When a Smart City Is Not Smart: From Smart City to S2I City

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...


If you develop an infection on your finger, your body doesn’t say, “Ah finger, go figure it out by yourself and make sure the rest of the body doesn’t get infected,” Paul Ferrillo and George Platsis write, The body produces a whole bunch of white blood cells, knowing that if it doesn’t do something about this bacteria building up on the finger, it could get a whole lot worse. In contrast, the “smart” city approach, as is, does the opposite, they write. It’s “everybody for themselves” and misses the largest concern of them all: the economy.

Paul Ferrillo George Platsis

By Paul Ferrillo and George Platsis

Paul Ferrillo is a partner and shareholder in Greenberg Traurig LLP in New York City. He focuses on cybersecurity, privacy, regulatory and securities matters.

George Platsis is a senior associate on the cyber risk team at Susan Davis International. Independently, he also focuses on social engineering, data manipulation/integrity, and information dominance. Both are members of The #CyberAvengers.

Look all around and you’ll hear “smart city” this and “smart city” that. It’s the way of the future, we are told. Urban center problems will be solved; the internet of things (IoT) gadgetry will make our lives run more efficiently; and, basically, all will be well in the universe. All sounds great, but like the old saying goes: “If it seems too good to be true, it probably is.”

Let’s be blunt: The security concerns are real and the “don’t worry, we got this” approach has not been working. 2017 was a banner year for cybersecurity breaches, and anybody who isn’t drinking the spiked punch knows that our cybersecurity problems will get worse before they get better, even if we miraculously turn on a dime, start doing things differently, and get some national strategy in place that includes public- and private-sector involvement.

A large part of the problem is that there is no clear and unambiguous definition of what a “smart” city is. And whatever definitions we have seen, safety and security are usually afterthoughts. That’s why we think we should hold off going full throttle on the entire “smart” city plan until we put a few things in order. We’d rather slow this one down a bit to minimize the chances of traffic signals all showing green, HVAC controls suffocating you, and having a privacy disaster that will make the 2017 breaches look like preschool material.

To do that, we need a simple approach: Begin with the end in mind. Regrettably, we have seen many of our recent technological achievements come with some significant unintended consequence. For example, a decision made in the early days of the internet has effectively made the entire system inherently insecure. Social media, a platform that was intended to work between friends, governs our lives to the point where there has been psychological impact across generations.

We will not claim to possess the clairvoyance required to know what the next unintended consequence is going to be, but we know we can reduce the impact of something going wrong from a safety and security point of view.

This is why we look to create a safe, secure, and intelligent city, or S2I City. The “safe” and “secure” components are relatively straightforward, but the “intelligent” piece will need some explaining. As we walk through our approach, we are confident you will know exactly what we mean when we say “intelligent.” And we are walking you through our approach by design because we want to begin with the end in mind.

Know What You Are Building

Quick disclaimers about what S2I City is not. If you have followed any of our work, we describe cybersecurity in the following manner: network security + information security = data security. Keep in mind when we are discussing S2I City, we’re “network security” heavy. We’re doing this intentionally because the way we characterize information security, it has more to do with how information changes your life. Yes, we enjoy efficiencies and conveniences, but not at the costs of your personal freedoms and liberties. So, to be clear, our S2I City concept is to use algorithms to keep the trains on time and keep an eye out for suspicious network traffic that wants to derail the trains, not populate your news feed or influence your buying habits.

A second comment about what S2I City is not. Any serious security professional understands this concept well: “Secure” and “efficient” should never be used in the same sentence to describe something. Security requires redundancies to be built in. Redundancies are not efficiencies, though “smart” cities keep harping about efficiency. We’re not striving for that, as all that means is building more fragility into an overstressed system. Not smart.

What we’re going for is reliability, robustness, resilience and, ultimately, anti-fragility. That means efficiencies will not be the priority, but we’re willing to sacrifice a few nanoseconds in terms of latency to make sure your gas line doesn’t explode. And the only way to do that is to build a system by design and test it relentlessly.

