The cyber risks of smart cities
Smart cities are increasingly reliant on innovative digital technology and, as a result, are also increasingly vulnerable to cyber threats. Indeed, in 2021, there was a sharp rise in attacks against local government, with ransomware attacks having increased by 70% in just one year. This is not surprising: as cities are transforming through the Internet of Things (IoT) (devices, sensors and wearables), Artificial Intelligence (AI), robotics, DLT/blockchain and, in general, through the digitalisation and automation of spaces, infrastructures, systems and services, cyber threats are becoming more frequent and impactful. This impact can be felt throughout the several areas where digital technology can be used in a smart city. On the one hand, in public spaces, including streets, bridges, ports, railways, parks and (local) government buildings. On the other hand, in public services, including mobility (e.g., public transportation, traffic and parking management, electric charging stations), energy (e.g., streetlight management), health and social care (including emergency services), water and waste management and supply, environmental management (such as pollution monitoring, carbon removal and, in general, public services management to ensure fewer emissions, such as through traffic light management), and security (e.g., surveillance cameras), among others. And also in private spaces – including those open to the general public (e.g., stores, shopping centres) and those that are not, such as homes or working places –, and in private activities and services – such as security services in buildings or energy provision through smart grids (including decentralised power generation), energy storage, and energy monitoring through smart meters.
The dependencies between public and private spaces and activities in a smart city mean that city cybersecurity needs to look at these two aspects. A smart city is not, naturally, only the spaces and services under the management and control of local government but also comprises those under the ownership or operation of the city’s organisations (such as companies or associations) and residents. When it comes to cybersecurity in smart cities, a simple example can show these interdependencies: for instance, a smart building equipped with sensors which directly communicate with emergency services in case of fire, thus triggering the provision of the fire service. A direct communication to emergency services in case of accident is, for example, already a legal requirement for road vehicles under the eCall Regulation, which requires these vehicles to be equipped with an emergency system “comprising in-vehicle equipment and the means to trigger, manage and enact the eCall transmission, that is activated either automatically via in-vehicle sensors or manually, which carries, by means of public mobile wireless communications networks, a minimum set of data and establishes a 112-based audio channel between the occupants of the vehicle and an eCall PSAP” (public safety answering point).
All the above makes cities more vulnerable to cyber threats. Indeed, the sheer number of digitised devices and sensors increases the attack surfaces in a city. Integration and hyperconnectivity increase the risk of contamination of all connected places, infrastructure, systems and services in case of a breach in a single infrastructure, system or set of devices. In addition, the interdependencies of digitised spaces, systems and services (and underlying infrastructure) under the control and use of different (public and private) entities and persons, each with their own processes, may lead to weaknesses in preventing and responding to cyber threats. These risks are amplified when legacy and new systems need to interoperate and work together.
Moreover, if connected digital systems are compromised, two substantial impacts need to be highlighted: data incidents and failure of critical functions. With respect to the first, because interconnected devices and sensors, systems and infrastructure process huge amounts of data as a condition for the provision of timely, efficient and responsive services, security breaches may become serious data incidents, even more worrisome when personal data is at stake. With respect to the second, because critical services and infrastructure (such as health, mobility or energy) are essential for the maintenance of vital societal functions and economic activities in a city, security breaches may lead to full disruption or even the shut-down of a city or parts of it.
The approach to address cyber risks in smart cities
To ensure that smart cities are resilient in the face of growing cyber risks, cybersecurity policies and measures need to be defined and implemented in a multifaceted manner, at three main levels: at the design stage, at the operations stage, and at the governance stage. In all cases, technical, operational and organisational measures must be defined and applied.
At the design stage, cities (places / infrastructure / systems / services) need to be developed following the principles of security-by-design and security-by-default, i.e., by integrating security concerns and measures from the onset and by integrating secure default settings. This includes, for instance, the definition of architectural and system designs that meet cybersecurity goals (including with respect to interoperability / interconnection, and scalability), and the selection of suppliers and systems that are cybersecure. The performance of cyber risk assessments is also crucial to allow the identification of main threats and risks and, accordingly, the definition of the most appropriate cybersecurity features for each place / infrastructure / system / service.
At the operations stage, cities’ physical areas, systems, infrastructure and services need to be administered to prevent and respond to cyber risks, including through maintenance and vulnerability handling, services continuity and incident response. Ensuring the set-up of cyber specialised teams and the capacity-building of personnel allocated to tasks connected with the city’s operation (i.e., of its places / infrastructure / systems / services) is also crucial.
At the governance stage, cooperation, knowledge-sharing and strategic structures must be deployed, bringing together all entities (both public and private, including academia and civil society) responsible for a city’s places, infrastructures, systems and services (including urban planners, system operators, suppliers and service providers). These structures must ensure an aligned approach to systems acquisition and maintenance (in view of their desired integration and cyber protection), to data exchange as may be necessary, and to incident response as required considering the affected systems in case of a cyber incident.
