Most of us are familiar with the concept of Smart Cities, and their potential. But are smart cities automatically resilient? We caught up with Giampiero Nanni of Symantec to understand what’s driving concerns about resilience, and why he has authored a report to draw attention to remedies.
Resilience by design
Over 50% of the world’s population now live in cities. With this increasing population we see increasing demands. Many cities have turned to ‘smart’ solutions: those that rely on ICT as a key enabler, and where systems profit from the interconnectedness that ICT allows. It is crucial that those designing systems for cities build in cyber-resilience, and resistance to other disruptions, including natural disasters, as standard.
Resilience is defined by Collins Dictionary as the ability of an ecosystem to return to its previous state after disturbance. Cyber-resilience has been defined by the World Economic Forum as “the ability of systems and organisations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery”. In other words, how long can a system resist attack, and once it falls, how long does it take to recover?
As cities grow ever bigger, and the technology that runs them becomes more integrated and complex, the concept of cyber-resilience becomes more important, not least because the interconnected systems across smart cities can encompass a wide range of functions. These range from energy supply (from switching street lights on and off to supplying the energy that keeps businesses running), through intelligent transport systems such as traffic light controls and peak flow systems, to healthcare. Public safety and security are also crucial, including CCTV systems and communication between law and order institutions. Other systems, less obviously public but no less vital to those who live there, include wireless networks and free wi-fi. The systems encompass both city functions and the Internet of Things.
Building security as standard
According to Symantec’s 2013 Internet Security Threat Report, 22% of all targeted cyber attacks are aimed at governments and energy and utility companies, and 24% are aimed at governments and healthcare institutions. Security needs to be built in from the ground up, especially as systems are more and more interconnected. As Symantec puts it, hyper-connectivity + hyper complexity + hyper information volumes = hyper-vulnerability. Big Data, kept insecurely, could equal Big Problems.
In order to build security as standard, a sensible starting point is to identify the most crucial systems and defend them from attack. Whether it’s the Internet of Things, or the cloud platform on which healthcare systems are managed, there will be certain areas that are more important, and therefore more intrinsically interesting to those wanting to cause disruption. Those are the ones to make secure as a priority. And of course it goes without saying that any new systems should have security designed in from the start, for example by using data encryption systems.
Governments are in many cases taking a lead in this area. For example, the European Union has a project called CRISALIS (CRitical Infrastructure Security AnaLysIS). It aims to provide new ways to protect crucial infrastructure from attack, develop new detection tools, and new ways to analyse intrusions.
Start with a framework
Giampiero outlines practical steps to get started, or to review the adequacy of current arrangements. Establish a governance framework. Get the right people around the table. Make sure that everyone knows their responsibilities for monitoring and preventing attacks. In procurement, prioritise those suppliers who can explain how they will guarantee continuity in the event of a cyber attack. Take proactive measures to defend systems, such as strong authentication systems as standard. Draw on qualified resources to understand the nature of the threat. Outsource security if necessary, to those who understand it best, to make sure your systems are in capable hands. And always make sure you have a back-up for essential infrastructure in the event of a successful attack, so that your systems can be back up and running quickly.
These messages may not be totally new, but it is good to see them brought together to help remind cities of the need for security.