WATCH

Wednesday, 25 May 2016

Securing the Smart City.



How smart can turn dumb -

A smart city uses technology to automate and improve city services, ultimately making citizens’ lives better. It describes a city full of connections, where information technology and the Internet of Things (IoT) are embedded into everyday life. The problem is that each connection carries a risk. Data is shared across networks that, if poorly encrypted, can be accessed by outsiders. Each connection, however remote or seemingly innocuous, could provide an entry point for a hacker who could potentially manipulate that system for their own ends.

Digital security experts like Cesar Cerrudo, CTO for IOActive Labs, have concerns about how robust this encryption is. Cerrudo points out that many systems use weak encryption algorithms, and others have poor encryption key generation or fixed keys that hackers can gain access to. It’s not just fragile encryption or weak connection security - citizens in a smart city have a part to play too. Simple or shared passwords and lost memory sticks could potentially offer hackers the opportunity to access the personal and business information that we hold. Malware can be stored within apps we freely download.

And how many of us ever read the terms and conditions when we sign up for apps or do much checking before clicking the button to allow our apps to access our data? Given that many of them are longer than novels (Apple’s Terms and Conditions are notoriously longer than Shakespeare’s Macbeth), it’s not surprising we don’t, but it could have implications for our security.

“If that technology is not secure and if it’s not properly protected, city infrastructure and citizens won’t be safe and will suffer cyber attacks,” Cerrudo says, warning that smart cities run the risk of becoming dumb cities if they continually suffer cyber attacks because of weak infrastructure.

Cerrudo himself has demonstrated how simple our cities’ systems can be to hack. Using a laptop and hardware that cost under $100, he was able to access individual traffic lights, changing them at will. Pushing further, he could access these systems from up to a mile away and even from an airborne drone.
The technology used for managing traffic lights in New York is also used to manage the traffic infrastructure in cities across the world, including Washington DC, New York, Seattle, San Francisco, London, Lyon, and Melbourne. Cerrudo’s example illustrates just how incredibly fragile our cities are, with small incidents having big consequences. It’s the principle of the ‘cascade’ effect. In a cyber attack, hackers may use the cumulative impact of a number of small intrusions that, when multiplied together, can cause havoc.

As an example of what can be achieved, in 2006 two aggrieved Los Angeles traffic operators remotely accessed four traffic lights at busy intersections. This seemingly minor interruption caused gridlock that lasted for days. Even more concerning was that it took three years for the perpetrators to be found, after they owned up to the crime.

Hyper-Cat -

If multiple entry points and unsecured data sharing across systems are the biggest risks for our smart cities, then surely the answer must be in having one system that manages everything?
The idea of the Urban Operating System (UOS) has in the past been a key part of the concept of a Smart City. From one single operating system, the entire infrastructure of a city can be connected, organised and managed. But it’s increasingly viewed negatively by smart-city experts like Tom Saunders, senior researcher at Nesta, who believe we’re actually safer if systems are fragmented.

“Companies are still pushing the one-system model,” says Saunders, who is also the author of ‘Rethinking Smart Cities from the Ground Up’. But for him at least, it’s not the answer: “To be secure you want lots of separate systems that compete. That way, the whole city network can’t be hacked.”
One of the main reasons Saunders believes the UOS model won’t take hold is that, contrary to claims made, there are no real smart cities, just a collection of individual projects. “In the UK, we can’t afford to roll out 100,000 sensors across the city,” he says. Smart Cities like Bristol, Milton Keynes and most recently Manchester are investing in small-scale smart projects, not imposing a complete smart system upon the city. The infrastructure and technology behind the projects aren’t linked, meaning hacking them all would be complex and time-consuming.

If we’re unable to build our Smart Cities from the bottom up, then it’s essential that we impose security upon the systems that we already have. Symantec is one of a number of organisations working together to develop a secure communications standard that it hopes will do just that.
Called Hyper-Cat, the standard is a JavaScript Object Notation (JSON) catalogue that securely shares IoT asset information across the web, making it much more difficult for hackers to access. “The system isn’t a UOS,” says Sian John, Symantec’s head of resilience. “It’s a set of standards that enables the safe communication between IoT devices.”

At the moment, many city systems enjoy ‘security through anonymity’. As these systems are increasingly introduced to Smart City elements, experts like those at Hyper-Cat are calling for the introduction of a safe operating standard that can ensure that minimum security conditions are met.
Cerrudo agrees that securing this communication is the biggest challenge for a smart city, but he’s critical of the industry. “Most smart city technology vendors are immature and don’t have enough cyber security knowledge,” he says.

Rather than developing new communication standards, Securing Smart Cities - a non-profit organisation that brings together academics and businesses - creates resources and guidance for public and private sector organisations to help cities protect themselves. Securing Smart Cities is increasingly calling on governments to become much more involved in smart cities. “Right now governments are blindly trusting vendors and deploying technology without making sure it’s secure,” says Cerrudo.

Smart crime-fighting -

Security in a smart city often focuses on the big threats to the population, and on how critical infrastructure can be protected. But smart, connected cities also play a key role in protecting the citizens. After all, smart cities thrive on ‘big data’. This mountain of seemingly unconnected data is being processed by sophisticated computer programs to help predict real crimes. It may sound like science fiction, but the concept - dubbed predictive analytics - is actually in development and being trialled in many places around the world.
In 2011, the Santa Cruz Police Department introduced such ‘predictive policing’ to the force, and saw arrests increase by 57 per cent. The system divides the city into cells 450m square, with a computer algorithm assigning a probability of crime based on an analysis of previous crime data, social media and other local data sources.

The technique is being further developed by companies like Hitachi, whose Visualization Predictive Crime Analytics system blends real-time event data captured from public safety systems and sensors with historical and contextual crime data from record management systems and other sources. Spatial and temporal prediction algorithms are used to assign threat levels for every city block and also to create threat level predictions, forecasting where crimes are likely to occur or additional resources may be needed. Hitachi estimates that the system can predict crimes to within a 200-metre radius.
New technology has always been used by police forces to tackle crime, with GPS trackers in cars, mobile phone records, bridge toll passes and more being used as evidence in cases. As our cities become increasingly connected, law enforcement agencies will be able to use this data to prosecute criminals. But information can also be misused. The police have strict rules defining how they investigate crimes and name suspects, but the general public doesn’t. In April 2013, Boston was shaken by the detonation of two bombs at its annual marathon. After the incident, the entire city went into lock-down as the perpetrators went on the run.

During this time, CCTV images, social media and a variety of other open sources were used by concerned citizens and media outlets to identify and name potential suspects. The problem was, these people were innocent bystanders and, in one case, a participant in the marathon. The smart city can help protect its citizens, but access to information should come with some responsibilities.