For the above purposes, the following key steps should be taken:
– The development of an integrated city cybersecurity policy by the city government, with the contribution of other relevant stakeholders, to ensure confidentiality, integrity, availability, safety and resilience. It must cover, among others:
- Guidelines and rules for systems and services procurement / supply chain, as well as for security architectures, data storage, interoperability and integration issues, and communication protocols. In this scope, common standards for interoperability and integration shall also be implemented to ensure seamless interconnectedness among devices, sensors and systems under the operation of different entities.
- Guidance and rules for cyber technical and operational measures and mechanisms, i.e., for technical security (security controls of systems implemented by the systems themselves through mechanisms in the hardware, software and/or firmware) and operational security (security controls of systems implemented primarily by personnel).
The first may include, for instance, compusec (such as access and identification control measures – resorting, for example, to self-sovereign identity through blockchain, such as is the case of EBSI self-sovereign identity use, and through location-based systems resorting, for example, to satellite technology –, protection measures such as antivirus, detection measures such as security logs and alerts, configuration and maintenance measures), infosec (including measures for data storage, confidentiality such as encryption and anonymisation, integrity and availability of information) and comsec | transec (such as encryption measures).
The second may include, for instance, (i) monitoring, auditing and tests procedures (such as processes for monitoring, auditing and logging; contingency plans; tests and simulations for all or a set of systems / stakeholders, including through the implementation of testbeds; and processes for systems maintenance), (ii) dealing with security incidents (such as processes to detect and register security incidents; processes to manage – process and recover – security incidents, including preparation, detection, identification, collection of information, analysis, classification, containment, response and recovery; and processes for notifying and communicating security incidents), and (iii) continuity (such as a strategy for service continuity and contingency plans, e.g., redundant operations and backup; processes for disaster recovery; and processes for upgrading systems).
The guidance should include integrated, aligned or compatible processes and coordination mechanisms among all stakeholders operating interconnected systems.
- Principles and rules at the organisational level, including within the city government and other relevant stakeholders, notably cybersecurity teams (including chief security officers) and service providers, capacity-building of staff to meet the required skills (covering also, as necessary, cyber forensic capabilities) and processes for communication and reporting.
Guidance for data management, including ownership and exchange in the light of multiple heterogeneous data sources, shall also be developed.
- Cyber awareness and capacity-building plans and programmes for city residents and visitors.
- The development of a framework, forum, work group or other body for cyber city governance, covering the roles and responsibility of each system / component integrated in the smart city ecosystem, knowledge and data / intelligence sharing processes (including on cyber threats and incidents) and cooperation on cyber management and response. This will help ensure transparency and accountability, as well as better efficiency in dealing with cyber matters. Collaboration among cities, especially in exchanging best practices, will further contribute to increased cyber resilience.
- The development of standard contracts and agreements for both the procurement of suppliers and cooperation among stakeholders. In this scope, platforms providing standard contractual terms and processes for building contracts and agreements (such as what has been done for data sharing), including by resorting to smart contracts, can contribute to better alignment, transparency and auditability, thus facilitating the efficient management of the smart city ecosystem’s cybersecurity.
In all the above, and in addition to coordination between the city government and the private sector (including residents), special consideration shall be given to the coordination between city government measures and national measures, as countries often have their own cybersecurity strategies. This coordination shall further take into consideration services that may be under shared competences at the national and city level, or that may be managed at the national level but then provided at the local level or which resort to resources at the local level (e.g., health services and emergency services).
Funding is naturally also an important topic: a long-term vision ensuring continuous resources for cyber resilience measures is crucial in the fight against cyber risks.
The diversity of systems, applications and stakeholders brought together in the smart city environment requires a common, or at least aligned and coordinated, cybersecurity approach that benefits all smart systems, infrastructures and services in the city, and which successfully avoids the overlapping and duplication of efforts (and costs) in dealing with cybersecurity and cyber threats.
The legal and regulatory framework for cyber resilient smart cities
The development of city cybersecurity policies and initiatives needs to take into consideration legal and regulatory requirements.
At the EU level, two Directives were recently published at the end of 2022: the NIS 2 Directive and the CER Directive (which shall both be transposed to national law and applied from October 2024). Though the purpose of this Insight is not to thoroughly describe these acts and their detailed application to smart cities, some brief notes are worth mentioning.
