit Japan in 2011, previous disaster planning kicked in. But the response has been criticized because of the predictive limitations that informed the disaster recovery attempts. Other criticisms highlighted too much emphasis on using ‘hazard maps’ which were inaccurate. If our starting points are off point, then our disaster recovery will also be lacking.

In our smart cities, which are intrinsically dependent on data, disaster recovery has to include data as a critical infrastructure in its own right or as my previous article outlined—the data superstructure.

Controlling catastrophe

We are never going to stop catastrophic events, be they natural or human-made. So, all we can do is be well-prepared for them.

In a smart city, our very infrastructure is dependent on the data generated by citizens and our daily lives. For example, smart water is a critical infrastructure that needs lots of data to improve our city living. Smart water needs to analyze water flow, distribution, use metrics and pressure. It is also intrinsically linked to weather and perhaps other, more behavioral-based data.

Smart cities need to provide clean, always available, water to many millions of city dwellers. Critical infrastructures, like smart water, are also likely to be a sweet target for hackers. We have already seen the ‘testing of the waters’ in energy CIs like the attack on Ukraine’s energy grid by the CrashOverride malware. Or the unnamed water treatment plant where hackers adjusted the chemical mix used to treat tap water.

Our critical infrastructures are under serious threat from cyberattacks and according to the World Energy Council are now amongst the top concerns of energy companies in North America and Europe.

Having disaster recovery and planning in place is all part of creating a smart city. But modeling it so it is as accurate as possible, is part of the planning process. We have already built up a knowledge-base of information on our weak points. And, there is a lot of research on where the likely attack points in smart city critical infrastructure attacks will occur. Utilizing these will help towards more effective control, post-catastrophe.

Smart disaster recovery in the smart city—extended PEN testing?

Smart cities are built on big data analytics—much of which is cloud-based. These data have to be not only managed and organized well but protected too. These data run the city. They will ultimately be behind water clean enough to drink, heating to keep us warm in winter, and roads that are not continuously grid-locked.

The cogs and wheels behind the smart city will be cloud-based data and having a disaster recovery plan in place for these data is crucial to keeping the city running smoothly. Disaster-Recovery-as-a-Service (DRaaS) is a new era way to manage cloud data. In a useful article by Disaster Recovery specialists NetApp, they set out the main criteria for smart disaster recovery using a service model such as Azure Site Recovery (ASR)—it is analogous to having an umbrella over your data superstructure.

One of the key steps is preparation and planning. But to plan accurately, you need to have an understanding of the infrastructure and model behind it. I believe that as part of this planning stage, a new extended version of traditional Penetration testing needs to be developed that can follow the data across its use in a smart city context to take into account both natural and human-made disasters. This data lifecycle testing should be able to incorporate both security and privacy checks.

We should take heed of the mistakes we have already made when a disaster occurs. Having an accurate way of modeling a disaster and its aftermath will help us to a better laid out disaster recovery plan. As our smart cities begin to mature and take root, we need to lay down the expectations for managing the city when disaster strikes.

Having a mental map of the data driving the city will go a long way towards having an accurate plan to recover critical infrastructures, if and when, these data are compromised. We are already experiencing the touch of cybercrime on critical infrastructures as they become ever more Internet-connected. We need to put full effort into the disaster recovery plans of smart cities now or sit back and watch the cybercriminals take us hostage.


Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She have worked in the field of cybersecurity and digital identity since then and helped to create award winning security solutions used by enterprises across the world.

Susan currently works on large scale, citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author