16 October 2019
'Smart cities' need to devise a robust cybersecurity strategy to protect critical infrastructure, says Fortinet's Alvin Rodrigues. Photos: Reuters, Alvin Rodrigues
'Smart cities' need to devise a robust cybersecurity strategy to protect critical infrastructure, says Fortinet's Alvin Rodrigues. Photos: Reuters, Alvin Rodrigues

Security challenges in smart-city development: An expert view

In her policy address in October, Hong Kong Chief Executive Carrie Lam Cheng Yuet-ngor pledged new initiatives to spur innovation and technology development. Among the various proposals, she announced an HK$700 million investment in several projects to help transform Hong Kong into a ‘smart city’.

Smart cities can increase productivity and efficiencies for citizens, but they can pose a serious problem if the data security issue is underestimated.

To understand the challenges and the tasks lying before authorities in relation to smart-city development, EJ Insight sought the views of Alvin Rodrigues, Chief Security Strategist, Asia Pacific at Fortinet, the US-based cybersecurity solutions provider.

Excerpts from an email interview:

Q: In a hyper-connected smart city, what can be done to prevent hackers from seizing control of critical infrastructure?

A: Hong Kong is talking about data sharing and driving greater analytics of this data to deliver high levels of efficiency, automation and optimization of processes and lifestyle services to bolster the quality of life in the territory, and to drive sustainable and progressive economic growth, while attracting a continuous flow of talent.

Like so many other governments driving smart city projects, one of the most important activities that need to take place to prevent hackers from taking over critical infrastructure systems and disrupting crucial city services is to obtain clarity of the many valuable workflows, and identify the critical digital and non-digital assets supporting these workflows.

With this visibility, it becomes easier to map the probable types of attacks on the digital and non-digital assets. With this knowledge, plus an understanding of the possible vulnerabilities within the workflow or critical infrastructures, governments can work with cybersecurity professionals to identify appropriate technologies to deploy within this environment to detect and prevent possible hacking or takeover of the city’s critical infrastructures.

However, one cannot just stop at detection and prevention. It is also key to establish a clear mitigation and recovery strategy which makes every discovered infiltration or breach more difficult, expensive and painful for hackers. This might persuade them to cease their onslaught and take their battles elsewhere.

Q: Millions, or even billions of Internet of Things (IoT) connected devices will be used in smart cities. How can authorities prevent breach in these entry points that could trigger a massive hacking event?

A: Many early versions of IoT devices have connectivity cobbled onto them, with little or no consideration towards incorporating security as part of its design. This is due to at least one of the following reasons – increased cost of production, lack of supporting design specifications, or a compromise to the physical aesthetics.

In order to devise a strategy to secure these devices, we must first understand the smart city’s workflow and the potential vulnerabilities as outlined in Q1, to determine a feasible cybersecurity deployment strategy.

We should also do an audit to determine the hackability of these devices.

At the same time, we need to take into consideration the criticality of each IoT device to the overall value it is delivering against its intent. If it is very important, then we need to protect or replace the device.

Q: In case of hacking, what should be done to avoid real-time systems from being disrupted?

A: Everything begins with preparation. In the words of Benjamin Franklin, if you fail to prepare, then you are preparing to fail.

As highlighted earlier, the pertinent steps to take are – establishing clarity and visibility of all digital and non-digital assets, supporting your critical workflows, identifying possible vulnerabilities within these workflows or environment and ensuring that appropriate security measures are deployed, and then constantly testing to ensure that your cybersecurity continues to remain robust and scalable to changes in your service delivery.

It is important to maintain continuous monitoring against any abnormalities in the environment.

This will help you to detect and prevent incursions from taking place. In the event of a successful breach, you must also have the ability to swiftly execute your mitigation response strategy to contain the threat and minimize service disruption.

Smart city infrastructure

Q: Several cities have adopted smart technologies, would you name some best practices that Hong Kong could learn from?

A: In terms of security best practices, here are a few suggestions that city planners and administrators can think about:

 End-user training for all users, combined with enhanced physical security for all resources is important. People and devices are the weakest links in any security strategy. Public campaigns encouraging security awareness about such things as phishing and similar attacks are a primary first step.

 End-point protection on all servers is the next important step. And that includes keeping servers patched and backed up.

 Many ransomware attacks originate via email. Email security on email servers and clients is a next important step. Ideally, this solution should automatically block phishing emails and malware attachments.

 Segmentation of network traffic – with strong user, device, application and protocol controls is key to network security. This would avoid any secondary and tertiary damage even if the ransomware is active despite the email security.

 Data loss prevention systems need to be put in place to prevent the loss of data at rest, in motion, and in-use. This step can help ensure that unauthorized data loss does not take place in order to avoid future misuse or liability.

 Bidirectional DDoS (distributed denial-of-service) attack mitigation is needed to take care of both inbound and outbound DDoS attacks for the Internet facing properties of smart cities.

The time to act, building in stronger security measures and protecting smart infrastructure (and the people who depend on it) is now.

Q: What do you think would be the major challenges for the smart city initiatives to be carried out in Hong Kong?

A: Hong Kong stood up and opened the data sharing concept for data correlation to improve the efficiency of its overall transportation system; and to continuously monitor its water distribution network to maintain cost effectiveness and optimize drainage system maintenance, etc.

One of the biggest challenges faced by smart cities is not in cyber security but is in the normalization and optimization of data aggregation for analysis to produce a single actionable dashboard. Once this is in place, then the challenge is to implement a robust cybersecurity strategy to protect this infrastructure, with the end goal of preserving the integrity of its data and information, preventing it from being locked up, stolen, corrupted or deleted.

When governments expand the scope and include every city service, they will be faced with a massive mountain of complex workflows and systems, as well as environments that might not interface well with each other. The challenge here is to harmonize and integrate legacy technologies with new technologies, to continue delivery of city services with as little downtime as possible, and with new value adds.

Q: Do you think the government has paid enough attention and investment on security as the city builds the smart city infrastructure?

A: Building a smart city is a constant revolution.

It usually starts with a pilot, before moving to a project, then running several projects, then aggregating these projects, and so on. It means that the security strategy, services and solutions put in place together with the mitigation and response plans needs to be robust and scalable. They must grow with the city as it evolves.

Rome was not built in a day. And this applies to smart cities. It will not be built overnight. It’s a journey, for every city, to start small, with cybersecurity as part of its design and evolution.

Q: From Wannacry to Petya, the private sector seems vulnerable to cyberattacks via ransomware. Is it the same when it comes to smart city infrastructure? What is the difference?

A: The difference is in the outcome of the cyberattack.

The consumer is driving digital transformation across the different industries, public and private. The rate of adoption of digital transformation varies from industry to industry. Some industries are savvier on cybersecurity compared to others.

Recently, cyber hackers shifted their focus from banks to healthcare because of the longer shelf life and value of healthcare data versus financial data. In addition, the healthcare industry is not as focused on cybersecurity compared to the financial sector, making them an easier target.

As mentioned earlier, if you have a robust security strategy in place with a comprehensive and effective mitigation and response plan, you will be able to make every attack attempt a painful, expensive and difficult exercise for the hacker, making it difficult to a point where he will take his attack somewhere else. Healthcare organizations are starting to realize this.

– Contact us at [email protected]


EJ Insight writer