Firstly, the NIS 2 Directive, in addition to, among other points, requiring EU Member States to adopt national cybersecurity strategies and set-up computer security incident response teams (CSIRTs) (an obligation already resulting from the current legal framework), contains a set of very demanding cybersecurity obligations applying to entities in an extensive range of sectors. These sectors include energy, transport (which covers, for instance, road authorities responsible for traffic management control and operators of intelligent transport systems – ITS), banking and financial market infrastructures, health, water supply and distribution, waste management, digital infrastructure and public administration, among others. The applicable cybersecurity obligations comprise, among others (such as notification of significant incidents and communication of cyber threats), a specific set of measures that entities must take to manage the risks posed to the security of network and information systems. These include (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity; (d) supply chain security; (e) security in network and information systems acquisition, development and maintenance; (f) policies and procedures to assess the effectiveness of cybersecurity risk management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; and (i) human resources security, access control policies and asset management.
Information-sharing arrangements are further addressed in the NIS 2 Directive, with a view to facilitating the exchange of cybersecurity information.
The obligations listed above apply to both public and private entities in the mentioned sectors that meet the requirements of the Directive (notably, that are medium-sized or large enterprises, where enterprises are entities engaged in an economic activity). They also apply, as already seen, to public administration entities, provided these are entities of central government or (to the extent that certain requirements are met) entities at regional level. Though public administration entities at local level are not mandatorily subject to the obligations of the Directive, Member States may, when transposing the Directive to national law, provide for it to also apply to these entities. Nevertheless, the Directive does not apply to public administration entities that carry out their activities, among others, in the areas of public security or law enforcement.
Hence, when it comes to cybersecurity measures in smart cities, the diversity of stakeholders involved in the smart city ecosystem, as seen above, means that they may not all be subject to the same legal framework. This makes the development of city cybersecurity policies even more relevant to ensure alignment among all stakeholders involved – not least because, under the Directive, national cybersecurity strategies shall also address topics such as procurement; preparedness, responsiveness and recovery measures; governance framework; and a cybersecurity awareness plan.
The CER Directive, in turn, contains a set of obligations aimed at ensuring the (physical) resilience of critical entities in a set of sectors: energy, transport (which also covers public service operators, i.e., those that operate public passenger transport services), banking and financial market infrastructure, health, water, digital infrastructure and public administration (in this last case, covering only entities of central government), among others. Critical entities are public or private entities that have been identified as critical by a Member State given that they provide services which are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment and, thus, an incident therein would have significant disruptive effects. Note that, also here, the CER Directive does not apply to public administration entities that carry out their activities, among others, in the areas of public security or law enforcement. The obligations critical entities are subject to are also more demanding than those resulting from the current legal framework.
In addition to incident notification, critical entities have to take appropriate and proportionate technical, security and organisational measures to ensure their resilience, including measures necessary to (a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures; (b) ensure adequate physical protection of their premises and critical infrastructure; (c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines; (d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains; (e) ensure adequate employee security management, duly considering, for example, access rights; and (f) raise awareness about the measures referred to above among relevant personnel. Critical entities will also need to have in place and apply a resilience plan or equivalent document or documents describing the above measures. They shall further regularly assess all relevant risks through risk assessments.
The CER Directive is pertinent for smart cities given their convergence of the cyber and physical worlds. However, and as with the NIS 2 Directive, the requirements of the CER Directive do not necessarily apply to all stakeholders involved in the smart city ecosystem. Once again, the development of city policies is thus essential to ensure alignment among them all (not least because the Directive also requires Member States to adopt a strategy for enhancing the resilience of critical entities) and avoid the impacts of any weaknesses arising from systems of entities not subject to the legal framework.
Note, in addition, that both Directives encourage the use of European and international standards and technical specifications. The NIS 2 Directive further indicates that Member States may require entities to use particular ICT products, ICT services and ICT processes certified under the Cybersecurity Act, which establishes a cybersecurity certification framework for ICT products, services and processes.
Very recently, the EU also approved the Proposal for a Cyber Resilience Act laying down (a) rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products; (b) essential requirements for the design, development and production of products with digital elements; (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle; and (d) rules on market surveillance and enforcement. Products with digital elements means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately. The proposed Act will play a central role in ensuring the cybersecurity of the IoT ecosystem and thus also of smart cities, including when dealing with procurement and maintenance.
Naturally, the cybersecurity of 5G networks is also crucial when it comes to smart cities, with the EU having, notably, implemented the EU 5G Toolbox of 2020 (which contains a risk-based approach to 5G cybersecurity based on an assessment of possible mitigation plans and identification of the most effective measures) and issued the Commission Recommendation of 2019 on the Cybersecurity of 5G networks. Likewise, the sector-specific cybersecurity obligations arising from the corresponding legal frameworks shall also be taken into consideration, as applicable.
Guidance from cybersecurity agencies, such as ENISA at the EU level, shall also be considered in the design, deployment, operation and management of smart cities. Finally, the rules and provisions applying to open data and data sharing (at the EU level, notably, the Open Data Directive, the Data Governance Act and the Proposal for the Data Act), to the processing of personal data (notably, the GDPR and the proposed e-Privacy Regulation), as well as to European Data Spaces, are also key for smart cities. That, however, is a topic for another time.