A recent report from ABI Research predicted 1.3 billion wide-area network smart city connections by the year 2024. While investment expectations for critical infrastructure cybersecurity amount to about $135 billion by 2024, only 44 percent of that figure will cover energy, healthcare, public security, transport, and water and waste.
The report suggested this will be insufficient to protect these sectors properly. An even more concerning disclosure stated that cybersecurity investments are rarely discussed during a smart city’s strategic process. As smart cities become more complex, governments may be forced to play a continuous game of catch-up.
What can governments do today to prevent severe threats to critical public services? Is it as simple as throwing money at the problem? Regardless, there are sure to be consequences for not giving enough consideration to cybersecurity.
The Importance of Smart City Cybersecurity
Ted Ross, chief information officer (CIO) for the city of Los Angeles, is well-versed in smart city planning and strategy and recognizes the importance of cybersecurity for a city’s future success. I’ve spoken with him several times before; he’s the perfect fit to help us understand what governments need to address from a cybersecurity perspective.
Although he can only speak for his city, Ross is not surprised that other organizations and industries may underinvest in cybersecurity.
“Cybersecurity is kind of like insurance,” Ross said. “Many see it as simply spending money on something to prevent a bad outcome. If that’s the only way that you view it, then likely you’ll find yourself spending as little as possible to avoid that outcome.”
To Ross, not devoting enough financial resources is akin to saying that you only need cheap brakes on your car so you can stop in time. Moreover, even when organizations or governments invest heavily in cybersecurity, they may not know how to invest in creating smart cybersecurity infrastructure.
“Even though they’re putting money into the problem, they still may find themselves with a considerable amount of risk, because cybersecurity is about know-how as well as having the right tools to secure yourself.”
Widespread IoT and 5G Adoption May Come Tomorrow, But Digital Is Here Today
As smart cities increasingly rely on internet technologies for critical infrastructure, addressing cybersecurity for new innovations now is critical. Just one internet of things (IoT) botnet could breach the power grid and cause widespread blackouts. What if cybercriminals hacked a city’s transportation infrastructure? Cities must worry not only about bad actors but also about extreme weather, a threat that cannot be underestimated.
In LA, it could be an earthquake. In Kansas, a tornado. It could be a devastating flood. Even the smallest of municipalities probably have some of their services online today.
“To not strongly utilize cybersecurity as a part of your digital portfolio means you’re putting all your eggs into a basket, and you’re not protecting the basket,” Ross said. “And I think that’s where cities and states and counties need to wise up, because we are digitizing as a nation, which means we also need to protect our digitized services.”
Where to Start When Securing a Smart City
In larger cities, residents and businesses are engaging with the government much more digitally than they would in an analog sense. For any government or municipality today, digital trust is paramount.
In LA, if the city’s digital services appear untrustworthy, one of the most important tenets is undermined. And if you’re an elected official, you don’t want to be perceived as somebody who had a major data breach on their watch.
“We find that cybersecurity ties very well into the mindset of our elected officials and our city managers, because they don’t want to be seen as the people who violate the public’s trust,” Ross said. “When we look at it that way, it allows us to look at it a little bit differently. Once you lose the public’s trust, it’s very hard to earn it back.”
So how does a city this large approach cybersecurity from a strategic standpoint? It can start simply enough with the National Institute of Standards and Technology (NIST)’s cybersecurity framework.
According to Ross, the city uses the framework to identify, protect from, detect, respond to and recover from security incidents, and leverages it across every department. While the city invests significantly in the main hardware tools such as appliances and firewalls, it’s the heavy investment in procedures and policies that makes the most impact.
“We have to make sure that if something does happen, we know how to respond to it and train employees so they know what to do,” Ross said. “Being secure is not the kind of thing where you just take something and say, ‘Now let’s put a layer of cybersecurity on top of it.’ Cybersecurity should be woven all the way through.”
Ross likens it to a castle, where once you get past the moat, you hit a wall. Get past the wall, and there’s a second layer of walls to protect the critical stuff. Governments — or any organization for that matter — need to have these defensive layers in place.
“At a high level, I think it’s how Los Angeles secures our digital services,” he added.
Cybersecurity Basics Never Fail
While this all may sound daunting, managing risk for cities doesn’t have to be complicated. By following security basics, governments can be miles ahead of their counterparts.
When I look back at the root cause of cyberattacks against cities, human error is a major factor. The good news is a city or town can prevent an overwhelming majority of hacks by applying simple security mechanisms and hygiene. Patching, operating system updates, data backups, antivirus tools, security awareness training — you know, the basics. Don’t forget about backups, because if your data isn’t backed up, an attack goes from annoyance to disaster.
Ross’s first suggestion for any government that doesn’t understand a new technology well enough to secure it is to take time before implementation. Second, start small.
“If you start with the proof of concept or pilot, it allows you an opportunity for cybersecurity staff, or even others to do a red team-blue team to see if somebody can penetrate it,” he advised. “Before you deploy something, see if you can take it down with the cyberattack yourself, and just use some of the basic methods.”
Third, always ensure that your security team is involved because, as Ross noted, relatively small configuration changes or adjustments can sometimes make you much more secure.
“Your ability to contain a problem and contain it early, assuming you do get breached, is extremely important to prevent something much larger from happening,” he said. “If you don’t detect and don’t respond to an attack on an asset, it can grow and gain access to many assets. That’s the nature of cybercrime.”
Get Everyone Motivated and Engaged
I write about red team-blue team exercises often, and nobody has ever told me that they considered them a waste of time. It makes you and your team smarter and gets them more invested. While most municipalities don’t have funding to offer bug bounties to attack their systems as Los Angeles does, internal testing to challenge defenses can go a long way.
“We do red team-blue team exercises a couple of times a year, so we can ensure that what we assume is correct is correct,” Ross said. “For participants, it’s a week of their job that they look forward to. It pays off.”
Cities have become very complex organizations. As the IoT and other new technologies come into play, cybersecurity investment will be critical.
But I don’t think money can solve everything. Not to belabor the point, but humans are, and always will be, the weakest link in the security chain. Cities and governments are no different, and may even be more susceptible than private organizations. If smart cities want to be truly smart, they should invest in cybersecurity now to prepare for what comes next.