SMART cities are the future of urban living, harnessing the power of three Ds—digital technologies, data, and design thinking—to boost the efficiency and effectiveness of city services. However, this new wave of digital transformation also brings new cyber risks that could fundamentally impact the existence of smart cities. Cyber threats have been on the rise for years, but the last few years have seen an explosion in cyberattacks that target both data and physical assets.¹

As connected devices proliferate at a breakneck speed—the number of IoT devices is expected to rise from 8.4 billion today to almost 20 billion by 2020²—cyberattacks and vulnerabilities in one area can have a cascading effect on numerous other areas. The consequences could extend beyond just data loss, financial impact, and reputational damage risks—severe enough as they are—to include disruption of crucial city services and infrastructure across a broad range of domains such as health care, transportation, law enforcement, power and utilities, and residential services. Such disruptions can potentially lead to loss of life and breakdown of social and economic systems.

The rapid hyperconnectivity and digitization of cities are accelerating cyber threats. To tackle the challenge, government leaders, urban planners, and other key stakeholders should make cybersecurity principles an integral part of the smart city governance, design, and operations, not just an afterthought. In this paper, we examine the key factors that influence cyber risks in a smart city ecosystem and a broad approach that city leaders can adopt to manage these risks.

Smart cities face unique cyber risks

A smart city is a complex ecosystem of municipal services, public and private entities, people, processes, devices, and city infrastructure that constantly interact with each other. The underlying technology infrastructure of the ecosystem comprises three layers: the edge, the core, and the communication channel (figure 1). The edge layer comprises devices such as sensors, actuators, other IoT devices, and smartphones. The core is the technology platform that processes and makes sense of the data flowing from the edge. The communication channel establishes a constant, two-way data exchange between the core and the edge to seamlessly integrate the various components of the ecosystem.

This massive amount of data exchanges, integration between disparate IoT devices, and dynamically changing processes creates new cyber threats, compounded by complexities in the other components of the ecosystem that wrap around the technology infrastructure. For instance, data governance can be a thorny issue for cities as they need to think about whether the data is internal or external; whether it is transactional or personalized; whether the transactional data is collected via IoT devices; and how the data is stored, archived, duplicated, and destroyed. In addition, due to a lack of common standards and policies, many cities are experimenting with new vendors and products, which create interoperability and integration problems on the ground and exacerbate cyber risks.

Three factors influence the potential cyber risk in a smart city ecosystem (figure 2):

1. Convergence of the cyber and physical worlds

2. Interoperability between legacy and new systems

3. Integration of disparate city services and enabling infrastructure

To begin to understand how to manage the cyber risk landscape, it helps to explore each of these factors further.

Convergence of the cyber and physical worlds

Smart cities blur the lines between the physical and cyber worlds. In this environment, people, processes, and places are integrated via both information technology (IT) systems used for data-centric computing and operational technology (OT) systems used to monitor events, processes, and devices and adjust city operations. Such convergence allows cities to control and govern technology systems through remote cyber operations.

However, this convergence, where many devices in the edge could be cyber threat vectors, gives rise to the risk of malicious actors entering the system and disrupting operations on the ground—thus exponentially expanding the cyber risk landscape.⁶ With the proliferation of IoT devices, attackers now have countless entry points to compromise a city’s systems and take advantage of the resulting vulnerabilities.

Interoperability between legacy and new systems

Often, organizations that pursue digital transformation need to integrate new digital technologies with legacy systems, which can create significant challenges and risks. These challenges include inconsistent security policies and procedures and disparate technology platforms, resulting in hidden security vulnerabilities throughout the smart city ecosystem.

This situation is exacerbated as many cities increasingly use IoT solutions, but within a retrofitting model. For instance, large, established gas and water systems within a city have deployed sensors on a large scale. These sensors need to connect to a broader network for the data to be aggregated and analyzed centrally. However, these sensors have minimal security protocols.¹¹ In the long run, retrofitting may not be a viable option as many devices could become physically incapable of upgrades.¹²

Another challenge is the lack of generally accepted standards governing the functioning of IoT-enabled devices. City departments and agencies typically use sensor technologies from different vendors that generate data in different formats and use different communication protocols. Creating interoperability in such situations can be difficult, and cities may face a trade-off between interoperability and security. Each new device added to an IoT ecosystem adds a new attack surface or opportunity for malicious attack.¹³

Integration of disparate city services and infrastructure

Traditionally, cities have offered a wide range of services that were largely independent of each other (e.g., power, water, sewer, transportation, public works, law enforcement, firefighting, and social services). Each of these services was typically provided by an agency using its own systems, processes, and assets. Now, these services are slowly being integrated and linked through an interconnected web of digital technologies.

