In a previous article, I talked about how we need to build a smart identity for a smart city. The article, hopefully, pointed to building a perspective on what smart actually means. But, smart cities are built up from many smart pieces. These ‘smart pieces’ are really just an evolution of our current critical infrastructures (CI). The U.S. government, have named 16 essential sectors that come under the heading of ‘critical infrastructure, this includes transportation, energy, healthcare, and water. We are currently living through a movement from, once, disconnected and distinct, sets of CIs, to highly connected entities. Each area of CI, each sector in the smart city, will be directly, or indirectly linked. And, the glue that binds them is data. I believe that because of the criticality of data within the context of a smart city, perhaps data should be viewed as a critical infrastructure in its own right and even given ‘superstructure status’.  

The Trouble with Being Big

Critical infrastructures are like the gold at the end of the rainbow for cybercriminals and hacktivists. Hit a CI, then sit back and watch the repercussions roll in. This is what happened to the energy sector in Ukraine which was infected by the CrashOverride malware designed to attack substation automation technologies. The lights went out for an hour only, this time; but as we all know, cybercriminals like to play with us and test the water. Imagine the action of a similar mindset within a hyperconnected infrastructure based on data. It would be like children in a sweet shop. The smart city has to use data to make it work better. In doing so, smart cities have to connect up the underlying CIs in a collaborative feedback matrix of data sharing, analysis, and optimization of services. This is a positive and vital move forward in a world that is rapidly changing. But in doing so, we are opening up massive holes in those infrastructures. An attack on the data superstructure may well bring down, not just one area of a CI, but the entire city.  

Bringing Down the City

A smart city is only as smart as the data governance it has in place. This has to cover the entire lifecycle of these data, from collection, through to storage, analysis, and dissemination. Regulations like GDPR, which may seem onerous now, are actually a good way to discipline ourselves for data governance on a hyperconnected scale. If an adversary decides they want to cause havoc within a smart city, they would need to look no further than attacking or disrupting the data sources. An attack would happen, just like in Ukraine by carrying out an initial test on the smart data vulnerabilities. Cybercriminals are, even now, building up a model of how to apply multiple attacks across the data surface to get the most devastating outcome. The interconnected nature of the smart city is both its superpower and its Achilles Heel; the data that city depends upon is its weakest link.  

Building the Smart City Walls With Good Data Governance for Smart Cities

In the smart city, disaster isn’t just about the lights going off in your home for an hour. It has the potential to cause mayhem in hospitals, cause gridlock on roads, change the settings in a water treatment plant to allow sewage into rivers, close off our communications channels, and override security systems in chemical plants. NetApp alongside analysts IDC produced an interesting global survey about how data is driving digital transformation - citing as an example, GE’s digital wind farm which can produce a 20% increase in efficiency.  The report concludes with a list of industries impacted by the new era of data-driven industry. The list coincides with the current view of what constitutes a critical infrastructure. This is no coincidence. In the smart city, data is the new critical superstructure that operates across our traditional CIs and in doing so, creates a funnel into them all. Protecting the smart city walls is not just about the protection of individual CI components, it is also about ensuring that we protect the data that allows those components to operate. We have watched as the enterprise perimeters smashed wide open when we connected across organizational digital barriers. Now data is creating a new perimeter. Only by having a robust data governance stance can we hope to, not only protect our individual critical infrastructure sectors but the city and its citizens as a whole.