Securing the digital city

The Internet of Things (IoT), particularly in the smart city context, is viewed as both a vulnerability and an opportunity.

The rise of ‘smart cities’ is a probable source of their concern. While the term ‘smart cities’ is often used loosely to describe various municipal IT infrastructure projects, smart cities are most commonly thought of by critical infrastructure managers as cross-sector integration initiatives which link up the information technology platforms of private and public critical infrastructure providers, usually with a focus on healthcare, public safety and utilities. “Smart city architecture is built upon two fundamental principles,” says Saibal Chowdhury, CEO of Urbanetic, a Singaporean firm which designs planning software for smart city projects. “One, data is transparent to as many participants as possible, and two, as many sources of intelligent, Internet-connected sensors and mobile devices as possible are connected to the integrated platform.”

That these two principles are often in conflict further complicates cyber-security efforts. Data transparency, the first principle, is only facilitated by more cross-network integration, which, by its very nature, increases vulnerability. “Security guys only seek to lock things down,” Mr Chowdhury says, “and the business and operations guys want to set all data free.” He notes that, in order for cross-sector initiatives, like the creation of smart cities, to be successful, urban planners and municipal governments must establish a leadership hierarchy wherein a chief decision-maker co-ordinates and balances the needs of the various cyber-security architects and those responsible for data analytics and insights.

Increasing connections, increasing risk

The second of Mr Chowdhury’s principles—that critical infrastructure IT systems must rely on an increasing number of Internet-connected sensors, appliances and other devices, otherwise known as the IoT—is also increasing cyber-security risks. It is shifting connectivity landscapes tremendously: analysts at Gartner estimate that 20.8bn ‘things’ (such as vehicles, sensors and appliances) will be connected to IT networks in 2020. The more potential points of entry to a network, and the more sources of valuable data, the more potential there is for attacks. The IoT’s rise will increase the organisation’s vulnerability to cyber-attacks.

At the same time, the IoT is seen as an inevitable—and essential—part of building critical infrastructure. Data-gathering sensors that monitor traffic flows and energy consumption help make city streets safer and facilities more efficient, among other benefits. Gathering and parsing insight from Internet-capable vehicles or consumer devices will assist critical infrastructure managers in planning and improving how ports, hospitals and public safety facilities function.

The rise of big data and the IoT is part of the security solution, at least in the long term, as the focus of cyber-security methodology shifts from building robust defences towards more proactive detection of the sources of threats and where they might occur. Deployment of a variety of sensors and analytic engines provides IT managers with the tools they need to build up those detection capabilities.

However, a shifting regulatory environment could present a roadblock to the use of various tools, says Hosuk Lee-Makiyama, director at the Brussels-based think tank, European Centre for International Political Economy. “The problem with critical infrastructure and cyber-security is that it’s becoming this huge grey area when it comes to regulation,” says Mr Lee-Makiyama. “Do the cloud services offered by a telecoms operator qualify as critical infrastructure? Is search critical infrastructure? There’s a tendency to expand the definition of critical infrastructure and that’s creating difficulties.”

Many vertical vulnerabilities, one horizontal

Telecom and Internet services providers are most at risk, followed by banking systems. Public safety, utilities and services are seen to be much less vulnerable. It is unsurprising that telecoms infrastructure is viewed as most likely to suffer a cyber-attack—it is, in the words of Mr Babu of PCCW, “the horizontal platform that enables the technology platforms of all other critical infrastructure ‘verticals’.” Mr Babu points out that “the level of dependency that other critical infrastructure providers have on ICT connectivity places a unique burden on the telco provider”, and heightens their risk as a first point of incursion.

Similarly, banking is viewed as the next most likely victim of cyber-attack, as “banking is a more ‘high value’ target,” says Mr Jin of Schneider Electric. Yet he also feels that the finance industry is more resilient than most other critical infrastructure providers. PCCW’s Mr Babu agrees, noting “banking is quite an advanced sector, in large part because it has no choice—it is an industry that is completely dependent on IT systems” to deliver its services. Banking’s cyber-security prowess also means that its threats are more contained. “There are still cyber-thefts, but usually at an individual bank level, involving a physical system incursion or ATM hack,” says Mr Jin. “Attacks are isolated and rarely at a global level.” This is because banking cyber-security teams have learned how to isolate and insulate their various system interfaces better, and are large adopters of analytics tools, which help filter out weaknesses in systems.

Cyber-attacks are a clear, constant threat to all organisations, and advances in information technology benefit perpetrators as much as the organisations who seek to thwart them. Critical infrastructure providers are not unique in their inherent vulnerability to attacks, but the fact that the services they provide underpin the very workings of civil society and the economy means the consequences of failing to defend against attacks are far greater. Moreover, the fact that critical infrastructure providers increasingly depend upon cross-platform integration with each other—and all intersect with the primary, ‘horizontal’ infrastructure of telecommunications and Internet networks—means that an attack on one can have magnifying effects on all of them.

Yet critical infrastructure managers are not resigned to constant, grinding cyber-warfare. In fact, the threats are serving as a catalyst for cyber-innovation—leaders are increasingly committed to integrating cyber-security-centric processes into their overall operational strategies, while also trying to build integrated smart systems that can learn from each other. This commitment is in large part an attempt to address the central challenge they face, says Mr Jin of Schneider Electric. “We are managing security in an IT environment defined by two diametrically opposing trends: we want our systems to be open so that we leverage the synergies and insight they provide, and yet network integration is a process directly opposed to security.”

The ‘insulation’ of integrated systems will remain a challenge for critical infrastructure providers. It is further complicated by a lack of senior executives and government officials with the cross-sector leadership experience needed to implement this approach to security. But being open to external expertise and input from other critical infrastructure providers can help organisations to overcome these constraints by creating a proactive approach to cyber-security that evolves and succeeds.