10-Step
Cybersecurity Checklist for Smart Cities
We have
already discussed how smart cities are being designed to fit the culture and
needs of citizens worldwide. We have also delved into how smart technology
implementations in critical sectors can be attacked. We have also learned how
the absence of well-defined security standards and regulations, can turn
projected benefits into unforeseen problems.
already discussed how smart cities are being designed to fit the culture and
needs of citizens worldwide. We have also delved into how smart technology
implementations in critical sectors can be attacked. We have also learned how
the absence of well-defined security standards and regulations, can turn
projected benefits into unforeseen problems.
In order to guide smart city developers, we have come up with a
quick 10-step cybersecurity checklist they can refer to when implementing smart
technologies.
quick 10-step cybersecurity checklist they can refer to when implementing smart
technologies.
1. Perform
quality inspection and penetration testing
Smart technologies have to undergo strict inspection and testing
before any kind of city-wide implementation. This step allows the implementing
body to catch any security issues (e.g. data leaks) or maintenance concerns
(e.g. service malfunctions) before any smart device, infrastructure, or service
is made available to the public.
before any kind of city-wide implementation. This step allows the implementing
body to catch any security issues (e.g. data leaks) or maintenance concerns
(e.g. service malfunctions) before any smart device, infrastructure, or service
is made available to the public.
Municipalities should hire independent contractors to run
penetration tests on a regular basis. Since penetration testing only puts
emphasis on vulnerability scanning, standard product testing procedures such as
quality assurance (QA) or quality testing (QT) should also be mandatory. QA
focuses on spotting defects in smart technologies, while QT zooms in on their functionality.
penetration tests on a regular basis. Since penetration testing only puts
emphasis on vulnerability scanning, standard product testing procedures such as
quality assurance (QA) or quality testing (QT) should also be mandatory. QA
focuses on spotting defects in smart technologies, while QT zooms in on their functionality.
2. Prioritize
security in SLAs for all vendors and service providers
Smart city adopters should draft service level agreements (SLAs)
that list the security criteria smart technology vendors and service providers
need to meet. It should be clear to both parties that non-compliance to the
specified conditions has corresponding penalties. The criteria could include a
guarantee on the data privacy of citizens, a 24×7 response team in case of
problems, or the abovementioned regular penetration testing and security
audits.
that list the security criteria smart technology vendors and service providers
need to meet. It should be clear to both parties that non-compliance to the
specified conditions has corresponding penalties. The criteria could include a
guarantee on the data privacy of citizens, a 24×7 response team in case of
problems, or the abovementioned regular penetration testing and security
audits.
3. Establish
a municipal CERT or CSIRT
When any security incident involving smart implementations
arise, a dedicated municipal computer emergency response team (CERT) or
computer security incident response team (CSIRT) should be readily available to
respond. These teams need to be adept at performing appropriate countermeasures
in case of attacks, or service recovery in case of system failures. These teams
may also be in charge of vulnerability reporting and patching, vendor
coordination, and sharing best security practices.
arise, a dedicated municipal computer emergency response team (CERT) or
computer security incident response team (CSIRT) should be readily available to
respond. These teams need to be adept at performing appropriate countermeasures
in case of attacks, or service recovery in case of system failures. These teams
may also be in charge of vulnerability reporting and patching, vendor
coordination, and sharing best security practices.
4. Ensure
the consistency and security of software updates
Once software and firmware updates are available for the devices
used in smart cities, they should be deployed immediately. Both municipalities
and vendors must make sure that updates are delivered in a secure manner—with
encryption and digital signatures—to ensure software integrity. Digital
signatures are used to verify if the updates are authentic and not corrupted or
tampered with before installation.
used in smart cities, they should be deployed immediately. Both municipalities
and vendors must make sure that updates are delivered in a secure manner—with
encryption and digital signatures—to ensure software integrity. Digital
signatures are used to verify if the updates are authentic and not corrupted or
tampered with before installation.
5. Plan
around the life cycle of smart infrastructures
Smart infrastructures have longer service life than of the
run-of-the-mill consumer products. However, it is important that municipalities
create detailed procedures they need to take once the infrastructure becomes
obsolete and vendor support for it ends. End-of-support may lead to serious
vulnerabilities that can be exploited and attacked.
run-of-the-mill consumer products. However, it is important that municipalities
create detailed procedures they need to take once the infrastructure becomes
obsolete and vendor support for it ends. End-of-support may lead to serious
vulnerabilities that can be exploited and attacked.
