How Secure Is Smart Infrastructure?

Many cities are rapidly deploying "smart" infrastructure technologies that promise to preserve and even enhance quality of life in an increasingly congested and urbanized world. Networked through fiber optics and wireless broadband, sensors embedded in buildings, in roadways, and in water, waste and energy systems generate enormous quantities of data used to reduce traffic congestion, optimize water and energy use, and make the environment more comfortable and safe.

But as useful as this technology is proving, its growing presence is raising new questions in a world in which cyberbreaches are beginning to seem like a daily occurrence: Just how secure are these systems and the data they hold?

In response to this perceived threat, a group of experts recently launched a not-for-profit global initiative called Securing Smart Cities to help government leaders reduce the liabilities of implementing the technology. "Every day we depend more and more on technology," says Cesar Cerrudo, a founding board member for the initiative. "If that technology is not secure and protected, it will get attacked, and people and businesses will suffer the consequences."

A chief concern is that sensors can intentionally be fed bad data that leads to faulty analysis and action. Automated elevators, lighting and building security systems, for example, could be disrupted. Roadway sensors connected to a smart traffic light system could be hacked and used to bring vehicle movement in a city to a halt. One needn't look any further than the impact of last winter's snowstorms on cities like Boston to see how this could disrupt businesses, schools and emergency services.

 
Potential outcomes like these raise important governance issues. "Who's responsible when a smart city crashes?" futurist Simon Moores asked during his keynote session at a recent conference in London. That question might be glibly answered with "the mayor" or "the city manager," but these responses are at best inadequate. Unlike during a severe snowstorm, the cause of such a debacle would be invisible and a mayor or city manager would be unable to mobilize an immediate solution. "Integrating an entire city full of these networks," Moores elaborated, "presents an almost intractable problem with two really, really big challenges: security and a lack of standards."

While these challenges might call into question the open design of the Internet, there's little chance of changing its basic framework. What will be needed instead are new regulations and standards to enable disparate systems to be securely connected.

With that need in mind, last year the National Institute of Standards and Technology (NIST) established a working group for what it calls "Cyber-Physical Systems" (CPS), and this March NIST released a preliminary discussion draft of a proposed standards framework.

But these standards, once they are in place, will raise new questions. Will cities seeking to broadly deploy CPS technologies, for instance, mandate that all equipment connected to their systems meets or exceeds the NIST security specifications? If the answer is yes, will there be the political will to enforce standards despite protests that the cost of compliance are too burdensome?

The answer to at least one question is clear: This must be a collaborative effort. "The cybersecurity of a modern, smart city is not something you can solve on your own," says Cerrudo. "The concept involves so many different technologies communicating with each other in so many ways that the only way to predict and eliminate all possible security issues is through collaboration between experts around the world."

Smart cities are, after all, connected cities. Trying to build one on your own is simply not a realistic or prudent option.

This article was originally published by Governing.