Security

How to Make Cybersecurity a Priority for Smart Cities

Ensuring vendors are securing connected devices and performing internal audits is key to securing smart city technologies.

John Powers

John Powers is a Senior Business Development Strategist for Public Safety with CDW•G.

The global smart city market is expected to grow in terms of revenue from an estimated $129 billion in 2021 to $241 billion in 2025, according to data from Statista.

At the same time, experts are warning that cybersecurity cannot fall by the wayside as cities continue to roll out technologies to improve city services and make life easier for residents.

A report issued in summer 2021 from the research firm Guidehouse Insights found that the growth in smart city technologies could lead to new cybersecurity threats and “the risk of cascading failure across key city systems.” Even more worrisome, according to the report, is that securing connected devices and smart city systems is “often an afterthought.”

To address these cybersecurity concerns, government leaders and top IT decision-makers in cities and towns should be doing several things to make their connected infrastructure as secure as possible.

Cities and towns must ensure their vendors are securing their devices and technologies by design and not slapping on security protections after the fact. They should have IT staff dedicated to cybersecurity for smart city devices and deployments and they should be conducting audits to find any security gaps.

Click the banner below to get a customized smart city content experience by becoming an Insider.

How to Make Smart Cities Secure by Design

For cities pursuing smart city strategies, whether that involves connected streetlights with sensors or technology at intersections to make them safer and ease traffic congestion, IT leaders have a responsibility to understand how their vendors are securing the solutions they are providing.

IT security teams should be involved in all requests for proposals to ensure there is an audit trail and proper certification that vendors are conducting their own security reviews of components and following industry standards for securing Internet of Things devices.

CIOs, CTOs and other IT leaders must be aware of the solutions cities are selecting and make sure security is baked into them from the start. They should work proactively to understand how their vendors are encrypting data and ensuring there is multifactor authentication for network access control. Vendors must provide documentation that their connected devices are secure.

Further, security patches and updates for connected devices should not be reliant on the city or town having a valid warranty for those products; they need to be continuous and ongoing. Vendors must be able to provide a quick checklist to show what those updates mean. Are they for software or embedded firmware? Can devices be updated over the air? Such questions should be answered before cities deploy new technologies.

Additionally, cities should conduct regular audits — quarterly, if possible — to ensure their IoT devices are being patched. IT leaders should prioritize them from the highest to lowest risk for a given city. For example, a city that is prone to flooding likely will want to ensure that water leak or flood detection sensors are not at risk of being tampered with during a cyberattack.

Partnerships Can Help Close the Cybersecurity Gap for Smart Cities

City leaders should reach out to nearby or peer cities to explore best practices for securing smart city devices.

Larger localities and agencies likely will have the budget and staff to do much of this work, and they should. Smaller ones will probably need to connect with trusted third parties to help them do some of this necessary cybersecurity work.

The first priorities in such exercises should be to conduct an audit of the city’s networked devices, perform a gap analysis to determine where security holes might exist and then establish an ongoing threat mitigation strategy with continuous support from third parties if necessary.

EXPLORE: How can smart city tech improve community safety?

Cities and towns should also be realistic about their IT security staffing and what can be accomplished in-house. If staffers are stretched too thin, security across the board is likely to suffer.

Agencies will have to start thinking of cybersecurity budgets in much the same way they think about budgets for standard commodity items. While establishing a budget line for smart city cybersecurity may be costly, the cost of a successful cyberattack that cripples a city or harms residents is likely to be exponentially higher. Investing in security is always worth it.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.