Who cares about smart city security?

Wherever you turn in the business and technology worlds, the internet of things (IoT) is the hottest of all topics.

Whether the conversation is about clothes or medical devices, robots or bicycles, cloud computing or mobile wearables, traveling the world or staying home, everyone and everything is trying to become “smarter.”

People and organizations now demand constant connectivity with machine learning to make sense of the volumes of data providing better overall business value, effective customer service and perfected lifestyle outcomes.  Even global cities are vying to be the top “smart city” in Europe or in the U.S. or in the entire world.

According to Frost & Sullivan, the global smart cities market is projected to reach $1.56 trillion by 2020.    

Which leads to a simple question: How significant are smart city security concerns?  

Smart city perspectives 

One fascinating thing about this smart city security topic is that opinions and research results are all over the map. Even when talking about a single city, the two sides seem to talking about very different places. They are certainly talking to two very different audiences.

On one side are thousands of stories, conferences and case studies advocating for smart cities in various channels.

For example, start by visiting the Smart Cities Council Website, which promises to “help cities become smarter through a combination of advocacy and action.”  Here you’ll find global news stories with motivating headlines, like “Why Free Wi-Fi is the Key to Making Cities Smarter,” “Go paperless, save money and planet!” and “From data integration to diversion: 6 efforts to reduce prison recidivism.”

Now head over to the Smart Cities Connect Conference (in Austin, Texas) to check out their agenda. You’ll find exciting and intriguing topics like: “Partnership Pioneers: Creating a Platform for Innovation” or “Urban Mobility on Demand.”

But if you flip the page and discuss smart cities within the cybersecurity community, the messages are much more negative. In fact, some are saying the sky is already falling. (I have previously noted that the RSA Conference in February was dominated by “hacking IoT” stories — including smart cities.)

We heard all about the major DDoS attacks when IoT devices were hacked last year. The numerous examples of utilities being turned off are pretty scary, even if they have largely stayed under the mainstream radar so far. And a Security Week article provided some specific examples of how hacking Europe’s smart cities is not that hard.

And this trend is not just about the earlier days of IoT, with a brighter future coming soon. Security professionals generally hold to these views expressed in the Harvard Business Review article “Smart Cities Are Going To Be A Security Nightmare”:

“Simple computer bugs can also cause significant glitches in control systems, leading to major technical problems for cities. Once hackers invade smart city control systems, they can send manipulated data to servers to exploit and crash entire data centers. This is how hackers gained access to an Illinois water utility control system in 2011, destroying a water pump that serviced 2,200 customers. Not only do these breaches disrupt daily operations for residents, they can be costly to remedy. A hypothetical hack that triggers a blackout in North America is estimated to leave 93 million people without power and could cost insurers anywhere from $21 billion to $71 billion in damages.

A tale of one city

Getting a bit more specific, let’s discuss one city: Dallas, Texas.

The Dallas Innovation Alliance website highlights projects and initiatives where Dallas is being promoted as a leading smart city. Here’s an excerpt:

Kerry Rupp, Dallas Morning News, April 3, 2017

With the launch of a living lab in the West End March 27, Dallas entered a new phase of its effort to create a smart city that will attract business innovation while improving the quality of life for its residents.

The living lab — where smart technologies involving mobility, infrastructure and connected living will be tested — is one of several public-private partnerships to transform Dallas into a smart city. …

Other government websites say similar things about Dallas:

Our Vision for Smart Dallas is to leverage technology in becoming an inclusive, connected and efficient city focused on improving the quality of life of our citizens.

The Smart Domains enable better planning, managing and governing of cities in a sustainable way by maximizing economic opportunities and minimizing environmental damage. Six foundational elements of the Smart Domain…

But MIT Technology Review tells a very different story:

On Friday night, residents of Dallas struggled to get as much sleep as they might have liked. At around 11:40 P.M., the city’s hurricane warning system sounded: 156 emergency sirens, all screaming out in unison. It happened another 15 times, each burst lasting 90 seconds, until the alarms finally fell silent around 1:20 on Saturday morning.

But as the New York Times reports, there was no hurricane coming—the sounds were triggered by a hacker who’d penetrated the system’s security measures. Few details have emerged about the hack, save for the fact that it’s thought to have been carried out locally and was very effective (technicians couldn’t stop the hacker, so they had to shut down the entire system to quiet the alarms).

Final thoughts

In this debate, like so many others, both sides passionately believe what they are saying. And there isn’t much listening to the other side to get to a workable middle ground.   

Another trouble is that there are few mainstream media articles and virtually no conversations on the pros and cons of smart city developments or potential trade-offs with security. As a result, there is minimal movement towards delivering a roadmap for smart city security.

City planners, tech startups and innovators describe to city leaders in tantalizing detail the amazing opportunities that will come to innovative smart cities. Meanwhile, security pros tell scary hacking stories at security conferences and in technology and cyber magazines to other security pros. 

This is what makes answering the simple question of the significance of smart city security concerns so hard. They are of utmost significance to one camp and of seemingly little significance to the other.

In my next blog post for CSO, I will provide some pragmatic middle ground that I hope can help enable better dialogue between the divided smart city camps.

In the meantime, let me know your thoughts on this question: Is your favorite smart city secure? Why or why not?