Smart cities should, ideally, work as a well-oiled clock, but we’re still far, far away from that.
First of all, smart cities are still being built, one siloed segment at a time, and it will take decades to set up a well-functioning, harmonious whole. Secondly, there are many, many operational, cybersecurity and privacy issues to be solved in the process.
“To achieve a true smart city and improve the quality of life for citizens, it should be a citywide effort. This entails sharing data for collaboration and coordination between previously disconnected people and organizations, including both public and private entities,” says Jack Williams, Director of Industry & Portfolio Marketing at the Safety & Infrastructure division of Hexagon, a multinational supplier of smart cities software, sensors, and other technology.
“Take for example a water main break. When this occurs, many organizations across a city must be informed and involved: the port authority reroutes public transportation, the department of transportation shuts down roads, water utilities implement crisis procedures, the list goes on. By sharing information in one place between all organizations, response can be improved, and impact can be reduced on resources, citizens, and the community.”
In this interview, Williams talks about cybersecurity challenges for smart cities and possible solutions.
What are the key cybersecurity challenges for smart cities? What is “the weakest link”?
Data governance, data ownership, and privacy concerns are the key challenges for any smart city project.
Historically, data-sharing initiatives have been one-way streets with a central entity capturing most of the value and others being limited to a specific type of data or workflow. That’s because cities, regions, and organizations, understandably, don’t want to risk losing ownership and control of their data. Additionally, there are a host of liability and security concerns when it comes to sharing data. For example, is the data placed in a big central repository, or does it come straight from the source? What information is retained by the smart city entity, if any? What audit trail capabilities are available?
These fears lead to siloed workflows where only a select few are privy to vital information and cause organizations to worry about uncontrolled access and data copied or used out of context. Users need a system in which they maintain ownership and control of their data. It’s imperative that each participant be able to decide how and when data is shared, who has access to it, and where it lives.
In terms of the weakest link, as with any system, it’s the human element. Any cybersecurity expert would agree. Providing adequate training to administrators of the data or entities providing data, incorporating checks and balances for data access (2FA, encryption, etc.), and eliminating single points of failure are just some examples of the steps organizations can take to address cybersecurity challenges when sharing data with others.
Are local governments demanding better security? Is awareness of cybersecurity best practices top-of-mind in the community (i.e., smart city vendors and policy makers)?
Data privacy and fear of “big brother” surveillance of citizens and private organizations is a major concern. It oftentimes stands in the way of creating the ecosystem of partners necessary to enable a truly smart city.
However, when you peel back the onion, a lot of times the issue can be resolved through transparency on how data is used, taking extra steps to protect privacy, like incorporating anonymization techniques to protect personally identifiable information (PII), and using best-of-breed cybersecurity policies and solutions that come with native SaaS solutions (e.g., Microsoft’s Azure GovCloud).
Smart cities depend on huge amounts of data shared between departments/agencies, and much of it is sensitive. How should those in charge make sure that this data is protected at all times, against hacking, accidental sharing, and so on?
First, entities sharing data should take responsibility and ownership of what is shared from their source systems. Second, constraint-based sharing rules should be defined at both the “edge” (the source system; on-site) and the application level (the smart city collaboration workspace) to ensure that the data is properly filtered/anonymized and only shared with whom you want, when you want, and how you want. This multi-agent, constraint-based sharing approach provides multiple levels of security to help mitigate potential security issues and ensures compliance with privacy standards (such as GDPR).
Additionally, sharing data with no granular controls can lead to security breaches and clog the UI with unnecessary data that is not useful to other participants in the space. Users need to set rules for what data they share and with whom. However, as events unfold, users should be able to quickly change rules to restrict or grant access to their data. But there should be strict guidelines and policies in place to guide this action.
What are some examples of the wrong approach to securing data in smart cities projects that you’ve witnessed?
Some smart city collaboration approaches (aka interoperability or data sharing initiatives) architect their solutions whereby all the data is stored in a central repository. This is a huge data governance and liability issue for cities and regions trying to establish such initiatives.
Additionally, projects that follow the “forced cooperation” approach, where one single entity is in control of the whole system, are almost always destined to fail. Instead, projects should take a “true collaboration” approach where people and entities choose how they want to engage, with whom they want to engage, and what information they want to share. Having these parameters can prevent a lack of trust from stakeholders and gives control to all participants. A neutral, cloud-based collaboration workspace helps to break down the political and people barriers that derail projects before they get off the ground.
What are some current good approaches to securing the data smart cities depend on?
Start small and build out. It takes an ecosystem of citizens, public and private entities, and NGOs to create a smart city, but it doesn’t happen all at once.
Starting with too many players can be overwhelming and make the scope of integrations too complex. Instead, begin with a small group of organizations, or even a specific city department as there are many sub-departments that often don’t communicate, to build out the proof of concept. By doing so, you can develop champions within organizations who can establish a vision and effectively message the benefits to others to bring them onboard.
Secondly, as I mentioned before, leave participants in charge of their own data. Organizations need to have full control over when and how data is shared and who has access to it.
How do we keep smart cities’ data safe while also preserving the functionality and collaborative benefits of what that data is to be used for?
This is where cloud solutions can help. A cloud-based subscription service that treats data on a “need to know,” or more specifically, “need to use”-only basis gets you up and running in a matter of weeks and gives stakeholders full ownership and control of their data in a workspace where they set their own rules for engagement. Instead of publishing or allowing others to download data, users can access information from the source. Each organization retains ownership and control of its data and who can use it. There is also less risk of uncontrolled copies or information used out of context.
Accountability is another major factor because harnessing data comes with the challenge of protecting citizens’ privacy. To overcome this challenge, data inputs should be depersonalized. There should be defined parameters set and recorded by an agreed human-led process with an individual signing off and being accountable.
Lastly, cities must be transparent with citizens about all projects and the data involved, giving residents a chance to provide feedback and concerns.