The term "smart city" is used in many ways. According to StrategITcom, the definition of a smart city is "a collection of applications that use common secure infrastructures, data center(s) and device level data repositories for communication of critical and noncritical data." Smart cities are not just a novel idea. Addressing the delivery of services and improving the quality of life for city dwellers is a social imperative, as 70% of the world's population is expected to live in urban centers by 2050.
Examples of the benefits of smart cities include low- or no-cost public transportation, environmental quality improvement, better access to healthcare, broader access to educational opportunity and learning, and improved standard of living. The concept of technology enabling a better life comes with a duty of care that makes it essential we don't deploy innovations with security problems under the assumption that we'll fix them later. The potential human toll that comes from disruption of city services, reduced access to healthcare, and loss of sensitive personal information is too great to risk deploying smart-city technology without commensurate protection of systems and data across the board.
Unfortunately, there are many barriers to the kind of "common secure infrastructure" in this context. Security in smart cities is by no means a given, and it's time we address this now.
My friend and colleague, Tyler Svitak, is executive director of Colorado Smart Cities Alliance, the first statewide alliance of government, business, and allied organizations dedicated to advancing smarter communities in the US. As Tyler puts it, smart-city security breaches have potentially very serious consequences beyond just data breaches. They can be economically devastating and even life-threatening, if not handled appropriately.
Smart cities are often focused on what applications or use cases can benefit the community, which takes significant time, engagement, and resources to plan and implement. Security is rarely at the forefront of the discussion. Why? The way I see it, the answer comes down to a few different reasons.
The first is that, simply put, security has not been top of mind when these technologies were being developed. Historically, one of the biggest challenges with deploying complex emerging technology has been just getting it to work in the first place. By introducing security controls, it becomes a significantly more difficult and lengthy process.
The second reason is that a significant portion of the systems that make up municipal infrastructure doesn't fall under the category of traditional information technology (IT). Operational technology (OT), also known as industrial control systems (ICS), are in use throughout public services like the systems that protect our water supply or that handle waste management.
The Attack Surface Continues to Grow
The attack surface in municipalities is on the verge of growing exponentially as more Internet of Things (IoT) devices are deployed. Today, we interact with our city infrastructure through smart phone apps, interconnected streetlights, traffic control systems, and autonomous vehicles. Soon, a wider range of cameras and sensors will be interacting with the municipal grid deployed by 5G infrastructure. Expectations are that the IoT device numbers will increase into the billions. Threat reports indicate that it is exceptionally easy to gain unauthorized access through the vast array of sensors deployed in smart city infrastructure in order to cause physical destruction, interruption of services, and disruption of the rhythms of city life.
Finally, the third reason is siloes and organizational constraints. Take, for example, a metropolitan region with cross-city services such as regional transportation and traffic control grids. It's made up of many municipalities, and they are governed independently. Smart city technology is far from standardized. How do you effectively get all these municipalities to agree and implement interoperable solutions that impose both capital and operating expenses on already strained municipal budgets? According to Tyler, many smaller cities also don't have cyber professionals on staff due to small budgets and varied priorities.
Smart cities, done securely, should be a shared vision between our computer science research groups in academia, the private sector tech companies, the public sector, and innovative niched solution providers. Together, we can holistically address the security challenges from the data center to multi-cloud high availability solutions to the security of the far edge.
As we envision what's possible and prioritize our smart city initiatives, we need to bring together CX, UX, engineering, and security in smart city tabletop exercises as part of an iterative DevOps cycle that puts security considerations far to the left. Our cities deserve future-ready security and the capacity to identify vulnerabilities on a timeline that is preventative as much as possible and effective at stopping breaches once they do occur. Secure smart city design, implementation and sustainability is a set of people, process, and technology that needs our attention today.