Cities must be secure, not just smarter and safer

We’re on the edge of a Smart City revolution. The Internet of Things (IoT) and Smart Cities are starting to transcend the realms of the technical into the mainstream, and we’re seeing increasing discussion and implementation of their innumerable opportunities.

London, Bristol and Milton Keynes are pioneering the trends in the UK but it won’t be long till we’re seeing smart initiatives, like city-wide WiFi and smart-parking, implemented across the country.

But smarter doesn’t necessarily mean safer – the well know cartoon-image of the scientist whose experiment blows up in his face is as good a reminder as any! And while safety may not capture the imagination and attention as some of the smart initiatives do, it is essential that it isn’t treated as a bolt on but remains at the heart of nation and city-wide connectivity. 

Re-introducing safe cities

Often when discussing Smart City safety, Safe Cities are cited with the two terms sometimes used interchangeably. But the purpose of these two initiatives can be very different depending on the requirement of the city. And beyond its slightly misleading name, Safe Cities actually face many of the same challenges as Smart Cities.

> See also: Smart cities: how do we get there?

It is important to start by differentiating between Smart Cities and Safe Cities.

One example of Safe City installation is Thales’ work in Mexico City, which is focused on improving the safety of citizens. By integrating CCTV, intelligence gathering, communications, public address, public call kiosks and many different organisations and agencies, the company were able to help reduce crime by 22% over three years, recover one in two stolen cars, decrease insurance costs, and increase operational efficiency by 20%.

By contrast Smart Cities largely have different drivers at their source such as ecological ambitions and citizen services through improved public transportation, smarter power consumption and intelligent infrastructure.

For example, in Santander since 2010, 12,500 sensors have been installed in the city’s downtown district, measuring everything from the amount of rubbish in bins, to the number of parking spaces available, and even placing them on taxis to monitor air pollution levels and traffic condition.

But despite their different motives, one theme that combines both Smart and Safe Cities is the need for trust.

Safe doesn’t mean secure

It is the integration of multi-agency collaborators which makes Smart and Safe City systems an increasingly attractive target for hactivists, ‘script-kiddies’, organised crime perpetrators and potentially even more ambitious terrorists. As the number of incentives to would-be-hackers increase, so the number of potential attack vectors rises exponentially.

This real threat environment means that significant attention needs to be paid to all aspects of the security of these Smart and Safe City installations including physical, process, people and cyber security.

Only once all of these security aspects are managed can the consumers of the various services really trust and engage with the city-wide concepts.

Trust, as a concept, is nothing new but as more and more of us adapt to the interconnected world around us it takes on ever greater significance.  The banking industry has developed the highest degree of trust in its electronic systems over many years as they have maintained the security of global transactions and introduced consumers to smart cards, chip & pin, internet banking, etc.

Trust in Smart or Safe City services, however, must be earned by the operators by including all the necessary safeguards and security capabilities.

Physical security has been well explored for many years, with impressive developments in the integration of CCTV, intrusion detection, number plate recognition, etc. to deliver the most effective security capability.

But the challenge today is these systems themselves now pose a security threat, with each device a potential attack vector into the integrated network and operations centres.

The previously clear demarcation between physical and cyber security is now completely blurred and one aspect cannot be considered without the other. Industrial Control Systems (ICS), Supervisory Control And Data Acquisition (SCADA) systems and Remote Telemetry Units (RTU) are now embedded into every aspect of city life and these are increasingly the target of people and organisations who wish to disrupt, destroy and deny these services.

Once you then add the security challenges around people, policy and process we can quickly understand the magnitude of the security challenge facing Smart and Safe City implementations.  

Safety 2.0

It is safe to assume that no system is unbreakable. And to that end, any Smart or Safe City initiative must aim to reducing the security risk to acceptable levels, such that citizens can enjoy the significant benefits that it can bring.

Encryption and authentication techniques can play an important part in protecting data within and between sub-systems, but risk based arguments are required to ensure that these measures are focused in the most appropriate areas.

For example, the temperature parameters for a building may be considered less critical and sensitive than number plate recognition data for congestion management.

Emergency planning and disaster management are also an essential part of any Smart or Safe City implementation. But this must get beyond deploying a Security Operations Centre with a Security Information and Event Management (SIEM) tool (those which provide many essential capabilities to maintain the security aspects of the network and identify problems or attacks when they occur).

> See also: How the UK can lead the world at smart cities

The greater and essential challenge is understanding how the attack has occurred: what the access points were, how far has the malware got into the system, how it is stopped, how it is recovered and how the consumers are informed.  

Smart and Safe Cities both have significant security challenges ahead. We can no longer rely on what we knew or our old techniques to build trust. As more initiatives are employed, with the real advantages we will also find a real threat environment building. Security and safety must be completely rethought with new initiatives concentrating on building trust rather than the traditional goal of prevention.

Every aspect of the integrated Smart and Safe City is a potential vector from which aggressors could launch an attack on the systems and services. Decision makers must ensure any programmes prioritise security so citizens can enjoy the significant benefits that Smart Cities can bring without fear of compromise. 

Sourced from Tony Burton, director of protection systems, Thales UK

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...