Crisis planning is integral to many cities across the planet and we see it in use when natural disasters strike. When the magnitude 9 earthquake hit Japan in 2011, previous disaster planning kicked in. But the response has been criticized because of the predictive limitations that informed the disaster recovery attempts. Other criticisms highlighted too much emphasis on using ‘hazard maps’ which were inaccurate. If our starting points are off point, then our disaster recovery will also be lacking. In our smart cities, which are intrinsically dependent on data, disaster recovery has to include data as a critical infrastructure in its own right or as my previous article outlined - the data superstructure. Controlling Catastrophe We are never going to stop catastrophic events, be they natural or human-made; so all we can do is be well-prepared for them. In a smart city, our very infrastructure is dependent on the data generated by citizens and our daily lives. For example, smart water is a critical infrastructure that needs lots of data to improve our city living. Smart water needs to analyze water flow, distribution, use metrics, and pressure; it is also intrinsically linked to weather and perhaps other, more behavioral-based data. Smart cities need to provide clean, always available, water to many millions of city dwellers. Critical infrastructures, like smart water, are also likely to be a sweet target for hackers. We have already seen the ‘testing of the waters’ in energy CIs like the attack on Ukraine’s energy grid by the CrashOverride malware. Or the unnamed water treatment plant where hackers adjusted the chemical mix used to treat tap water. Our critical infrastructures are under serious threat from cyber attacks and according to the World Energy Council are now amongst the top concerns of energy companies in North America and Europe. Having disaster recovery and planning in place is all part of creating a smart city. But modeling it so it is as accurate as possible, is part of the planning process. We have already built up a knowledge-base of information on our weak points. And, there is a lot of research on where the likely attack points in smart city critical infrastructure attacks will occur. Utilizing these will help towards more effective control, post-catastrophe. Smart Disaster Recovery in the Smart City - Extended PEN Testing? Smart cities are built on big data analytics - much of which is Cloud-based. These data have to be not only managed and organized well but protected too. These data run the city. They will ultimately be behind water clean enough to drink, heating to keep us warm in winter, and roads that are not continuously grid-locked. The cogs and wheels behind the smart city will be Cloud-based data, and having a disaster recovery plan in place for these data is crucial to keeping the city running smoothly. Disaster-Recovery-as-a-Service (DRaaS) is a new era way to manage Cloud data. In a useful article by Disaster Recovery specialists NetApp, they set out the main criteria for smart disaster recovery using a service model such as Azure Site Recovery (ASR) - it is analogous to having an umbrella over your data superstructure. One of the key steps is preparation and planning. But to plan accurately, you need to have an understanding of the infrastructure and model behind it. I believe that as part of this planning stage, a new extended version of traditional Penetration testing needs to be developed that can follow the data across its use in a smart city context to take into account both natural and human-made disasters. This data lifecycle testing should be able to incorporate both security and privacy checks. We should take heed of the mistakes we have already made when a disaster occurs. Having an accurate way of modeling a disaster and its aftermath will help us to a better laid out disaster recovery plan. As our smart cities begin to mature and take root, we need to lay down the expectations for managing the city when disaster strikes. Having a mental map of the data driving the city will go a long way towards having an accurate plan to recover critical infrastructures, if and when, these data are compromised. We are already experiencing the touch of cybercrime on critical infrastructures as they become ever more Internet-connected. We need to put full effort into the disaster recovery plans of smart cities now, or sit back and watch the cybercriminals take us hostage.