Cities and municipalities across the entire world are stepping up their investments in smart city initiatives and technologies in order to improve quality of life in cities and save resources. This is leading to more digital interaction and networking between the city infrastructure, people, processes and devices. However, wherever there is an increasing reliance on digital technologies, the risk of a large-scale cyber attack that can throw a smart city and our digital daily lives into chaos also increases. Whereas megacities are increasingly adapting their digital security plans, smaller towns and municipalities are not prepared for a serious digital incident. Do smart cities have adequate risk and crisis management as well as fall-back options for a serious digital incident? This is one of the central questions that will be examined at the next Command Control Cybersecurity Summit organized by Messe München on March 3-4, 2020.
Should proof of this be required, cities and municipalities in Germany have just received it. Cyber attacks and cyber criminality not only affect companies and individuals, but increasingly also public administrations and thereby the ability to run cities and municipalities. Only recently were the city administrations in Potsdam and Brandenburg an der Havel hacked when malware paralyzed all the computers. In September last year the State of Lower Saxony reported over 90 cyber attacks on its state and municipal authorities. Particularly devastating was the attack on the Lower Saxony town of Neustadt am Rübenberge in which hackers unleashed malware known as Emotet and paralyzed the entire IT system of the municipal administration for more than a week. The computers in the town hall were down and the vehicle licensing center was closed. Staff in the citizens’ office were only in a position to answer queries verbally. Ransomware and malware attacks have already caused huge damage internationally – in Johannesburg, Baltimore and 22 towns in Texas. This is the provisional assessment for 2019 for cities and municipalities that are deploying more and more networked systems as they become smart cities.
A 2017 report from Cybersecurity Ventures forecast that damage caused by ransomware in 2017 would cost the world around 5 billion US dollars, a 15-fold rise in only two years from the 325 million US dollars registered in 2015. Damage levels of around 8 billion US dollars in 2018 and of around 11.5 billion dollars for 2019 were forecast. This trend paints a bleak picture of the current status of risk provision within digital transformation.
Cyber attacks, in particular on municipal administrations, are a constant threat according to the German Federal Office for Information Security. The reasons for this include outdated IT systems, a lack of financial resources and, in the age of digitization, urban security arrangements that no longer have adequate resilience but are needed in particular to protect the critical infrastructures of cities and municipalities. This concern is also shared by Jörg Ochs, head of IT at Public Utilities Munich:
“Large energy providers like the Munich municipal utilities – SWM have both the resources and sophisticated security plans in place to avert blackouts caused, for instance, by cyber attacks through the segmentation and decentralization of our systems. And in a worst case scenario, we will – from our apprentices through to long-serving employees – still be able to maintain the systems in analog manual operation and therefore also the energy supply.”
In parallel, more and more people are moving to cities and metropolitan regions. The United Nations has forecast that by 2050 68% of the world’s population will be living in municipal areas. This population growth is placing town planners, managers and political decision-makers under pressure. Municipal administrations must be optimized, and sustainable economic stability that offers the population a better quality of life must be achieved. Smart city solutions meet these requirements by changing the services provided by a city – from administrative tasks and traffic to electricity, water and communications. However, these new technologies also conceal critical risks for security and for essential city functions – risks which are often underestimated. This is because a smart city infrastructure, alongside a stable and secure energy provision, is increasingly based on Internet of Things (IoT) solutions, which considerably increase the extent of networking within the city whilst at the same time hugely increasing the potential for an attack.
A security failure in a smart city could potentially have a severe impact on lighting, communications or traffic management. In many smart cities, street lights form the backbone of city-wide Field Area Networks (FAN). Non-secure devices, gateways and networks constitute entry points for hackers who can trigger city-wide disruptions or control the systems. Smart meters which exchange data with municipal energy providers may also be problematic in this regard, as they often do not contain the necessary digital security features. The risk of intrusion into the networks of utility companies via smart meters is high. Here a worst case scenario can lead to a power cut caused by hackers or to personal customer or payment data being compromised. In addition to the reputational damage and restoration of IT systems, such a data breach can have a considerable impact on the finances of cities and municipalities. A study carried out by IBM and the Ponemon Institute in the USA assumes that the average costs of a data breach are 3.86 million US dollars – and the introduction of the European General Data Protection Regulation (EU-GDPR) will only exacerbate the situation for affected cities and municipalities.
Leading smart cities such as Amsterdam, London and Vienna have started to find answers to these challenges with their own smart city strategies and have adapted their IT security plans, generally through public-private partnership oriented collaborations. New York has even gone one step further. In July 2017, Bill de Blasio, the Mayor of New York City, signed an executive order to protect the city from cyber attacks and set up a NYC Cyber Command with its own Chief Information Security Officer who advises New York City Hall and coordinates more than 100 municipal agencies and companies on cyber security issues.
Guidelines and recommendations from standards institutes such as the US-based National Institute of Standards and Technology (NIST), which have been adapted to IoT and smart city requirements, have proven helpful in securing smart cities and introducing cybersecurity governance for them. The Cybersecurity Framework issued by NIST consists of standards, guidelines and best practices for handling cybersecurity risks and supports decision-makers in cybersecurity issues in their smart city projects. The Smart Cities Guide from the EastWest Institute should also be compulsory reading for municipal leaders. It defines specific measures in the four key areas of cybersecurity, cyber resilience, data protection and data security as well as collaboration and coordination in relation to governance.
Germany still lags behind in securing smart cities, in particular when it comes to the position of cities, municipalities and their administrations in the area of cybersecurity. These should be defined as Critical Infrastructures in the update to the IT Security Act by the Federal Government and treated like other areas where the state of the art in computer technology is a statutory requirement. Previously hospitals and energy providers were covered by this, but to date no authorities. There must be a paradigm shift here because the digital protection level can only be as strong as the weakest link in the chain. If the path towards a secure smart city is to be pursued, cybersecurity must be embraced as an issue of prime importance by municipal leaders, district administrations and their municipal decision-making bodies.
Even in the near future, digitization and the automation of risk management functions will become an absolute necessity. What approaches and trends can be identified in this area? What is the role of strategic communications competence in a digital transformation that is overloaded with acronyms and dominated by unclear definitions of terms? How can municipal leaders obtain an overview of the digital proliferation in their own city and introduce cybersecurity concepts systematically? This is where Command Control on March 3-4, 2020 in Munich will provide answers. For the second time it will bring together decision-makers and experts from the worlds of business and politics for a rethink on how to handle cyber threats and how to minimize urban digital risks and make smart cities cyberproof.
Author: Oliver Rolofs, Managing Partner of strategy consultancy connecting trust