28 October 2016
Hong Kong is promoting a plan to transform Kowloon East district into a 'smart city'. Photo: HK Govt
Hong Kong is promoting a plan to transform Kowloon East district into a 'smart city'. Photo: HK Govt

Cyber-security challenges in a smart city

Hong Kong is abuzz with “Smart City” excitement. As the government prepares to push related initiatives, which will come alongside growth in Internet-connected devices, it needs to sharpen focus on security.

In response to an increasingly urbanized world and a more mobile lifestyle, and a desire to enhance the efficiency in available resources – be it economic or environmental – authorities are trying to leverage technology to transform Hong Kong into a so-called smart city.

Committed to the growth of wireless and cross-platform technologies, cloud computing, Internet of Things (IoT), and big data, the city’s financial secretary announced in his 2016 budget that over HK$10 billion will be earmarked to promote smart production and research.

As we think about Hong Kong evolving as a smart city we also need to think about the security challenges this poses and how to solve them.

Why all the interest?

Now, the idea of “things” being connected to one another is not necessarily new.

In hotels, for example, the elevators, thermostats, and lights have been centrally managed for years on private networks.

But what is different about the new era of Smart Cities is that the government wants IoT always on, always connected, and always open.

And it is important that devices interact with a large base of people in order to learn and optimize, and generate meaningful results and convenience to the end-user community. The ecosystem needs to be truly ‘smart’.

However, the sheer volume of connected devices in circulation creates challenges in data privacy, data protection, safety and governance — issues that need to be addressed early.

Unique security challenges to address in Smart Cities

The scale of IoT devices, and their inconsistent adaptation, has made Hong Kong a haven for attackers seeking to enter a network.

At present, there are no common standards guiding Hong Kong’s technology migration and data exchanges. This leads IPT operators, municipalities and policy makers, as well as manufacturers, solution providers and vendors, to adopt specific solutions with low scalability and disparate requirements.

At the same time, critical infrastructure will evolve at different rates, because of factors such as resource availability, user preference, or scale and accessibility. Local ‘blind spots’ may exist in areas where older equipment remains dominant but lacks the same ability as newer equipment to report operational status, problems, or efficiency opportunities.

Such inconsistent adaptation poses challenges to developing consistent security policies for Hong Kong.

What can be done to protect a Smart City?

Early warning and detection of breaches are the key to being in a state of readiness. Using forensic data analytics to profile devices is an effective method of identifying vulnerabilities and understanding their impact.

This is much more than ticking off boxes on a spec sheet – CISOs, CSOs and security professionals are demanding a fully integrated, multi-vendor approach for security management. Consequently, today’s management platforms have to deliver a number of critical features including authentication and authorization services.

The platform must also be agile and sophisticated enough to embrace new levels of enforcement mechanisms for security in a mobile world.

To be effective, today’s security platforms must embrace authentication and enforcement models for wired networking; public wireless connectivity; and users who tunnel in via IP-based virtual private networks (VPNs).

Policy management platforms must support end-device profiling that identifies device types and respective attributes that connect to networks.

To be able to identify the type of traffic coming, a profiler has a huge database of the characteristics of each device. Just like people have fingerprints, devices are assigned fingerprints. Security vendors can track them and identify what type of device it is in order to create exceptions for each device.

Conversely, if you plug a new device into a network, the security system can flag that there is no fingerprint for this device and immediately block it and make sure the device doesn’t get bandwidth.


The Internet of Things will bring many great new advances, including whole new ways of thinking about and interacting with our world. However, with those opportunities come many challenges in the world of information security, and we will need to continue to research and develop new approaches to ensuring our safety, security, and privacy.

– Contact us at [email protected]


Director and General Manager, Hong Kong and Macau, Aruba, a Hewett-Packard Enterprise Company

EJI Weekly Newsletter