A new paper, ‘The (In)Security of Smart Cities: Vulnerabilities, Risks, Mitigation, and Prevention’ by Rob Kitchin and Martin Dodge, has been published in the Journal of Urban Technology.
Abstract
In this paper we examine the current state of play with regards to the security of smart city initiatives. Smart city technologies are promoted as an effective way to counter and manage uncertainty and urban risks through the effective and efficient delivery of services, yet paradoxically they create new vulnerabilities and threats, including making city infrastructure and services insecure, brittle, and open to extended forms of criminal activity. This paradox has largely been ignored or underestimated by commercial and governmental interests or tackled through a technically-mediated mitigation approach. We identify five forms of vulnerabilities with respect to smart city technologies, detail the present extent of cyberattacks on networked infrastructure and services, and present a number of illustrative examples. We then adopt a normative approach to explore existing mitigation strategies, suggesting a wider set of systemic interventions (including security-by-design, remedial security patching and replacement, formation of core security and computer emergency response teams, a change in procurement procedures, and continuing professional development). We discuss how this approach might be enacted and enforced through market-led and regulation/management measures, and then examine a more radical preventative approach to security.
Last Thursday saw the launch of the ‘Getting Smarter about Smart Cities: Improving Data Privacy and Data Security’ report, written by Rob Kitchin and published by the Department of the Taoiseach. The report was submitted a few days before the publication of a similar report by Lilian Edwards titled ‘Privacy, Security and Data Protection in Smart Cities: a Critical EU Law Perspective’ and therefore has no reference to it. Whereas my report takes a more governance and policy focused approach, Lilian’s is more legally focused. If taken as a pair I think they provide a pretty comprehensive overview of the various privacy and security issues raised by smart city technologies and possible solutions.
As part of ‘EU Data Protection Day’ a new report – “Getting smarter about smart cities: Improving data privacy and data security” – was launched today by Dara Murphy T.D., Minister for European Affairs and Data Protection. The report, commissioned by the Data Protection Unit, Department of the Taoiseach (Irish Prime Minister) and written by Rob Kitchin (of The Programmable City project), is the first publication by the new Government Data Forum, a panel of experts drawn from across industry, civil society, academia and the public sector. The Forum advises Government on the opportunities and challenges for society and the economy arising from continued growth in the generation and use of personal data. The report is available from the Department of the Taoiseach website.
Executive Summary
Many cities around the world are seeking to become a smart city, using networked, digital technologies and urban big data to tackle a range of issues, such as improving governance and service delivery, creating more resilient critical infrastructure, growing the local economy, becoming more sustainable, producing better mobility, gaining transparency and accountability, enhancing quality of life, and increasing safety and security. In short, the desire is to use digital technology to improve the lives of citizens, finesse city management, and create economic development.
In this context, a wide range of smart city technologies are being deployed within urban environments, including city operating systems, centralised control rooms, urban dashboards, intelligent transport systems, integrated travel ticketing, bike share schemes, real-time passenger information displays, logistics management systems, smart energy grids, controllable lighting, smart meters, sensor networks, building management systems, and an array of smartphone apps and sharing economy platforms. All of these technologies generate huge quantities of data, much of them in real-time and at a highly granular scale.
These data about cities and their citizens can be put to many good uses and, if shared, for uses beyond the system and purposes for which they were generated. Collectively, these data create the evidence base to run cities more efficiently, productively, sustainably, transparently and fairly. However, generating, processing, analysing, sharing and storing large amounts of actionable data also raise a number of concerns and challenges.
Key amongst these are the data privacy, data protection, and data security issues that arise from the creation of smart cities. Many smart city technologies capture personally identifiable information (PII) and household level data about citizens – their characteristics, their location and movements, and their activities – link these data together to produce new derived data, and use them to create profiles of people and places and to make decisions about them. As such, there are concerns about what a smart city means for people’s privacy and what privacy harms might arise from the sharing, analysis and misuse of urban big data. In addition, there are questions as to how secure smart city technologies and the data they generate are from hacking and theft and what the implications of a data breach are for citizens. While successful cyberattacks on cities are still relatively rare, it is clear that smart city technologies raise a number of cybersecurity concerns that require attention.
To date, the approach to these issues has been haphazard and uncoordinated due to the ad-hoc manner in which they were developed. However, given the potential harms to citizens and the associated costs that can arise, and the potential benefits at stake, this approach should not be allowed to continue. The challenge is to roll out smart city solutions and gain the benefits of their deployment while maintaining infrastructure and system security and systematically minimising any pernicious effects and harms. This is no easy task, given the many stakeholders and vested interests involved and their differing aims and ambitions, and the diverse set of technologies and their complex arrangement.
This report details the development of smart cities and urban big data, highlights the various privacy and security concerns and harms related to the deployment and use of smart city technologies and initiatives, and makes a number of suggestions for addressing trepidations about and ills arising from data privacy, protection and security issues.
It argues that there is no single solution for ensuring that the benefits of creating smart cities are realised and any negative effects are neutralised. Rather, it advocates a multi-pronged approach that uses a suite of solutions, some of which are market driven, some more technical in nature (privacy enhancement technologies), others more policy, regulatory and legally focused (revised fair information practice principles, privacy by design, security by design, education and training), and some more governance and management orientated (at three levels: vision and strategy – smart city advisory board and smart city strategy; oversight of delivery and compliance – smart city governance, ethics and security oversight committee; and day-to-day delivery – core privacy/security team, smart city privacy/security assessments, and computer emergency response team).
These solutions provide a balanced, pragmatic approach that enables the rollout of smart city technologies and initiatives, but in a way that is not prejudicial to people’s privacy, and that actively works to minimise privacy harms, curtail data breaches, and tackle cybersecurity issues. They also work across the entire life-cycle (from procurement to decommissioning) and span the whole system ecology (all its stakeholders and components). Collectively they promote fairness and equity, protect citizens and cities from harms, and enable improved governance and economic development. Moreover, they do so using an approach that is not heavy handed in nature and is relatively inexpensive to implement. They are by no means definitive, but build on and extend work to date, advance the debate, and detail a practical route forward.
The report concludes that a core requirement for creating smart cities is the adoption of an ethical, principle-led approach designed to best serve the interests of citizens. In other words, being smart about how we plan and run cities consists of much more than deploying data-driven, networked technologies; it requires a smart approach.