Smart city adopters should also consider the physical state of
these infrastructures. Years of deployment, lack of maintenance, and overuse
can wear them out. By planning around an infrastructure’s life cycle, it will
be easier for municipalities to fix or replace them in the future.
these infrastructures. Years of deployment, lack of maintenance, and overuse
can wear them out. By planning around an infrastructure’s life cycle, it will
be easier for municipalities to fix or replace them in the future.
6. Process
data with privacy in mind
As a rule of thumb, any data collected in a smart city should be
anonymized in order to protect the privacy of citizens, especially if it’s
going to be published as open government data (OGD). If any portions of the
dataset have no relevance to smart city projects, they should be completely
discarded.
anonymized in order to protect the privacy of citizens, especially if it’s
going to be published as open government data (OGD). If any portions of the
dataset have no relevance to smart city projects, they should be completely
discarded.
Access to sensitive data should be restricted to only those
accredited by the municipality, such as service providers who are bound by
SLAs. A clear information-sharing plan should be in place. This should cover
what data can be shared, to whom, and what privacy controls will be implemented
for the data. The plan must also include data backup provisions and a recovery
strategy in case of disasters.
accredited by the municipality, such as service providers who are bound by
SLAs. A clear information-sharing plan should be in place. This should cover
what data can be shared, to whom, and what privacy controls will be implemented
for the data. The plan must also include data backup provisions and a recovery
strategy in case of disasters.
7. Encrypt,
authenticate, and regulate public communication channels
All communications—both wired and wireless—should be protected
against eavesdropping, interception, and modification, especially if the data
contains sensitive information. Strong cryptography should be in place while
encryption keys should also be well-kept and protected.
against eavesdropping, interception, and modification, especially if the data
contains sensitive information. Strong cryptography should be in place while
encryption keys should also be well-kept and protected.
All smart communication systems should at least require a
username and password to be accessed. Strong authentication mechanisms such as
one-time passwords, biometrics, and two- or multi-factor authentication can be
adopted to enhance security.
username and password to be accessed. Strong authentication mechanisms such as
one-time passwords, biometrics, and two- or multi-factor authentication can be
adopted to enhance security.
Municipalities should also regulate communication protocols and
traffic to decrease the risk of knocking a centralized system or several
interconnected devices offline. Unnecessary functions and features on smart
communication systems should be disabled. This limits their attack surface and
deters attackers from abusing them.
traffic to decrease the risk of knocking a centralized system or several
interconnected devices offline. Unnecessary functions and features on smart
communication systems should be disabled. This limits their attack surface and
deters attackers from abusing them.
8. Always
have a manual override ready
Despite the allure of fully automated smart systems, keeping the
ability of a manual override is still very important. In case of a serious
system malfunction or compromise by a malicious actor, the manual override
offers municipalities the ability to perform incident response regardless if
there is no internet connection or if the attacker locks out their remote
access capabilities.
ability of a manual override is still very important. In case of a serious
system malfunction or compromise by a malicious actor, the manual override
offers municipalities the ability to perform incident response regardless if
there is no internet connection or if the attacker locks out their remote
access capabilities.
9. Design a
fault-tolerant system
When smart infrastructures and applications continue to operate
properly even if one or more of its components fail, you have a fault-tolerant
system. Smart city services may experience reduced response or performance, but
the system ensures continued functionality rather than failing completely. This
will require redundancy techniques
(hardware, software, and time) to tolerate operational faults and perform
needed functions.
properly even if one or more of its components fail, you have a fault-tolerant
system. Smart city services may experience reduced response or performance, but
the system ensures continued functionality rather than failing completely. This
will require redundancy techniques
(hardware, software, and time) to tolerate operational faults and perform
needed functions.
10. Ensure
the continuity of basic services
In the unfortunate scenario where all systems fail, citizens
should always have access to basic utilities (e.g. electricity, water) and
services (e.g. emergency response). If the primary electric delivery system
fails, for example, there has to be an alternative source of power.
should always have access to basic utilities (e.g. electricity, water) and
services (e.g. emergency response). If the primary electric delivery system
fails, for example, there has to be an alternative source of power.
Cities will get smarter
over time. This is inevitable as governments slowly move towards
techno-utopianism. Whether these cities are built from the ground up or built
around and over established metropolises, it is always important to balance
functionality with security. Cities are created by citizens to meet the needs
of its citizens. It’s only right to protect them.
over time. This is inevitable as governments slowly move towards
techno-utopianism. Whether these cities are built from the ground up or built
around and over established metropolises, it is always important to balance
functionality with security. Cities are created by citizens to meet the needs
of its citizens. It’s only right to protect them.
For the LATEST tech updates,
FOLLOW us on our Twitter
LIKE us on our FaceBook
SUBSCRIBE to us on our YouTube Channel!
