The train outta cyber trouble in the smart city

black and white graphic of a person holding a phone next to images of a padlock, wifi sign and web globe | The train outta cyber trouble in the smart city

When we rely on a growing network of interconnected systems to help our urban societies function, how can we keep them cyber secure?

Urban populations are increasing, and our societies are becoming heavily reliant on the interconnected systems that help them function effectively and safely. However, these very systems are also susceptible to cyberattacks, and service providers are quickly discovering what’s at stake.

Ransomware attacks on integral digital infrastructure in cities can have severe consequences. Recent instances include the hacking of multiple public-facing portals that disrupted services for the citizens of Potsdam, Germany, while an Alabama hospital ransomware attack reportedly contributed to the death of an infant. In another case this year, UK security services confirmed that hackers backed by Beijing conducted a cyber-attack on the UK’s elections watchdog and carried out surveillance on UK politicians.

While our connected systems are becoming ever so crucial for public safety and security, it’s large-scale cases like these which demonstrate how our digital integrations can create a negative impact when not bolstered sufficiently, going beyond the traditional data and financial losses, but now also affecting human life.

With recent World Bank statistics predicting that 70 percent of people globally are expected to live in urban areas by 2050, a two-fold increase in the urban population over the next 25 years, what can be done with enterprise tech to make this rapid urbanization more sustainable and cyber-safe? Answers can be found in case studies from the likes of Transport for London and the Pennsylvania Turnpike, as made possible by the work and offerings of AWS and Deloitte respectively.

More people more problems – smarter solutions

As surges in population put pressure on the current infrastructure and resources available in urban centers, Piyush Pandey, Deloitte’s global and US smart cities cyber offering leader, argues that this pressure is an indicator that resources and infrastructure will need more technological help and smarter thinking to cope in the future. Plus, beyond just coping, there are surely many great benefits to be had from integrating technology into everyday services.

If you were to look up the smartest cities in the world, Zurich, Oslo, Canberra, Singapore, Beijing, Seoul and Hong Kong are often named in statistics, ranking high from the extent to which they use technology to address challenges and uplift quality of life. Some main areas include optimized energy usage, clean mobility, public transport, congestion, housing and employment, to name a few.

Recognizing the benefits to be gleaned from technology services, but also the risks if the services are suddenly halted by bad actors, governments and large organizations can be seen renewing their focus on protecting this critical infrastructure as reports of cyberattacks are becoming more prominent.

It’s a positive trend that Deloitte’s Pandey has seen too: “We are seeing the changes across the globe where governments are starting to take action, putting together regulatory requirements and demanding that cybersecurity is made part of the infrastructure development cycle, rather than being an afterthought.

“I feel that this is positive and will make a tremendous amount of difference in how we see cybersecurity.”

For example, the US Department of Energy (DOE) recently announced a $45m fund for 16 projects across six states to protect the nation’s energy sector from cyber attacks, helping develop new cybersecurity tools and technologies designed to reduce cyber risk. The European Union has also started assessing critical infrastructure and cyber resiliency to benchmark the progress towards its 2025 resiliency targets set earlier this year.

Smart thinking: a cyber-first approach

For Deloitte, the increased convergence, interoperability and integration that is excitingly emerging between IT, operations technology (OT) and IoT in smart city ecosystems, also comes hand-in-hand with a hearty investigation of the potential cyber risks.

Pandey points out that cyberattacks targeting three critical features of our increasingly connected world demonstrate the need for a cyber-first mindset for cyber safety:

“So what is needed here is a solution that will help this limited amount of infrastructure, resources and operations that are required to manage this urbanization in the most efficient way, and that’s where the smart cities promise comes into play.”

Smart cities ultimately allow the integration of data and technology and digital transformation to bring forward the collective intelligence to use these resources. But as it allows interconnection and exchange of data between various disparate systems and infrastructure, this creates a hyper-connected world, where cybersecurity is absolutely essential to prevent catastrophic disruption.

For this reason, when performing critical infrastructure work – for instance, transport-related work when securing clients’ tunnels and bridges infrastructure from the OT perspective, or integrating IoT – Deloitte adopts a cyber-first approach to secure the smart ecosystem from the planning phase.

The teams look into the processes that are going to be modernized, the systems that need to be interconnected and how they will manifest into the rest, in addition to the underlying privacy risks and issues.

Pandey explains the process: “So, the understanding at the time of conceptualization during the planning phase is step number one, and then you have to move towards this system as smart ecosystem development starts to take place. The building of the security solutions, the integration of those security programs as part of the process, the management of vulnerabilities and the management of the security of the systems and devices as part of that are critical.”

Then as they move to the final, operational phase, teams make sure there is a continuous evaluation and risk assessment due to the element of ongoing growth of smart cities – a constant as urbanization prompts the addition of new systems – making sure the cyber considerations are part of that right from the beginning.

