Cyber security is a growing concern as public authorities and their suppliers develop ever more digital solutions. A new guidebook founded on DTU contributions comes to the rescue.
By Morten Andersen
Numerous Hollywood blockbusters feature the bad guys hacking their way into the infrastructure of a metropolis. Instantly, parts of the city lose their power supply or traffic lights go berserk, resulting in chaos. A new guidebook is meant to assist public authorities seeking to prevent such scenes from taking place in the real world.
“We offer municipalities and private enterprises practical advice on smart city cyber security. Considering the significant benefits – such as better servicing of citizens, lower carbon footprint from activities, and getting rid of unnecessary workflows – it would really be a pity, should concerns over cyber threats discourage further digitization,” says Marie Danneskiold-Samsøe, head of digitization at the Municipality of Vallensbæk and chair of Smart City Cybersecurity Lab (SCL).
Garbage bins with sensors capable of “calling home” to let the municipality know just when they are full are already installed in several Danish municipalities. This is just one of many examples illustrating the smart city potential. By not dispatching garbage-collecting trucks and personnel unnecessarily, the municipalities can save substantial costs.
The academic contributions to the new guidebook have been provided by DTU Compute’s Hackerlab.
“Regrettably, we have to admit that such a thing as a completely secure system does not exist. Therefore, we are faced with the dual challenge of minimizing the risk of having our systems compromised, while also ensuring that normal operations can be quickly reestablished, should a disturbance happen,” says Associate Professor Christian D. Jensen, DTU Compute.
It is not possible to specify a universal smart city security setup, Christian D. Jensen notes:
“The recommended setup will be strongly related to the purpose of the smart city system in question. If we look at the garbage bin example, the consequences are not too severe, should an attacker manage to hack a sensor unit. Still, you have to ensure that access to one sensor will not open access to other units or systems. However, other types of smart city solutions can involve much larger risks, including potential leakage of sensitive data and thereby breach of privacy. We thus recommend starting off with a risk assessment based on the actual smart city system under consideration. Further, we recommend that sensitive data are to the largest possible extent anonymized right at the point of data collection.”
Partners in Smart City Cybersecurity Lab are four municipalities, DTU, The Capital Region of Denmark, The Danish Society of Engineers (IDA), BaneDanmark, and Gate 21. The guidebook is financed by The Capital Region of Denmark through its Safer Copenhagen initiative. Dissemination is carried out in collaboration with the joint public Smart City Partnership.
- Start out by getting familiar with the local framework for a technology project with a focus on security. Which are the people in your organization to reach out to?
- Establish the scope of your planned smart city system. Which security issues are involved? Carry out this exercise prior to contacting potential suppliers.
- Get your risk assessment in place. Map the vulnerabilities and possible mitigation actions for your planned solution. Which legal conditions need to be fulfilled? Pay special attention to data privacy.
- As a minimum, include seven brackets on security in your call for tender. Ask suppliers to specify just how compliance with each bracket is envisioned. If you are not a security expert yourself, the answers may not necessarily be meaningful to you, but they will allow you to acquire a second opinion. The seven brackets are: confidentiality; integrity of data; source of data; right to test; compliance with standards; procedures for deleting data and decommissioning of hardware; procedures for software updates (patches).
- Engage in a dialogue with your supplier. Establish that you want the right to carry out security testing. Also establish that data are the property of the municipality and that you want to be able to access raw data. Often, smart city projects start out as pilots.
- As early as possible, the distribution of tasks and responsibilities under full operation should be established.
- Make sure you have an exit strategy in place.
More detailed versions of the recommendations can be found in the guidebook.