How to Make Smart Cities Secure by Design
For cities pursuing smart city strategies, whether that involves connected streetlights with sensors or technology at intersections to make them safer and ease traffic congestion, IT leaders have a responsibility to understand how their vendors are securing the solutions they are providing.
IT security teams should be involved in all requests for proposals to ensure there is an audit trail and proper certification that vendors are conducting their own security reviews of components and following industry standards for securing Internet of Things devices.
CIOs, CTOs and other IT leaders must be aware of the solutions cities are selecting and make sure security is baked into them from the start. They should work proactively to understand how their vendors are encrypting data and ensuring there is multifactor authentication for network access control. Vendors must provide documentation that their connected devices are secure.
Further, security patches and updates for connected devices should not be reliant on the city or town having a valid warranty for those products; they need to be continuous and ongoing. Vendors must be able to provide a quick checklist to show what those updates mean. Are they for software or embedded firmware? Can devices be updated over the air? Such questions should be answered before cities deploy new technologies.
Additionally, cities should conduct regular audits — quarterly, if possible — to ensure their IoT devices are being patched. IT leaders should prioritize them from the highest to lowest risk for a given city. For example, a city that is prone to flooding likely will want to ensure that water leak or flood detection sensors are not at risk of being tampered with during a cyberattack.
Partnerships Can Help Close the Cybersecurity Gap for Smart Cities
City leaders should reach out to nearby or peer cities to explore best practices for securing smart city devices.
Larger localities and agencies likely will have the budget and staff to do much of this work, and they should. Smaller ones will probably need to connect with trusted third parties to help them do some of this necessary cybersecurity work.
The first priorities in such exercises should be to conduct an audit of the city’s networked devices, perform a gap analysis to determine where security holes might exist and then establish an ongoing threat mitigation strategy with continuous support from third parties if necessary.
Cities and towns should also be realistic about their IT security staffing and what can be accomplished in-house. If staffers are stretched too thin, security across the board is likely to suffer.
Agencies will have to start thinking of cybersecurity budgets in much the same way they think about budgets for standard commodity items. While establishing a budget line for smart city cybersecurity may be costly, the cost of a successful cyberattack that cripples a city or harms residents is likely to be exponentially higher. Investing in security is always worth it.