Smart City/Internet of Things (IoT) cyber security is of growing importance across local government.
Smart cities comprise a highly complex,
interdependent network of devices, systems, platforms, and users. Smart energy,
utilities, water and wastage, parking and automotive, industrial and
manufacturing, building automation, e-government and telemedicine, surveillance
and public safety are just some of the verticals that vendors and governments
need to secure.
Councils too use IoT and Smart City initiatives to
provide better services to their LGAs in areas such as Industrial Control
Systems (ICS), water and sewer mechanisms (pumps, valves etc), road and asset
condition tracking, sprinklers and lights, CCTVs, building management systems
and the like. All these devices are internet enabled and hence susceptible to
Smart cities are increasingly under attack by
various threats. These include sophisticated cyberattacks on critical
infrastructure (water and sewer), bringing industrial control systems (ICS) to
a grinding halt, abusing low-power wide area networks (LPWAN) and device
communication hijacking, system lockdown threats caused by ransomware,
manipulation of sensor data to cause widespread panic (e.g., disaster detection
systems) and compromising personally identifiable information (PII), among many
Councils need to ensure "security by
design" when embarking upon any type of Smart City/IoT initiative.
In practical terms, this means:
- Conduct a Privacy Impact Assessment, a Business
Impact Assessment and a Cyber Security Threat Assessment
at the start of any such project. This will help identify the potential risks
to security, privacy and availability before the system is built/designed. Once
these assessments are conducted, specify the controls that must be built into
the system/s. Don't forget that it's not just about breaching cyber security.
Attackers are equally interested in denying service to smart city systems
(i.e. bringing the systems down) for fun.
- Embed the controls. Ensure the
specified controls are built into the system from the start. It's far more
costly and disruptive to try to retrofit controls once a system is built, so
make sure they are "baked in" from the beginning.
- Independently validate the controls prior to
implementation. This means engaging an independent party (i.e.
independent of the people that "built" the system) to validate the
adequacy of the controls. This may include vulnerability scanning, penetration
testing, cyber security audits and/or code reviews.
- Ensure ongoing validation.
Systems don't stay static. They are continually enhanced, upgraded, modified
and uplifted. New vulnerabilities are found every other day. Councils should
therefore be subjecting their Smart City technologies to independent security
assessment following any significant change to a system and/or at least every year.
- Test Council's Cyber Incident Response Plan.
Despite a Council's best efforts, adversaries will (unfortunately) often find a
way through. Sometimes, it'll be as silly as switching sprinklers on and off,
but other times it'll be as destructive as opening sewerage valves or disabling
building management systems. Councils must have a documented Cyber Security
Incident Response Plan, and it must be regularly tested (like testing a
Business Continuity Plan).
For any further info, please contact us