By: Dick Bussiere, Technical Director for APAC at Tenable
The pandemic has required us to rethink how we live and smart city solutions are proving vital in minimising the spread, helping with transitions back to the workplace and ensuring safety. Smart solutions can help organisations easily manage the number of people in a building, level or room to ensure social distancing measures are met as well as support contact tracing efforts.
The closer smart city initiatives get to being operational, the more significant the challenges are of maintaining cybersecurity due to the heightened threat surface the increased number of connected devices brings. While the prevalence of IoT and connected technology enhances the efficiency and livability of urban spaces, it also opens new doors for cybercriminals to enter.
This wider attack surface means that smart cities truly are a double-edged sword – increased purposeful automation bringing with it an increased likelihood of exploitation. Before embracing new innovations, we must first address the distinct risks and secure our Australian cities of the future.
Converging worlds and roles
Smart cities draw both the physical and digital worlds closer. The convergence of data (traditionally within the realm of IT) and operational technology (OT) has revolutionised our physical spaces. It removes the need for a person to be on-site to manually react to changes in service requirements and allows for external intelligent Internet of Things to effect these changes instead.
As we continue to navigate COVID-19, smart cities can play an important role in minimising the spread through applications such as automated occupancy counting, remote temperature monitoring and real-time heat maps of crowding in public spaces. The solutions are endless and are only going to become increasingly embedded within our lives. The current challenge lies in the blurring lines of the responsibility and ownership of security measures.
When it comes to smart cities, the line between security and functionality can often be a tension point. Leaders in architecture and planning tend to have different considerations to those within security, IT and OT. Ensuring a dialogue about standards is especially crucial but not enough on its own.
In order to make the smart city model stronger, and ensure public safety, all stakeholders need to band together to ensure that security is taken into account at every step of the smart city architecture, design and build-out process. Security IS an intrinsic part of this process. It’s critical to establish where organisational responsibilities lie to have the correct balance between effective service delivery, security and privacy. While this may be difficult and indeed confrontational to address at first, it’s only by tackling the security issue as part of the service definition process that it will become inherent to the deployed system.
Security at the forefront
The Australian security industry has been working closely with the federal government agencies to develop codes of conduct and strengthen the security of emerging technologies. The industry has been a strong advocate for fostering a culture of security in people, process and technology. However, it’s critical that the industry doesn’t rest on its laurels. Technology continues its relentless change, and security must adapt along with it. For example, security vendors have started to work with manufacturers to ensure devices are secure by design and address the privacy needs of end-users from the ground up. We can no longer view such devices as individual endpoints but instead must consider them in the context of a wider ecosystem and attack surface for private and public organisations. Only by doing this can we truly address the issue of privacy and security at a macro system-wide level.
The biggest challenge facing the security teams tasked with managing this complex, sensitive and expanded attack surface is visibility. We cannot rely on costly, error-prone manual network inventories that may be out of date soon after they are collected. Instead, automated solutions are needed to inventory and baseline converged IT/OT systems. These systems will facilitate a unified, risk-based view detailing what is exposed, where and to what extent across combined IT and OT environments. As cities become smarter and more connected, those responsible across all areas will need to rethink cybersecurity strategies to deflect attacks.
Ultimately, the risks are too great not to.