Checklist: 10 steps for securing a smart city

The reality of smart cities will soon be realised in many metropolises today, such as the likes of New York, London, Singapore, Tokyo and Hong Kong. Technology-driven movements are happening at an unprecedented rate. Usage of drones, autonomous cars and digital payment is increasingly pervasive; and most of us are only now beginning to grapple with the oft-unseen pervasiveness of technologies such as interconnected systems, sensor networks, data analytics and real-time location tracking.

Yet, in the relentless pursuit of technological advances, last year’s WannaCry and Petya ransomware attacks serve as a bleak reminder that smart cities still have a long way to go before cyber walls are fortified.

Many technology experts caution that most indexes measuring the success and maturity of smart cities do not typically involve a cybersecurity metric, thus undermining the importance of building strong cyber defenses. In reality, a smart city cannot truly be smart if its defence against cyberattacks is weak.

Researchers and security experts from Trend Micro have devised a simple 10-step cybersecurity guide providing security considerations for smart city developers – including governments and urban developers – so smart city structures and technologies can be fortified without putting a toll on innovation.

1. Perform quality inspection and penetration testing

Conducting strict penetration tests and inspections on smart technologies before implementation can help to detect security issues or maintenance concerns, such as data leaks or service malfunctions, before the service is made available to the public. Municipalities should hire independent contractors to run the penetration tests on a regular basis. Apart from these, standard product testing procedures such as quality assurance (QA) and quality testing (QT) should also be made mandatory. QA focuses on spotting defects in smart technologies while QT zeroes in on their functionality.

2. Prioritize security in service level agreements for all vendors and service providers

Service level agreements should expressly list the security criteria that have to be met by smart technology vendors and service providers. This step not only provides clarity on responsibility but also spells out penalties that will be incurred should any party fail to comply with the agreed conditions. The clause could also benefit citizens with a guarantee on their data privacy; a 24/7 response team in case of security problems; and aforementioned regular penetration tests and security audits.

3. Establish a CERT or CSIRT

The establishment of a dedicated and readily available government computer emergency response team (CERT) or computer security incident response team (CSIRT) during an infrastructure cybersecurity crisis will help provide immediate relief in case of attacks or system failures. The team should also be responsible for reporting vulnerabilities and needs for patching, vendor coordination, and sharing security best practices.

4. Ensure the consistency and security of software updates

Firmware and software updates should be evaluated to ensure they are delivered in a safe manner with encryption and digital signatures to ensure software integrity. Digital signatures help with verification of the authenticity of updates and should not be corrupted or tampered with before installation.

5. Plan around the life cycle of smart infrastructures

Smart infrastructures have a longer service life than run-of-the-mill consumer products. Therefore, it is critical that developers plan for specific steps to be taken once these infrastructures become obsolete or when vendor support ends, otherwise systems will be rendered vulnerable to cyberattacks.Other related considerations are the physical state of these infrastructures, which would be affected by factors such as the number of years of deployment, lack of maintenance, and overuse. By planning around an infrastructure’s lifecycle, government and urban developers can easily fix or replace them in the future.

6. Process data with privacy in mind

As a rule of thumb, any data collected in a smart city should be anonymised in order to protect the privacy of the citizens, especially when published as open government data. If the data have no relevance to the smart city project, it should be completely discarded.

In addition, access to the data should only be granted to vendors and contractors authorised by the governments. A thorough plan detailing user rights and responsibilities on data sharing can also be implemented.

7. Encrypt, authenticate, and regulate public communication channels

All communications – wired and wireless – need to be protected against eavesdropping, interception and modification, especially when the information in question is sensitive. Strong encryption should be applied and the decryption keys should be handed to trusted personnel.

Also, all communications should be guarded by passwords minimally. Other forms of strong authentication include one-time passwords, biometrics, and two- or multi-factor authentication.

Governments should also regulate communication protocols and traffic to minimise the risk of destabilising a centralised system or several interconnected systems. Inactive functions and features on smart communication systems should be disabled. to reduce opportunities for attacks.

8. Always have a manual override ready

The availability of a manual override will give governments an option to regain control and perform incident response even when the system is disconnected from the Internet or when the attacker locks the system operator’s remote access capabilities.

9. Design a fault-tolerant system

A fault-tolerant system allows the smart infrastructures to continue functioning properly when one or more of its components fail, although there might be reduced responsiveness or performance. To do so, redundancy techniques are required, such as those pertaining to hardware, software, and time, to enable the system to tolerate operational faults and perform needed functions.

10. Ensure continuity of basic services

In the unfortunate scenario where all systems fail, cities need to have measures to maintain citizens’ basic access to utilities such as electricity and water, and to emergency response services.

This story was contributed by David Siah, Country Manager (Singapore & Indonesia), Trend Micro. The views and opinions expressed here are solely the contributor’s own and do not necessarily reflect the official policy or position of GovTech.