Securing the smart city IoT by Chris Janson, Nokia

Wireless connectivity combined with continued advances in computing miniaturization, software operating systems and analytics have enabled direct machine to machine interaction. Small sensors and actuators working together now perform relatively simple tasks such as controlling thermostats, traffic signals or water service pressure. Connecting these machines has long been a goal of modern infrastructure, where human interaction is automated for routine tasks. This web of connected things, commonly called the Internet of Things (IoT) is expected to spike the growth of wireless connected devices to over 40 billion by 2020. Smart city projects should fully embrace a dedicated IoT but need to be mindful of inherent security risk.

The smart city IoT touches public infrastructure such as roadway monitoring, traffic control, water system control, public safety systems, public utility control and other functions. Almost any city infrastructure could benefit from use of the IoT. Yet that benefit comes with an inherent risk: those seeking to steal or cause harm could exploit the soft underbelly of a smart city through its IoT.

The smart city IoT is particularly vulnerable

Historically, network security centered on protecting data from theft. Hackers were looking to steal personal identity, credit card numbers or other data with immediate financial value. That threat spread as information technology and networks became interwoven with nearly every aspect of modern life. This makes the network an obvious target for thieves and vandals. Some hackers seek to steal, others conspire to wreak havoc or influence society. Recent hacks have affected electric utilities, commercial retailers, credit card companies, government agencies and political elections. Every enterprise and public sector organization must protect against the threat of theft and intrusion.

Sadly, this danger is juxtaposed against the opportunity of modern, smarter infrastructure built upon an IoT. Each element of the IoT places a small amount of data, and therefore, risk to the infrastructure it supports. These devices are small by design, with limited processing power and battery capacity, making use of strong encryption at each device problematic. NIST recognized this trend and studied use of lightweight cryptography in the IoT. Lightweight ciphers and hash functions could be implemented within the constraints of IoT devices, providing frontline protection.

Common security measures include firewalls, strong passwords, encryption and intrusion detection. Yet each protection measure is vulnerable to hacking. Given enough time and determination, firewalls can be flooded, passwords can be stolen or guessed, encryption can be deciphered and unauthorized intrusion can go unnoticed. But this should not stop construction of smart city IoT infrastructure. What is needed is a diligent security practice that makes use of the best combination of protection measures and continually adapts to emerging threat sophistication.

Securing the smart city IoT network

Smart city deployments need to make use of an IoT dedicated to providing monitoring and control of government infrastructure. Securing the IoT should be a top priority and take a defense-in-depth approach, where multiple barriers are set to reduce the threat from any attack vector or reduce potential impact. These barriers include device encryption, network firewalls, strong password policy, in-flight data encryption, intrusion detection and network resiliency. Supporting this idea, Gil Press recently summarised six key IoT security topics in a Forbes article. He includes network security and encryption among the hot topics.

[adsense size='1' ]

While each device on the IoT is small, a network optical line usually includes aggregated traffic from thousands of devices. These optical lines are particularly important to protect against theft and intrusion. Quantum-safe Layer 1 encryption is an important element to ensuring data security on the smart city optical backbone. This encryption is usually performed at the optical transport terminal, in addition to any higher layer or device encryption. At the same time, measures are needed to monitor optical lines for unauthorized tapping, where data can be stolen and stored for later malicious use. This function is performed within the optical equipment by continual monitoring of minute changes in optical transmission.

Another important security consideration is network resiliency. While theft of data can create harm, outright disruption of public infrastructure is a prime goal of many enemies, making destruction of network elements, optical fibers or supporting systems a threat vector. Networks need to be constructed with redundant systems, diverse communications paths and automated restoration mechanisms, such that catastrophic events cause only fleeting impact to public infrastructure.

Securing smart city infrastructure will require diligent effort, making use of all tools available and with continuing oversight to adjust as threats emerge and change. It is worth the effort, as the potential return to public good is very high.