6 Steps to Smart City Cyber Resilience
Many London boroughs are currently either procuring or intending to procure connected technology (Internet of Things, IoT) and smart city systems to support the delivery of public services. This emerging area of technology has the potential to reduce costs, generate new insights at the borough and city level, and improve the current and future state of services in London. At the same time, smart city technologies present new cyber security vulnerabilities and risks, some of which local authorities are likely to need external support to address.
While maturity is building around the use cases, technology and connectivity requirements for smart city technology, LOTI has identified cyber security and resilience alongside ethics and standards as areas that still need to be addressed on the path to wider adoption and scale up.
In this article, I will outline some of the potential cyber security and resilience risks and questions that arise with this type of technology, and share LOTI’s latest thinking on what needs to be done to support boroughs.
Ensuring services are resilient
With services becoming both digital and connected through networked technology, boroughs must plan for the impact of service interruption caused by system failure or malicious attack. Planning for these risks requires understanding the specifics of each service from the perspective of the user, as well as the underlying technology architecture.
The impact on individual service users will need to be considered carefully where, for example, vulnerable people are involved. An emerging example is Assistive Technology that combines sensors and data analysis to detect that a person may have fallen over or is seriously ill. These systems can reduce the risk of a vulnerable adult falling and lying undetected until the next scheduled care visit. However, relying on technology alone comes with risks. Boroughs must assess what provisions are in place to support these individuals if the service becomes unavailable or reports incorrect data. Are backups required? Who is responsible for bringing the service back online? Over what time period? And how can councils audit for false positives and false negatives?
Who is responsible if the lights go out?
Smart street lighting is becoming increasingly common in London. Its core functionality allows boroughs to remotely control and monitor the operation of street lights. Traditional street lighting relies on ‘dumb’ or ‘unconnected’ timers or light sensors and on street surveys, all of which councils are experienced in managing. Smart street lighting, by contrast, relies on a different set of technology, service and contractual arrangements, and these new arrangements carry new risks. For example, data aggregation and network control is usually provided by a third-party platform. Boroughs must assess how secure those platforms are, and plan for the impact of malicious disruption to this service. How will boroughs respond if one light goes out? How about if lighting in the whole borough is affected?
Mitigation requires a detailed understanding of how the service operates and its weak points so that strong operational responses can be designed, supported by contracts and service level agreements. These will need to include provisions for what happens to the lights if the platform provider goes bust. Do the lights stay on all the time? Are they switched off? Or can another form of control be activated?
The challenge for boroughs
Procuring smart city technology adds a number of complexities to the existing procurement process for more familiar line-of-business and IT systems.
Boroughs typically lack access to the information and resources required to identify, understand and mitigate the unique cyber security and resilience risks of procuring smart city technologies and systems.
This is because there are limited reference examples of the same technology deployed in other public sector contexts to learn from. Boroughs are also currently expected to convert or map a plethora of existing high-level guidance and recommendations into specific procurement requirements that can be acted upon and evaluated. Boroughs must navigate:
- Multiple standards and frameworks (such as from the National Cyber Security Centre, British Standards Institution and Crown Commercial Services)
- Complex supply chains, where cyber vulnerabilities may occur due to the combination of several technologies, rather than in any system alone
- An immature market
- Unfamiliar and complex risks such as disruption to critical infrastructure and national security, e.g. the impact of EV charging point infrastructure on the energy distribution grid
Understanding the challenge in detail
LOTI commissioned security researcher Meha Shukula to conduct a detailed discovery to collate the specific challenges facing boroughs. The work involved workshops with Brent, Greenwich, the South London Partnership boroughs, Westminster and Kensington and Chelsea.
Over the course of the workshops we identified six areas where boroughs currently lack the capabilities, resources and tools to ensure the resilience of their connected place technologies.
- Resilience and Security: There is a lack of actionable guidance to help borough officers create a repeatable, continuous method of procuring secure and resilient systems.
- Risk Management: When purchasing smart city technologies, boroughs lack a consistent way to quantify their resilience risks and their exposure to cyber security liabilities, right from their discovery phase through to contract management.
- Strategy and Governance: There is no centralised procurement strategy and governance spanning business, IT, operations and services across smart city initiatives, and the need for this is also not widely understood. For example, there is a risk of shadow IT emerging as standard highways components, such as traffic systems, are re-procured with embedded smart technology without IT's knowledge.
- Supply-chain assurance: There is a lack of a consistent method to assess supply-chain resilience measures for end-to-end services in all contract stages. Current supplier assessment questionnaires get incomplete responses from suppliers.
- Frameworks and standards: Many of the existing frameworks and standards for smart service security and resilience are not relevant or specific to local governments and are not applied consistently.
- Service Operations: Once systems are in place there are not adequate measures to monitor and detect errors and malicious attacks, particularly those that emerge from the changing technology and evolving threat landscape.
Moving from complexity to action
Clearly, the challenges are significant, and the complexity and associated risks may leave local authorities wondering where they should start.
To break it down into more manageable actions, at LOTI we have focused on the key actions that individual borough officers involved in the procurement of smart city technology can take.
We have highlighted 6 key steps to cyber resilience that will help boroughs to bring cyber resilience principles into their procurement process. It is hoped that with this, they can build confidence, capability and an understanding of the remaining gaps in their cyber resilience strategy.
Alongside the steps are suggested activities where LOTI can help build resources to support boroughs in taking the step. This work will need to be in collaboration with boroughs and other government agencies including the Crown Commercial Service (CCS), National Cyber Security Centre (NCSC) and Department for Digital, Culture, Media & Sport (DCMS), drawing on expertise and insights from across the public sector.
6 Steps to Cyber Resilience
1. Publicise and educate procurement teams
- Publicise and educate procurement teams and suppliers on London’s smart city principles
- Ensure that visibility is given to already existing guidance and organisational strategies.
2. Identify relevant stakeholders (such as IT operations, service design, legal) and engage them upfront in procurement to establish a methodology to identify potential risks in smart services projects.
- LOTI Role: Select a borough currently going through the process of procuring IoT technology and work with them to document and templatise their process. Validate the process with other boroughs and security experts.
3. Templatise the risk assessment methodology and create best practice checklists mapped to standards relevant to smart services. Create a tool to make this process faster and more repeatable.
- LOTI Role: Collate a cross-borough list of service risks. Ask boroughs to crowdsource a list of service risks based on previous risk assessment activities.
4. Develop and use an industry standard supplier assessment tool.
- LOTI Role: Lead a project to develop the supplier assessment tool, working with boroughs to test and iterate the product.
5. Include provisions in all contracts for ongoing resilience tests including clauses that capture the changing and emerging technology threat landscape.
- LOTI Role: CCS’s forthcoming playbook will include specifications that can be used by procurement teams when communicating with suppliers about their cyber security requirements. LOTI can support boroughs to adapt these requirements for use outside of the CCS framework.
6. Introduce auditing of data and reports from suppliers to detect and prevent malfunctioning and malicious data reporting from smart city systems.
- LOTI Role: CCS’s forthcoming playbook will include specifications that can be used by procurement teams when communicating with suppliers about their cyber security requirements. LOTI can support boroughs to adapt these requirements for use outside of the CCS framework.
View the 6 steps in full detail:
Top 6 Recommendations for becoming Cyber Resilient in your IoT and Smart city deployments
Final Reflections
Cyber resilience is complicated to execute well but, like health and safety before it, it can and should become an intuitive part of project and service design. The starting point is to demonstrate small and effective interventions which, as a sector and a community, we can continuously improve to make the process easier and more intuitive.
Jay Saggar