Smart Cities & Cyber Security

October 8, 2019

Smart City/Internet of Things (IoT) cyber security is becoming increasingly important across local government.

Smart cities comprise a highly complex, interdependent network of devices, systems, platforms, and users. Smart energy, utilities, water and wastage, parking and automotive, industrial and manufacturing, building automation, e-government and telemedicine, surveillance and public safety are just some of the verticals that vendors and governments need to secure.

Councils also use IoT and Smart City initiatives to provide better services to their Local Government Areas (LGAs) in areas such as Industrial Control Systems (ICS), water and sewer mechanisms (pumps, valves, etc.), road and asset condition tracking, sprinklers and lights, CCTVs, building management systems and the like. All these devices are internet enabled and hence susceptible to attack.

Smart cities are increasingly under attack from a variety of threats. These include sophisticated cyberattacks on critical infrastructure (water and sewer), attacks that bring industrial control systems (ICS) to a grinding halt, abuse of low-power wide area networks (LPWAN) and hijacking of device communications, system lockdowns caused by ransomware, manipulation of sensor data to cause widespread panic (e.g., disaster detection systems) and compromise of personally identifiable information (PII), among many others.

Councils need to ensure "security by design" when embarking upon any type of Smart City/IoT initiative.

In practical terms, this means:

  • Conduct a Privacy Impact Assessment, a Business Impact Assessment and a Cyber Security Threat Assessment at the start of any such project. This will help identify the potential risks to security, privacy and availability before the system is designed and built. Once these assessments are conducted, specify the controls that must be built into the system(s). Don't forget that it's not just about breaching cyber security. Attackers are equally interested in denying service to smart city systems for fun (i.e. bringing the systems down).
  • Embed the controls. Ensure the specified controls are built into the system from the start. It's far more costly and disruptive to try to retrofit controls once a system is built, so make sure they are "baked in" from the beginning.
  • Independently validate the controls prior to implementation. This means engaging an independent party (i.e. independent of the people who "built" the system) to validate the adequacy of the controls. This may include vulnerability scanning, penetration testing, cyber security audits and/or code reviews.
  • Ensure ongoing validation. Systems don't stay static. They are continually enhanced, upgraded, modified and uplifted. New vulnerabilities are found every other day. Councils should therefore subject their Smart City technologies to independent security assessment following any significant change to a system and/or at least every year.
  • Test Council's Cyber Incident Response Plan. Despite a Council's best efforts, adversaries will (unfortunately) often find a way through. Sometimes, it'll be as silly as switching sprinklers on and off, but other times it'll be as destructive as opening sewerage valves or disabling building management systems. Councils must have a documented Cyber Security Incident Response Plan, and it must be regularly tested (like testing a Business Continuity Plan).
