Steven Kenny, industry liaison, architecture and engineering at Axis Communications, discusses the challenges of the smart revolution and the innovation that is needed to create a smarter, safer world
The strange thing about smart homes, smart buildings, smart cities – indeed, smart environments as a whole – is that despite the fact the technologies which make them possible seem to have been around forever, they are also still in their relative infancy.
Many of us use devices and services that would have seemed like science fiction just a few years ago to order food, stream entertainment or work remotely. Our phones help us to navigate congested cities as efficiently as possible, the cities themselves rely on connected devices to collect data and improve public services.
Daily headlines about data breaches and cybersecurity incidents remind us that there’s a long way to go before ‘smart’ technologies are mature. Too many smart devices are vulnerable to known attacks, and too much data is stored on servers that aren’t properly secured, by organisations that don’t have correct protocols for mitigating risk.
This is important because it’s been clear for the best part of two decades that the data collected from smart environments will be essential to improving quality of life in the 21st century. Humanity faces big challenges in the shape of population growth, urbanisation and climate change, and technology will have an increasing role to play in order to make our cities more resource-efficient, safer, more secure and, ultimately, pleasant to live in. Real-time data analysis and automated decision making will be the only way to ensure our traffic keeps moving, our power grids can adapt to new sources of energy and we reduce wastage in our food supply chains – to cite just a few examples from Axis’ recently released white paper, Smart Buildings and Smart Cities Security.
This white paper has been produced in association with Virtually Informed and Unified Security in order to address important questions about the security implications of smart city technology. As the world in which we live and work becomes more digitally connected, so the potential grows for cybersecurity incidents to cause disruption or harm individuals and corporate brands. By understanding more fully the benefits and risks of smart technology, we can help to define best security practices and deliver solid recommendations for stakeholders involved in its development and deployment.
Device interoperability: A pivotal moment in technology deployment
There are other promised benefits of the smart city. Faster, more affordable connectivity is directly linked to economic growth and can improve health and safety too. Environmental monitoring can help influence policy decisions around green spaces, for example, or quickly alert officials to breaches of pollution law. Camera networks provide citizens with improved security, and the same systems that help you avoid traffic jams can lead to faster response times for emergency vehicles.
On a more local level, smart buildings are delivering on the promise of being more energy efficient, providing safer working environments and – thanks to a proliferation of low-cost sensors that can detect early signs of wear and tear – reducing the likelihood of systems failing thanks to AI and predictive maintenance regimes.
What we identify in our white paper is that to fully realise the benefits of smart technology, we need to move beyond current deployments of individual systems and networks. Integrating data from multiple sources to create “systems of systems” will lead to richer insights and optimisations than are currently being achieved.
Today, the term ‘smart’ is used almost indiscriminately and largely to define systems that collect data but mostly operate in silos. The terms – smart buildings, smart cities, smart environments – are ill-defined and watered down by overuse. But as standards emerge to allow greater interoperability – systems talking to each other easily – we expect to see more strategic management and innovation.
We also expect this next phase of maturity to happen quickly. The basic technology is well understood by vendors and the next-generation mobile connectivity in the form of 5G will accelerate its proliferation. In particular, we expect to see the acceleration of deployment of the internet of things (IoT) devices, as networks designed for big data and AI processing extend their reach.
This places us at a critical moment: the early years of smart city and building technology have been notable for the prioritisation of features and time to market over cybersecurity, which in turn has damaged public trust in smart systems. As we become more reliant on the technology, it’s imperative that security is a primary design goal from the outset for any new implementation.
All stakeholders have a role to play in this – although one of the challenges highlighted in our white paper is that the first step in risk mitigation is identifying who those stakeholders are. The use of frameworks, such as those developed by NIST, can help to bring together the right parties for security collaboration.
From architects and landlords to security advisers and decommissioning consultants, who can deal with data-rich systems at end of life, the future of cybersecurity is building layered defences at every step of the design and implementation process for new products.
Security challenges and the trusted vendor
This collaboration is vital. The pace at which new technologies and advances in critical applications such as AI and data processing is happening makes it difficult for any one stakeholder to be able to maintain a holistic view of security in a smart building or smart city. Each design decision made in the development of a new product carries its own implications for risk assessment.
The rise of ‘edge computing’, for example, which limits the amount of data transferred to centralised servers and processes data closer to the point of collection brings with it a particular risk profile which is different to ‘pure’ cloud platforms. One critical challenge for IoT is device management and ensuring that endpoints are kept up-to-date with new firmware and software patches.
The blending of IT and ‘operational technology’ (OT) such as building management systems further complicates the security needs around implementation. Famously, a Las Vegas casino found itself the victim of a sophisticated cyberattack in which criminals breached its customer database records by first exploiting a weakness in an IP-connected fish tank thermometer.
Vendors have long and complex supply chains, which provide opportunities for vulnerabilities to slip into product design – buyers, on the other hand, often lack the skills to do a full security audit when making purchasing decisions.
In addition, there seems to be confusion even among vendors as to what best practices are and how to interpret standards. Against the decades-long culture of treating security as a secondary consideration to time to market and cost in the development process, the principle of ‘secure by design and default’ is still not applied widely enough.
The smart way forward
By identifying the challenges and threats, we can start to make recommendations about the way forward for the development and secure implementation of smart city and smart building systems and products, and in the white paper, we have made 10 clear recommendations to assist stakeholders.
At the very beginning of the process, we encourage the adoption of the Secure by Design and Default and Data Protection by Design and Default mindset, a requirement of the NIS Directive, and how it applies to the purpose of the project in question. Developing a strategy to implement those goals in a specific way may come over time, but having clarity around responsibility for project management and budgets for cybersecurity from the outset is essential.
Other recommendations cover issues such as standards, frameworks and compliance – and particularly how these differ to standards for physical security that building and city managers may be more familiar with. There are key recommendations for product strategy and full lifecycle support, including contingency plans for when suppliers may not be able to fulfil their obligations.
The white paper also touches on the issue of data compliance, particularly as it relates to personal data and the European Union’s General Data Protection Regulation (GDPR). For vendors, there are recommendations around clarity when it comes to appropriate marketing terminology and they are encouraged to fact check their own claims as to the capabilities of their products. For buyers, there’s advice on vetting supply chains and how to run an effective Converged Security Operations Centre and achieve a single, unified view of their current risk profile.
What the authors of this white paper don’t do, however, is claim to have all the answers. Cybersecurity in the smart building or smart city is an ongoing, collaborative endeavour, which is evolving as quickly as the technology itself. If we’re to reap the benefits of the technology and maintain the trust of those who live and work in these buildings and cities, it’s vital that we heed their advice.
Industry Liaison, Architecture and Engineering
Tel: +44 (0)844 8467533