The city of tomorrow promises to make it easier to do business online, to make traffic flow more smoothly and to optimise energy consumption. But every new digital service is also an additional opportunity for a cyber-criminal to take control or siphon off the data collected. So what exactly are the cyber risks and protective solutions for the Smart City?
By offering more and increasingly digitalised services, smart cities are becoming more connected... but also more exposed to cyber risks. The news offers many examples of local authorities falling victim to ransomware, with the threat of seeing some or all of their services paralysed. More than ever before, cybersecurity is a priority issue for local authorities, and even more so for connected cities.
Local authorities targeted by cyber attacks
Frankfurt in Germany, New York in the United States, La Rochelle and Angers in France, and more recently Liege in Belgium... in recent months, the roll call of cities hit by a cyber attack has begun to resemble an endless list. Since the high-profile precedent of the city of Baltimore in the United States falling victim to a ransomware attack in 2019 that is believed to have cost it 18 million dollars, the phenomenon has been gaining momentum. As a result, any local authority can now find its activities slowed down, blocked or altered.
In 2019, more than 1,200 French local authorities were victims of cyber attacks. A figure that increased by 72% in 2020 according to the Cybermalveillance.gouv.fr platform's 2020 activity report. “Local authorities have data that is very valuable to hackers, such as public records office data”, explains Jérôme Notin, director general of Cybermalveillance.gouv.fr, in an interview with the Journal du net. “A person's date and place of birth and address can be used to make false documents, or to gain access to other victims' online accounts, which may be secured by secret questions asking for such information”. Last year, this prompted the ANSSI (French National Agency for the Security of Information Systems) to publish a guide (in French) to make companies and local authorities aware of the problem. But the threat is still with us, and smart cities represent a new opportunity for hackers.
Connected cities, vulnerable cities?
“Smart City” is a generic term that covers different fields and different stakeholders. It expresses the ambition of addressing the major challenges of tomorrow's cities (energy transition, fast-developing demographics, resource management, health, etc.) by relying on new technologies, as described in detail by Jocelyn Zindy, Cybersecurity Sales Director, and Grégory Coustou, Chief Technology Officer at Eiffage Energie Systèmes. “At a physical level, sensors are used in the Smart City to optimise waste collection, detect floods, and manage parking spaces or vehicle charging stations. Surveillance cameras are another valuable ally in this urban environment. Historically used for video surveillance, their list of uses has increased to take in license plate reading, human behaviour analysis, hazard analysis, detection of isolated objects, dynamic road allocation management or as a source of information for autonomous shuttles. And on the other hand, at a digital level, new Edge computing architectures allow all the data to be processed as close as possible to where it is generated and to use artificial intelligence technologies such as machine learning. This represents a gain in the scaling of centralised infrastructures and also in maintenance terms. Finally, IT platforms allow for centralised management of these interconnected systems and assist road workers in maintenance operations”.
These connected cities are therefore a convergence point for different information systems from a wide variety of stakeholders, with different technological bricks (5G, IoT, Edge, AI), different equipment (street furniture, traffic lights, public lighting, sensors, etc.) and different interfaces (mobile applications, data exchanges between IT systems, such as the citizen's journey) that considerably broaden the attack surface of a Smart City. To put it another way, the Smart City accumulates heterogeneities.
The heterogeneity of equipment
The Smart City must rely on its existing range of equipment. This means dealing with installations from different generations, and with different technologies, which complicates the implementation of an overall security policy. “It’s necessary to adapt both the technical measures, and therefore the security solutions to be implemented, and the organisational measures, according to the context, the information system, the generation of equipment and the technological bricks used”, explains Khobeib Ben Boubaker, Head of the Industrial Security Business Line at Stormshield.
Facilities are often at risk because they are located in the city, in full view of everyone, and therefore more easily accessible, including traffic lights, water, gas and electricity networks, etc. “When you’re in a traditional office information system, you know that the server room is in such and such a place, that it is secured by badge-based access and that it can’t be accessed” continues Khobeib Ben Boubaker. In Smart City environments, equipment can be accessed quite easily. There is therefore a strong issue to be addressed concerning accessibility to equipment and security”.
The heterogeneity of objectives
The Smart City includes independent information systems that must interconnect with one another. This is where things get complicated when it comes to cybersecurity. “You have to introduce an overall security policy and then adapt it to each of the IT systems” emphasises Khobeib Ben Boubaker.
Additionally, the Smart City involves several network perimeters: IT and OT. However, the challenges they face are not the same. “For IT, the main issue is data protection. And for OT, it's all about ensuring that the service is continuously available. The priorities are not the same, so the rules will be different in terms of the security to be implemented”, argues Khobeib Ben Boubaker. “This requires an overall approach to governance, adapted to each subsystem”. A central aspect of the cybersecurity issues in the industrial world.
The heterogeneity of the stakeholders involved
On the subject of mobility alone, for example, there is a mix of traditional players, soft mobility operators (scooters or bicycles), software or cloud solution publishers and government services. It’s difficult to agree on an overall approach under these conditions.
“In a Smart City, cybersecurity cannot be applied in the same way everywhere. It’s necessary to understand how the system works and what’s at stake to determine what is critical and what is not. To do this, you need to be able to work with both the business and cybersecurity people”, warns Khobeib Ben Boubaker.
