With the holiday season approaching, it’s difficult not to notice the substantial amount of smart devices available. From home assistants and security cameras, to thermostats, light bulbs, and cooking devices, just about everything is being designed to make our lives easier.

Earlier this year, we discussed the security risks accompanying smart devices and how their increasing ubiquity is making them prime targets of cyberattacks. However, looking back, it seems we may not have emphasized enough just how widespread the Internet of Things (IoT) has become.

As noted in the previous blog, IoT devices are projected to exceed more than 75 billion devices by 2025, which is an astounding amount. However, these devices aren’t solely being used by consumers to make their homes smarter—they’re beginning to be implemented across entire cities.

Beyond smart devices

Smart cities are essentially urban communities using distributed cameras, sensors, and data analytics to inform decision making of city administrators or to directly improve the quality of life and services of its citizens. Currently, these sensors are really just IoT devices, being used for industrial or municipal purposes, in addition to individual home needs.

No less than 66% of the world’s population is expected to reside in urban areas by 2050, a problem that could only get worse with growing global population. Although only a few cities around the world are considered smart cities so far, their rise is inevitable. As more people flock to urban areas and ultimately reside there, local governments have to implement innovative solutions to address the accompanying surge in pollution, traffic, and crime. One of the most promising solutions is a smart initiative that leverages the capabilities of IoT devices and big data analytics.

For example, a smart city can deploy parking sensors that wirelessly feed information to a mobile app, which in turn enables end users to determine the nearest available parking space. This alone can greatly improve traffic flow and reduce fuel emissions. Sewer sensors are another example. These devices can be used to monitor water levels in sewers and send alerts of potential flooding and fast leakage. Sensors deployed by utility companies like water, power, and gas can help manage consumption and reduce waste.

The data collected by these different sensors, including those used by private companies, can be combined to enrich one another and provide early detection of issues. This information also can provide additional insights as well as enhance or even spawn new services.

These are just a few of the many smart city projects that city governments are taking on. By collecting massive amounts of data through smart cameras and sensors and then gleaning actionable information through big data analytics, city administrators and citizens can make proactive decisions that make their city greener, economical, efficient, and safe.

But, as with consumer IoT devices in our homes and offices, the devices in smart cities also pose potential risks.

What new threats exist in smart cities?

As cities become more connected, the easier it becomes for malicious individuals to inflict physical harm through a cyberattack. In fact, we’ve already been offered a glimpse of this type of threat when WannaCry struck in 2017. Some of the infected systems in the U.K. were machines in National Health Service (NHS) hospitals used in medical procedures. Meaning some patients were deprived access of critical healthcare services.

Imagine if, in a smart city, an attacker targeted public transportation, communications, or the power grid. People could be subjected to incidents like blackouts, denial of access to services, or—if the attacker tinkered with traffic lights, air traffic control towers or railroad tracks—even catastrophic accidents.

Due to the sheer size of the network infrastructure as well as the number of sensors and components that make it up, a smart city naturally lends itself to an expansive attack surface. Also, depending on how connected each sensor is with one another and how the network is architected, one infected sensor could potentially lead to more compromises across the entire network.

The impact of attacks on smart cities comes at a much larger scale than attacks on consumer devices because the systems used in smart cities are typically designed to serve the general public.

As with consumer IoT devices, the devices used in smart cities are likewise plagued by the usual trivial security issues (i.e., they still need to be patched, properly maintained and configured, not to mention they still run on networks that can be potentially compromised).

Securing smart cities

Generally speaking, the controls required to secure a smart city should be no different from the controls needed to secure a corporate network. You need to have:

  • Encryption of data-in-transit and rest
  • Verification of systems talking to each other
  • Strong access controls

Establishing security controls to prevent potential blackouts, roadside accidents and the like isn’t the only major concern. Because the underlying fabric that makes up a typical smart city is a sprawling network of cameras and sensors that captures a significant portion of the day-to-day activities of its citizenry, it also raises major privacy concerns.

All those sensors have the capability of collecting a considerable amount of data. But, unless the citizens want to live in a dystopian future, there must be some level of anonymization applied to the collected data.

For example, the system used in a typical smart city, through its street cameras, can easily capture images of your car as soon as you leave your house and determine that you left your house on Tuesday at 7:03 a.m. Later on, once you arrive at the first traffic light, it can also determine that you were at a particular intersection exactly 44 minutes after.

However, city officials probably don’t really need to know that much detailed information about what each individual is doing at a given time in order to make informed decisions to improve the quality of life of its residents. So, in designing systems for smart cities, certain rules of data anonymization, encryption, and retention have to be applied.

In addition, city governments must determine beforehand who can access the data. There must be restrictions and well-thought-out methods to enforce those restrictions. Otherwise, loads of personal information can easily fall into the wrong hands.

Issues pertaining to third-party access to data already have popped up in a smart city project spearheaded by Sidewalk Labs (an Alphabet Inc. subsidiary), in Toronto’s Quayside neighborhood. A privacy consultant for that project resigned because the project was granting third-party access to stores of identifiable information.

Therefore, as with any IoT device, security must be baked in from the get-go, and it shouldn’t be applied only to the sensors, devices, and networks, but also to the overarching policy governing the entire infrastructure. You can’t completely rely on private companies, whose top priority would more often be to get the most profit, to implement security. Instead, city officials should enact strict laws that would ensure the security of their citizenry.

We have a long way to go until the majority of major urban areas are considered smart cities. However, several major metropolitan areas, including Dallas, Las Vegas, and Atlanta already are testing smart technology in their streets or in Smart City Living Labs to determine how to best roll out the technology. Smart cities certainly have the potential to improve the quality of life of its residents. But at the same time, it opens the doors to a whole new range of threats. Thus, the right balance between these two opposite goals should be established right from the start.