City of the future to run on code

Oman’s director of ICT research Ali Al Shidhani outlined the increased risk associated with urban IoT – providing recommendations to help Smart Cities stay safe.

Prospects for optimizing the operation of urban environments and improving the life of citizens through the application of advanced technologies animated many sessions at Meeting of the Minds 2016. But there’s a darker side to adoption of IoT in the city that Ali Al Shidhani, director of ICT research for The Research Council of Oman, spoke to in his presentation on Leading Cyber-Security Threats. Al Shidhani began by citing the now familiar Ericsson stat on the number of connected devices which has become an accepted gauge of our online connectedness – 50 billion by 2020 – and outlined the implications of this for Smart Cities. Of the 50 billion, Al Shidhani argued that many sensor/actuator devices will be part of city infrastructure, connected to each other and to the Internet, generating huge amounts of data. The city of the future will be data driven and its infrastructure will run on software code, but Al Shidhani cautioned, this digitization “invites attack.”

To build awareness around this threat, in his presentation Al Shidhani focused on two subjects; how the integration of IoT technologies will increase risk, and what we can do about it. His thoughts are as follows.

The cyber security threat is going to get even bigger – and will become a huge challenge.

1. Through digital transformation, a city will become a complex system of systems. While each vertical (service area/administrative unit) is complex on its own, with Smart City deployment, these will be integrated. According to Al Shidhani, this increased complexity adds to the breadth of attack and integration increases the impact – if a hacker is able to take out one vertical, the others are also disrupted. When systems are interconnected, it is difficult to contain or originate the attack.
2. Allen’s law holds that threat risk varies directly with the number of nodes on the network, or as Al Shidhani put it, with more devices, and the connection of everything, the attack base becomes wider. With thousands/millions of different attack points, it’s difficult to understand and pinpoint the source of attack.
3. In IT systems, there is always a trade-off between security and performance, but in IoT, this issue is especially critical as field deployment requires that devices be as low power as possible. According to Al Shidhani, vendors often don’t add a security layer to IoT devices as this can impact performance and some devices come with no security at all.
4. Disruptive technologies, such as self-driving cars or quantum computing, are very exciting but we have not yet learned how to secure these. While machine learning may help a mayor make better decisions, but operational or administrative systems may be attacked by a specific group. Implementers need to consider “what happens” when an attack occurs – the risk to citizen safety – and to plan for failure.

Can we secure future cities? Recommendations:

1. Security needs to become the default mode of operation. In the IT industry, security is often a ‘bolt on’ after the solution is developed. But security should not be a patch for when a problem occurs; rather it should be integrated at each deployment stage, embedded at each layer of the IT stack and solutions must be designed with security in mind.
2. A central, national centre to coordinate defense against attacks on city infrastructure is needed. A cyber security centre can act as a single point of defense to monitor and protect against threats – in the UK, this has been established as a public/private initiative.
3. Governments can take proactive, regulatory measures to improve citizen safety. As example, Al Shidhani pointed to the comprehensive guidelines issued by the US Department of Transport this past September on safety in the manufacture of autonomous vehicles. Based on the principle that “we will achieve more significant safety improvements by establishing an approach that translates our knowledge and aspirations into early guidance,” Federal Automated Vehicles Policy aims to “accelerate the HAV revolution” by improving auto safety and urban mobility.
4. City security depends to a great extent on developing education, awareness and training on cyber threat and on how to StaySafeOnline. Al Shidhani advocated for programs for children in particular, who have grown up online and may make misguided assumptions about cyber protection, and who will serve as the new priests of the city of the future.

For an introduction to digital transformation activities in Oman, see Ali Al Shidhani’s report, Overview of Smart City Initiatives in Oman.