Smart cities promise to improve the lives of residents via data and technology that deliver faster and more efficient traffic patterns, increased connectivity and safer streets, among other benefits. Yet as cities deploy Internet of Things sensors, they become increasingly vulnerable to cyberattacks, including distributed denial-of-service and botnet attacks.
A report released in July by Forrester Research takes aim at this problem, identifying several reasons why smart cities face security challenges and what civic leaders and IT managers can do to overcome them.
The report — and a blog post summarizing it from Merritt Maxim, a Forrester vice president and research director — notes that city planners are putting cybersecurity on the back burner even though the city’s connected devices are vulnerable to attack, and that decentralized smart city projects undermine a centralized approach to cybersecurity defenses.
Additionally, IT security professionals in city governments are not tackling the physical security threats to IoT devices. City IT leaders are simply overwhelmed by the amount of data they are collecting from IoT devices, and they are unable to accurately determine whether their smart city data and algorithms have been compromised.
Forrester advises city IT leaders to add zero-trust security elements to smart city infrastructure and offers “practical recommendations to determine your current security and privacy posture and identify what needs to be done to empower smart city cyber readiness against the expanding threat surface,” Maxim says.
Smart Cities Face Cybersecurity Hurdles
Smart cities have inherently large attack surfaces, given all of the connected devices that combine to make city infrastructure smart in the first place. Any one of those devices may be vulnerable, and it is difficult to ensure that they are all secured against a cyberattack, Network World reports, discussing the Forrester report.
Smart cities are also left vulnerable because of legacy software that is not patched and because some facilities may be remote or have lax physical security. “The report gives the example of wastewater treatment plants in remote locations in Australia, which were sabotaged by a contractor who accessed the SCADA systems directly,” Network World reports.
The decentralized nature of smart city projects, which are spread across a wide geographic area and potentially managed by different city departments, also represents an IT security risk, the report notes. “Without a centralized security approach, any initiative that leaves a gap in security policy or control in a smart city implementation increases the risk,” Maxim says.
IoT devices may also be collecting too much information on residents, including personally identifiable information, the report says. And that data may be tampered with, which could alter how services are run and detract from the benefits of the smart city project.
“Security teams are just gaining maturity in the IT environment with the necessity for data inventory, classification, and flow mapping, together with thorough risk and privacy impact assessments, to drive appropriate protection,” the report says.
“In OT environments,” meaning operational technology environments, the hardware and software that monitor and control how physical devices perform, “they’re even further behind.”
How can city IT leaders increase their defense posture? One basic tactic is to conduct careful log monitoring to spot suspicious traffic, Network World reports.
Another tactic is to conduct a robust inventory of IoT assets and have centralized control and security, which should make it more difficult for attackers to compromise smart city networks or devices.
Further, alerts that truly provide contextual information about threats should help IT managers respond more effectively if an attack should materialize, according to Network World.