Smart Cities Need Smart IoT Security

More cities in the United States and around the world are adopting Internet of Things (IoT) devices as part of their public infrastructure. These smart cities use connected devices for traffic management, for services such as surveillance cameras, parking meters, and waste collection, and even for streamlining city elections.

All these new IoT sensors and devices have data flowing back to central terminals for use in making city services more efficient and transparent. Unfortunately, more cities adopting new connected devices leads to a bigger attack surface, which can increase security risks in public spaces. For this reason, smart cities need to have smart IoT security in place. 

Examples touch on every aspect of urban life. A traffic light on a busy street might communicate with sensors to decide whether to shorten or lengthen its cycle. Public transit assets need to be tracked in real-time. Surveillance cameras need a central hub for human- and machine-processing of video feeds.

Smart Cities Worldwide Make Heavy Use of IoT

The promise of smart cities around the world is tightly interwoven with the spread of IoT devices. The Spanish city of Barcelona is one of the top smart cities in the world today. Barcelona has implemented IoT sensors throughout many aspects of city life, including through the Sentilo project that captures real-time information on noise levels, temperature, air quality, and traffic flow among other data. 

Barcelona also uses City OS, an open data infrastructure that enables more efficient distribution of municipal resources, as well as “superblocks” to create mini neighborhoods with less traffic congestion, better air quality, and more leisure and green spaces. Barcelona implemented an electric city bike system in 2019, and the metropolitan tram system celebrated its 15th anniversary the same year. 

In the United States, New York City implemented a pilot program in 2020 that deployed hundreds of smart sensors throughout the city. The program collects data more efficiently and manages services like waste management and collection. New York has also introduced smart hubs with contactless technology and WiFi capabilities. They’ve also installed online charging stations in place of phone booths. 

More IoT devices monitoring traffic flow and environmental issues are clearly a good thing in the urban environment. However, not every aspect of IoT usage in the public sphere is necessarily positive, nor does every deployment necessarily take into account all the possible security risks.

IoT Security Risks in Smart Cities 

There are a few dimensions of security risks facing cities looking to deploy connected infrastructure or those looking to expand their current usage of IoT in the public sphere. To start with, there can be privacy concerns with regard to IoT security cameras. Democratic governments around the world have restrictions on how CCTV cameras can be used, which places important privacy guardrails in place. 

There are also the physical security risks of connected equipment. Sensors deployed throughout a city to monitor the environment risk being damaged either intentionally or accidentally. Any time there’s a distributed piece of technology, there’s the possibility of it being stolen or damaged. If you’re putting a sensor in a public park to monitor air quality, there needs to be some sort of physical defense to ensure it’s not removed. Devices are often forgotten, leading to a sprawling inventory of sensors.

Similarly, IoT devices need to be secured from digital threats. Cities that want to share their data with the public need to be sure that they don’t expose devices to cybercriminals or nation-state attackers who want to cause chaos. Defending connected devices against nation-state groups and against malicious threats seeking to deliver ransomware to municipal servers is a critical need in the modern age, especially as critical infrastructure remains under attack.

IoT devices themselves are often easy targets for criminals. They commonly have poor security measures, such as weak default passwords, and often aren’t easy to update with new firmware if they can even accept updates in the first place. It’s also normal for IoT devices to not encrypt traffic flowing to and from the device; unencrypted traffic is easy to spot on the open internet and track back to its source. Threat actors have taken notice of the weakness in municipal services and critical infrastructure, and are already targeting these organizations. 

How to Defend Smart Cities with Smarter IoT Security 

Defending smart cities requires smart IoT security throughout the interconnected architectures created as part of digitizing city services. Cybersecurity and IT teams in cities of all sizes should examine the NIST Smart Cities and Communities Framework (SCCF) to start with. The NIST SCCF is a good framework that provides cities and communities with technical guidelines for planning, developing, and implementing smart solutions.

Beyond understanding best practices from NIST, cities should engage their private sector partners in a joint effort to secure their IoT infrastructure. Effectively securing smart cities requires this sort of public/private alignment that takes the shape of: 

  1. Information sharing across physical and cyber threats and communications. Danger comes from nation-state groups, criminals, natural disasters, and garden-variety negligence. 
  2. Tying together operational management activities to prevent, mitigate, respond to, and recover from incidents. Integration and alignment among digital and physical first responders is key. Building incident response protocols across the public sector and private sector can streamline emergency response immensely.
  3. Purchasing technologies that facilitate both physical security and cybersecurity. This could be specialized fencing, sensors, biometrics, surveillance technology, and data analytics. 

A more remote risk could also come from weapons of mass destruction. In response, the Department of Homeland Security (DHS) created the Securing the Cities (STC) program to “reduce the risk of a successful deployment of radiological or nuclear weapons against major metropolitan areas in the United States. Through STC, DHS provides radiological and nuclear detection equipment, training, exercise support, and operational and technical subject matter expertise through cooperative agreement grants.” 

Smarter IoT security also involves ensuring the security basics are followed, such as access management for devices and connecting devices in such a way that they are not easily discoverable via network scanning. If the IoT devices are discoverable from the Internet, accessing those devices should be harder than looking up an easily found default password on the Internet.

How Asimily Helps Secure Smart Cities 

Asimily’s platform is designed to streamline IoT security. As cities adopt more smart technologies and IoT devices, locking down traffic and being able to determine traffic sources or any unusual connections can be very powerful. If cybersecurity teams notice that a water sensor is transmitting data somewhere it shouldn’t be, for example, that’s vital information to track a potential breach. 
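The water-sensor scenario above can be expressed as an egress baseline check. This is an added example, not Asimily's code or product logic; the device classes, networks, ports and flow records are constructed assumptions.

```python
import ipaddress

# Constructed baseline: device class -> allowed (destination network, port) pairs.
# Classes, networks and ports are assumptions for illustration only.
BASELINE = {
    "water-sensor": [("10.20.0.0/24", 8883)],   # MQTT over TLS to the city broker
    "traffic-cam": [("10.30.5.10/32", 443)],    # HTTPS to the video hub
}

# Constructed flow records: device_id,device_class,dst_ip,dst_port
SAMPLE_FLOWS = """\
ws-0017,water-sensor,10.20.0.15,8883
ws-0017,water-sensor,203.0.113.77,443
tc-0102,traffic-cam,10.30.5.10,443
tc-0102,traffic-cam,10.30.5.10,23
ws-0042,water-sensor,10.20.0.15,1883
pm-0003,parking-meter,10.40.1.9,443
"""

def violation(dev_class, dst, port, baseline=BASELINE):
    """Return None when the flow matches the baseline, else a reason string."""
    rules = baseline.get(dev_class)
    if rules is None:
        return "no baseline for device class"
    # Ports permitted on whichever baseline networks contain this destination.
    in_net = [p for net, p in rules if dst in ipaddress.ip_network(net)]
    if not in_net:
        return "destination outside baseline"
    if port not in in_net:
        return "port not in baseline"
    return None

def find_violations(flow_text, baseline=BASELINE):
    """Parse CSV flow lines and return (device, dst, port, reason) per violation."""
    findings = []
    for line in flow_text.strip().splitlines():
        device, dev_class, dst, port = line.split(",")
        reason = violation(dev_class, ipaddress.ip_address(dst), int(port), baseline)
        if reason:
            findings.append((device, dst, int(port), reason))
    return findings

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

A device class with no baseline is reported rather than silently passed, which also surfaces forgotten or uninventoried devices.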

Cities can use Asimily’s risk simulation to assess options for mitigating the risk from a given vulnerability on a device. Simulating a fix before doing it can help you determine criticality and whether the weakness is even of interest to attackers before doing the work. That’s critical information when you’re deciding how to improve your security posture. For instance, you may find that certain devices or access controls are inadequate.

Asimily provides holistic context into a city’s IoT environment when calculating likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities.

Asimily customers efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations are as easy to execute as possible, from shutting down an unnecessary service to network enforcement solutions.

Cities looking to implement smart technology to improve their citizens’ lives and make municipal operations more efficient need a solution like Asimily in place to address IoT security risks. Only through deploying smart security can cities truly fulfill the promise of becoming a smart city. To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