Pennsylvania Turnpike Commission’s cybersecurity journey

Pennsylvania Turnpike Commission is an example of a company updating its infrastructure to facilitate smarter cities, led by the principle of greater cybersecurity, as it went on to innovate America’s first superhighway which spans 552 miles and serves more than 500,000 daily travelers.

Pennsylvania Turnpike, the nation’s second longest toll road, has been heading towards a future vision of supporting connected vehicles, using AI for preventive maintenance, traffic prediction and driver alerts, deploying IoT networks to help monitor roads, bridges and tunnels.

In a shift from a traditional castle-and-moat approach to cyber defense – focused on building firewalls and patching security holes as they emerged – the company first pivoted to a more strategic approach in 2017.

In collaboration with Deloitte, leaders created a roadmap for a more resilient and cybersecure enterprise, developed through a series of strategic planning sessions. The roadmap helped commission executives to fine-tune their vision for the future and identify and understand risks to the organization.

As part of the planning, leaders focused on adopting cyber practices and capabilities like bolstering identity and access management (IAM) to ensure that the right users within the organization have access to the systems they needed to do their jobs. The team also tapped Deloitte to roll out privileged access management (PAM) capability that provides system access for users such as systems administrators.

To make its new approach to cyber even stronger, the Pennsylvania Turnpike Commission worked with Deloitte to put in place new technologies and processes for cyber incident readiness, response and recovery (CIR3).

Deloitte also assisted the $110m modernization of a mile-long tunnel through the Appalachian Mountains – a project requiring deployment of connected environmental sensors, as well as automated ventilation, lighting and video detection systems.

Throughout their collaboration, Deloitte also provided critical cyber support during the design phase, including professionals with multiple specialties and skillsets – such as a consultant with a deep understanding of industry-specific engineering requirements for critical infrastructure and leading practices for cybersecurity, network infrastructure and business requirements.

Transport for London minds the cybersecurity gap

Another smart city example is the large transportation system network, Transport for London (TfL), which recently rebuilt its security operations from the ground up.

With just the tube section of the network alone transporting up to five million passengers per day in the UK’s capital, the company facilitated an AWS cloud migration to become a more cyber-resilient organization for more secure journeys.

Starting from traditional Splunk Enterprise deployment and an AWS-hosted on-premise/private cloud, TfL’s existing system encountered a number of challenges with availability and throughput as upgrade paths to additional capabilities were also difficult.

Continuing its journey with Splunk, a cybersecurity vendor offering solutions to help search, monitor, and analyze data, Peter Griggs, principal cybersecurity engineer at TfL, detailed how the team decided to adopt Splunk best practice for all existing architecture.

This meant data could be imported from the nearest point (e.g. SaaS services via the IDM/Cloud Stack) rather than pulled on-premises and pushed back up. The transport network also decided that only vendor-supported technology add-ons would be installed moving forward.

As part of this strategy, Griggs explained that they made sure all apps pass a vetting process, which prevents installing apps that could break the platform. Moreover, to avoid existing issues, the TfL team opted to avoid a simple lifting and shifting of data to the cloud.

“If you have challenges within this environment, lifting and shifting could be moving the problem from point A to B,” Griggs says. “If all you’re doing is taking bad and putting it into a good area, you are still going to have a problem with your data, so we literally started again. We had two platforms running at the same time, which we felt was a big game changer.”

As part of this migration, the team managed to implement a Splunk Enterprise Security in just five days, with all foundations/data ready to go. Alongside this, modular syslog configuration with a separate port per vendor shaved off 50 percent of TfL’s time to onboard data with the positive outcome of strengthened cybersecurity along the way.

The future of smart cities management

Pandey emphasizes that as cybersecurity is more progressively seen as not just a step in infrastructure development as part of smart ecosystems, but as an integral part of the conceptualization and a cyclical part of infrastructure improvement, smart cities have an increasing ability to avoid compromised security.

“As they start looking into smart ecosystem development, if governments and organizations keep cybersecurity as an integral aspect of that in each and every phase, this is going to be the most important part of managing risk,” he says.

Even more, as technology continues to advance, certain events could be foreseen long before any indicators for that event are present, resulting in key detection mechanics down the line. At this stage, AI is able to help, as it assists in evaluating threatening actions and creating a plan of action to prevent attacks from happening in the future.

“And so AI is really going to play a major role in threat intelligence, threat monitoring and proactive detection to further halt and manage the cyber risk associated with smart ecosystems,” Pandey concludes.

As the future of cities looks to get ever more dependent on technology to connect our journeys and services, the takeaway is that cybersecurity needs to be woven into the implementation of these smart city systems from the beginning, ensuring a safer solution, and a smooth ride outta cyber trouble.