Without trust and security, forget your smart nation/ city

• Protecting a smart nation requires security to be baked in at the start
• Need to navigate the new frontier while standards are still being formulated

 
MUCH has been said about the great possibilities and potential good smart city or smart nation projects can bring to the people, but too little has been said about the security and trust needed for adoption.
 
A smart city (or nation) entails building a digital nervous system connecting various silos – which could mean cracks between them, according to Munich-headquartered international testing and certification corporation Tüv Süd.
 
“Typically, all smart city services would be hosted on the Internet as customers require mobile access to [these] services,” said its chief digital officer Dr Dirk Schlesinger (pic above).
 
“[So] there is a security issue across the whole vertical solution stack,” he told the audience at Tüv Süd’s recent jubilee event in Singapore, which had the theme Inspiring Trust in a Smart Nation.
 
Transforming from a vertical model to a horizontal one requires a change in thinking, and this has its challenges – many incidents illustrate what can happen when security is not taken into account in this new horizontal model, Schlesinger warned.
 
“In 2008, a teenager stopped all the trams in Poland; and in 2010, Stuxnet made a very sophisticated attack on the centrifuges in northern Iran,” he said.
 
The issue in fact goes as far back as 2000, when a disgruntled employee hacked the computers controlling sewage pumps in Australia, he noted.
 
“When you talk about smart cities, it’s not just about fending off attacks but also about security-by-design and how you do it at the line infrastructure – which has to do with the power supply, critical service providers, and training people to use equipment the right way,” said Schlesinger.
 
Need for standards
 
The issue has become even more complicated as the Internet of Things (IoT) – where sensors will be embedded in just about everything – has become a key component of any smart city initiative.
 
But security standards for the IoT have only been set the communications stage, and there are no interoperability standards yet for the different devices, let alone the different ‘domains’ such as elevators and lighting.
 
“There are efforts to build a platform or equivalent operating system – the challenge we have here is a semantic challenge; they all speak a different language,” said Schlesinger.
 
“There will not be the one standard for everything because technology moves too fast, but I do see a common language that covers 70-80% of the necessary functionality that will emerge in the future.
 
“We will never be able to cover all the stuff that you can do because the churn is now 18 months, and you can’t standardise in such a short time,” he added.
 
As sensors get smaller and more prevalent, standardising that last-mile connectivity will be key, according to Schlesinger.
 
“It doesn’t make sense to have an IP (Internet Protocol) stack or VPN (virtual private network) for every sensor,” he said, adding that it would make more sense to have a standard protocol for the last-mile connectivity.
 
“Secondly, some protocols are more secure than others – for instance, WiFi is inherently more secure than Bluetooth,” he said.
 
Schlesinger believes that ‘tiering’ will play a part in last-mile security protocols.
 
“For instance, there is secure ZigBee and not-so-secure ZigBee protocols,” he said, referring to the wireless technology.
 
Testing and certification
 
So security has to be baked into the technologies that will be used to build smart cities, and for that to really happen, testing and certification will have to play a part.
 
“We already certify management processes, product development, service provider processes, and even the property of products in the IT security space,” said Schlesinger.
 
“But we are not certifying the functionality of systems … not in the foreseeable future,” he added.
 
But in a world where threats can evolve within a minute, how can systems be certified as secure?
 
“I personally think that certifying for a time period is a declining business model because the changing of the device is more software-defined than hardware-defined … and 70% of all breakdowns occur in software,” Schlesinger said.
 
“We are currently exploring ways and actively pushing how we can go from a cyclical certification to continuous certification,” he added.
 
Related Stories:
 
Critical infrastructure: A clear and present danger
 
SEA countries lax on IoT security: Intel study
 
Making the world ready for the IoT
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.