Are smart cities a disaster waiting to happen?
Urban IoT promises to provide better healthcare, utilities, education and policing, but the cost to privacy could be high
Demographic change is set to be one of the biggest challenges we will face this century. According to UN predictions, the global population will hit 9.5 billion by 2050, with 68% of people living in urban environments.
The towns, cities and megacities where these billions of people will live are already having to adjust to the realities of a steadily growing population, with transformation into "smart cities" becoming one of the go-to solutions.
Using Internet of Things (IoT) sensors and edge computing to collect and analyse data, smart city infrastructure is aimed at managing assets and resources efficiently. It's being used in areas such as transportation, power plants, water supply, environmental management, crime detection, schools and hospitals.
Although this type of data collection is proving useful for public services and city officials, it's also raised concerns around security and privacy. According to an online poll by industry body Wi-SUN Alliance, 21% of people believe these issues are holding back smart city development.
When asked about their biggest security concerns, 37% of respondents highlighted data privacy as their biggest worry. Other issues include attacks on critical infrastructure (28%), network vulnerabilities (24%) and unsecured IoT devices (11%).
A privacy crisis
Connected sensors and devices are the beating heart of smart cities, and they generate masses of data. To put things in perspective, a report by SaaS provider DOMO claims that currently 2.5 quintillion bytes of data are created daily. By 2020, that number's predicted to increase to 1.7MB per second, with the rise of smart cities contributing to this growth.
Dr Isabel Wagner, senior lecturer in computer science at De Montfort University, says this collection and integration of data leads to complete surveillance and profiling of individuals."Uiquitous surveillance has negative impacts on individual rights and freedoms, such as a chilling effect, discrimination and social sorting.
"Depending on how you judge the severity of loss of individual rights and freedoms, the problem is more or less significant. But what greatly increases this baseline significance is that individuals typically cannot 'opt out' of a smart city because jobs, friends and family are in the city. This means options for individuals to protect their own privacy are very limited."
Wagner admits that fixing these problems isn't easy. "Adding security and privacy protections to smart city tech costs more initially because of more work for developers and may require expertise that developers may not have," she continues. "Cash-poor cities partner with private corporations who promise great features for low cost; but corporate profit motive means they collect (and then sell) more data than needed."
Dr Darren williams, CEO and founder of cyber security firm BlackFog, says cities are looking into many technologies that have wide-ranging implications on data security and privacy. "These include the ability to monitor commuter travel based on smartphone data so cities can plan better and reduce congestion. Needless to say, this would mean cities and governments would know exactly where citizens are going and what they may be doing," he explains.
"Cities are also experimenting with centralised health records. Such information could be used to assist in funding government departments and research into diseases to improve healthcare, fight chronic disease and reduce healthcare costs."
He adds that data collection on this scale would mean wide access for the government and could be open to abuse if not carefully controlled. "How comfortable citizens will be with the prospect of this remains to be seen, and how governments use and store this information will be crucial in protecting the privacy of their citizens."
Open to attack
Data privacy isn't the only potential concern when it comes to smart cities; there's also a very real risk of them being targeted by hackers. In the past, IoT devices have been criticised for poor security, which has led to them being recruited into botnets, used to spy on people in their own homes and as a gateway into businesses.
"Smart cities are inevitable but the introduction of such advanced technologies into the fabric of a city is not without risks," says Kevin Curran, senior member of the IEEE and professor of cyber security at Ulster University. "Relying on a central technological hub to control core infrastructure can allow nefarious hackers to bring a city to its knees more easily than ever before. We have already seen many cities paying large amounts when subjected to ransomware attacks."
Curran says cities need to ensure that when they deploy connected devices they have security policies in place -- such as firewalls, intrusion detection and prevention systems. "They also need to ensure that they cater for the confidentiality of their customers data, this is where encryption plays a core rolem" he adds.
"It's crucial that all devices have strong passwords and it's also good practice to enforce certificate-based authentication, which identifies communicating individuals and authorised devices. Device management agents can also highlight failed access attempts and attempted denial-of-service attacks. All non-IoT devices must also be patched and kept malware free to ensure the safest smart cities."
Just like Curran, NCC Group research director Matt Lewis says smart cities present a high volume of potential attack surfaces that are practically impossible to monitor and police effectively. "This not only increases the risk of these devices being tampered with, but also means it's difficult to detect when this has occurred, especially when the sensors are deployed in public spaces rather than on private servers," he tells IT Pro.
"Ultimately, this could lead to personal information such as an individual's location, biometrics and CCTV images being accessed, manipulated or stolen," Lewis explains, adding that attackers could even potentially gain access to full surveillance capabilities and other systems connected to the network.
Smart city lockdown
As the number of smart cities grows, it will become increasingly important to mitigate these risks. Indeed, there's a strong argument that businesses and authorities involved in the creation and administration of smart cities have a duty of care to ensure privacy by design
According to Phil Beecher, CEO of the Wi-SUN Alliance: "Organisations need to start off on the right foot and make security central to their IoT strategy in order to realise the long-term benefits that IoT and ensure the threat to data privacy is offered at minimal risk."
Given the amount of data collected by smart cities, there are also legal considerations. Georgia Shriane, senior associate solicitor at specialist tech law firm Boyes Turner, says: "The question of smart cities turns on careful use of technology and legislation adapting to cope. Trust in public services and the government will be key ensuring privacy is protected. Data protection will be at the forefront of most people's minds.
"Laws like GDPR were created to cover traditional internet and hard copy use of personal data. They weren't drafted with smart cities in mind. As the technology develops, the amount of imagery and data captured will increase exponentially. This whole area of law will need to be constantly reviewed to ensure we keep pace, maintaining public trust and confidence in the smart cities we live in.
"Data ownership will also be something that needs resolving. The public may accept data being owned by a public body but may have strong reservations if the data remains the property of providers or contractors and enforcement becomes more complex."