Cyber Security

Protecting Smart Cities From Cyber Attacks

James Hingley

As technology becomes more advanced, protecting the data it collects becomes more complex.

The world we live in today is dominated by technology. Whether it is our smartphones or no-till grocery stores, few areas of life remain untouched by technology. Yet, the presence of technology is more pervasive than it might first appear. Everything we do provides instant information about transit, traffic, health services, safety alerts, and puts community news into millions of hands. Now, this information is being put to use.

Technology helps to create a city that lives, breathes and adapts to the ways and habits of those living in it. However, no form of technology is infallible and therefore requires protection. The same is true of smart cities, especially since they collect and store the data of the citizens. Accordingly, the National Cyber Security Centre (NCSC) has provided some guidelines on how smart cities should go about best protecting themselves.

What is a smart city?

Although a smart city may appear fairly simple in principle, forming a concrete definition is more complex. In a 2018 report on the future of smart cities, McKinsey & Company offered a description of a smart city:

‘Smart cities put data and digital technology to work to make better decisions and improve the quality of life. More comprehensive, real-time data gives agencies the ability to watch events as they unfold, understand how demand patterns are changing, and respond with faster and lower-cost solutions.’

This provides a basic understanding of what a smart city does and, as a result, it is more possible to define a smart city. In fine, a city that uses the data collected from electronic sources and sensors to improve how the city functions can be defined as a smart city. On a more nuanced level, a smart city looks to develop, deploy, and promote sustainable development practices to address growing urbanisation challenges. For a smart city to fulfil its maximum potential, the city’s inhabitants need to engage with the smart ecosystems already existing. In doing so, it is possible to decrease traffic congestion, improve air quality and optimise the collection of rubbish and thereby improve the cleanliness of streets.

Based on all this information, the potential benefits of smart cities are overwhelming. With the increasingly rapid technological advancements, different areas are being optimised to improve the quality of life therein. However, technology comes with the risk that it can be compromised and smart cities are no exception. To that end, the relevant bodies are providing information to help preserve the integrity of the data collected by smart cities.

Staying safe

Although it comes under the general rubric of safety, the guidance issued by the NCSC looks to create awareness and build an understanding of the issues at hand. In particular, the NCSC highlights traffic light management, CCTV, waste management, streetlight management, parking management, transport services and public services (such as health/social care, or emergency services) as areas in need of enhanced cyber-security measures.

The element that makes smart cities an attractive target for hackers and other threat actors are the large quantities of sensitive, personal information. Likewise, given that the systems are interconnected, the concern is that, if one is compromised, they will all be compromised. To that end, the NCSC lays heavy stress on the importance of understanding. This is not simply a case of having an advanced understanding of the threats faced but also of the systems:

‘You need to have a clear understanding of your connected place infrastructure by identifying, understanding, and assessing inter-dependencies.’

When mentioning understanding the infrastructure of a connected place, it is not simply a question of understanding the system itself but also the people who have access to it. On this last aspect, the NCSC mentions the option of using Zero Trust Principles. It centres around the core belief that organisations should not trust anything inside or outside their perimeters. Rather, access should only be granted once it has been verified and authorised. Given the name of the policy, implementing it could be misconstrued as overly draconian. Yet, when it is remembered that the systems in question contain personal data, then the measures seem reasonable.

On another level, if there is a breach in the Zero Trust Principles, then the system must be constructed in such a way that it can also provide some level of protection according to the NCSC:

‘You need to ensure that your connected place architecture is designed securely. Your designs need to take into consideration the logical separation (or ‘zones of trust’) of your connected place network and identify critical security boundaries. This should not be limited to the cyber domain but also the cyber-physical (dual redundant sensors and/or actuators), and the physical space (such as diverse power supplies or communication routes).’

The subsequent instructions address the architecture of a connected place on a more nuanced level. However, similar to the advice concerning Zero Trust Principles, the recommendations are grounded in a basic principle of prioritising safety and security.

So, the resounding message is that smart cities, for all their usefulness, are vulnerable and, for that reason, steps must be taken to protect them. The NCSC did not name any particular threat actors, but that does not make the threat any less serious. A cyber attack against smart city infrastructure can happen at any time and, to that end, it is critical for the appropriate defence measures to be in place.

About the Author: James Hingley

James Hingley is a contributing Features Writer with extensive expertise in International Relations, Politics and Culture.