Is this a more expensive approach? On the front end, almost certainly.

Will it take more time to build? Perhaps, but it’s going to take a lot less time to fix if something goes wrong.

With trillions of dollars at stake, and with a finite amount of resources, we think it’s a good idea to take care of these issues before we start throwing money. And we ask you to keep this concept in mind because it ties up our S2I City concept.

Build a System or Build Nothing

Think of the human body in its entirety. Is the human body still “a human body” if all you have is a hand? Or a foot? Or a brain? Obviously not. These independent pieces are subsystems, connected to other subsystems, connected to larger subsystems, to make one large system. That is how the human body works.

Right now we’re doing an OK job at building independent pieces, such as IoT devices, each all right at its specific task. You might be asking why we say “OK” and “all right” as opposed to something more reassuring. The reason is because most of these independent systems were built purely from a convenience (and generally low-cost) perspective, not really taking into account safety and security concerns.

We understand that good code is expensive to write and that nobody wants to pay $500 for a toothbrush, but as we plug more of these poorly designed toothbrushes into the network, we’re arming a fleet of drone toothbrushes that, if taken control by a nefarious actor, will bring us to a standstill.

Understandably, this can seem comical, but it’s not, as all these devices we plan to let rule us operate with similar challenges. Here’s why: A “smart” city simply can’t operate without these deployed devices acting as primary sensors for data inputs. If the sensor can’t accurately pick up the room temperature, it can’t send data to the control box that sets the thermostat to the most “efficient” temperature. Similarly, if the sensor picks up the right temperature, but that sensor reading (data) is altered, you’re not going to get the “optimal” temperature.

And we haven’t begun to address the ever larger problem: All these subsystems working together. Because these independent pieces were never designed to work together — “anti” by design — instead of the grace of an Olympic figure skater, we have spasms, discombobulations, and a total lack of coordination. Notice how this can get messy quickly as we keep on tacking on “things” on an ad hoc basis?

We did mention the system (the internet) is inherently vulnerable, right? Good, because we’re also going to tell you the infrastructure is aging and overwhelmed.

If we continue down the current path, we’re building even more fragility into an already fragile system. But our goal should be anti-fragile, something even better than mere robustness or resilience. Anti-fragility ups your game because it allows you to withstand shocks and become stronger from them.

You can’t do any of this if you’re not building a system and looking at how everything interacts with each other. That’s where the “smart” city approach has failed and where we look to fill the gap.

Get the Small Stuff Right

Now that the theory and concept are out of the way, how do we build S2I City? Since we have begun with the end in mind — safe, secure and intelligent — we now need to design it, and there is an existing concept that fits this mold quite well: security by design.

The concept is as straightforward as it sounds. When you are building something — software, hardware, you name it — your priority is security. You want to ensure the code or device is as impervious to attack as possible. And the only way to do this is through relentless testing. The National Institute of Standards and Technology’s SP 800-160 gives you a thorough understanding, but we’re going to give you a kindergarten explanation.

Think of relentless training like weight training in a sense. The only way you get stronger is by pushing yourself to your limits, going further and further, even when you think you’ve reached your limit. Granted, at some point everything does break, but you want to be “that strong” where you can withstand not only the majority of shocks that come your way, but those big wallops, doozies, and uppercuts that sucker-punch you like a Mike Tyson special. If you can take blindside shots from a heavyweight in his prime and still be on your feet, congratulations, you’re on your way to anti-fragile.

Here’s the thing: we do none of that for our IoT devices, nor for a lot of our software and hardware. A factory-default password is like saying to your opponent “I’m giving you a free shot to the breadbasket.” Unencrypted data transmission is like broadcasting where in the ring you’re going to stand next. Relying on signature-based intrusion detection systems is like asking your opponent, “Can you show me where you’re going to punch so I can block?” And failing to patch in a timely manner is like having a bad diet. There’s no way you can last, never mind win, if that is your game plan and training schedule.

