Piyush Pandey, managing director at Deloitte's Risk & Financial Advisory practice, talks about how to guard against cyberattacks on smart cities' web of interconnected technologies and constant data flow.
“How do you collect the data? How do you secure the data? How do you categorize the sensitivity of the data and make sure that the right level of security is in place for the information that you're collecting?”
—Piyush Pandey, managing director of Deloitte & Touche LLP’s Risk & Financial Advisory practice and Smart Cities Cybersecurity leader
Tanya Ott: I’m Tanya Ott and today on the Press Room we’re talking about how “smart cities” can protect themselves. What’s a smart city? It’s a city that uses data, digital, and design thinking to make intelligent decisions about how to provide services to its residents. A while back I had Tom Davenport on the show and he shared an example from Singapore that explains it well.
Tom Davenport: They have sensors all around the city. They use data from taxi cabs, [and] they’re putting sensors in the streets. And they manage to pull a lot of it together, and they have a descriptive-analytics display—a dashboard—of what’s happening around the city at a centralized location in terms of traffic activity. But beyond that, you have to start talking: Are we going to close off certain streets if it gets too congested? Are we going to give people certain economic incentives or disincentives to drive certain streets?
Tanya Ott: So—lots of Internet of Things devices gathering data from all over and sending it back to a central system that can then make decisions about deploying resources. My guest today spends a lot of time in this space.
Piyush Pandey is a managing director with Deloitte & Touche LLP’s Risk & Financial Advisory practice. His focus is cyber risk—helping smart cities understand how to protect interconnected technologies and Internet of Things devices from being hacked. He does a lot of work around smart cities, and he dives into these issues in an article in Deloitte Insights called Making smart cities cybersecure.
Piyush Pandey: The idea is to create a community which is sharing the information and using that information to make intelligent decisions about transportation, about the movement of people, about water supply, and [about] many areas of the cities’ services that are currently delivered in a more mechanical and nonautomated session. But underneath these cities, or these smart ecosystems and domains, whatever you want to call it, are a massive network of digital connections with trillions of systems and devices and sensors and actuators that are connected to each other. They are transmitting data and controlling the physical environments. So essentially you have IT systems, cyber systems controlling and manipulating the physical environment and making a decision about it—whether it's switching on and switching off the traffic lights, manipulating the traffic light to make sure that the emergency vehicles can pass through, or communicating to the health care facility that there is a passenger coming through who has a specific treatment requirement or medical requirement. These types of things which are very fundamental or basic examples of smart cities or connected cities, where things can be done quickly by sharing the information—[they can] make a decision instantly instead of waiting for it and losing time and efficiency.
Tanya: It creates efficiency. It also can create customer experience if you're talking about forward-facing, customer-facing services that a city provides. What are the underlying technologies that are making all this possible?
Piyush: There are three architectural layers of these smart cities. There is the edge layer, which is about the devices, the data-collection mechanisms like the sensors and actuators and applications, the smart phones, and all those devices which are either being used to collect information or process the information. And then there is a core, which is kind of the data platform where all this information [goes], all these devices are collecting the information and sending it to this centralized data platform. The data platform is where all these decisions are being made by applying the logic to the data, processing the data, analyzing it, applying analytics, and so forth. And then there is the communication layer, which is a constant through the connection between this core and the edge. There is communication there, which sits in between. So, these are the kind of three technological or architectural layers that constitute a smart city.
Tanya: You've got this massive amount of data that's being transmitted back and forth all of the time and that's a good thing because, as we said, it allows cities to serve their constituents more seamlessly or efficiently, whether it's in something you know like traffic or health care or whatever. But it also opens up a door to cyberattackers. And you write that there has been an explosion in cyberattacks in the last several years. What kinds of attacks are we talking about?
Piyush: This massive web of interconnected devices and this constant flow of data between them opens up countless entry points for attackers who are seeking to compromise the system. This massive number of devices also poses privacy [risks], by the way. This is another topic to discuss by itself. We are seeing more and more of the issues and risks associated with the convergence of the cyber and physical systems. And what that really means is that people using cyber systems—the software, the IT systems—to manipulate the physical environment.
Tanya: Piyush says one example is a case from Germany, where hackers sent a booby-trapped email to targeted employees of a steel mill. An employee opened the email and essentially gave the hackers the logins to be able to access the mill’s control systems … including the blast furnace.1
Piyush: And through that they were able to actually shut down the furnace, which caused millions of dollars in loss. Luckily there were no other issues with that attack, but there was obviously a massive loss from the financial perspective.
And then we are seeing the denial-of-service attacks and malware and identity theft and some of those traditional attacks which we are seeing in [standard] IT systems. But the challenge with smart cities and IoT (Internet of Things) technologies is that the magnitude of these attacks and the consequences are drastically different. They are no longer limited to the financial losses or reputational losses as we used to see in the IT systems. If you attack a banking system, obviously there is a financial loss. Or if there is a credit card hack, then there is a loss of reputation for the organization who is collecting that information. But here, the risk is the physical threat which can impact the human life. A simple example is, somebody can manipulate the traffic data, disrupting the traffic lights operations, which can lead to serious accidents.
