Managing the Risks Inherent to Smart Cities


A new guide for non-technologists aims to help local officials avoid technology and policy pitfalls.

Adopting smart city technologies comes with increased risks of technical failures and cyber crime that officials must anticipate and manage, according to a guide released Thursday by the EastWest Institute.

The scale and speed at which smart devices are deployed, their interconnectedness via unstructured networks, and the novelty of the technology all increase a city’s risk of crashes and hacks, the security think tank says.

Appropriate risk management requires that officials establish a framework with a tested incident and emergency response plan—a concept “Smart and Safe: Risk Reduction in Tomorrow’s Cities” outlines.

“The reality is that the smart city and [Internet of Things] devices have been procured in waves at least over a 10- to 15-year period,” said Mark Forman, global head of public sector at the IT company Unisys, who was consulted in writing the guide. “City governments don’t usually have a budget to hire the level of talent to cover all these different generations of cybersecurity risks.”

Add to that the management complexity of juggling a wide array of tech and the public’s distrust that government can keep that information safe, Forman said, and establishing a risk management framework becomes a tall order.

Senior city executives must first decide when and how to connect devices and systems to each other, and only after procuring secure ones, according to the guide. Secure devices and systems are certified, while the guide suggests that cities make sure that they patch and upgrade them regularly, change default passwords, encrypt communication, and strongly authenticate users.

Mapping the network is key to ensuring data goes only where it’s intended, the guide adds.

Secondly, a smart city network must be resilient enough to continue delivering critical services like public safety at predetermined levels in spite of glitches or attacks.

“Nobody’s quite figured out how to be totally resilient,” Forman said.

Coastal areas are subject to hurricanes and tidal waves that could threaten IT facilities, he added, so physical resilience is just as important as cyber resilience in an emergency.

The guide advises building in redundancies around any system components deemed critical, and everything should be able to reboot or restart in such a way as to provide basic services until a situation is resolved.

Periodic testing and citywide disaster exercises help fine-tune such failsafes, according to EastWest.

Unisys surveys have previously revealed that while people generally want to provide government personal data that can help solve crimes, for instance, they’re less certain that information will wind up with the right people, Forman said.

Data privacy can be assured in stated policies, transparent reporting and the appointment of a chief privacy officer, the guide recommends. When partnering with third parties on smart city projects, city officials should enter into data governance agreements.

“In most connected cities, data is being collected almost instantaneously by license plate readers, traffic cameras and toll booths,” Forman said. “In some cities, the culture doesn’t support that collection and retention.”

Lastly, a government structure is needed that supports multi-million-dollar security improvements through collaboration with civic groups and other stakeholders, according to the guide. In that way, the city can prioritize investment in line with local security needs, Forman said.

While major cities have more money to spend on smart city projects, their officials are just as likely to fall into risk management pitfalls as small city officials, Forman said. Everything comes down to the tech savviness of local leadership to understand the policy and economic impacts of smart infrastructure.

“I think a lot of the people coming into city it leadership roles—chief information officers and chief privacy officers—understand a lot of these concepts,” Forman said. “The guide was designed to be used by the non-technologist because that’s where the payoff is in education around best practices.”