By: Shrikant Shitole, Managing Director, India, Symantec
The concept of smart cities has evolved from being a futuristic idea into a dream taking shape. By engaging more effectively and actively with citizens, Smart cities intends to enhance the quality and performance of urban services. To realize this, consistent efforts being made towards digital advancements or information and communication technologies (ICT) is most important. It would require a collaborative effort drawing on the experiences, ideas and skills from industry stalwarts, coupled with global innovation and expertise to ensure steady progress of the initiative. From an infrastructure standpoint, smart cities will require smart grids, energy efficiency, intelligent transportation, connected healthcare, public safety and security along with wireless communications and hotspots. Critical in shaping the future of smart cities will be various devices like sensors, gateways, communication infrastructure and servers which will collectively form the ‘Internet of Things’. While this is will offer benefits but will also expose vulnerabilities in the form of information security challenges.
Such an aspiring initiative will provide benefits but will at the same time, expose vulnerabilities in the form of information security challenges. With digital transformation, information security needs to be considered as an integral part of the plan rather than an afterthought.
Smart city security – Combating vulnerabilities
As Internet of Things (IoT) becomes the bedrock of smart cities, administrators will have greater security challenges to grapple with. With increased data generation within the city infrastructure, the smart city soon becomes a tempting proposition for cybercriminals because of its technological diversity and sophistication. Any system, after all, is only as good as its weakest link.
The connected India of tomorrow is set to see an unprecedented level of advancement in technology and infrastructure. This increase in ICT complexity would mean heightened vulnerability (hyper-vulnerability) to both malicious attacks and unintentional incidents. Symantec’s Internet Security Threat Report (ISTR) Vol. 21, highlights that with increasing integration of ICT in critical infrastructure, India continues to be a top source as well as destination of cyber attacks. It continues to rank as the third top source of overall malicious activity including spam, malware, phishing hosts and bots, etc. What’s alarming in this situation is, the tactical and organizational shift cyber attackers have taken. They are adopting corporate best practices and establishing professional businesses in order to increase the efficiency of their attacks against enterprises and consumers. This new class of professional cybercriminal spans the entire ecosystem of attackers, extending the reach of enterprise and consumer threats and fueling the growth of online crime.
With traditional control systems, exploitation of vulnerabilities can potentially disrupt the data exchange between control centers and end users, thus compromising service delivery. Intruders can also install malware to take control of networks and cause a denial-of-service situation. In the EU, for example, smart meters are expected to be installed in two-thirds of all homes by 2020. But as things stand, they lack security controls. It is possible to manipulate smart meters even in large-scale metering infrastructures. At the end-user level, smart meters may simply be hacked to ‘steal’ energy from other users or for other fraudulent purposes.
In a scenario of overlapping functions like in a smart city infrastructure, the processing and information exchange in the city needs to be interconnected using common middleware. The systems need to be standardized, interoperable and open, taking into consideration third-party information. And above all they need to be completely secure.
Creating a cyber-resilient smart city
Worldwide, smart cities are on the rise with city planners competing to attract business and talent without placing excessive demands on the environment. However, increasing ICT complexity means increasing vulnerability to malicious attacks- making the safety and well-being of citizens and business a top priority for city administrators. Smart cities can securely thrive and prosper if cybersecurity and information security are fundamental components in the smart city blueprint.
Establishing a governance framework – This will help identify and engage key stakeholders
Ensure governance, risk and compliance (GRC) – This is will make sure IT departments are able to monitor their environment and meet compliance regulations
Enabling service continuity – Cities aspiring to be “smart” must learn to secure and manage diverse environments. There is as yet no alternative to deploying up-to-date solutions for security, backup, data loss prevention, archiving and disaster recovery
Protecting information proactively – People responsible for modeling the city’s information backbone must embrace an information-centric approach, which includes using content-aware information tools that consider users’ context before sharing information with them
Authenticating users – By ensuring the true identity of a smart device, system or application, strong authentication techniques can ensure protection for an organization’s public-facing assets
Balancing traditional v. cloud delivery – All the smart services mentioned so far can be accessed along the traditional client-server route or as a cloud-based “pay as you go” services; smart cities must work toward achieving a happy balance between the two models
Managing security services – Cities should seriously consider outsourcing cybersecurity services to minimize security disruption and data loss
Protecting infrastructure – Top priorities for IT administrators in smart cities include securing endpoints, messaging and web environments, and critical internal servers as well as providing for improved data backup and faster recovery
Ensuring 24x7 availability of critical infrastructure – There is need to ensure resilience in case of an incident by way of adequate backup and recovery software or appliances, policies, processes and tools
Developing an information management strategy – This will include information retention plans and policies, and implementation of deduplication techniques in as many places as possible to free up resources. A full-featured archive, an eDiscovery system and data loss prevention technologies would be the other components of this strategy.
Working with seasoned partners for security and information protection – On the security front, cities can’t dilly-dally for too long. Given that there is insufficient in-house expertise, city planners must tap expertise from external partners with worldwide visibility of cyber threats and attacks.
Security threats are now an integral consideration in the private sector boardroom, and for policy making within the public sector. Public administrators know that any serious incident or breach could result in devastating outcomes in terms of financial, data, credibility and reputation loss.
Choosing reputable, experienced thought leaders as partners in conceiving such complex developments is an important step in the right direction towards building resilient smart cities for the digital India of the twenty-first century.