Mirko Ross, of Asvin.io and Digital Worx in Stuttgart hosted May 7th an online expert talk on Cybersecurity and Smart Cities – Where are we now, and where are we going.
Mirko Ross:
“Welcome everyone to this talk and to our three guest speakers:
Antonio Skarmeta – Professor at University of Murcia,
Rob Tiffany – Head of IoT strategy at Ericsson in Seattle
Giuliano Liguori, Cyber Security expert from GLWeb.eu in Naples Italy.
We will talk about cybersecurity in public spaces which is different than when we talk about IoT in general. What impact has this had on the development so far?”
Rob: “It’s been interesting following the smart city space over the years. I’ve watched quite a few things happen in my time. And there has been quite a few problems along the way, cyber security being just one of them. Certainly, old infrastructure is one problem. The realization with IoT is, that a lot of people imagined it was all going to be green field, futuristic projects and when they realized if you’re going to have success with that space you’re going to have to be preoccupied with old things like old infrastructure. It doesn’t seem as fun and exciting when we’re told, you’re going to spend the next 10 years retrofitting old things.
It’s the same no matter what country we’re in, there never seems to be enough money for the projects that should bring us all the way. Old things get left behind, and I think we see that across the board. You certainly see it in cities. If you want new and sustainable cities, well good luck.”
Giuliano: “We may not be as up to speed as many cities in Europe and the US. Italy have many small and medium size cities, and then there is Rome, Milan and Naples, which are very big cities with a lot of resources being poured into especially Milan. We know in Naples that the major efficiency improvements are necessary. We are up against poor connections between physical and digital systems, we are challenged in areas of transportation, water, power grid and waste management. In the previous stages of smart cities, we have made extensive use of information technology and computing, now we talk about IoT and how we hope this will bring us forward in transforming the urban spaces. We will build a link to the physical world and we’re only at the beginning of this.
But, the question for today is not whether the smart cities of the future will be smart – all Italian cities are waiting to use these advanced technologies, to improve their infrastructure and their public service – the question is whether they will be cyber safe.”
Mirko: “Antonio. How do you work with this agenda in Murcia? Murcia may not be a big city, but it is innovative in terms of smart technology. It is advanced in terms of practical execution is it not?”
Antonio: “Murcia is a very innovative city despite its size. There is a big initiative that has been going on for a while, building the smart city focusing on the end-users, building a smart city platform and this is possible primarily because of the a collaboration between University of Murcia and the city.
But, we were talking about cyber security. Since we started talking about smart cities, the discussions have changed radically. Now the focus has moved more to the data management of the city and how it is collectively used, by the municipalities, by companies and for research purposes and the impact of the deployment of the IoT technologies.
It is important not to focus just on the technology side. In this effort, we must consider how other people, work e.g. people employed by the city, to understand that they have completely different priorities. You have to engage them and make them see the difference it could make to the city and the daily lives of the citizens. We work with the local police and there we can clearly see two trends. We have the younger generation of policemen and women, who are pushing for the introduction of the technology, because they see how it will help them. It could be in their work with cyber-crime, where it is obvious to them how technology can help them work more efficiently, faster yes, but also with a much higher success rate. The older generation generally do not see how this is making such a difference and are more reluctant to embrace it.
You have to design the process around the organizations, new buildings and structures being created, how the existing ones are update, and then take into account how the additions of technologies are managed, thus making a path for the new technology and the management of the data it provides. The lamp post is an example often used in this context, a construction which is maybe 30 years old can have a second life, as a fixture for new smart devices. It creates this very nice image of what is happening in the city. You are creating a new infrastructure over an old one. But the truth is, it badly needs to be updated, and this is creating problems not only through the impact of the technology in itself, adding functionalities in the form of sensors to an existing structure introduces stress on the city in terms of an increasing demand for power and data infrastructure.”
Rob: “I can relate to what you are saying Antonio. A lot of people do not understand why it is necessary to invest in new things like 5G. In the US we have a lot of small cities, and in each city you’d have to, as we say “face city hall” and convince them why we should invest in this new infrastructure. Some decision makers do not want to change, they think things are fine the way they are. And some just have very specific budgets, that do not apply to investing in cool new things. And 5G is very different than the other generations of network. Normally you would simply update existing network towers, that are already everywhere. You could update them to go faster and farther and things like that, like you saw with LTE, but you can’t with 5G. It will face issues when you talk about having multiple dense small cells in urban areas.
