IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Securing the Smart City

As cities grow smarter and more connected, what implications does that have for cybersecurity?

What does it mean to be a “smart city” in 2018?   

All over the world, smart trash cans are turning what used to be 14 trash collections a week into just three pick-ups by utilizing smart compactors. Philadelphia has installed more than 1,100 smart trash cans around the city and saved about $1 million.

To curb gun violence, Boston has deployed a sensor-based gunfire detection system that can alert officers to precise crime scenes within seconds.

What’s common in these smart city examples? Governments rely on constant connectivity to volumes of data from stationary and moving sensors. This data is transformed into useful information using data analytics to provide better overall business value, effective customer service and better quality of life.

And exponentially more data is coming soon via Internet of Things (IoT) advances with smart lighting, building automation, emergency management systems, security and access control systems, intelligent grids, renewable power, connected water treatment and supply, transportation sensors, and many other smart sensors in every area of life.

Put simply, global governments foresee a new information renaissance transforming public services.

How big is this effort? Experts at the SmartAmerica Challenge predict that approximately $41 trillion will be spent on smart cities over the next 20 years to upgrade infrastructure to benefit from IoT advances.

A Smart Step Back

What could derail these efforts? I’ve seen two smart city camps emerge. On one side, smart city planners share thousands of stories, conferences and case studies advocating smart cities in various channels.

But within the cybersecurity community, the messages are much more negative. In fact, some are saying the sky is already falling.

In this debate, like so many others, both sides passionately believe what they are saying. However, there isn’t much listening to the other side to reach a workable middle ground.

I raise these security questions as an advocate who believes smart cities projects can solve problems like overcrowded cities, lack of resources, insufficient transportation choices and more. At the same time, I’ve also seen cybersecurity ignored for decades when new government strategies are announced — until a major incident occurs or it’s too late.

So can these two sides find common ground? What are the right questions that need to be answered?

Microsoft has published an excellent paper on securing the IoT, which includes seven properties of highly secure devices. Here’s a condensed view of IoT security topics, and the cybersecurity questions that should be asked for smart city project implementations.

  • The hardware-based root of trust: Does each device have a unique identity that’s inseparable from the hardware?
  • Small, trusted computing base: Is most of the device’s software outside its trusted computing base?
  •  Defense in depth: Does your device software have multiple layers of protection built in?
  •  Compartmentalization: Are you using hardware-enforced barriers to stop failures from propagating to other components?
  • Certificate-based authentication: Do your devices use certificates rather than passwords?
  • Renewable security: Can the device’s software be updated automatically to a more secure state?
  • Failure reporting: Do you have a solution in place to report software failures to the manufacturer?

Resources to Help

The challenge of bridging the smart cities security divide won’t be easy. But there are organizations trying to help, such as Its mission is to “help the world build smart cities with cybersecurity in mind.”

The National Institute of Standards and Technology (NIST) kicked off a Global City Teams Challenge (GCTC) in February 2018, with the goal of encouraging participating teams to have additional primary focus on cybersecurity and privacy, in addition to existing GCTC goals like replicability, scalability and sustainability.

Finally, many individual companies such as Deloitte, Cisco, IBM, Schneider Electric, Siemens, Microsoft and others have smart cities efforts. The difficulty will be to overcome proprietary solutions that may not work well together.

Vince Lombardi once said, “Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.”

Let’s apply that commitment to smart cities. 

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.