This insight is dedicated to providing additional visibility to ABI Research’s Smart City Cybersecurity report (AN-2583) and serves as a guideline for the current and future concerns for smart city development projects. While smart city players, technology enablers, industrial organizations, and governments all have quite different outlooks, objectives, and viewpoints, depending on their future investment scenarios regarding smart cities, they all share a few intriguing commonalities. Key questions will be investigated below to provide valuable insights for potential implementers who are focusing on cybersecurity applications.
Smart City Technology Concerns
“What is the top problem with cybersecurity in smart cities?” This simple yet powerful question perfectly encapsulates two major misconceptions regarding cybersecurity in smart cities. First, it attempts to boil down all challenges into one single vector, and second, it treats smart cities as one entity as opposed to a multitude of verticals connected by various platforms or even platforms within other platforms. Many believe that encryption (and some even mention quantum encryption) will be the solution; others focus on system and cloud security, and still others believe that hardware security is the real problem. The answer lies buried among these hit-and-miss viewpoints as well as a plethora of other factors that are examined further below.
“Can’t quantum encryption solve smart city problems?” Encryption (which depends highly on embedded hardware and processing power) is indeed lacking considerably across the board in the Internet of Things (IoT). According to multiple research interviews during the past year, many IoT and security players estimate that the encrypted portion of IoT lies in the 3%–8% range. Quantum encryption is currently being used by governments worldwide for the protection of sensitive information, but there are no plans to use it for smart city security as of yet due to the high cost and the lack of the required infrastructure and processing power. For smart city devices that run on Low-Power Wide-Area (LPWA) networks, there are other steps, such as network security, communication security, and data security, that should be tackled before quantum encryption. Note that installed bases for Wide-Area Network (WAN) connections in smart cities are expected to enjoy an almost twofold increase, rising from 696 million connected devices at the end of 2019 to 1.3 billion by 2024.
“Should hardware security be a top priority?” Embedded hardware security is usually an issue for devices with higher specifications and computing power, which justify the additional cost required to implement a Trusted Execution Environment (TEE) or a Trusted Platform Module (TPM). However, for the bedrock of smart city connected nodes with lower specs, such a measure would be highly impractical. Currently, implementers are advised at the very least to include a secure Integrated Circuit (IC) chip on smaller footprint devices (if applicable), to invest in secure gateways that can deal with the brunt of incoming communication hijacking attempts, and to address connectivity concerns and communication protection. The bottom line is that, if the sensor itself costs less than US$2, it is not cost-effective to include a US$1 security chip. Next-generation gateways, however, are expected to address a significant number of the security issues currently facing different verticals such as critical infrastructure, government, enterprise, industrial and manufacturing markets.
“What is a key security issue that many governments overlook?” Developing proper regulatory and standardization frameworks and addressing security in legacy protocols are tough challenges that hold back many security considerations, and they are something that many governments and smart city players are overlooking. Even when addressed alone, many smart city verticals are severely lacking in proper security standards, and many are built on frameworks that were developed when cybersecurity was not an issue on the agenda or was not as dangerous as it is now. Two examples of insecure and easy-to-intercept protocols are the Modbus protocol used in industrial applications and the Distributed Network Protocol (DNP3) used in connected utilities.
Securing Online Platforms and Future Investment
“Can’t we just invest in secure online platforms and cloud computing services? That is where everything connects to everything else, right?” Smart cities do not consist only of smart meters or connected environmental sensors; they are a highly complex, interdependent network of devices, systems, platforms, and users. They span a multitude of industries, from smart retail, smart utilities, e-government, telemedicine, and intelligent transportation to law enforcement and surveillance, emergency services, critical infrastructure, and industrial control systems—and each has its own set of submarkets. Thus, the development of secure platforms capable of handling such a rich, diverse, and volatile digital ecosystem should be a top priority. However, “cloud and online platform protection” is a rather simplistic battle plan for the task at hand. The real answer is more elaborate. ABI Research advises implementers to also keep in mind other key technologies, such as secure device onboarding, identity management, device visibility controls and behavioral pattern analytics, middleware allowing cross-vertical value, and multiplatforms capable of merging security intelligence across different submarkets.
“Will security concerns affect future investment rounds for development projects?” Smart city threat vectors are increasing at an alarming rate, with new attacks originating in every single vertical. Connected surveillance cameras are hacked and turned into zombie botnets ready to be leveraged to launch Distributed Denial of Service (DDoS) attacks; fake Wireless Access Points (WAPs) can infect citizen and employee personal connected devices; device identity management systems and crypto-processes are lagging behind, allowing for easy interception; secure onboarding for connected devices is almost nonexistent; automotive and transportation systems are under attack remotely; authentication systems are subject to “replay attacks”; governments and industrial players are under attack by sophisticated forms of ransomware; and according to some sources, some nation-states have been behind cyberattacks targeting systems in critical infrastructure.
State of the Market: An Overview
This is a rather bleak overview of the current state of cybersecurity in smart cities, but despite this turbulence, smart city investment is not expected to slow down. Rather, the prevailing hypothesis is that certain market applications will undergo restructuring, thus slowly but steadily transforming future smart city projects. This transformation is expected to follow a very different evolutionary path in different regions worldwide. For example, in the area of public safety and law enforcement, North America and Europe are rethinking certain aspects of public security, border control, biometric surveillance, and citizen privacy concerns with further regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), while Asia-Pacific (APAC) and the Middle East are fervently increasing biometric behavioral analytics and surveillance in every facet of society.
APAC is also more heavily invested in the development of smart cities, with literally hundreds of new development projects on the horizon due to higher urbanization demands. These development projects are built on region-specific communication protocols and standards and are led by governmental mandates and supported by enterprises (e.g., Huawei) and alliances (e.g., the Association of Southeast Asian Nations, or ASEAN). On the other hand, in Western nations much of the innovation is led by tech companies (e.g., Microsoft and IBM) that are focusing on innovative use cases that depend on city-specific needs rather than massive smart city applications. Smart city investment rounds are not expected to slow down; however, many of the dangers outlined above still remain out of the spotlight, even among high-ranking government officials. Research interviews with smart city organizations reveal that politics also plays a big role in the development of security infrastructure, as public servants need to justify tax increases for measures (e.g., city cybersecurity) that are not as tangible as other projects (e.g., transportation, infrastructure, environmental).