After the recent release of the discussion draft of its Framework for Cyber-Physical Systems (CPS), the National Institute for Standards and Technology (NIST) has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance (CSRA) and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.
What Are Smart Cities?
The term “Smart Cities” refers to the broad concept of using technology to gather and analyze city data in order to increase efficiency and improve quality of life. Cyber-physical systems will play an important role in smart cities by enabling the real-time collection of data related to health, pollution, energy usage, traffic, water usage, and waste disposal.
What Cybersecurity Issues Do Smart Cities Face?
Given the central role of cyber-physical systems in creating smart cities, many of the same cybersecurity issues that have been raised in the CPS context also confront the architects of smart cities. These issues may include the following:
- Numerous Points of Attack. Along with the promise of greater connectivity, the dense web of interconnected sensors and devices that define a smart city will bring the peril of having countless points of entry for an attacker seeking to compromise systems. If every traffic light, power meter, and garbage can is connected, smart city architects will need to take precautions to make sure the breach of one device does not compromise larger citywide systems.
- Exploitation of City Data by Attackers. In addition to presenting would-be attackers with more points of entry, a smarter city also may provide malicious actors with valuable intelligence about potential targets for criminal activity. For instance, if a malicious actor gains access to a comprehensive system of citywide surveillance cameras, they could potentially track and evade law enforcement.
- Physical Consequences for Cyberattacks. Cyberattacks may have physical consequences if smart cities rely on collected data to make automatic adjustments to real-world conditions. For instance, the manipulation of traffic data relied on by traffic lights could lead to car accidents.
- Cloud Security. Given that smart cities will involve the collection and storage of large amounts of data from many geographically disparate sources, it is likely that many cities will rely on cloud services to store that data. If a city fails to ensure that its cloud environment adheres to adequate security standards, it could potentially suffer a data breach that compromises large amounts of sensitive information.
- Vulnerabilities in the Constant Collection and Transfer of Data. The many sensors and devices that make up a smart city will create a near constant flow of data. To compensate, smart city architects will need to take precautions to ensure that the means of transmitting this information are as secure as every other part of the system.
- Security Systems on Resource-Constrained Devices. Smart cities will need to place large numbers of sensors and devices in order to ensure accurate collection of data. These devices may have limited computing power due to cost and size constraints. As a result, security systems for these devices will need to be lightweight in terms of storage space, memory use, processor use, network connectivity, and electrical power consumption.
- Security Maintenance for a Diverse Range of Devices. The diverse types of data that smart cities may be interested in collecting will likely require the use of sensors and devices from several different vendors. Given the closely interconnected nature of smart city devices, it will be important for smart city network engineers to continually update the security settings for a diverse range of devices in order to ensure that a security flaw in one device does not compromise other parts of the system.
- Balanced and Streamlined Regulations. As they begin to develop regulatory frameworks to deal with the cybersecurity challenges facing smart cities, localities should take a balanced approach that promotes both security and innovation. Although cybersecurity threats are real, regulators must avoid stifling the development of beneficial new technologies with overly restrictive rules. To the extent they can, regulators from different localities should seek to collaborate in the development of common regulations so that innovators face a more consistent regulatory environment.
After meeting to discuss feedback from the workshop, NIST and CSRA intend to write a white paper on smart cities and cybersecurity.
In addition to this workshop, NIST is also working to promote the development of smart cities and CPS through programs such as the Global City Teams Challenge (GCTC). The GCTC program brings together companies, universities, and other organizations to develop networked technologies and demonstrate their ability to create business opportunities and provide socio-economic benefits. Currently, over forty teams are working on projects related to key sectors such as energy, transportation, and public safety.
Special thanks to Ryan Woo, a summer associate in our Washington, D.C. office, for his assistance in preparing this entry.