Modern public lighting, with its mix of street lamps and sensors, incorporates technologies to connect its services. For this reason, smart cities are focused on streamlining their operational efficiency while improving the experience of their users, all amid a general background of cost-cutting. This is the third paper in a series of articles on cybersecurity issues in smart and connected cities.
Behind this modernisation of practices in the urban environment lies the same problem as with other elements of the smart city: the more connected a city is, the more it is exposed to cyberattacks. What are the associated cyber risks? What cybersecurity strategy should be adopted to deal with these new challenges? This article provides answers to these questions.
Increasingly connected public lighting
Within the connected city, the need to ensure the cybersecurity of infrastructures that manage energy, water and urban mobility seems obvious. However, public lighting must also be monitored, supervised and protected – because every device in the connected city is able to return data. Street lamps, sensors and other devices are becoming an entire part of the Internet of Things (IoT) that powers this connected city. As a direct consequence, the public lighting network is a significant energy consumer in the city. In an era in which energy conservation is the watchword, public lighting in France gobbles up no less than two billion euros’ worth of local authority budgets, according to a report from 2021. While on the one hand the aim of the smart city is to reduce operating costs, it is also required to improve the safety of residents. The issue at stake: continuity of service in local authorities.
In the wider sense of public lighting, replacing the existing fleet can address not only cybersecurity but also ecological and economic issues. “When luminaires and lighting control points are networked in a centralised architecture, the lighting system becomes programmable and capable of generating data,” explains an article from a specialist French site. “This data can be applied to strategies such as optimising space usage, tracking inventory and providing location-based services. These strategies can in turn have tangible effects on cost reduction, process efficiency, branding strategy and occupant satisfaction.” When lamps are equipped with sensors, public lighting becomes “smart”: it is able to detect the presence or absence of people, enabling it to adjust brightness levels, and to inspect equipment in order to report failures or schedule advance maintenance operations.
However, such hyperconnectivity expands the smart city’s attack surface. And in addition to being sensitive, its entire infrastructure can become vulnerable.
Public lighting: vulnerable to cyberattacks
The proliferation of such connected devices in urban environments brings its share of constraints and cyber-threats. This complexity is explained by the diversity of equipment used as sensors (temperature, moisture, movement), GPS beacons, sensors and actuators that are installed on fixed or moving components. This complexity is compounded by the remote accessibility of these devices, primarily for maintenance, involving various actors (owners, delegates and subcontractors) with differing cybersecurity skills and interests, etc.
Regarding public lighting, the attack surface is precisely equivalent to the entire installed network: the centralised architecture is vulnerable, as is the data passing through it. While data related to lighting activity or intensity might seem to be of little interest to cybercriminals, access-related data is far more enticing. Having first gained access to connected objects, cybercriminals can then move laterally to other internal networks of smart cities. In this IT environment, traditional threats such as spyware, computer worms and ransomware pose genuine risks to control and supervision environments. Cyberattacks, such as sniffing attacks, aim to obtain this access information by intercepting data flows between luminaires, lighting control points, and the remote management system. Lastly, the vast number of network points also makes it particularly attractive for cybercriminals to launch DDoS (distributed denial of service) attacks. In this respect, a parallel can be drawn with smart surveillance cameras in urban environments. In 2021, cybersecurity experts discovered that the Mirai-based Moobot botnet was targeting a flaw in equipment belonging to the Chinese company Hikvision, a major player in the global surveillance camera market. This flaw could be used by cybercriminals to launch DDoS attacks.
In addition to immediate service disruption issues, the costs associated with remediating affected systems and securing against future attacks can be substantial.
What’s the right cybersecurity philosophy for public lighting?
By adopting an end-to-end cybersecurity philosophy, these urban environments can implement risk mitigation strategies. This requires reconstructing the architecture of the connected city, taking account of the various layers of industrial networks, all the way down to smart public lighting on the streets. To this end, the concept of defence in depth underpins urban cybersecurity: it is an approach that aims to secure each subsystem, as opposed to focusing solely on perimeter security.
This involves implementing network segmentation, flow control, communication channel encryption, and multi-factor authentication for accessing critical systems as priority considerations. Additionally, continuous software updates for smart equipment prevent security breaches and effectively respond to the ever-evolving cyber threats – though this is often easier said than done. Precautions such as regularly backing up collected data and implementing a robust risk management policy, including strong procedures for handling security incidents, also form part of this philosophy. The aim is to create a secure environment within which information can flow freely. This is the key requirement for operating a smart service: the ability to distribute confidential, authenticated, integral, and reliable information within the network.
Smart cities therefore face a twofold challenge in terms of public lighting and the urban environment: exploiting the advantages of new technologies while securing their infrastructures against cyberattacks. The adoption of coherent and effective cybersecurity strategies, supported by in-depth knowledge of the solutions used, is crucial for the success of smart cities.