Securing a smart city approach: the ecosystem of cybersecurity
In an increasingly digital world, this article from WORKTECH Academy Global Partner Signify champions a collaborative approach to ensuring robust and secure smart cities in the future.
To secure connected lighting in the smart city, you need a vision that penetrates the fog produced by fast-evolving and persistent threats. You also need to focus on long-term prevention in addition to speedy responses to contingencies. Security is a responsibility shared by an ecosystem of players, from system users to vendors and cloud providers, so it’s important to understand the obligations of all involved.
Users need convenient access to features consistent with their roles. Vendors need to address security in each component they bring to the table, and coordinate to prevent cracks from forming at integration points. And cloud providers need to harden their physical data centres while providing encryption and network protection.
Securing the smart city
Many of the underlying technologies powering smart cities already have security protocols, but not all are created alike. Practices that suit consumer-grade IoT devices with limited numbers of users and short lifespans may not translate to smart city infrastructure. Unlike consumer devices, components of smart city infrastructure can potentially impact millions of people on any given day. These components may also need to function reliably for a decade or more. A would-be ransomware attacker must never be allowed to literally turn out the lights on a metropolis.
Because smart city systems such as connected lighting are mission-critical for citizen safety and satisfaction, deployments should include robust, rapid failover and disaster recovery plans. There are no substitutes for many of the services a city provides its residents, and approaches to cybersecurity should honour the city’s obligation to keep providing those services, whatever it takes.
Sharing responsibility for security
Ironically, there is a risk of taking on too much internal responsibility for smart city security. Assuming control over and exclusive ownership of data, systems, and processes cuts down on potential failure points, but you have to make sure not to overlook the bigger picture. Cybercrime is a full-time job, and fighting it requires both intense focus and an expansive vision.
Many of today’s attack vectors are the same ones we’ve been dealing with for decades. Unpatched vulnerabilities, misconfigurations, and compromised passwords remain significant problems, and many malware attacks start inside the organisation, whether an employee is malicious or the unwitting dupe of a social engineer. That said, cybersecurity attacks are evolving fast, and there is no single playbook that can neutralise every act of aggression.
Instead of trying to build an impregnable wall around your systems and processes, work with vendors who take a larger share of responsibility to protect your systems. Such arrangements should mandate clear vendor responsibility for encryption and data security, as well as for threat monitoring and incident reporting to city leadership. Ongoing risk analysis, impact assessments, and regular penetration tests and vulnerability assessments should also be on the table.
At the user level, it’s vitally important to carefully delegate access by role. Everyone should have convenient – but secure – access to the data and features that they need, and should have no access where they don’t. Making sure that your vendors offer a sufficiently granular role-based access approach will forestall a variety of security-related misfortunes.
Embrace end-to-end security designs
In addition to sharing responsibility across multiple partners, you must embed security measures into your network from one end to the other. Important considerations include on-premise vs. software-as-a-service (SaaS), human error, data residency, and data redundancy. While each of these concepts is distinct and must be considered separately, they can affect one another in complex ways.
For example, relying solely on on-premise systems and data storage doesn’t add up to an effective risk reduction strategy. Most attacks are launched remotely, regardless of where data or applications reside. Additionally, strict on-premise policies introduce other risks, including lack of redundancy and the need for manual management, which is notoriously error-prone.
Comprehensive smart city solutions typically integrate several different system infrastructures, from connected lighting to enhanced mass transit, and many of these use cloud technologies to improve accessibility, availability, and security. Cloud services can be continually backed up to separate data centres with automatic capacity management and switchovers in periods of high demand or unanticipated service interruption.
These services ensure that data is securely encrypted offsite, where a major weather event or other catastrophe can’t wreak havoc. Leading vendors often coordinate security among several different offerings within their smart city portfolios, using cloud integration layers to ensure careful and properly vetted communications and data sharing.
End-to-end security should also include failsafe operation modes for essential services in the unlikely event that the broader infrastructure goes offline. For example, connected streetlights compatible with Interact IoT lighting systems from Signify are designed to fail over to a pre-loaded schedule when the control infrastructure is unavailable, and to store operational data locally until it can be reported to the back-end platform. This approach ensures that basic services remain uninterrupted even if a security exploit or other interruption occurs.
The virtues of collaboration
An open, collaborative approach to cybersecurity gives smart cities the best chance for successful rollout and growth. Experienced vendors and partners that make security integral to their designs can minimise threats at the device and infrastructure levels, and can work with you to define appropriate access privileges, segregation of duties, and other operational elements that can improve cybersecurity across all layers of your connected systems.