So how do you win?

Start by understanding what’s going on in the ring. In other words, recognize that you need to:

  •  Acquire and produce authentic data.
  •  Transmit data security.
  •  Store data security.
  •  Interpret data, by both machines and humans, each of which requires its own safety and security considerations, plus privacy concerns.
  •  Screen, assess, and evaluate that data for bad or malicious activity, differentiating between false positives and actionable alerts.

Before you start letting the machines drive the buses and trains, figure out the stuff above first, unless you are looking to create a modern-day nightmare.

Life would have been a whole lot easier if we had some confidence measuring system for these devices, similar to an Underwriters Laboratories (UL). But that doesn’t exist. Note: We’ve been calling for one, even if we are naturally reluctant to burdensome regulation.

What we’re looking for is simple. Much like we can be confident that a hard hat with a certain safety mark will withstand a specific level of impact, we want some sort of safety mark that makes sure the IoT devices have no serious vulnerability.

This approach more or less takes care of the small stuff (the devices and various subsystems). But now we have the bigger issue: the larger system.

Build It (Right) and They Will Come

Let’s go back to the human body analogy for a moment. Say you catch the flu. Is it just one part of your body that is affected? Of course not, the entire “system” is. But the human body is pretty ingenious because it is a system. It has a “systemwide” defense mechanism — the immune system — to help when things go wrong. And it does wonderful things to try to help you get better.

If you develop an infection on your finger, your body doesn’t say, “Ah finger, go figure it out by yourself and make sure the rest of the body doesn’t get infected.” What the body does is produce a whole bunch of white blood cells to fight off any more bad stuff. It’s kind of like an “all-hands-on-deck” approach because the “system” is intelligent enough to know that if it doesn’t do something about this bacteria building up on the finger, it could get a whole lot worse.

In contrast, the “smart” city approach, as is, does the opposite. It’s “everybody for themselves” and misses the largest concern of them all: the economy. Whatever type of “city” we end up building, all these cities are subsystems to something bigger: the United States of America. If you can’t protect the economy, you put your security at risk. And here’s the paradox: If you’re not secure, you can’t ensure that safe environment that allows an economy to grow and prosper. That’s the “intelligent” part of our solution. That is what the S2I City approach ultimately looks to protect. The “intelligent” part ensures the whole darn thing doesn’t go all up in smoke just because a few dominos fell over.

So what are the practical ways to do that?

  • Security by design mindset. Simple.
  •  Create a confidence-giving authority so that only safe and secure products make it to market.
  •  Include some anti-tampering device on digital devices.
  •  No hardcoded or factory set passwords.
  •  No backdoors into the devices.
  •  Means to restrict use to only authorized users.
  •  Automatic firmware updates.
  •  Ability to deploy/receive/install patches in a quick and timely manner.
  •  Publicly available vendor history of installations, updates, flaws, and vulnerabilities.
  •  A clear understanding of product testing and supply chain security.

We understand there are many stones we have left unturned, but this is a lead-in piece to much larger concept, which is why we leave you with our Principles of a Safe, Secure and Intelligent Communications System that serve as the “rules of the game” in creating S2I City:

1) The system must not allow unauthorized or unintended interception, manipulation, and exfiltration of data.

2) The system must give equal attention to inside and outside actors.

3) The system must give equal attention to technical challenges and human interaction.

4) The system must ensure privacy.

5) The system must ensure multiple redundancies are built in.

6) The system must be modular, easy to maintain and upgrade, and not rely on any single source for operation.

7) The system must not have any single points that can cause cascading or catastrophic failure.

8) The system must be able to withstand continual disruptive attempts.

9) The system must be able to learn from disruption.

10) The system must endure regular and extreme stress testing, even during the design phase.

11) The system must be able to purge itself completely from unwanted, unnecessary, and malicious data.

12) The system must be economically tenable over time.

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security