Introduction
Smart cities utilize information and communication technologies (ICT) to enhance the efficiency and sustainability of city operations and services. This includes infrastructure like smart grids, intelligent transportation systems, and the Internet of Things (IoT). However, increased connectivity also creates new cybersecurity risks and vulnerabilities. In this article, I will provide an in-depth look at the major security issues facing smart cities and critical infrastructure.
Increased Attack Surface
The sheer number of connected devices and systems in a smart city vastly increases the potential attack surface. There are now many more entry points and targets for hackers to exploit. For example, a smart city may have thousands of sensors, cameras, and endpoints connected to its networks. Each IoT device is a potential vulnerability if not properly secured and updated. It only takes one unpatched device to allow attackers access to the broader system.
This increased attack surface also stems from the convergence of IT and operational technology (OT) networks in smart infrastructure. Historically, OT systems were air-gapped from external networks. Now IT and OT environments are increasingly connected together, often without proper segmentation and security controls. This allows cyber risks to directly impact physical operations.
“The massive scope of smart city infrastructure means there are countless potential vulnerabilities that could be exploited by malicious actors.”
Weak Security Standards
Many smart city systems and IoT devices have weak cybersecurity standards and practices. Manufacturers tend to prioritize usability and features over security. Products are often rushed to market with flaws like hard-coded passwords, unencrypted data transfer, and lack of firmware updates.
For example, one audit of smart city technologies found:
- 63% used unencrypted networks
- 70% contained vulnerabilities in their firmware
- 80% collected privacy-sensitive data but with minimal protection
These weak security standards stem from a lack of regulation. There are currently no cybersecurity baseline requirements for most smart city and IoT vendors. This needs to change through updated policies, standards, and procurement requirements.
Increased Physical Threats
Cyber attacks on smart infrastructure can pose direct physical risks. Hackers could exploit vulnerabilities to take control of city operations systems like:
- Traffic control systems
- Energy grids
- Water treatment facilities
This could lead to traffic accidents, power outages, contaminated water, and other threats to public health and safety. Unlike data breaches, these physical impacts can directly harm citizens.
“The convergence of digital and physical systems creates cyber-physical risks that could endanger human lives.”
Vulnerabilities in Third-Party Vendors
Smart cities rely heavily on third-party vendors for many services like networks, cloud platforms, and application software. The cybersecurity of these vendors is outside the city’s direct control. If any contain unpatched flaws, they become a backdoor into the city’s systems and data.
For example, vulnerabilities in SolarWinds software led to the compromise of thousands of public and private sector organizations in 2020. Supply chain cyber risks must be closely evaluated.
Difficulty Updating and Patching
Updating and patching vulnerabilities across an entire smart city is an enormous challenge. Critical infrastructure systems often remain in use for decades without updates. Many legacy systems run outdated operating systems without vendor support. Upgrading can require taking entire systems offline which is often infeasible. As a result, known flaws remain unpatched for years, leaving cities exposed.
Lack of Visibility and Tool Integration
The highly complex nature of smart city networks makes it difficult to get full visibility across all systems. There is also often a lack of integration between cybersecurity tools and platforms. This fragmentation hinders cities’ ability to detect, analyze, and respond to threats in a unified manner.
Recommendations for Improvement
There are steps cities can take to enhance the cybersecurity of their infrastructure:
Establish a Unified Cybersecurity Strategy
- Appoint a Chief Information Security Officer
- Create policies and frameworks tailored to smart city risks
- Align leadership across departments on security
Strengthen Identity and Access Management
- Implement multi-factor authentication across all users and admins
- Establish role-based access controls and least privilege permissions
Assess and Segment Networks
- Classify data flows between IT and OT environments
- Deploy virtual patching to protect legacy systems
- Air-gap systems that do not require internet connectivity
Mandate Security Standards in Procurement
- Require vendors to meet minimum security criteria
- Perform due diligence on third parties’ cyber practices
Develop Detailed Incident Response Plans
- Define procedures for detecting, analyzing, containing threats
- Establish communication plans and decision authority for emergency response
Conclusion
While smart cities improve efficiency and sustainability, the associated cyber risks cannot be ignored. Cities must make cybersecurity a top priority and continue strengthening their defenses. A cyber attack on critical infrastructure would endanger citizens’ lives and undermine public trust. Proactive governance, policies, and standards are needed to secure smart city systems from the growing threat landscape. This will enable cities to realize the full benefits of smart infrastructure safely and securely.
