Security and the evolution of the smart city


By 2050, 70% of the world’s population will live in smart cities. For them to flourish we need to make sure there is visibility, control, and security of IoT devices – but what does that mean, asks David Maidment, the senior director of the Secure Devices Ecosystem at Arm

Why do we need smart cities?

The IoT ecosystem is gathering pace and expanding at a rapid rate, delivering incredible opportunities for digital transformation not only in how we work but also in how we live our lives. According to a United Nations report, by 2050 two out of every three people on the planet are most likely to be living in urban areas. This equates to 2.5 billion people living in smart cities, making the most of the opportunities urban living offers, whether in the form of smart offices, enhanced shopping experiences, down to smart metering of gas and electric utilities, systems for sewage and manhole monitoring, to the cameras, streetlights and traffic lights above ground.

Everywhere you look there is the potential for IoT to make an impact. But beyond the obvious hardware, what constitutes a smart city?

What is a smart city?

According to the McKinsey Global Institute (MGI), the development of a smart city comes in three defined layers.

The first layer comprises the roll-out of the technology, such as devices and sensors, which help gather data. After all, the fundamental building block of any modern technology is data, and it is the insights such information can offer that drive digital transformation. IoT devices are generating unprecedented volumes of data and the potential applications remain largely untapped.

Therefore, the second layer centres around the applications that process and analyse that data and start to break it down into alerts, insights and actions.

The third and final layer is the mass adoption of technology and the actioning of the insights derived from the gathered data. This needs governments, businesses and even the public to embrace digital transformation and drive change.

How IoT will impact our daily lives

The breadth of IoT applications is set to impact everything from driving your car to having groceries delivered to fundamental services like water and electricity, so getting security right is critically important to all of us. This is especially true for smart cities and connected buildings as they are home to many high-value assets, that if compromised could cause significant disruption and service outages. To allow smart city services to scale, and to ensure the benefits and efficiencies from digital transformation don’t leave governments, businesses, and the public at risk, we need to build trust in the Internet of Things (IoT).

Why IoT security is essential for smart city applications

Before we can get to the mass adoption of IoT technology, the industry is facing challenges that we must first overcome.

To get a better understanding of those issues, we created the PSA Certified 2021 Security Report, which brought together the combined knowledge of IoT industry decision makers from around the world, sharing their insights on the challenges, as well as what they believe are the possible future opportunities and next steps for the IoT ecosystem.

For example, differing standards were seen as a top challenge by 48% of respondents, while 42% felt a lack of understanding or security expertise within their own businesses was a challenge yet to be tackled. Then there is the inherent cost of security. The report found that 54% of those surveyed saw it as a genuine issue, with lack of buy-in and uncertainty around a return on their investment seen as the main barriers. These statistics paint a picture of an industry that is fully aware digital transformation is necessary but is also cautious of the many potential pitfalls that lie ahead.

However, there is also a sense of optimism about the future, as 84% of tech decision makers showed interest in the development of an industry-led set of guidelines and processes to help build IoT security into devices.

Security needs to be embedded from the beginning

For many, the biggest challenge right now is around fragmentation and the sheer number of different types of devices that make up IoT.

These can range from the high value, such as large industrial machines, down to low-cost sensors deployed at scale in connected spaces. One building or factory, let alone a whole city, can contain hundreds if not thousands of IoT devices. The problem is not all have security built-in, whether this is due to lack of security expertise within the manufacturing company, a desire to rush to market without due diligence, or a repurposed device that had never been built with the intention to be connected to the cloud, reasons are varied but all constitute flaws in planning. As a result, it only takes one flaw in a device or system to open it up to exploitation, putting an organisation, its people and customers at personal, financial and reputational risk.

One of the first areas of a building to be connected and made smart is often lighting – smart lighting. There are many reasons why this may be useful, from minimising unnecessary light and energy usage to the convenience of being able to control them remotely.

However, an insecure lightbulb can have repercussions, as Jan Münther, the head of Digital Product Security at PSA Certified partner at OSRAM, explained: “When you look at our industry, there are applications that have heightened security requirements. We have lights in the medical sector, for instance, and in civil infrastructure. We have lighting on airport runways and in the horticulture industry, or urban digital farming as it’s known. If we have our devices compromised in those settings, they can create very palpable damage. People might get hurt or companies could lose millions of dollars in income. That’s why we have to take security into consideration early in the device lifecycle.”

If we are to build connected spaces that governments, businesses and people rely on to share data and deliver insights, the data needs to be trusted, which means keeping it secure. But as we know, trusted data can only come from a trusted device. To this end, it is vital that IoT devices insecure. This makes it difficult for insurers to back new technologies, yet insurance is pivotal as it offers a low-risk way to experiment.

How to implement security in smart buildings

Peter Armstrong, a cyber-insurance expert at Munich RE believes that for the IoT to succeed: “It’s important for the technology environment to lead and continue to embrace the requirement for compliance in this evolving environment.” Elsewhere, we need to make sure that all operations within a device take place on components that have a critical baseline of security factored into them. In other words, we need security that is embedded into every layer of a device, starting with the silicon and system software, and leading right up and into the product itself.

What is a Root of Trust?

However, implementing security at every stage of the IoT device can be particularly challenging for device manufacturers, as they often do not have the resources or security understanding to implement best practice security. One solution lies in a root of trust (RoT) being built into the silicon, thereby providing a set of implicitly trusted functions that the rest of the system can use to ensure security. Working with the ecosystem and building on the expertise of silicon vendors and software providers simplifies the security journey for OEMs, allowing them to make use of security implementations from the value chain. Equally, we need to see manufacturers developing devices that work collectively on different platforms.

By moving away from a siloed approach to hardware security we can rapidly scale the deployment of devices, confident that we’re adding genuine value to the chain. Similarly, we need to see less fragmentation within the software security, allowing engineers to focus on the best available systems.

Why collaboration is the key to secure spaces

As cities become increasingly more connected, and create smart buildings, we need to make sure that all the disparate elements, from automation systems, access controls, environmental and IoT networks, through to transport hubs and utility systems, are gathering data in the most secure method possible. By fostering a connected device industry that embraces collaboration in the security space – of the kind made possible by PSA Certified – we will reduce barriers, decrease costs and free up resources, thereby accelerating the mass adoption of the IoT. To achieve this, we need to work together and collaborate on technologies that help build a system beneficial for all. This prevents hackers from taking advantage of weaknesses in the system and ultimately delivers the enhanced proposition smart technologies have long had the capabilities to deliver.

This article first appeared inside IoT Now magazine. Subscribe now to access free, expert content.