ITEM: You would think that cyber security investment would be a no-brainer for smart city initiatives, but a forecast of cyber security spending for critical infrastructure over the next five years indicates smart city projects are cutting corners, which could leave smart cities wide open to IoT-related cyber attacks.
A report from ABI Research projects that of the $135 billion spent globally on cyber security in critical infrastructure in 2024, only 44% will come from smart city-related sectors such as Energy, Healthcare, Public Security, Transport and Water & Waste. That’s not nearly enough, given how vital cyber security will be to such projects.
The smart city vision has always been one where municipalities rely on advanced IoT technology to make almost everything in the city more efficient, from energy usage to parking, traffic congestion, waste management, supply chain logistics, government services, healthcare, emergency response and building automation. Actually putting that together is a complex undertaking, not least because smart city infrastructure won’t be just one network but an extremely complex interdependent network of devices, systems, platforms, and users.
As any security expert will tell you, complexity is the enemy of cyber security – the more complex the network, the more potential vulnerabilities can go unnoticed and be exploited – and it often only takes one vulnerability to stage an attack.
Moreover, the list of possible attacks is a long one, explains Dimitrios Pavlakis, Industry Analyst at ABI Research.
“Smart cities are increasingly under attack by a variety of threats. These include sophisticated cyberattacks on critical infrastructure, bringing industrial control systems (ICS) to a grinding halt, abusing low-power wide area networks (LPWAN) and device communication hijacking, system lockdown threats caused by ransomware, manipulation of sensor data to cause widespread panic (e.g., disaster detection systems) and siphoning citizen, healthcare, consumer data, and personally identifiable information (PII), among many others,” says Pavlakis. “In this increasingly connected technological landscape, every smart city service is as secure as its weakest link.”
Pavlakis expressed particular concern over the fact that of the roughly 1.3 billion wide-area network smart city connections ABI is projecting by 2024, almost half will be LPWA connections such as LoRa and NB-IoT, which he says won’t by themselves provide the level of security necessary for complex, interconnected smart-city ecosystems.
Simply put, there are just too many things that can go wrong, and the frequency and sophistication of cyber attacks will continue to grow, he says.
“Lack of cryptographic measures, poor encryption key management, non-existent secure device onboarding services, weaponized machine learning technologies by cyber-attackers, poor understanding of social engineering, and lack of protection versus Distributed Denial of Service (DDoS) attacks are just some of the key issues contributing to the amplification of cyber-threats in smart city ecosystems,” Pavlakis says. “This is further exacerbated by the lack of digital security investments and will, unfortunately, jeopardize the key elements of intelligence, efficiency, and sustainability of future smart city deployments.”
Lack of cyber security readiness isn’t limited to smart cities – the ABI report is the latest of a string of research reports from analyst firms and vendors warning that many organizations are not keeping up with the growing cyber security threat landscape.
Earlier this week, Sophos issued a cyber security report covering companies in Asia Pacific and Japan, in which two thirds of respondents cited lack of security expertise and recruitment of skills as major struggles. Meanwhile, 85% said the biggest challenge to their security in the next 24 months will be improving cyber security awareness and education among employees and leadership.
A cyber security research report released by SolarWinds last month found that 97% of technology professionals in Hong Kong and Singapore “feel ill-equipped to own and manage their cyber security tasks”, with 36% saying budget constraints were “the most significant barrier to maintaining or improving their current IT security.”
Meanwhile, EY’s 2019 Global Information Security Survey found “77% of organizations are still operating with only limited cyber security and resilience, while 87% of organizations warn they do not yet have sufficient budget to provide the levels of cyber security and resilience they want.”
In other words, if enterprises are struggling to invest in sufficient cyber security to protect their business and their customers, why would smart cities be any different?