Civic leaders around the world are looking to automate the infrastructures that make their cities run in a drive to reduce costs and cope with rising populations. From transit networks and utilities, through to refuse collection and streetlighting, making services “smart” by connecting devices to the Internet is appealing to those managing cities and large towns. In fact, UBS predicts that Asia’s smart city market could reach US$800b in 2025. The UN projects that 66% of the population in Southeast Asia will be living in urban areas by 2050, and many of its cities are looking to smart solutions to address their challenges.
However, in their rush to automate their cities, civic managers need to ensure that they also build in cybersecurity to protect them from threats.
The severity of the threat
The benefits of generating data-based insights from IoT-powered smart cities, as well as the convenience of remote operations, hinge on the convergence of IT and OT (operational technology) for maximum connectivity.
However, IoT devices often run on operating systems that have vulnerabilities that are challenging to patch, or simply no longer supported. For instance, IPnet is still an integral part of the operating systems of smart devices used in connected cities, despite being unsupported since 2006. Combined with the reality that there are likely to be hundreds of thousands of these devices connecting to an OT network, that presents a huge, exposed attack surface for attackers to exploit.
Already, 88% of organisations in Asia Pacific have experienced at least one IoT-related security breach, the highest rate in the world. This is likely to be exacerbated by the rollout of 5G networks, which provides a better way for not only devices to connect to OT networks, but also cybercriminals.
What might be attacked?
Public services can be made more time- and cost-efficient through automation and connectivity. However, with each service that is brought online, smart cities are exposing themselves and their citizens to the risk of large-scale threats.
Take streetlighting for example. By 2026, Asia Pacific is set to be home to a third of all smart streetlight installations worldwide, the bulk of which include central management systems. In Jakarta, remote monitoring and control of streetlights has allowed the city to save energy during off-peak hours, and to deploy repair crews only when necessary.
Streetlighting is vital for towns and cities as it helps enhance quality of life, improve public safety, and reduce traffic accidents. Conversely, a cyberattack knocking out an entire streetlighting system could endanger commuters.
There is also the reality that alongside the potential to cause widespread chaos, cybercriminals are likely to want to break into these systems to steal the data, including personally identifiable information, on which they run.
While IoT could transform how cities are managed, these advantages can be wiped out by a single cyberattack. As such, cybersecurity must be a priority when making any infrastructure “smart”.
However, public servants often lack cybersecurity expertise. In 2018, Singapore faced what authorities dubbed its "most serious personal data breach" when the personal information of 1.5 million patients was leaked in a cyberattack, which has been attributed to system vulnerabilities and weak passwords. This should be of concern to smart city managers, as it doesn’t take long once a threat actor is in an IT network to move laterally into the OT that a smart city runs on if there is not proper segmentation between the two.
Local authorities must also ensure existing staff are trained to be “cyber aware”, so that their actions don’t compromise their networks’ security. They must also recruit or train a cybersecurity team that understands the difference between managing and protecting IT and OT networks.
The other piece of the puzzle is to invest in technology that provides detailed oversight into everything on a city’s IT and OT networks. Knowing granular details such as a device’s make, model, OS and IP address through to risk level and update schedule, the IT security team will be able to identify and mitigate any vulnerabilities on their networks. As IoT and OT environments use unique communication protocols, this requires specialised solutions that can recognise them.
Once they know what is running on the network, security professionals also need to know how assets should be running, so that they can detect any anomalies. This requires continuous automated monitoring that can present contextualised alerts ranked by level of severity, providing security teams with all the information they need to tackle potential risks in priority order. Such solutions also help reduce time wasted dealing with false positives and low risk alerts.
When building physical infrastructures, a key consideration for civic managers and leaders has always been safety and security. The same now has to be true when building OT infrastructures in the age of IoT.