The heterogeneity of reference systems
This wide variety of stakeholders leads to a wealth of different reference systems. “What we’re seeing from project to project is that there’s no harmony: one time this communication topology or this technology will be used, while another time, it will be another” notes Khobeib Ben Boubaker. “Sometimes it’s well documented and the right level of security can be provided. Other times it’s not standardised. And so the first task of the Smart City should be to harmonise the reference systems”.
It’s therefore in the cities' interest to be vigilant... and to read the fine print! “An analysis of the contractual clauses in current and future contracts is a priority”, notes the Cybersecurity Guide published by the AMF in November 2020. “In service or subcontracting contracts, it’s imperative to identify what the gaps or weaknesses in digital security might be. It’s not uncommon to find that contractual clauses run counter to the security objectives of the local authority, or that there are simply no clauses that guarantee good security (time to return to normal, backup/restore, reversibility, etc.)”.
If the city uses delegated management, it’s better to define the conditions for managing the information system in general (and personal data in particular) in the specifications.
The heterogeneity of standards
In terms of compliance, the Smart City must incorporate various standards and regulations both at European and national level, with the GDPR for personal data and the NIS directive for certain aspects linked to OES’ (operators of essential services), or the military programming law in France for operators of vital importance (OVIs) on subjects such as energy, water, waste management, health and transport, etc.
As for the question of responsibility, this is shared. Delegating the management of a particular area of activity does not imply a transfer of responsibility. “The delegator and the delegatee are jointly responsible for safety in general. It is strongly recommended that the agreement should contain explicit and express clauses setting out the division of responsibilities and obligations between the two partners” explains the AMF.
This is especially true since the connected services in cities may involve sensitive aspects, such as energy networks (electricity, gas, water) or hospitals. In all cases, the city must ensure that it draws up templates for contractual clauses to be included in its future contracts, drawing on legal and technical expertise.
Incorporating safety into the design of Smart Cities
As cities become smarter and more interconnected, they are more exposed to cyber threats, with very real consequences for citizens. “If security is not incorporated from the design stage, there can be real tragedies with physical consequences”, points out Jérôme Notin, also in the Journal du Net. For example, if red lights are blocked or connected light bulbs in the city are used to conduct denial of service (DDoS) attacks and bring down other networks. We have no known cases of this type in France at the moment. The manufacturers of these systems also bear some responsibility, as to release their products quickly they do not always integrate the security-by-design principle”. With new technologies, the Smart City faces new vulnerabilities. “Data management is now a strategic point in the Smart City, as was network management 10 years ago”, stresses Grégory Coustou.
Cybersecurity must be on board from the outset and live throughout the project, to put an end to the "add-on" approach where layers of cybersecurity are added to plug gaps after the fact
Khobeib Ben Boubaker, Head of the Industrial Security Business Line at Stormshield
The cybersecurity of a Smart City must therefore anticipate its development over time. There is only one method for this: take cybersecurity into account at all stages of a Smart City project, from the brainstorming phase onwards. “When the project gets underway, you have to take into account the evolution of the IT system and consider the challenges and uses of tomorrow. Cybersecurity must be on board from the outset and live throughout the project, to put an end to the 'add-on' approach where layers of cybersecurity are added to plug gaps after the fact”, adds Khobeib Ben Boubaker. Cybersecurity is an area requiring vigilance at all levels and starts with the sensors”, continues Jocelyn Zindy. The choice of equipment is therefore essential, since security affects each piece of communicating equipment, the network and system infrastructure, the operating centres (client workstations, mobiles, tablets, etc.) and also the users (habits, awareness, etc.).
The Smart City needs tailor-made cybersecurity
Some initiatives are leading the way. In France, the Saint-Quentin-en-Yvelines urban community is experimenting with a cybersecurity solution for its public lighting, through the Paclido research project, which aims to improve the security of connected objects. The idea is both to "physically" protect the installations and to secure the exchange of data. “With Paclido, an artificial intelligence solution can detect cyber attacks. It has learned how the lighting normally functions and knows how to recognise an anomaly”, explains Guillaume Séraphine, the project’s coordinator, in Smart City Mag. Cryptography adds a layer of security by encrypting the data. It’s important to secure our Internet of Things, because tomorrow, if it’s connected to our IT system, it must not represent a security flaw”.
Cybersecurity for the Smart City is a long-term issue, with a constantly changing perimeter. These connected cities therefore need a special approach, which consists of:
- Installing different levels of security: data encryption, firewall, authentication, access rights management, etc.
- Putting in place sovereign solutions, adapted to sovereign regulations, because they involve public state solutions, to also guarantee the technological autonomy that is being implemented,
- Having overall cyber governance, with the implementation of an SOC in the city that will administer the security events of the various IT systems and identify whether there are any spillovers between these systems,
- Segmenting systems, as all information systems are interconnected, it is vital to partition them to avoid transferring corruption from one system to another. “Sometimes the point of entry is not the target system, and the proliferation of connected objects opens up even more entry points to access a system and critical data”, warns Khobeib Ben Boubaker.
- Mapping the equipment and the IT system. “You cannot secure an IT system that you do not know. You must have a clear vision of what needs to be secured and what equipment will be added”, insists Khobeib Ben Boubaker.
- Ensuring interoperability between solutions to increase the level of security.
- Ensuring that the city's contracts contain contractual cybersecurity clauses detailing the distribution of responsibilities and obligations between the partners.
The potential benefits of the Smart City are numerous, both in terms of quality of life and respect for the environment. These benefits cannot be achieved without effective cybersecurity.