As cities gain opportunities for new services and efficiencies, this comingling of services and systems comes with its own set of challenges. The increasing integration, interconnectedness, and data exchange create shared vulnerabilities where a problem in one service area can quickly cascade into other areas—potentially leading to widespread and catastrophic failures. In addition, cities need to rethink regulatory requirements, rationalize varied security protocols, and address data ownership and usage challenges.

Furthermore, data stored in different systems can be susceptible to misuse, potentially affecting citizens’ privacy. For instance, it is a leading practice to mask or delete personal identifiers in data. However, techniques and methods that allow malicious attackers to match different datasets to reidentify an individual are becoming increasingly sophisticated. So, a breach that compromises multiple systems and datasets can become a serious privacy incident for cities.

Cyber risk will continue to evolve in the coming years, as many cities plan to integrate a wide variety of services and infrastructure, connecting even more data, systems, and devices.

A holistic approach to cybersecurity

The convergence of physical and digital infrastructure, the ensuing interoperability, and interconnectedness between city systems and data is an ongoing effort in many cities. The security goals of a smart city—confidentiality, integrity, availability, safety, and resiliency—should be grounded on both the objectives of traditional IT (to secure data) as well as those of OT (to ensure safety and resiliency of systems and processes). These combined security objectives can help cities maintain a more secure and resilient operating environment (figure 4).

An integrated cyber risk framework can provide cities with management principles to incorporate into their smart city planning, design, and transformation stages. It comprises industry standards, legal, and regulatory requirements to determine how cyber risk may affect all the ecosystem participants, including users, government, services, infrastructure, and processes, as well as assess each system’s and asset’s influence on each other. Such an integrated approach can enable city stakeholders to view threats and vulnerabilities in their entirety rather than react to specific services or operational impact, eventually allowing them to develop the core capabilities of a cybersecurity program described in figure 5.

Securing cities for growth

Balancing the promise of smart cities against the potential of cyber risks—and managing the associated risks effectively—will be critical to realizing the potential of smart cities. Cities should begin by engaging all the stakeholders and entities in the broader ecosystem. The next steps that cities should consider include the following:

• Syncing smart city and cyber strategy. Cities should define a detailed cybersecurity strategy that is in line with their broader smart city strategy and that can mitigate challenges arising from the ongoing convergence, interoperability, and interconnectedness of city systems and processes. Cities should consider carrying out an extensive impact assessment of their data, systems, and cyber assets to identify, assess, and mitigate the risks associated with technology processes, policies, and solutions. The integrated view of the risks and knowledge of interdependencies of the critical assets can enable cities to develop a comprehensive cybersecurity strategy. For instance, Singapore launched its National Cyber Security Master plan in 2013 and followed it with a new cyber security bill in 2016. Both initiatives were an integral part of Singapore’s smart nation strategy.²⁴

• Formalizing cyber and data governance. Cities need to formalize the governance approach to data, assets, infrastructure, and other technology components. A comprehensive governance model should spell out responsibilities and roles for each critical component in the smart city ecosystem. To implement an ecosystem approach to tackling cyber issues, various entities will need to work together with a strong governance model as the foundation. Cities can establish a network among other cities, state agencies, academia, and corporations to share threat information, capabilities, and contracts to strengthen cyber defenses.²⁵ Additionally, data management—including robust data sharing and privacy policies, data analytics skills, and monetization models that facilitate the sourcing and usage of “city data”—constitutes a critical aspect of this governance. Policies, legislation, and technology must be continuously aligned to maintain the right balance of protection, privacy, transparency, and utility. The governance, policies, and processes must mature along with the city’s overall cyber strategy. For instance, the city of Hague is home to the “Hague Security Delta,” an ecosystem of more than 200 organizations working in the national security, cyber and urban security, critical infrastructure, and forensics.²⁶

• Build strategic partnerships to grow cyber capabilities. The cyber skills gap is not going away anytime soon, so cities need to be innovative and proactive in plugging the cyber skills gap in their cities. This approach may require city administration to explore nontraditional efforts to tap into cyber talent such as crowdsourcing, prizes, and challenges to solve cyber-related issues. A smart city requires new skills and competencies across the various ecosystem layers. Cities can augment existing capabilities through strategic partnerships and contracts with service providers.

It is critical for city leadership to realize that securing cities from cyber risk is not a one-time event where cyber strategy evolves as cyber threats evolve; instead, it is also important to be able to recover when a cyberattack happens. Also, this is not a battle that cities can or should fight alone, but instead with an ecosystem of city governments, academia, the private sector, and startups. Technology can be one part of the cybersecurity solution, but the latter also needs a comprehensive governance model toward data and assets. More importantly, cities need an integrated approach to managing cyber risk with cybersecurity principles baked into every stage of the smart city development process (i.e., from strategy and design to implementation and operations). Cybersecurity is just too important to be treated as an afterthought.

Cybersecurity

As the world becomes more connected, cyber threats are growing in number and complexity. Cyber is moving in new directions—beyond an organization’s walls and IT environments and into the products they create and the factories where they make them.