IoT cybersecurity falls short, say city IT leaders
When dealing with smart city cybersecurity, a new report shows most city staff feel unprepared and unsure of how to handle the growing wave of smart devices and Internet of Things technologies.
Nonprofit CompTIA released its report earlier this month after surveying government officials. In cybersecurity, researchers found only 9 percent of IT leaders felt they were well-equipped to handle the new technologies, despite reporting cybersecurity as their second-highest priority, just beneath replacing outdated IT infrastructure. Researchers said this suggests that cities require greater cybersecurity training, more outside partnerships and more compelling ways to convince leaders to invest in protection.
“While there have been improvements to security defenses and the ways organizations manage cyber threats through policies and employee training, the cybersecurity arms race continues to tilt in favor of the aggressors,” researchers say in the report.
Still in its infancy, smart city technology will likely require improved cybersecurity, the report says. The observation stems from a look at the emerging IoT market and a network of devices that connect with autonomous vehicles, drones and devices that regulate utilities and other critical infrastructure.
As an example of potential dangers from an unsecured IoT, the study spotlights the Ukrainian electric grid hack in 2015 that cut power to nearly a quarter-million people.
“The consequences now potentially involve the physical world in the form of crashes, outages, or mass disruption,” the report notes.
When ranking their cybersecurity fears for smart city tech, 68 percent of CompTIA’s respondents said critical infrastructure hacks represented a worst-case scenario. Attacks on citizen data wasn’t far behind, at 58 percent, and this was followed by fears that a breach could stir public backlashes, at 51 percent; a fear that ransomware might take systems hostage, at 50 percent; and that smart city cybersecurity costs may become unsustainable, at 48 percent.
The report recommended cities adopt guidelines from the National Institute of Science and Technology (NIST), collaborate with vendors, train staff and try to quantify for their organizations the value of strong cybersecurity.
Foggy definitions
Tony Batalla, IT Manager for San Leandro, California, said his city is using and applying various strategies to protect its smart city infrastructure, yet sees the work as a long-term pursuit that must adapt with the emerging IoT market. Mid-sized San Leandro has invested in IoT projects that consist of a fiber loop to spread gigabit internet through the city and a smart streetlight project that could eventually be used to broadcast free public Wi-Fi to residents or support a network of new smart devices and sensors. Currently the system runs on closed system, but Batalla said IoT cybersecurity is always a concern considering the evolving theat landscape.
“There aren’t clear standards and when that’s the case it’s hard for you to know really ascertain what the proper security is going to be like,” Batalla said.
Yet he said the absence of a defined structure for smart city cybersecurity shouldn’t be taken as an excuse for cities to sit on their hands while the industry develops. To the contrary, Batalla said the ambiguity should prompt cities to act and reach out to the industry as they develop their products.
“That means that as city leaders, or city tech leaders, we need to try to influence those manufacturers as much as we can,” he said. “We are still in this nascent period and we can have a lot of influence on what those technologies will eventually be by prototyping them, staying in the loop, trying to get our hands on the technology itself and working with the manufacturers.”
Batalla said a proper cybersecurity strategy shouldn’t just be about buying hardware, something that vendors often pitch as an easy bolt-on solution. Cities need to look past the advertising hype, he said, and focus on cybersecurity services and solutions that can scan an entire city operation, find holes and recommend what activities should be started or stopped.
“I think a lot of the tech vendors right now tend to focus on hardware and I’m not interested in cutting big checks for hardware devices,” Batalla said. “I’m more interested in the kind of assessment and analysis that says, ‘Here’s your whole IT landscape, here’s all the holes you have and here are the ones that are top priorities to fix.’”
To make dollars go further and refine best practices, Batalla added that it makes sense for neighboring cities to collaborate with each other on smart city cybersecurity. This can be done by forming regional task forces or security councils, or through launching joint procurements across several cities, Batalla said.
“The cities that are part of that cooperative bid can then pick and choose the parts of it that they want,” he said. “That’s another smart way for cities to tackle this together because we all have to face this challenge.”