There are low-band frequencies for 5G and others, which is below 1.5 Ghz, which will travel many kilometers, but it will not be as fast. There is mid-band between 2.5 Ghz. and-, which is kind of like the sweet spot in the middle, which goes much faster, much further and then we have the 5G network which is the super high frequency. It goes incredibly fast, but it does not go very far, and it can’t penetrate buildings very well either, which is why we need the many small cell structures.
So it becomes a real-estate problem. A money- and leasing- and “I need to put this here”-issue. It should be interesting to see how this plays out.”
Antonio: “In the area of cyber security there is a challenge that should be taken into account which is that the 5G impact also means an added risk of cyber attacks or vector attacks, which has to be considered in an increasingly decentralized world. So possibly a new component is needed to address this. We are moving from a centralized world to one that is much more dispersed. How the cities will react to these new challenges is an obvious worry.”
Mirko: “It is a multi-dimensional challenge. The more we go into it, the more we are exposing the threat landscape. You cannot keep hold of all stakeholders. It would be nice if everyone did their best to be mindful of cyber security, but we already see in industry that things are not really working like that.
I had this revelation in California, where the tech-companies paint this picture of them creating this brave new world, and in reality, the industry consume ¾ of the band-width in the state, and where does that leave the cities? The gap between tech industry and cities are growing. And then we have countries like Spain and Italy, who may have even more work to do yet.”
Giuliano: “We have different layers of development of infrastructure. We have one situation in the north and another in the south. Our country has not pushed this agenda for too long, and it has created two realities. Milan is like a virtual creation of a smart city, here they are far along with 5G and fiber. But, in the south it is much different. Much work still needs to be done. 5G needs a lot of service and high power. It demands investment on a level we have not seen yet.”
Antonio: “The deployment of IoT and deciding which solutions are more adequate for the best possible data collection is the most challenging we are facing, I would say. A lot of cities are already working with the network that they have, but it will not be enough. A smart city needs a new infrastructure for this. We are already working towards an improved understanding of what low-band technology is needed. We experiment with LoRaWAN networks, we are talking about narrowband IoT, and we are looking into the suppliers who can provide that. Murcia is not a small dense community, it’s very wide-spread, so that’ll make it difficult. We are even looking into using satellite communication for the IoT.”
Mirko: “Coming back to the project “The IoTCrawler”; like you said you have many assets in your city, you have many data points and you are looking into how these devices can be searched in ways that are different from Shodan, which is a different search engine which can look for IoT devices. Shodan will try to figure out if there are open ports or open data and other privacy unaware stuff. In the project, you try another way of crawling IoT data, right?”
Antonio: “I think what you said, makes a good starting point for describing the IoTCrawler project. We are going in the absolute opposite direction from what you described. With the IoTCrawler you can search for everything that wants to be searchable, and not just the devices that are open and that are there. Our goal is to embed some capabilities into IoT devices that allow them to control, who are trying to get information from them, if they are able to get all or part of the information, we put in place this kind of control system, that allows the communication to be secure and at the same time we can control efficiently how the information has been disclosed. We beginning to test this in real scenarios in the city and other domains, while we are working on solutions. For instance Mirko, you are working on this innovation on how to boot-strap secure the devices, when you make the deployment, how to securely update the software of the devices with respect to the fact that you are using wireless technologies, which are traditionally constrained in terms of band-with and reach, and also the connectivity should be resilient.
First of all, we are using these experiences of the municipalities and companies to test and then evaluate what are the best solutions that we have, what should we deploy first? And second, how do we increase the security of the entire procedure, from the bootstrap to the commissioning and the operational part? Basically, we are improving the life cycle of the device operation.
And it is difficult to describe just how vast an improvement we are talking about here in terms of security. The present situation is that sensors are being used out of the box also by cities, with ordinary admin/ password security settings. The security agenda is being set by the manufacturer, and that is not exactly securing anything.”
Mirko: “Rob this should be interesting for you, or the US if you will. Is it not true that California has issued a statement that an IoT device cannot be deployed for a city using only the company setting?”
Rob: “That is correct. For a good reason. You may agree or disagree, but it is widely recognized that the IoT device is always the weakest link in the chain, when we talk about security. Always. It does not mean that there cannot be other weak links, whether it be default passwords, or what have you. When I worked with Microsoft with Azure, we had a simple design principle saying a device can be outbound only as far as connectivity. There was no such thing as a device that would ever be listening. I have seen people basically create open access devices, and it is like having a device online saying come: “I’m open, Come hack me.””
