The Challenges of Securing Smart CitiesMiddle Eastern, Asian Leaders Align with Security Frameworks
Countries from the Eastern world, including Malaysia, Jordan, Qatar, Dubai and India, have embarked on the latest high-tech trend of building "smart cities."
Most experts consider smart cities to be an urban transformation, using the latest information and communications technology to make communities more efficient with world-class infrastructure, 24-hour power supply, complete Wi-Fi, green technology and the latest water conservation and waste management techniques.
But there's a huge security component, too. A smart city must provide innovative, resilient, solutions leveraging digital information, while protecting against malware, unintentional damage and natural disasters.
So, how do nations and their security leaders ensure the move to smart cities that are protected from cyber-attacks with a model that future-proofs networks and infrastructure?
This debate was sparked off at the GISEC conference in Dubai recently, during the session "Smart City to Secure City." Experts debated security challenges and the effective ways to secure these new communities against growing attacks, as well as how to future-proof networks.
'The Internet of Evil Things'
The smart city project blueprint will leverage the Internet of Things for connected education, healthcare, smart buildings, transport, smart parking, smart buildings and more. This is where the security challenge begins."'Internet of evil things' is CISOs' next nightmare," says Bassam AlMaharmeh, CISO, ministry of defence of Jordan, referring to a report from Pawin Express that says 83 percent of companies have printers in their default configuration, with default passwords, and unencrypted Wi-Fi. If this is the state inside major corporations, what will be the threat landscape within smart cities, where there is even less security governance?
And then there are targeted attacks. Symantec's Internet Security Threat Report says 22 percent of attacks aim at governments and energy/utilities companies; 24 percent of identity breaches target governments and healthcare.
While the challenges across all countries at a broader level are similar, there have been specific challenges owing to the local processes or regulations.
For instance, Dr. Amiruddin Wahab, chief executive officer, Cybersecurity Malaysia, Ministry of Science, Technology and Innovation observes: "Top business risks this year will be business interruption, supply chain, natural catastrophes and legislation changes; above all, cybercrime, IT failures, espionage and data breaches."
Col. Khalid Nasser Alrazooqi, director general, general department of smart services, Dubai Police, believes the key responsibility within the smart city concept is maintaining intellectual property and sensitive data integrity.
"Smart city projects draw several obstacles related to security, online payment fears and BYOD challenges, which require effective back-end procedural alterations," he says.
Alrazooqi says certain changes must be brought in re-engineering stages and levels of procedures, availing customer requirements electronically and integrate with the national ID to shorten verification procedures.
Gartner also says smart cities must factor in how deeply the city infrastructure and service lifecycles are impacted by their Internet of Things endpoint deployments. CIOs and CTOs must plan for security and functionality upgrades and bandwidth requirements.
Security becomes even more relevant, says Bassam Almaharmeh: "In 2050, 70 to 75 percent of the world will live in cities. We have about 16 billion connected devices to the Internet; this will be 50 billion by 2020, generating a lot of raw data. So, data will be the gold of this era; it's important to secure it."
How to Secure Cities
Says Ashraf Ali Ismael, CS information assurance-section head, ICT Qatar, ministry of Science, Technology and Innovation: "CISOs should understand whether we're ready for governance and have the capability to develop a national risk framework."
A governance framework allows organizations to see the big picture and risk in the interdependence of each system, Ismael adds.
Wahab suggests incorporating security from the design stage, while working out policies, procedures, risk framework and structure to make people accountable. He recommends a holistic approach, with key indicators to secure smart cities:
- Taking cognizance of legal regulation and compliance frameworks;
- Getting clued into technical aspects incorporating standards and certifications;
- Adhering to organization policies, roadmap for governance and national benchmarking;
- Capacity building - developing standards, manpower; developing professional certification and agency certification;
- Cooperation between intra-state, intra-agency, public-private partnerships and international players.
Alrazooqi suggest ways for securing data by leveraging open data policies to categorize information as public/private. "Have Wi-Fi and sensors across the city, connect government sectors with Wi-Fi," he sagugests. "With more than 205 nationalities in Dubai and a 67 percent increase in new types of malware on smart phones, protection is essential."
He recommends using next-generation cybersecurity technologies and tools, besides focusing on:
- Using deep packet inspection and application recognition and application payload inspection technologies;
- Utilizing smartphone applications to create secure neighbourhood environments with services like "We are all police;"
- Enhancing smartphone application security by targeting the source code review analysis;
- Using Next-gen logging and SIEM technologies to identify Middle East region-specific targeted attacks and DDoS attacks;
- Enhancing static data security;
- Adopting next-gen media monitoring focusing on social media and video sharing;
- Bench testing IT infrastructure with white hat penetration testing services.
"Setting up a national standards forensics framework environment and all-source intelligence analysis to study the exploitation of biometrics-enabled intelligence is essential," he says.
Experts have chalked out a plan of action that will help address the security challenges and protect infrastructure against attacks.
Wahab intends to strengthen Malaysia's cybersecurity policy and make it secure, resilient and self-reliant, and employ it in the smart city development process. He recommends a few thrust areas - effective governance; legislative and regulatory framework; cybersecurity technology framework; a culture of security and capacity building; R&D toward self-reliance; compliance and enforcement; cybersecurity emergency readiness; and international cooperation.
"Infused with a culture of security, the policy will promote stability, social well-being and wealth creation," Wahab says.
A few aspects to be considered are:
- Partnering with security vendors and police forces to form a collective security intelligence and incident research group;
- Enhancing cybercrime laws in combating rogue elements prowling on social media and video sharing sites;
- Prioritizing openness and innovation at the national level for security program development and technology advancements.
"Identifying the key stakeholders within the organization who can be part of the smart city development project and imparting training in security is critical," says Qatar ICT's Ismael.