Connect with us

Hi, what are you looking for?



Securing Smart Cities from the Ground Up

Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them

Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them

Smart technology continues to change how people live and interact with the cities around them. While the full value of a connected city evolves – one that leverages innovations powered by artificial intelligence and machine learning – cybersecurity stands as one of its greatest challenges. 

The Smart City Conundrum

While the promise of Smart Cities provides municipalities and inhabitants with the efficiency and value of “smart” services, it also creates a cybersecurity challenge. Each connected component – from devices to the network infrastructure – offers a potential entry point for hackers to steal data, damage systems, and gain access to information they shouldn’t have. 

Smart City ecosystems could be filled with tens of thousands of Internet of Things (IoT) devices communicating over public network infrastructure. In order for the Smart City to succeed, each IoT device must be low power, exhibit excellent performance, be able to withstand interference, and be reliable. They’ll operate with the free flow of data between devices and the network infrastructure that connects them. How do Smart Cities ensure that each part of the Smart City ecosystem – the devices and network infrastructure — remains secure?

Smart City device security begins at the component level 

Smart City device manufacturers — from smart lighting and water systems to smart traffic management systems and transportation systems — serve as the first line of defense when it comes to security. Each device may feature many technologies working together such as chipsets, sensors, communications protocols, firmware and software. These technology components must be built or sourced with security in mind. 

Advertisement. Scroll to continue reading.

Security testing of components and devices should not be an afterthought, but a proactive part of the design and manufacturing process. Best practices may include:

• Communication protocol testing – For example, Bluetooth vulnerabilities like Sweyntooth and Braktooth in communication chipsets, could open the door to hackers. Braktooth vulnerabilities recently impacted billions of devices from the system-on-a-chip (SOC) in more than a thousand chipsets used in laptops, smartphones, IoT and industrial devices. Protocol level vulnerabilities like these are difficult to detect. While the security community established best practices for discovering application-level vulnerabilities, protocol-level vulnerabilities are much harder to pinpoint. The only way to test for these kind of vulnerabilities is using protocol fuzzing which detects vulnerabilities during the communications handshake or hand-off process. 

• Cybersecurity firmware, software and password update capabilities – Cybersecurity threats and vulnerabilities change over time. Many headline-making IoT security incidents have been caused by poor passwords and out-of-date firmware. Device manufacturers can take simple steps to enable Smart City device owners to strengthen authentication and provide methods to update firmware and software as the cybersecurity landscape evolves over the lifetime of their devices. 

Unfortunately, once a device is purchased, there is little a Smart City can do to improve its security, so making the right purchase is the key to success. The purchasing process should consider cybersecurity in the “bill of materials” (BOM) that requires that the device manufacturer considered component and device cybersecurity and can validate that their devices passed appropriate cybersecurity testing. Smart City owners should keep in mind that over time, smart device manufacturers may continue to develop new devices with short product cycles. This means that owners will need to understand that manufacturers will may accelerate dropping support for older devices.

Taking the risk out of the Smart City network

The second line of defense in a Smart City is network infrastructure. In a Smart City, the back-end network is the nerve center that keeps everything running smoothly. That’s why it’s important for Smart Cities to rigorously test their back-end network’s security posture including policies and configurations on a continuous basis.

There is additional network infrastructure to consider. Smart Cities now connect operational technology (OT) systems such as water and energy utilities to Smart City network infrastructure. These OT connections increase the risk to the network since they are prime targets for bad actors. OT systems traditionally existed as stand-alone city infrastructure separated from the connected network. Now, newly connected to the shared network infrastructure, OT systems must be secured like traditional IT systems. 

Smart City owners should follow cybersecurity best practices to improve their overall network security posture. Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them.  A proactive approach includes utilizing breach and attack simulation tools to continuously probe for potential vulnerabilities. Adopting these tools can:

• Prevent attackers from moving laterally across the network

• Avoid “configuration drift” where system updates and tool patches cause unintended misconfiguration and leave the door open to attackers

• Reduce dwell time by training your security information and event management system to recognize indicators-of-compromise for emergency or common attacks.

Smart Cities promise to deliver value from big data and analytics. However, for every new connection, there’s an attacker looking to exploit it. For Smart Cities to truly live up to their promise, we shouldn’t forget that – like all infrastructure – safety and security are a top priority.

Learn About Securing Smart Cities at SecurityWeek’s ICS Cybersecurity Conference

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.