Smart Cities: If We Want Things to Stay the Same, Things Have to Change

By Adnan Baykal

When analyzing global, systemic cyber risk, one should look at smart cities, as they are the smallest IT ecosystem that mimics the global cyber security posture. They contain operations that are critical to the health and safety of their residents, as well as many other services that are designed to improve the “living experience.” Smart cities contain IT, OT and IIoT environments at different scales, which depend on each other to varying degrees while not being managed centrally. Politics is also a strong influence on the decision-making process, which significantly increases the complexity of the problem.

When taking the leap on implementing smart city initiatives, if we want to make sure these initiatives do not negatively alter our security posture, we have to change our approach to security. We must do the basics and do them extremely well.

Keep in mind that cyber security is not a technical problem anymore but an operational one. From the technical perspective, we know how to secure systems, we know how to harden them (look at CIS Benchmarks), we have the technology to identify and reduce the risks, yet we are not implementing these best practices. At GCA, this is exactly the problem we are trying to solve: enable organizations and people to easily implement what seem to be complex solutions that significantly improve their cyber security posture. Look at Quad9, for example. It takes less than 5 minutes to implement Quad9, and you are automatically being protected from threats identified by a significant portion of the industry without compromising your privacy.

Due to what is at stake, it is of extreme importance in smart city deployments to design and implement systems that do the basics of cyber security well. Look at the CIS Critical Controls and ask yourself these basic questions:

  • Do you have the ability to continuously maintain an updated inventory of your hardware and software? Remember, you can’t protect what you don’t know you have.
  • Can you patch/update the firmware of all your networked devices (traditional computers to small sensors and everything in between)? This is a bigger problem when you are dealing with I/IoT environments. We have millions of vulnerable sensors connected to the Internet that cannot be updated/patched.
  • Do you have a robust process in place to continuously monitor your networks and identify attempted and successful intrusions? Remember, traditional AV and HID approaches do not work on most of these sensor environments.
  • Do you have the ability to enforce strict policies on credentials (not only passwords but certificates and PKI infrastructure)?

Some of these challenges can be mitigated at the procurement phase by placing strict verbiage in the contracts and shifting some of this responsibility to the vendors. For example:

  • DO NOT SELL ME a device that has a default password.
  • DO NOT SELL ME a device that cannot be updated/patched remotely.
  • DO NOT SELL ME a device that will not be supported for security updates in 6 months.

When there is a demand, the market always delivers. This is where we must let the suppliers know that if they want our business, they need to deliver the fundamentals of security.

So, what is government’s role in all of this? One of the functions and responsibilities of government is to act as a provider of social welfare. Government must analyze and provide solutions to existing and emerging threats that can undermine the quality of life of its citizens. From this perspective, governments have an important responsibility to regulate this emerging market and reduce the systemic risks, so that citizens who don’t really understand the technology or its implications can be protected from those risks. Initiatives like the UK’s Secure by Design are an exemplary approach that must be replicated in other parts of the world to drive the market to produce solutions that address the basic but most important security concerns of I/IoT environments.

Other smart city challenges need operationalization of existing technical solutions, and this is where GCA excels. Quad9 is one of the best examples of what we can all achieve when we work together. Quad9 has a massive infrastructure footprint around the globe: it currently has resolver clusters in 129 locations in 76 countries. It has 19 different threat intelligence feeds, and it is completely free to anyone who wants to use it. Quad9 blocks upwards of 2 million threats per day, and it does all these great things while respecting the privacy of its users.

We are working on a number of different solutions, building coalitions, and talking to many different communities to enable smart cities and small to medium-sized businesses to implement basic cyber hygiene practices. Follow our smart city initiatives – great things are coming. If you want to get involved, join the alliance – be part of the solution.

The author, Adnan Baykal, is the Global Technical Advisor at the Global Cyber Alliance. You can follow him on Twitter @adnan_baykal81.