Mirko: “But that is an engineering problem. Once it was a non-connected world, and suddenly we use the same thinking applied to a new reality. I can only say: take care of your supply chains!”
Antonio: “The problem is in a way linked to the democratization of the IoT. It is now cheap and easy to buy the devices and start sending data to the rest of the world. Everyone can now do it. But what is the security impact? Normally people will not share their mobile data, but when we talk IoT devices, people will do all kinds of things, they will put a sensor on their roof or front door and start sending information about their home out to the world. It is a question of changing this paradigm. It can easily be set up, but it can also easily be subject to attacks.”
Mirko: “Do we need a proactive instance to turn off insecure devices in these kinds of networks? Do we need a device police? You do not have to say yes, but what do think of the idea? What are your thoughts?”
Antonio: “Maybe not to shut things down, but to show people what is happening. Something that shows you the consequences of having an open port. Make it obvious, that in a way it is like a video camera on your property. People can see through it, anywhere anytime and they can use the information later. Making more examples showing people the consequences, will be important. Then people will understand.”
Mirko: “You could compare it to a living body. The immune system is able to protect you, and to detect malicious outside dangers. If a smart city is like a living organism, we may be able to protect ourselves, but are we able to defend ourselves?
I am thinking of the insane number of American cities, which have been hacked and huge ransoms have been demanded, and this does not even involve IoT but regular IT. So, you can see what I am getting at.
Do we shoot the bad elements off the roof before they are used for evil? We see these things coming, how do we prepare?”
Rob: “You need device management on your IoT devices, because they are only secure at a certain point in time. Moving forward you no longer know if they are secure. Back to your IoT police, or Smart City police. Because, you are right. It is a very big deal, if you have a smart city where trains, traffic lights, everything is online and connected, it is much more dangerous to have this hacked. You need to mitigate them, almost in an automated fashion. We cannot expect people to be able to manage this anymore. We are past the era of people looking at web dashboards managing a city.”
Antonio: “I agree with that. We are saying everything can be hacked. But, in Europe we are countering it on different levels. Work has already started on a certification or labelling of IoT, which is going a bit in the right direction. The main problem we’ve established is, that you have no guarantee that a IoT device is secure, and what we are now hoping to achieve is to have sensors for cities, but also for homes and hospitals, tested and validated, acquiring a certificate of trust. And then in the future they will be re-tested and revalidated. That would really be fundamental to making people confident in buying and trusting privately sold devices.”
Mirko: “Let me bring both your points together and take it to the next level. We can do what you are suggesting Antonio, that is achievable. But, the way we are also talking about it in the IoTCrawler project is, that in a fully automated IoT world, devices have to trust devices.”
“I would like to give each of you an opportunity to give a final statement.”
Rob: “Where we are is a bit chaotic. We have devices that come from all over the place, we do not even know if we can trust those devices. Am I really who I say I am? There are so many things to do to get us where we want to go. And it is all about modernizing infrastructure. Power, fiber, connectivity, ensuring devices secure and that they are updateable and can be secured over the air. Having enough fiber, and – one of the features people rarely talk about when we talk about – 5G with an extra 100x capacity which is what we need actually, in order for IoT to work in a smart city. You need that extra capacity at a wireless level and a fiber level. Trusting not only devices but an AI operating a network on our behalf. It sounds crazy, and it sounds like a fun challenge.”
Giuliano: “As smart cities grow, we have to have more cybersecurity awareness. We must create an awareness program regarding data protection and security by default. And also as a user of the technology, it is our responsibility to ensure that it is designed, deployed and manufactured with the same strategy in mind.
The way I see it, the Smart Cities are our banks, we have to put money in the smart cities and to make as many precautions to keeping them as secure as our banks.”
Antonio: “I am cautiously optimistic about the future. Especially because of new IoT functionalities that are needed are likely to be introduced. I think we can assume that IoT will create a valuable impact in the welfare for many citizens. It is important that we work actively towards implementing these technological leaps, to design the cities in a secure way. Just like planning infrastructure for water, for electricity and so on, the infrastructure for IoT has to be secure for the citizens. Which is what we do in the IoTCrawler. In Smart City solutions you should strive to leverage the existing solutions that are available in security and IoT in broad scale, with the goal of making the cities IoT data easily available for those who need it.”
Mirko: “Gentlemen, thank you for your time.”