According to recent research by KPMG, almost half of all local councils in Australia are planning to implement smart city strategies. Moreover, the introduction of 5G networks is expected to further drive the use of Internet of Things (IoT) technology across urban communities from sensors used in traffic control and air quality monitoring to smart street lamps and bins.
While citizens can expect to enjoy better services and greater efficiencies, smart city infrastructure also introduces new avenues for attack, with more connected networks, more cloud and more data leaving cities infinitely more vulnerable to cyber threats.
The networks of critical infrastructure providers are particularly at risk, as they increasingly add Internet-enabled components to their industrial control networks. What was once “air-gapped” suddenly becomes part of the corporate network, which in turn is connected to the Internet.
While an attack on a corporate network may bring down applications, a cyber-attack on the industrial control networks of critical infrastructure providers could result in even greater disruption, such as citywide blackouts and traffic control outages.
Key barriers to resilient smart cities
The cyber security challenges of a smart city can be broken down into two key issues: a lack of security culture, and insufficient cyber education.
An improved culture of security led by governments, and potentially aided by regulation, will go a long way towards improving the security of IoT devices. The majority of IoT devices currently ship with little or no security. In addition, any consideration in terms of protecting the privacy of citizens in the design of devices or smart, connected systems is often ignored. This is particularly concerning given the increasing reliance on data analytics as IoT devices are deployed to public services.
When it comes to cyber education, today’s rapid rate of change makes it more challenging than ever to keep up with the potential ways cybercriminals conduct their attacks on the unsuspecting public.
While governments and industry need to play their part in helping to better educate people, citizens must also take the initiative to prioritise cyber education. A better-educated public increases the cost of business for cybercriminals, and forces manufacturers of smart devices to include security and privacy-by-design principles into their way of doing business.
How to build a cyber-resilient smart city
Smart cities do not build themselves, nor will they protect themselves. Without collaboration between government and industry bodies, they will remain unsafe. All involved parties should focus on two main goals: cyber resilience and safety. However, these goals need to balance with convenience and digital innovation.
Governments and industry alike must reframe conventional thinking about security in the context of smart cities. Safety in the design of a smart city is a non-negotiable.
Singapore is a good example of how governments can aim for, and build cyber resilience into their plans, yet remain highly convenient. One component of the nation’s Digital Government Blueprintis “operating reliable, resilient and secure systems,” and it outlines initiatives to strengthen the resilience of critical systems and heighten cybersecurity awareness among public officers.
Yet the incidence of cyber-attacks across all sectors proves that no system is impenetrable. Smart cities must therefore prepare for the inevitability of an attack, but aim to minimise the impact when it occurs. If we assume everything in a smart city is insecure, we have fewer expectations about the security of the infrastructure, and instead design controls around safety, availability, and continuity in the face of presumptively successful cyber-attacks.
Cyber resilience focuses on the concept that controls are implemented in a prioritised manner based on non-negotiable core principles, and a resilience-based approach will give us the best chance of ensuring smart cities are safe, agile and operational before, during and after a cyber-attack.