
The Trouble with Smart City Security Assessments

FEATURE / 08.29.18 / Pete Herzog

So, you’re running a city, and are in the process of making it smarter. You invest in new tech to broadcast warnings to all mobile phones in the area, you get free public WiFi at key points in the city to drive people to hang there longer, you have street lamps that adjust with sunlight and tell you when they’re broken to save you money as well as keeping streets safer, and you outfit all public buildings with centrally managed smart thermostats to better control heating and cooling costs.

Maybe now you’re even ready to take the next steps with police and emergency communication systems, as well as e-voting for local directives. Things are looking good for your city, and they will continue to look good if you’ve made it a Secure Smart City.

Cybersecurity vs. the Smart City

Cybersecurity is the foundation that all the smart stuff in your Smart City needs to grow upon. It’s not something you buy and put in front of all these things to make them safe, because you’d need one for each of the thousands of devices that make up the Smart City network.

Security needs to be part of everything, or else just one criminal on the other side of the planet will be joy-riding your traffic light system and, at a minimum, causing pure chaos. Or just one raccoon could chew through the line going to your smart thermostat system and your courthouse could double as a sauna.

The problem is assessing that security. Cities have very different requirements than corporations and many security professionals are not prepared to test the kinds of devices and the kinds of networks that smart cities create. Even if they can test them in the technical sense, what may fail a corporate security test may be acceptable in a Smart City and vice-versa.

For example, in a corporate financial network, it is acceptable to log individual computer traffic for incident response later. In a public Smart City network, the public’s right to anonymity and their right to be forgotten, or at least not logged in an identifying manner without their consent, means that the assessor has to rate certain indemnification controls as a security flaw.

Another place security professionals struggle is in the scope. Corporations are centrally controlled, and that central authority makes the final decisions on the scope. In a Smart City, it’s more political. The security analyst can only include the scope of the department making the assessment and treat all other departments, even those on the same network, like they would vendors - look but don’t touch.

In some Smart City set-ups, you can find some crazy scope issues because they are often more political than logical. So, you can have hundreds of apps made by dozens of departments all accessing many of the same databases, yet each requires a separate registration and operates on separate cloud-based servers at different cloud vendors.

Cybersecurity - an Industry of Specialists

Another problem is vendors. Most cities do not manage their own IT infrastructure. If they do, it’s way understaffed and they serve the bare minimum out of their own infrastructures just to keep running. So, you’ll find exponentially more vendors serving cities than you will in corporations.

In addition, many of their products are built on one another, and yet few have any control or even any communication with the operations of the other vendors. To clearly understand the complexity of the issue, consider how in a company security test, the best way to enumerate services is through network scanning. In a Smart City, the best way is through the office of the comptroller to get a list of all the vendors they’re paying for in each department.

Because technology has grown so diversely, cybersecurity has become an industry of specialists. You have application security analysts, network security analysts, IoT security analysts, SCADA security analysts, database security analysts, etc. In a corporate assessment, you may assemble a team that has two or three of these specialists depending on the industry. In a Smart City security assessment, you may need to assemble them all. Even for smaller cities.

The good news, though, is that the cybersecurity problem of Smart Cities is so deep and dangerous that bringing them any security whatsoever is an immediate improvement. So, don’t get discouraged or bogged down by the insane complexities. Think of it like digging a gold mine - you don’t have to dig out all the tunnels right away, just stick to the gold vein and you’ll get the important stuff.


About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.