September 18, 2017 – Smart Cities Cyber Crisis Management

Cybersecurity of Smart Cities is a controversial topic today. Researchers and professionals are debating the viability and sustainability of a large, complex environment that relies heavily on digital infrastructure, especially from a cybersecurity perspective (1). Smart cities continuously deploy and update information and communication technology (ICT) to enhance the quality of life for citizens. The cities are typically evolved ‘connected cities’ that deploy large-scale data exchange across extensive domains. An integral part of smart cities is their intelligent systems: systems offering highly sophisticated tools and functions, enabling advanced services at high efficiency. The smart water meter technology deployed in Barcelona saves about $58 million each year (1). Smart sensors are being used in a smart city in South Korea to control electricity and water usage, cutting operational costs by about 30%. According to a hypothetical study from 2015 (2), 93 million people can be affected in case of a power blackout caused by sophisticated cyber-attacks on 15 US states, which can also result in economic losses of up to one trillion dollars. Although not all cyber breaches a smart city can experience are devastating or involve systems compromise and disclosure of sensitive information, it might just be a matter of time before worst-case scenarios escalate and take place. The threat of cyber-attacks is inevitable, especially if a city is not well-prepared.

  1. https://hbr.org/2017/04/smart-cities-are-going-to-be-a-security-nightmare
  2. https://www.lloyds.com/~/media/files/news-and-insight/risk-insight/2015/business-blackout/business-blackout20150708.pdf

Unlike current cities with independent operators and multiple stand-alone systems, smart cities will be characterized by more centralized systems (virtually centralized, not physically, e.g. in the cloud), automated tasks, integration of information, and correlation (data analytics). The consequences of inadequately protected data, infrastructure and applications are therefore considerably larger, as they are used to process, transmit and store critical information. Cybersecurity involves the measures put in place to detect, safeguard against and respond to cyber threats that can affect the operations of organizations, and hence of smart cities at large. Furthermore, while solution manufacturers and vendors touch on cybersecurity when defining smart cities, most definitions don’t prioritize it despite its essence in offering a sustainable city environment. In a previously published document (1) we identified the top smart city assets and processes that should be protected and guaranteed to the citizens. When it comes to life safety issues, mistakes should not be allowed.

  1. https://securingsmartcities.org/wp-content/uploads/2017/09/SSC-15-things-v1.3.pdf

The intensifying automation in smart cities can be attributed to many assets and services being influenced by data exchange. With critical services increasingly becoming interconnected, there is a need to protect infrastructure and service availability, citizens’ privacy, data transfers, safety, and health by prioritizing cybersecurity in smart cities. However, there is a lack of maturity around the policies and regulations in place to govern how information and information assets (the basis of a smart city) should be handled and operated. This indicates that smart city stakeholders such as citizens, policymakers, solution providers, municipalities, manufacturers and technology vendors, among others, are forced to adapt to the smart city requirements with varying specifications and capabilities.

Few ICT (Information and Communication Technology) infrastructure operators have in place, and efficiently apply, policies to protect critical assets that can meet the needs of the smart city and face threats on the numerous connected systems. Furthermore, smart cities may have a limited budget that will preferably be invested in new functions and capabilities rather than in the cybersecurity of the current infrastructure. Nevertheless, ICT operators deploy a wide range of cybersecurity controls that vary from one operator to another because of the different protocols in use, architectural needs, compatibility, good practices, standards or policies for governance. Things then move towards the unknown when facing advanced cyber-attacks that cause complications for the availability, confidentiality or integrity of the municipal network and services.

Assuming that cyber crises are one-time events caused by technical problems and requiring single solutions can be the beginning of peril for smart cities. Cyber crises call for high preparedness with sound cyber crisis management that encompasses a response life cycle running from monitoring through reaction, response, resolution, and recovery. A smart city cyber crisis management plan stipulates the actions and processes to be carried out in the event of an attack to safeguard the smart city and its services. On the other hand, a cyber crisis response plan involves measures put in place to offer protection from routine activities such as distributed denial-of-service attacks and malware infections on a daily basis. It is important to note that not all cyber incidents in the smart city would be considered cyber crises; the smart city needs to accurately and legally define the circumstances by which a cyber crisis is detected and then how the related response process is activated and followed.

By definition, a cybersecurity crisis can be described as a breach, compromise or disruption of an organization’s critical data and/or systems. How both the organization and the law define a cyber crisis and classify critical data and systems is also important. The goal is to state, for example, what types of data you have access to and which systems are critical, such that if either were breached, compromised or disrupted, it would present a crisis or potential crisis to the organization, its clients, or the urban environment…

Motive of this paper:

The motive of this paper is to give smart cities a guideline or foundation from which a viable cyber crisis management policy can be developed. Numerous cities already have established crisis management and handling centers; the problem is that challenges are no longer limited to natural or operational causes. Even though smart cities will differ based on various aspects such as maturity levels, priorities, geographical size and demographical characteristics, ideological, geopolitical or even financial motives could be behind new types of cyber threats to the cities’ stability, and these threats are expected to often target city-wide applications, data, and technology. Without a converged strategy and transformed operations and handling of crises, cities will not be able to face modern types of threats, and the consequences could be severe. This paper focuses on the definition of a smart city cyber crisis and the need for significant cyber crisis management planning in smart cities. The paper then covers the smart city cyber crisis management measures that are needed before, during, and after a disastrous attack.

To obtain a full copy of the report please visit:

https://securingsmartcities.org/wp-content/uploads/2017/09/SSC-SCCCM.pdf