With a sprawling sensor network to be deployed soon, scads of systems and 1.3 million residents depending on service, San Diego is bracing for the next wave of cybersecurity threats.
San Diego’s Chief Information Security Officer Gary Hayslip said he is preparing the city with techniques that reduce risk through a combination of advanced analytics, department partnerships and exploration of emerging technologies to secure the city’s Internet of Things. The effort is an attempt to reinforce the city’s defense strategy while shielding San Diego from the half million attacks that are volleyed against their networks each day.
In an interview with StateScoop, Hayslip drew on his experience as a Navy Command information security officer and shared three core lessons for cities securing the digital front.
Progress through partnerships
While bureaucracy may have its faults, government also provides a clear structure and chain of command. Hayslip said this was one of the major differences between his work in the federal government and a metropolis where departments can work independently and require partnerships to move projects along.
“What I realized when I got here from the Defense Department [in 2013] was that the city is really a $4 billion business with 1.3 million customers and many departments,” Hayslip said. “This made me really flip the way I looked at security, because it requires a different approach. Here I don’t have one network — I’ve got 24 networks, 40 departments and they don’t have to listen to me if they don’t want to.”
To build a sustainable cyber strategy, Hayslip said that partnerships and communication are essential. Recalling his first six months, he noted a lineup of one-on-one meetings, department visits and inventory assessments to learn offices priorities and how he could collaborate. The outreach was also about education, explaining why security mattered and how it could directly aid staff.
“Whether they were doing trash collecting, whether they were in the police department, development services, dealing with permits for new business, or what have you, I really needed to understand what technology was important to them, what data was important to them, what data they created and who had access to it,” he said.
The end result has been new partnerships and relationships that have empowered San Diego’s cybersecurity teams to innovate with startups and share the same vision for a cybersecurity roadmap that protects citizen data.
Understanding data lowers risk and saves money
San Diego estimates it has more than five petabytes of data, some of which contain highly sensitive information like credit card numbers and healthcare records and others that can be less important or completely outdated and unneeded. Hayslip said having an awareness of data, its age, its use and its connection to different systems has become a critical component of the city’s security stance.
“When I look at cybersecurity, I look at it down to the data layer because I have large system of networks with 11,000 personnel on desktops and 4,000-plus vendors working with the city,” Hayslip said. “This means you’re going to have breaches and issues on the network and to address those challenges you have to be able to understand your data, how it’s used, where it’s at, who’s accessing it, how it’s backed up and how old it is.”
Working with the security company Varonis, Hayslip said the city has been able to gain a clearer picture of its operations and how its databases are performing. An audit with the platform revealed scores of “stale” data that weren’t being used by anyone. Out of its five petabytes of data, Hayslip estimated the city will be able to reduce the footprint by 30 percent, freeing server space and saving money along the way.
Don’t wait, secure the Internet of Things
In February, San Diego Mayor Kevin Faulconer announced one of the largest city IoT networks in the nation — 3,200 streetlight sensors to monitor air, traffic and pedestrian safety at intersections. With another 3,000 sensors scheduled to go up soon, Hayslip said IoT can’t be left unsecured.
Some cybersecurity experts and CISOs contend that IoT networks can be isolated from critical infrastructure communications networks in cities, a practice that allows innovators to test IoT devices and applications without fear of jeopardizing key city services. Hayslip said this is one of the biggest misconceptions about IoT. The new sensor networks are tomorrow’s critical infrastructure, and so Hayslip argued they should be secured with the same urgency as other systems.
“You’ve got to own IoT, because there really are no standalone networks anymore. You have to maintain them,” Hayslip said.
“As you bring in a lot more smart city infrastructure I worry about these things because what we’re building here is going to be providing services to my children when they’re adults. So, it’s about understanding that risk of what we’re building and what we’re tying to do with it.”
Though IoT is still an emerging technology, Hayslip said cities should be experimenting with different security measures as they develop, instead of waiting for a major incident to respond to.
“You don’t want to create this single point of failure,” Hayslip said. “You want to put things in place to be resilient.”