Taking a stroll down Main Street of a smart city makes Disney’s Tomorrowland feel like Yesterdayland. Today, cities are being transformed into IoT hubs, with ubiquitous connectivity, powerful but invisible sensors, and the ability to send and exchange enormous quantities of data over wireless networks. As a result, the connected city has vastly improved infrastructure, providing more efficient municipal services, fewer traffic jams, better public transportation, greater energy conservation and even improved air quality.
With no intentional effort, smart city residents themselves have become touchpoints in this buzzing swarm of connectivity. Citizens use municipal Wi-Fi to keep smartphones connected. Connected cars communicate with smart traffic lights and road signs to optimize traffic in real time. Smart meters track energy and water use and send alerts to consumers enabling immediate action to improve efficiency, such as remotely turning down the heat. Intelligent first response solutions ensure help is on the way the moment an incident occurs. NFC technology enables cashless payment systems for government services, public transportation, and even car and bicycle sharing. We even can consult noise maps for real-time advice on where to find peace and quiet in today’s crowded urban environments.
Connected cities clearly offer residents unprecedented benefits, and underlying this comfort and convenience is a profound improvement in efficiency that municipalities need in the years ahead. Today, a little over half the world’s population lives in cities, and by 2050 two-thirds are expected to live in urban areas. This rapid population growth puts a strain on city resources. It is estimated that by 2020, we will spend $400 billion to create a global network of smart, connected cities to accommodate this influx and mitigate the associated issues. In smart cities already, water, lighting and waste systems undergo constant monitoring, as does the structural integrity, usage and energy consumption of public buildings. All of this information is collected, analyzed and stored. Using this data, city planners make better-informed decisions that lead to enhanced economic development – and, ultimately, more satisfied citizens. On a larger scale, these enhanced efficiencies afford more people the opportunity to live — and thrive — in urban settings.
Securing IoT and the connected city
As exciting and promising as this is, when your connected city is under attack by unknown forces, the internet of things takes on a much darker hue. Digital security and privacy issues are a serious concern as the growing incidence of hacks and data breaches expose the vulnerabilities of our connected world. In the first half of 2015, there were more than 880 major breaches reported that compromised well over 245 million data records. That’s the equivalent of 16 lost or stolen data records every second, or 1.3 million every day.
Given the complexity and scale of smart cities, the issue of security is now paramount. The safety of millions if not billions of people is at stake, as malicious intent could result in massive blackouts, traffic and public transportation upsets, interrupted water supplies, and stolen services that could reduce government revenues and increase the tax burden for all. And make no mistake: there is no shortage of hackers who will exploit any weakness they discover. Driven by a wide range of motivations including fame, fortune and the simple joy of a challenge, hackers grow more sophisticated every day. To keep municipal systems safe and operable, citizens must trust that government representatives are utilizing the utmost in precautions. In an effort to reduce the risk of tampering or disruption of key infrastructure, forward-thinking government officials are designing these cities with critical security measures and protocols.
Fortunately, the same challenges currently facing the IoT have been seen before. IoT developers can learn from industries such as banking, healthcare and government and approach connectivity with the intelligence of IT system integrators who defend against attacks on all fronts and continuously update security architecture as new threats emerge.
Security by design is essential
It’s been said that “the devil is in the details,” and no place is this more true than in IoT security. Just as one would never build a home without a foundation, IoT solution design must begin with intelligent security architecture as the foundation of trust in the device, the data, the network and the ecosystem. Security needs to be designed in at the beginning of development projects across the entire IoT ecosystem and not bolted on as an afterthought.
The following five guiding principles for data security can help developers as they begin new IoT design and development projects:
- Confidentiality — Assure that data is confidential across the entire ecosystem and access is limited only to authorized stakeholders
- Integrity — Secure the integrity of the data, maintaining and assuring the accuracy and consistency of data over its entire life cycle. This is a critical aspect of design, implementation and usage because integrity attacks are difficult to identify and hackers can alter data that is used to make mission critical business decisions.
- Availability — Solution design must ensure that data is easily available at required levels in all situations even when challenging wireless network conditions prevail
- Accountability — Assure that system users across the ecosystem are accountable for the data they produce and the actions they take
- Auditability — Design systems that provide a clear and transparent audit trail providing evidence that the data is accurate
Risk evaluation and hack testing
Developers need to work with experienced and trusted security partners to know, identify and understand all potential system vulnerabilities. An early comprehensive risk evaluation is critical to implement security architecture across the entire connected device ecosystem — from the hardware components that enable connectivity, to the software running the device, out to the communication channels it uses and the cloud platforms hosting applications. In the same way that we rely on crash tests to verify the safety of a car, digital security partners can provide security “hack tests” that reliably establish that a given product or service is secure and safe to use. These best practices help protect the device, the network, and the data at rest and in motion.
Trusted identities: An important consideration
Unlike consumer devices that are connected to a single user with a traditional identity structure, IoT devices have multiple identities. Each of them needs to be secured and authenticated in order to secure the entire ecosystem. IoT solutions need to be able authenticate the ID of a device like a connected solar panel installed on a rooftop along with the smart home hub that is processing data and drawing power from it and all other smart energy ecosystem elements communicating data — the utility company’s cloud system, the smart grid system, the power repair person’s iPad. In other words, the smart home or connected city device needs to automatically and securely authenticate that the smart grid system is who it says it is and not a malicious attacker seeking to create havoc by forcing power outages for personal gain in the energy trading market down the road.
Best practices for secure IoT solutions
The following strategy for implementing end-to-end trust points and countermeasures, including hardware and software elements, can help mitigate threats and defend data when and if attacks occur:
- Protect the device. Implement tamper-proof hardware solutions and secure software to protect the device. For example, embedded Secure Elements are implemented to add a layer of physical and digital protection against intrusion and to store credentials and device data in a dedicated, secure platform.
- Encrypt and digitally sign the operating software to protect against attack. Encrypted software is useless without the keys and an electronic signature will ensure that only validated software is running on the IoT device.
- Implement strong authentication and encryption software solutions to ensure integrity and that only authorized people and applications are granted access to the IoT solution infrastructure.
- Securely manage encryption keys to protect data and manage access to connected systems.
- Protect against attack across the lifecycle of the device by including an interoperable, dedicated platform to deploy security updates and launch new applications over the air without impacting other embedded software.
The “age of IoT revolution” has arrived. Connected cities — and our world — is quickly transforming to a place where ubiquitous connectivity provides the potential to greatly improve the way we live, work and play. Cyberattacks are inevitable. However, we can defend against them and protect data privacy by designing security architecture at the beginning of development projects and managing the entire trust ecosystem, from the edge to the core, protecting what matters, where it matters and when it matters.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.