Securing Smart Cities

A significant part of a smart city’s budget is taken up by security costs. Dr Ryad Soobhany, Associate Professor in the School of Mathematical and Computer Sciences, Heriot-Watt University Dubai, looks at the security risks of smart cities.

According to analysis from Frost & Sullivan, technology spending related to smart cities will reach $327 billion by 2025 – and a significant part of that cost is related to the security of smart cities. Smart cities rely on interconnected physical infrastructure and data-driven decision-making, which is achieved by a set of cyber-physical systems (CPS) – the merging of operational technology (OT) and information technology (IT). The CPS manages devices and systems that collect and analyse data using ICT components – such as Internet of Things (IoT) devices, cloud computing, artificial intelligence (AI) and 5G. The inherent interconnectedness of smart cities, however, creates an expanded attack surface, which makes it more attractive for cyber threat actors to exploit vulnerabilities in the system.

Smart City Cyber Risks

The interconnectivity of CPS can lead to security issues, for example where a cybercriminal uses device hijacking to gain access to an IoT network that is connected to the traffic management system (TMS) of the city. In this scenario the attacker can infiltrate the TMS and disrupt the smart traffic lights system or the variable speed limit system. The vast amount of sensitive data being generated, analysed, shared and stored poses challenges and raises concerns about the security and privacy of the data and how to protect it in the data processing pipeline. Moreover, any successful attack can lead to disruption of governmental services, cause financial losses or expose citizens’ data (which can lead to erosion of trust in the system). Additionally, interference with physical infrastructure can endanger the physical wellbeing of people. Man-in-the-middle (MITM) attacks can occur by breaching, spoofing or interrupting communication between CPS.

Distributed Denial of Service (DDoS) and Permanent Denial of Service (PDoS) attacks are on the rise and, in the case of PDoS, can lead to sensing devices (video cameras, speed sensors) being damaged beyond repair, with a huge cost for service downtime and replacement. The storage of the acquired data from various IoT devices can be targeted by ransomware attacks that encrypt the data and demand a ransom payment for its decryption. This attack can disrupt critical infrastructure operations and endanger public health and safety if CPS rely on the data to provide services.

Overcoming Interoperability Issues

Smart cities usually have a combination of state-of-the-art IoT sensors/systems (albeit not designed to be security-oriented) and legacy systems. Interoperability issues between these systems will increase the risk of cyberattacks. Another weakness is the integration of services, with the need to reconcile various security protocols and develop new ones. The use of AI by bots to make independent decisions can lead to attacks in which an external actor takes control of the bots without being detected by security professionals. Any attack that threatens the privacy and sensitive data of people will lead to a loss of trust by citizens and can lead to refusal to share data and ultimately rejection of smart cities.

Since smart cities are heavily interconnected and data-driven, it is critical to have robust security protocols, regular audits and a security-aware public. The traditional security triad of Confidentiality, Integrity and Availability remains a valid way to describe the security risks to smart cities, where the confidentiality of data will enhance the trust of the public and the availability of the system is crucial for real-time data sharing (e.g. street lighting, traffic control). From the perspective of OT security, the concepts of resilience and safety are important, with more focus on the integrity and availability of the system. Transparency is essential to enhance public trust and support for smart cities, which can be achieved by allowing citizens to have access to their data and a clear explanation of how their data is being used.

The holistic approach

Due to the presence of different networks and sub-systems within the smart city, only a fragmented view of the security requirements can be accessible. Therefore, a holistic approach to the cybersecurity of smart cities must be adopted, which can be achieved by designing and implementing security frameworks for smart cities that can provide an overall view of the cybersecurity needs of the smart city. Some components of such a security framework can be:

Security policy: the smart city needs a robust security policy that will provide macro and micro security processes and procedures that administrators can use.

Privacy-by-design: protect citizens’ privacy by anonymising personal data, restricting the collection of data, encrypting data and giving citizens control over their data.

Access control system: enforce multifactor authentication on access to local and remote devices/systems. Provide devices/users with the least security privilege they require to perform their functions. Create a tighter security-oriented network design with zero trust architecture that requires authentication for each new connection. Secure backup data repositories.

Keep all systems up to date with security patches and perform system updates on a regular basis. Implement tighter security protocols for unsecured IoT devices/systems.

Security education: employees of smart cities should be educated and trained to be security aware around integrated and autonomous operations. Training should be updated regularly. Citizens should be educated about their privacy and about sharing their personal details.

Incident management: develop incident response and recovery plans with clear responsibilities and roles so that the smart city is prepared to respond to cybersecurity incidents.

The implementation of secure smart cities requires different stakeholders, such as policymakers, regulators, software/hardware manufacturers/vendors, to collaborate and work in partnership. The security of smart cities should be aligned to the cybersecurity strategy of the government while aligning with standardised security frameworks.
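The access control component above (least privilege plus authentication on every request) can be illustrated with the traffic management scenario from earlier in the article. This is an added example, not part of the original article; the device names, keys, action names and message format are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed registry: each device has its own key and only the actions it needs.
DEVICES = {
    "speed-sensor-17": {"key": b"demo-key-sensor-17", "allowed": {"report_speed"}},
    "tms-controller-1": {"key": b"demo-key-tms-1",
                         "allowed": {"set_signal_phase", "set_speed_limit"}},
}
MAX_SKEW = 30   # seconds a signed request stays valid
_seen = set()   # accepted (device, nonce) pairs; a real service would expire old entries


def sign(key, device, action, payload, ts, nonce):
    # A JSON array gives an unambiguous encoding of the signed fields.
    msg = json.dumps([device, action, payload, ts, nonce], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(device, action, payload, ts, nonce, key):
    """Build a signed request the way a device holding `key` would."""
    return {"device": device, "action": action, "payload": payload, "ts": ts,
            "nonce": nonce, "mac": sign(key, device, action, payload, ts, nonce)}


def authorize(req, now=None):
    """Check one request and return (allowed, reason). Nothing is trusted by default."""
    now = time.time() if now is None else now
    dev = DEVICES.get(req["device"])
    if dev is None:
        return False, "unknown device"
    expected = sign(dev["key"], req["device"], req["action"],
                    req["payload"], req["ts"], req["nonce"])
    if not hmac.compare_digest(expected, req["mac"]):
        return False, "bad signature"          # spoofed or altered in transit
    if abs(now - req["ts"]) > MAX_SKEW:
        return False, "stale request"
    if (req["device"], req["nonce"]) in _seen:
        return False, "replayed request"
    if req["action"] not in dev["allowed"]:
        # A hijacked sensor still holds a valid key, but only sensor privileges.
        return False, "action not permitted for this device"
    _seen.add((req["device"], req["nonce"]))
    return True, "ok"
```

Because the speed sensor is only granted `report_speed`, a correctly signed request from that sensor to change a signal phase is refused, which limits what a hijacked device can reach.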