Cybersecurity research group wants to certify ‘smart city’ devices
As the “smart city” movement continues to grow — making local governments more reliant on traffic cameras, environmental sensors and other internet-connected gizmos — a leading nonprofit group wants to create a platform to help city officials ensure that their efforts don’t discount cybersecurity.
The National Cybersecurity Center, based in Colorado Springs, Colorado, is considering the development of a certification system by which smart-city hardware and software can be reviewed for potential vulnerabilities and municipal officials who lack technical backgrounds can be instructed how to properly configure those products.
“What we’re realizing is that when the mayor declares a smart-city initiative, they’re often just thinking of the benefits they can get economically or regarding increased citizen access,” Forrest Senti, the center’s director of business and government initiatives, said in a phone interview. “Oftentimes they’re not thinking about security.”
A 2018 report by IBM Security found that popular lines of internet-connected environmental sensors and traffic signals often come loaded with easy-to-guess passwords and unsecured remote-access protocols. And the amount of information gobbled up by these devices is also driving concerns: During a technology conference last year in Atlanta, a manager in Cisco’s Smart and Connected Cities division said city IT officials are often astonished by how much more data they have to manage when gadgets like self-timing street lights and biometric scanners are deployed.
According to the NCC, the value of the smart-city market is expected to balloon to $821 billion by 2025. But because many smart-city programs tend to be economic development initiatives, the people in charge of them need more information on the technical side, Senti said.
“The ultimate goal is to be giving those non-technical decision makers something to review,” he said. “It’s giving not only some clout or credibility to the vendor, but it also gives the city a little bit more to go on.”
The NCC’s certification program only exists as an idea for now, though. Senti said the group is still having conversations with vendors about how their products would be evaluated.
For city officials procuring internet-connected devices, he said there are many emerging issues to consider.
“Not many people ask the questions ‘Is this secure?’, ‘How do you secure it?’, ‘Are there best practices you follow?’, ‘What kind of proactive patching do you do?’,” he said. “You don’t have to understand a single thing about cybersecurity, but you should be able to ask the question.”
Senti said the NCC has done some of this outreach in its hometown of Colorado Springs, where the city has installed energy-monitoring street lights, weather sensors and telematics devices mounted on snowplows.
“They’re willing to ask the questions,” he said. “We can talk openly. It’s been nice for us to have direct connection into a smart cities program to build this out.”