Tanya: I was working and living in Atlanta in March of last year when the city of Atlanta was attacked, and I remember they had to shut down the Wi-Fi at Hartsfield Jackson International Airport, which calls itself the busiest airport in the world. And that may have caused some issues.
Piyush: If you think about the IT system, the majority of operations in the traditional sense work in a very siloed fashion. So, there is a system which is going to perform certain operations, but any issues or challenges with that system or related devices will be in the confinement of that system. But in the cases of smart cities, the promise there is that systems will be interconnected, and why would they will be interconnected? Because data needs to be shared. So, from transportation to the water-supply system to the emergency system, all of this information needs to be shared and systems need to be connected. As soon as the systems are connected the vulnerability and issues in one system can cascade into another system.
And that's a classic example that you just mentioned. The problem wasn't one system, [it was that it] quickly got into another system and created widespread disruption.
Tanya: It becomes almost like a disease. So, do we have a sense of who's waging these attacks and what do they want out of them?
Piyush: The ultimate goal of any attack is obviously the monetary gains or the need to make a political statement—so there are state-based actors who are organizing these attacks or one-off hackers who just want to steal money or steal the data, which is the new gold, as they say. Or now, since these things are interconnected and also impacting physical life and human life, the intent could be to impact the overall state of the city and operations. There are a number of different reasons why the attackers are attacking these systems and creating this. The commonality is that they are pretty organized in their pursuit.
Tanya: I would imagine one of the other places where smart cities are vulnerable is that they may be running new systems in concert with legacy systems and there may be some interoperability issues between the systems.
Piyush: Yeah, absolutely. Typically, cities are procuring these devices and technologies from different vendors. They generate data in different formats. They use different communication protocols. The adoption of these radically innovative technologies and capabilities goes on at different rates for different cities or different departments within the cities. Millions of IoT devices from different manufacturers interconnect through multiple different network infrastructures. Whether it's a newly updated device or a device which is old and legacy, the vulnerability in one device—you just need a one vulnerable device—can quickly impact the entire network unless it is done in a real segmented manner.
Tanya: The question then is what do government leaders and urban planners and others do to protect their existing systems and the systems that they're building? You have written about an integrated approach to cybersecurity that's based on five core components, starting with a digital trust platform. What does that mean?
Piyush: This integrated cyber-risk framework is essentially about creating a holistic approach which needs to be incorporated in the planning of the smart city, the design and transformation stages as well. Because as the cities are evolving, the corresponding technologies and solutions to secure those technological evolutions have to be implemented as well. One of the very first things which is essential is digital trust. What that means is with these millions and trillions of devices, as they are interacting with each other, the authenticity of these devices, the data they are sending, the validity of that information, the integrity of that information is critical because decisions are being made on the information sent by these devices. It is critically important to have a right level of digital trust between these devices. So as these devices are put into the smart-city network, they need to make sure that the right level of authentication and identification of these devices takes place before these devices gets into the system.
Tanya: Trust is a really important thing between devices, but also between the consumer and the smart cities. You have this idea of “privacy by design” and who owns the data. Tell us a little bit about that.
Piyush: These devices are exchanging this information and collecting a variety of data and information about the citizens. An example: You're in a smart city, [and] the cameras and microphones and many of those sensors collect abundant and comprehensive data about residents—the physiological, the mental, economical, cultural, and locational states as they [residents] move around in the cities. So even though this is obviously for the benefit of citizens to increase the efficiencies of services that they will get, there is a legitimate public concern about the privacy implications of this data, what is being collected, and what is the purpose of this data.
When we talk about privacy by design, the idea is to integrate the data privacy principles right from the start when we are conceptualizing the solutions. So, for example, if we are putting a camera in a public place to collect information about the traffic, there has to be an understanding of what is the purpose of this data. Is the purpose of this data to collect information about just the traffic flow, not really identifying the actual citizens? [People] need to understand what are the controls in place to obfuscate the not-required information about the citizens, whether it's a facial recognition or the license plate number or anything which can identify the citizens. A very simple example, but the point here is that all those principals do understand the data which is being collected, the purpose of that data, and where the data will be used to make sure that the right information is being collected and not anything extra, which can infringe into the rights of citizens' privacy.
Tanya: You have a really interesting example in Los Angeles as it relates to cyber-threat intelligence and their analysis platforms. What's Los Angeles doing?
