Tony Burton, director of Protection Systems at Thales UK, discusses how smart and safe cities have challenges ahead on the road to security
London, Bristol, Milton Keynes. These are some of the cities pioneering the smart city revolution in the UK, with initiatives such as city-wide WiFi and smart parking coming into effect. With the increasingly widespread adoption of the Internet of Things (IoT), it won’t be long until we see more smart initiatives implemented across the country to provide numerous services to improve city life.
We must be careful, however, not to assume that ‘smart city’ concepts encompass ‘safer city’ benefits and, even more importantly, we must assess the importance of security across both models. Let’s face it, security initiatives may not even register on a wet Monday morning as you are trying to find the closest available parking space to the office, but they would soon be brought into sharp focus should the traffic control system fail on the journey in. Security cannot be treated as an afterthought and must be at the core of city-wide, and indeed national, inter-connectivity ambition.
What is the ‘safe’ city?
It’s important to clearly differentiate between the smart city and the safe city, two terms that have typically been confused or used interchangeably to date.
Safe City projects typically focus on improving the safety of citizens. One example of this in practice is Thales’ work in Mexico City. By gathering intelligence and integrating public address, communications, public call kiosks and CCTV, Thales was able to help reduce crime by 22 per cent over a three-year period, recover one of every two stolen vehicles and increase operational efficiency by 20 per cent.
Smart cities, on the other hand, tend to have different drivers. Improved public transportation and intelligent infrastructure are amongst these key components. For example, since 2010 the smart city of Santander has installed 12,500 sensors in the downtown district to measure everything from the amount of rubbish in bins, to the number of free parking spaces. They have even placed sensors on taxis to monitor air pollution levels and traffic congestion.
The motives may be different, but the need for trust in both the smart city and the safe city is crucial.
Does ‘safe’ mean ‘secure’?
Hacktivists, those in organised crime, ‘script-kiddies’ and even terrorists may see smart and safe city systems as an attractive target with their abundance of new possible attack vectors. After all, street-lights, sensors and control systems are all hackable given enough resources, and just because a system is protected or even air-gapped from the internet doesn’t necessarily mean it is secure. The threats are very real and all around us, and so we must be able to ‘Trust’ the services provided.
Trust must be earned and so significant attention needs to be paid to all aspects of the security of smart and safe city services including the policies/processes deployed, physical infrastructure protection, people vetting and of course, cyber security. All of these security elements must be managed in tandem so that consumers of the various city services can truly trust and engage with the city-wide service concepts.
The element of trust is nothing new, but never has it been needed more than in the interconnected, IoT world that we now live in. One only has to look to the banking sector to see how it has developed the highest level of trust in its electronic systems over many years, maintaining the security of global transactions and introducing smart cards, chip & PIN and internet banking onto the consumer market. Trust in smart or safe cities, on the other hand, must be earned by the operators by including all of the security capabilities and necessary safeguards.
Physical security has been well researched for many years, with notable progression in the integration of boundary CCTV, number plate recognition and intrusion detection, for example. The challenge today, however, is that these systems themselves now present a security risk, with each device a potential attack vector into the integrated network.
The lines between ‘physical’ and ‘cyber’, software and hardware are becoming increasingly hard to define; they are no longer mutually exclusive. Supervisory Control and Data Acquisition (SCADA) systems, Industrial Control Systems (ICS) and Remote Telemetry Units (RTUs) are now embedded into the fabric of city life, and these are obvious targets for hackers who wish to disrupt and destroy these services.
Add to this the security challenges around people, policy and process, and we can swiftly understand the scale of the security challenge facing smart and safe city implementation.
No system is unbreakable. But any smart or safe city initiative must aim to reduce the security risk to acceptable levels, so that citizens can Trust and enjoy the benefits that it can bring.
Authentication and encryption techniques can play an important role in safeguarding data within and between sub-systems. However, risk-based arguments are required to ensure that these measures are focused on the areas that need them most. For example, the temperature parameters for a building may be considered less critical than number plate recognition data.
Disaster management and emergency planning are also an essential part of any smart or safe city implementation. This must, however, go beyond deploying a Security Operations Centre with a Security Information and Event Management (SIEM) tool (tools which provide many essential capabilities to maintain the security aspects of the network and identify problems or attacks when they arise). The main challenge is in understanding how the attack has occurred: what were the access points, and to what extent did malware affect the system? How does the service recover, and how are the consumers of the services engaged to ensure that Trust is not lost?
Smart and safe cities both have security challenges ahead. We must develop new techniques to build trust and mitigate the threats posed by sophisticated hackers. Safety and Smartness must be rethought in the context of security to protect citizens.