A recent report from ABI Research predicted 1.3 billion wide-area network smart city connections by the year 2024. While investment expectations for critical infrastructure cybersecurity amount to about $135 billion by 2024, only 44 percent of that figure will cover energy, healthcare, public security, transport, and water and waste.

The report suggested this will be insufficient to protect these sectors properly. An even more concerning disclosure stated that cybersecurity investments are rarely discussed during a smart city’s strategic process. As smart cities become more complex, governments may be forced to play a continuous game of catch-up.

What can governments do today to prevent severe threats to critical public services? Is it as simple as throwing money at the problem? Regardless, there are sure to be consequences for not giving enough consideration to cybersecurity.

The Importance of Smart City Cybersecurity

Ted Ross, chief information officer (CIO) for the city of Los Angeles, is well-versed in smart city planning and strategy and recognizes the importance of cybersecurity for a city’s future success. I’ve spoken with him several times before; he’s the perfect fit to help us understand what governments need to address from a cybersecurity perspective.

Although he can only speak for his city, Ross is not surprised that other organizations and industries may underinvest in cybersecurity.

“Cybersecurity is kind of like insurance,” Ross said. “Many see it as simply spending money on something to prevent a bad outcome. If that’s the only way that you view it, then likely you’ll find yourself spending as little as possible to avoid that outcome.”

To Ross, not devoting enough financial resources is akin to saying that you only need cheap brakes on your car so you can stop in time. Moreover, even when organizations or governments invest heavily in cybersecurity, they may not know how to invest in creating smart cybersecurity infrastructure.

“Even though they’re putting money into the problem, they still may find themselves with a considerable amount of risk, because cybersecurity is about know-how as well as having the right tools to secure yourself.”

Widespread IoT and 5G Adoption May Come Tomorrow, But Digital Is Here Today

As smart cities increasingly rely on internet technologies for critical infrastructure, addressing cybersecurity now, as new innovations are adopted, is essential. Just one internet of things (IoT) botnet could breach the power grid and cause widespread blackouts. What if cybercriminals hacked a city’s transportation infrastructure? Not only must cities worry about bad actors, but the threat of extreme weather cannot be underestimated.

In LA, it could be an earthquake. In Kansas, a tornado. It could be a devastating flood. Even the smallest of municipalities probably have some of their services online today.

“To not strongly utilize cybersecurity as a part of your digital portfolio means you’re putting all your eggs into a basket, and you’re not protecting the basket,” Ross said. “And I think that’s where cities and states and counties need to wise up, because we are digitizing as a nation, which means we also need to protect our digitized services.”

Where to Start When Securing a Smart City

In larger cities, residents and businesses are engaging with the government much more digitally than they would in an analog sense. For any government or municipality today, digital trust is paramount.

In LA, if the city’s digital services appear untrustworthy, one of the most important tenets is undermined. And if you’re an elected official, you don’t want to be perceived as somebody with a major data breach on their watch.

“We find that cybersecurity ties very well into the mindset of our elected officials and our city managers, because they don’t want to be seen as the people who violate the public’s trust,” Ross said. “When we look at it that way, it allows us to look at it a little bit differently. Once you lose the public’s trust, it’s very hard to earn it back.”

So how does a city this large approach cybersecurity from a strategic standpoint? It can start simply enough with the National Institute of Standards and Technology (NIST)’s cybersecurity framework.

According to Ross, the city uses the framework to identify, protect from, detect, respond to and recover from security incidents, and leverages it across every department. While the city invests significantly in the main hardware tools such as appliances and firewalls, it’s the heavy investment in procedures and policies that makes the most impact.

“We have to make sure that if something does happen, we know how to respond to it and train employees so they know what to do,” Ross said. “Being secure is not the kind of thing where you just take something and say, ‘Now let’s put a layer of cybersecurity on top of it.’ Cybersecurity should be woven all the way through.”

Ross likens it to a castle, where once you get past the moat, you hit a wall. Get past the wall, and there’s a second layer of walls to protect the critical stuff. Governments — or any organization for that matter — need to have these defensive layers in place.

“At a high level, I think it’s how Los Angeles secures our digital services,” he added.

Cybersecurity Basics Never Fail

While this all may sound daunting, managing risk for cities doesn’t have to be complicated. By following security basics, governments can be miles ahead of their counterparts.

When I look back at the root cause of cyberattacks against cities, human error is a major factor. The good news is a city or town can prevent an overwhelming majority of hacks by applying simple security mechanisms and hygiene. Patching, operating system updates, data backups, antivirus tools, security awareness training — you know, the basics. Don’t forget about backups, because if your data isn’t backed up, an attack goes from annoyance to disaster.

Ross’s first suggestion for any government that doesn’t understand new technology enough to secure it is to take time before implementation. Secondly, start small.

“If you start with the proof of concept or pilot, it allows you an opportunity for cybersecurity staff, or even others to do a red team-blue team to see if somebody can penetrate it,” he advised. “Before you deploy something, see if you can take it down with the cyberattack yourself, and just use some of the basic methods.”

Third, always ensure that your security team is involved because, as Ross noted, relatively small configuration changes or adjustments can sometimes make you much more secure.

“Your ability to contain a problem and contain it early, assuming you do get breached, is extremely important to prevent something much larger from happening,” he said. “If you don’t detect and don’t respond to an attack on an asset, it can grow and gain access to many assets. That’s the nature of cybercrime.”

Get Everyone Motivated and Engaged

I write about red team-blue team exercises often, and nobody has ever told me that they considered them a waste of time. They make you and your team smarter and get everyone more invested. While most municipalities don’t have the funding to offer bug bounties for attacks on their systems, as Los Angeles does, internal testing to challenge defenses can go a long way.

“We do red team-blue team exercises a couple of times a year, so we can ensure that what we assume is correct is correct,” Ross said. “For participants, it’s a week of their job that they look forward to. It pays off.”

Cities have become very complex organizations. As the IoT and other new technologies come into play, cybersecurity investment will be critical.

But I don’t think money can solve everything. Not to belabor the point, but humans are, and always will be, the weakest link in the security chain. Cities and governments are no different, and may even be more susceptible than private organizations. If smart cities want to be truly smart, they should invest in cybersecurity now to prepare for what comes next.
