October 25, 2023
This article was authored by Todd Renner, Senior Managing Director, FTI Cybersecurity.
While we have yet to reach the point of coexisting with walking, talking robots who work as public servants, a la the film I, Robot, cities are beginning to leverage smart technology to improve daily life, making communities feel more like science fiction than ever before.
Smart city technology involves a reliance on Internet of Things (IoT) devices and advanced digital infrastructure, from motion censored streetlights and red-light cameras, to integrated municipal services such as water, electric, and waste systems.[1] As smart cities evolve alongside interconnected technologies, lifestyles of the city residents will likely include aspects of Web3 and other emerging technologies such as autonomous vehicles and artificial intelligence (AI).[2][3] The global market for smart city technology is valued at $748.7 billion in 2023, with United States city governments expected to invest around $41 trillion over the next 20 years to upgrade their technological infrastructures.[4][5]
As cities become increasingly digitally connected, they also become prime targets for data privacy issues and cyber attacks from a variety of threat actors. Smart city technology manages many critical operations, all of which are attractive to threat actors. Cities often struggle to respond to and recover from incidents quickly and efficiently, which can stall necessary operations and can create serious financial impacts.[6]
Why Does Smart City Technology Increase Cybersecurity Risk?
The current lack of regulation to govern smart city development means the industry is lacking defined cybersecurity standards. Implementation of smart city technology and our increased reliance on digitally connected systems increases the risk of a cyber attack and the associated impacts for multiple reasons:
Increased Attack Surfaces
Integrating previously separate systems across a city creates a larger attack surface, with the potential of a cyber attack on one system now affecting other interconnected systems. Automated services also create additional remote attack vectors, giving threat actors more opportunities to gain access to networks and systems.
Interconnected Critical Infrastructure
Ransomware actors have already realized the impact on critical infrastructure, recognizing the necessity for availability of systems. As a result, cities are more likely to pay a ransom when the alternative is to disrupt electric, water, health care, emergency services, and other vital municipal services. Critical infrastructure will also continue to be an attractive target for nation-state threat actors, whose primary goal might be disruption, confusion, and damage.
Data Privacy Issues
Increased digitization uses and creates data which may not have been previously available, including personal information, health data, and sensitive government or business data. Threat actors are interested in stealing this data, especially if it is sensitive in nature, be it for financial, personal, industry, or political gain.
Third Party Risk
External vendors and providers are often necessary to assist in the implementation of new technology which internal teams do not have the expertise to execute. However, third parties bring with them their own set of cybersecurity risks. If third parties do not practice proper cybersecurity hygiene, it can lead to supply chain risks such as data theft, system or network failures, or exploitation of vulnerabilities by threat actors.
How Can These Risks Be Mitigated?
When cybersecurity is prioritized from the beginning of the smart city technology implementation process, cities will be able to minimize the likelihood and impact of a significant cybersecurity incident. To start preparing, cities can:
Incorporate Cybersecurity Into The Planning Process
When considering a smart city technology implementation project, ensure cybersecurity costs are incorporated into budgets, such as costs for experienced security personnel and cybersecurity assessments. The necessary cybersecurity infrastructure must also be in place before incorporating any new technology, and all required stakeholders and departments should be involved and informed so that nothing is developed in a silo. This includes employee training, updated networks and devices, and having the necessary backups and safeguards in place.
Adhere to Cybersecurity Best Practices
In April 2023, the Critical Infrastructure and Security Agency (CISA) released cybersecurity best practices for smart cities to ensure cities are following a set of guiding principles as they plan to implement new technology into their infrastructures.[7] General cybersecurity practices are also imperative, like implementing multi-factor authentication (MFA), operating on a zero-trust architecture, and only granting network access to necessary personnel.
Understand the Data Being Created
Smart city technologies often create new data or collect existing data in a central location. Determine what data is being compiled and have proper processes in place to keep it secure and delete it as necessary. Regulations may be in place to protect personal data in some countries, and cities must adhere to these policies.
Properly Review Third Party Risk
Vet third parties for proper cybersecurity programs and policies and other supply chain risks to keep systems and networks secure from external threats. Cities should proactively manage supply chain risks by only using trusted vendors, establishing minimum security requirements with third parties, and researching how external parties use, store, and share data.
Have an Incident Response Plan in Place
Even the most robust cybersecurity preparedness planning can still result in a cybersecurity incident, so it is crucial to have a plan in place for swift response and recovery in the event of a cyber attack. This plan should include an outline of which stakeholders are responsible for each aspect of the incident response plan, a trusted external incident response provider who can be called for assistance, and a backup plan for keeping critical operations running should networks and systems be inaccessible.
Smart city technology has the potential to positively change the way people live, work, and play in their community. However, the technologies bring a set of cyber risks with them which could potentially disrupt critical city functions at scale. To fully realize the benefits of smart city technology, cities should focus on protecting their cybersecurity infrastructure and have tested plans in place for an inevitable cybersecurity incident.
[1] Matthew Britt, “What are Smart Cities and Why Do We Need Them?.” Forbes (August 18, 2023), https://www.forbes.com/sites/honeywell/2023/08/18/what-are-smart-cities-and-why-do-we-need-them/?sh=d865d586f69e.
[2] David Ly, “On The Horizon For Smart Cities: How AI And IoT Are Transforming Urban Living,” Forbes (April 7, 2023), https://www.forbes.com/sites/forbestechcouncil/2023/04/07/on-the-horizon-for-smart-cities-how-ai-and-iot-are-transforming-urban-living/?sh=23681d377145.
[3] Naveen Joshi, “6 Ways in Which Blockchain Makes Your City Even Smarter,” Forbes (April 7, 2022), https://www.forbes.com/sites/naveenjoshi/2022/04/07/6-ways-in-which-blockchain-makes-your-smart-city-even-smarter/?sh=578a9b557f5d.
[4] “Smart Cities Market Size, Share & Trends Analysis Report By Application, By Smart Governance, By Smart Utilities, By Smart Transportation, By Region, And Segment Forecasts, 2023 – 2030,” Grandview Research (2022), https://www.grandviewresearch.com/industry-analysis/smart-cities-market.
[5] “Smart Cities USA,” Smart America Presidential Innovation Fellows, https://smartamerica.org/teams/smart-cities-usa/.
[6] “Cybersecurity Best Practices for Smart Cities,” United States Cybersecurity and Infrastructure Security Agency (April 19, 2023), https://www.cisa.gov/sites/default/files/2023-04/cybersecurity-best-practices-for-smart-cities_508.pdf.
[7] Id.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2023 FTI Consulting, Inc.
All rights reserved. fticonsulting.com