Piyush: As we talk about the digital trust and privacy by design, one of the things in this security community is you can put all sorts of controls in place, but an attack can happen any time. So, you need to have an ability to continuously monitor and use advanced technologies to not only do reactionary monitoring but to [also] proactively understand the risk and threats which are evolving. And this is where Los Angeles and some of the other [entities] have started to put together this cyber-threat intelligence platform, which is really about looking at the global threats which are emerging. Understanding the audits and logs of the existing systems and devices and trying to create a pattern and understand if anything is going to be a risk to the systems which that city or organization is managing. [It creates] this advanced intelligence platform which will allow you to monitor and react to that threat in real time rather than trying to clean up after the attack.
It's predictive analytics. It's about looking at the existing data as well as the emerging trends which are happening. This is where the human and artificial intelligence also comes into play: not just looking at the technological aspect, but looking at the behavioral and other aspects as well. Because in smart cities, one of the blind spots is that since the systems are interconnected, the attack can happen on one system and that system can be used as a conduit to attack on some other system, not necessarily on the system where that attack has originated. This is where the artificial intelligence and some of the more intense analysis comes into play to really understand where the threat is, rather than where you are seeing it right now.
Tanya: Then the next thing of course is response. Once you see something happening, how [does one] respond and how do you become resilient in that kind of situation? What should folks be thinking about on that front?
Piyush: One of the common things, which we are seeing more and more, is that the response has to be not just about the technological aspect—oh, let's clean up and let's make sure that the systems are intact and operations. It is about a very concerted way of responding to an event, which includes understanding how the communication will go out, how the communication will happen between the various different stakeholders, and in this case we are not just talking about one organization. We are talking about the city, which has multiple different stakeholders involved. These are all not part of the same organization. This is an ecosystem. So how will the communication happen between these ecosystem players, what kind of information they will be sharing, how they will quickly respond. and how they will segment their network or their infrastructure to allow this to be contained in a limited way?
Also, how will the backup and recovery and data strategy will take place? One of the challenges which we have seen more and more is ransomware, where real people encrypt information, the data, and then ask for the ransom. So how we can quickly get the data back up and running and create a good business-continuity plan and backup and disaster-recovery strategy without having to pay ransom.
Piyush: So you've got to look at the threats from various different angles, analyze the different scenarios, where and how the threats can materialize, and then become a threat, and then that can impact your operations and systems. Then, based on those threat scenarios, create the resiliency plan which will address your most critical systems first.
Tanya: As you're talking with industry leaders or you're talking with city leaders—where do they start? If they look at an example like Atlanta and they don't want that to happen to them—what are the first steps to take if they are feeling a little insecure about it?
Piyush: The way we look at this is security is not something which comes after the fact. Cybersecurity has to be part of your planning for smart cities, the design, the processes that you are trying to innovate and improve in your smart cities project. Make sure that the cybersecurity is integral part of those initiatives. What that really means is if somebody's trying to, let's say, modernize a process which deals with the traffic congestion, for example—now you need to put a lot of sensors around and devices and then connect those sensors to the systems, which will manage those sensors and traffic lights and so on. The security comes into play right away, because you need to understand the digital trust between these devices, what kind of data they will be collecting, the privacy considerations, how these devices will be interacting with each other. What is the security level of each of these devices? If some of these devices are dealing with the sensitive commands or interaction, [how do you make] sure that there is the extra added authentication for those devices? Those are the basic security considerations, but it needs to start right from the conceptual stage or your smart city planning.
Then, hand in hand, goes the governance aspect because of the massive numbers of devices and systems and assets. This was much easier when people were sitting in the confinement of one organization and they would have a visibility over the assets and devices that they need to manage, from the security standpoint. Now we are talking about a city in which devices are literally anywhere within the city and connected to each other and everything. So how do you set up a governance model for these assets? How do you identify these assets? How do you create a risk assessment of these assets to understand what function they are serving and how secure they are? And then along with that goes the data management, because all these devices or many of these are collecting the information, the data. How do you govern that data? How do you collect the data? How do you secure the data? How do you categorize the sensitivity of the data and making sure that the right level of security is in place for the information that you're collecting? So, security by design, the privacy by design are an integral part of this smart city strategy.
Tanya: That was Piyush Pandey, a managing director with Deloitte & Touche’s Risk & Financial Advisory practice. His new article Making smart cities cybersecure suggests ways to head off the threats that come with an increasingly connected urban future. You’ll find it at deloitte.com/insights.
We on Twitter at @deloitteinsight and I’m on Twitter at @tanyaott1. Thanks for checking us out today! If you’re not already a subscriber, it’s free and you’ll get the latest podcast sent directly to your device. We’ve got a new every two weeks, so subscribing is a great way to make sure you don’t miss anything. I’m Tanya Ott. Have a great day!
This podcast is provided by Deloitte and is intended to provide general information only. This podcast is not intended to constitute advice or services of any kind. For additional information about Deloitte, go to Deloitte.com/about.
As the world becomes more connected, cyber threats are growing in number and complexity. Cyber is moving in new directions—beyond an organization’s walls and IT environments and into the products they create and the factories where they make them.