A failure of internal systems might be a private misfortune, but failure of connected city systems can be catastrophic. At some situations, it might brings about even more dangerous situations than terrorist attacks because the impact of an extensive cyber attack has a significant potential to create social unrest and to disturb every individual at all ages to your innocent little baby lying on his/her cradle.
A new data processed by Juniper Research Ltd indicated that the number of IOT (Internet of Things) connected devices will rise to 38.5 billion in 2020 from 13.4 billion in 2015, which is a rise over 285%.
It means that we are getting more connected to each other at cyber level and not only are you connected, but also all city infrastructures providing vital functions at the back-side.
We’re still at an early stage of IOT world. Knowing what information to integrate, or integrating those information into back office systems – in a secured way – still remain as a huge challenge. Think about a wide-scale of IOT penetration into public water systems, power grids, waste management, traffic control systems, street lightings, public transportations, physical security systems and so on. If some critical infrastructures do not work for days or weeks at a wide-scale in metropolitan areas or strategic locations, it would be even likely to bring about public riots or big economic losses. Therefore, smart city security issues are not only intellectual discussion subjects, but also highly related to homeland security, economic security and securing the sustainability of all city services.According to the CTO of IOActive, there are at least 200,000 vulnerable systems just even for traffic control purposes all around the world including New York, Washington, London, Istanbul etc.
Priority of companies regardless of their size is to sell their products and governments are releasing those products without any security testing. We understand that functionality outpaces cyber security requirements at a global scale.
By 2020, potential market for smart cities will be more than $1 trillion and many cities are in more danger as they are getting smarter. Unfortunately, we have not been ready yet for the oncoming threaten.
There are four biggest challenges every cities face with all over the world;
Four biggest challenges
(i) Insecure products and insufficient testing: Smart cities can be hacked and fed by fake data, which may cause to problems to be able to paralyze vital city functions such as signal failures, shutting down of public transportation vehicles (subways, tramways etc.), allowing contamination in water supplies, manipulation of traffic control systems, city-wide or country-wide blackouts etc. As Cesar Cerrudo wrote in a report on Apr-15, even vendors do not know anything about cyber security. They do not have sufficient skills and continue not to attach importance on security. For example, many vendors do not object to giving full privileged access to anyone on local network because they think of local networks as safe.
(ii) Cascade effect: There are operational interdependencies in a city. If rail system does not work, people may not go to their works, traffic is paralyzed and all other city services might be locked. In other words, it creates a chain effect. Critical systems may change city to city. However, if attackers/terrorists launch an attack on a small, poorly secure infrastructure seeming unimportant, it might even create a snow ball effect to fall apart the whole city system. Moreover, all smart city solutions are delicate systems and they are getting more vulnerable over time against human capabilities, which requires a continuous oversight forever all over the systems and even processes (please, see the next item).
In 2015, futurist Dr. Simon Moores uttered the thoughts sticking in everybody’s mind at IFSEC London: “Integrating an entire city full of these networks (IOT) presents an almost intractable problem. Until now, smart city development has focused on technology, not people; cost-savings, not security; and top-down, not bottom-up approaches. A long, messy, and incremental process is ahead and the winners and losers will depend upon how well they can adapt.”
(iii) Lack of oversight and organization: Each city should have a separate cyber security organization around a central coordination & oversight body not to only generate security reports, but also check all cross-function vulnerability assessments, provide security coordination and develop incident/emergency response planning.
Furthermore, this is also an issue correlated with securing the all smart city processes because current attitudes/actions may not be suitable for the security requirements of a near future. For example, giving out all strategy & vision plans of your city to big tech companies by contracts due to cost-benefit concerns is like handing over the audit of your security future into the hands of tomorrow’s defendant. Just think about it (!) Who would be really responsible when a smart city crash and a failure lead to enormous losses? Therefore, city governments should think of the all processes from end-to-end in terms of build up a sustainable security future.
(iv) Shifting politics & shifting budgets: Security policies of a city or budget of which might be delicate issues since they are highly dependent on elected officials. Besides, getting budget for security concerns requires a process of educating city leaders. Any change in election results may lead all pre-established policies go to waste, or leaders’ attitudes may severely change according to the extent of their risk awareness or recent developments, and you might have to re-start again to educate them. It is a complicated situation, but security problems of cities are real. Furthermore, almost all of the best professionals are working for private companies instead of governments. In this regard, the best option is to create sustainable security policies and approaches above politics.