Civic leaders around the world are looking to automate the infrastructures that make their cities run in a drive to reduce costs and cope with rising populations. From transit networks and utilities to refuse collection and street lighting, connecting services to the internet is proving an appealing prospect for those in charge of cities and large towns. In fact, UBS predicts that Asia’s smart city market could reach US$800 billion in 2025, leading the continent’s fourth industrial revolution. The UN projects that 66 per cent of the population in Southeast Asia will be living in urban areas by 2050, and many of its cities are looking to smart solutions to address their challenges. However, in their rush to automate cities, civic managers need to ensure that they also build in cybersecurity that will protect them from threat actors wishing to create chaos for their own nefarious ends. The severity of the threat Looking to connect any of the infrastructure under their jurisdiction will be an unknown territory for many civic leaders. To understand the types and scale of threat their newly connected networks could face, city managers should look at what has happened elsewhere. For example, North Korean hackers managed to retrieve nuclear reactor designs from power plants in South Korea and India using software vulnerabilities and phishing attacks. This is a concern as it does not take long once a threat actor is in an information technology (IT) network to move laterally into the operational technology (OT) that a smart city runs on, if there is not proper segmentation between the two. This is a lesson that other sectors have learned, to their cost. In Asia-Pacific, 88 per cent of organisations have experienced at least one Internet of Things (IoT)-related security breach, the highest rate in the world. A joint study by Microsoft and consultants Frost & Sullivan also found that 67 per cent of organisations across Asia-Pacific have experienced lay-offs following cyberattacks. However, civic leaders face a major hurdle in that much of the technology they would use to create smart cities has been built with maximum connectivity in mind – leaving security researchers to point out that this exposes vulnerabilities in those IoT connected devices. Can China outsmart US in the race to build smart cities in Southeast Asia? Once these devices are active, they often run on operating systems that have significant vulnerabilities that are, in many cases, challenging to patch or no longer supported. For instance IPnet, which supports network communications between computers, is still an integral part of the operating systems of many smart devices used in connected cities, despite not being supported since 2006. When combined with the reality that there are likely to be hundreds of thousands of these devices connecting to an OT network, that presents a large attack surface for threat actors to exploit. The situation is likely to be exacerbated by the roll-out of 5G networks, which not only provide a better way for devices to connect to the OT network, but also cybercriminals. What might be attacked? More or less anything that is under the jurisdiction of civic managers can be made more efficient and cost effective through automation and connectivity. However, with each service that is brought online, smart cities are exposing themselves and their citizens to the potential risk of catastrophic events that could have a devastating and long-lasting impact. Take street lighting for example. By 2026, the Asia-Pacific region is set to be home to a third of all smart street light installations worldwide, the bulk of which include central management systems. Street lighting is vital for towns and cities as it helps enhance quality of life, improve public safety, and reduce traffic accidents. Studies show that in areas where street lighting has been improved, road collisions fall by 30 per cent and the severity of injuries is reduced by a factor of three. However, in the event of a cyberattack knocking out the street lighting system, the well-being – or even the lives – of commuters could be in danger. There is also the reality that alongside the potential to cause chaos across a city, cybercriminals are likely to want to break into these systems to steal the significant amount of data, including personally identifiable information, on which they run. Reducing risks So while connectivity and automation have the potential to drastically change how cities are managed and how people live, these advantages can be wiped out by a single cyberattack. As such, civic managers must make cybersecurity a priority when looking to make any infrastructure “smart”. However, public servants often lack cybersecurity expertise. In 2018, Singapore faced what authorities dubbed the “most serious personal data breach” in its history when the personal information of 1.5 million patients was leaked in a cyberattack, which was attributed to system vulnerabilities and weak passwords. This means existing staff must be trained to be “cyber aware” so that their actions do not endanger the security of city networks. Planners must also recruit or train a cybersecurity team that is able to understand the difference between managing and protecting IT and OT networks. The other piece of the puzzle is to invest in technology that provides detailed oversight into everything that is on a city’s IT and OT networks. Knowing granular details such as a device’s make, model, operating system and IP address through to risk level and update schedule, the IT security team will be able to identify and mitigate any vulnerabilities in their networks. This requires specialised solutions. Security professionals need to know how to detect network anomalies. This requires continuous automated monitoring that can present contextualised alerts ranked by level of severity, providing security teams with all the information they need to tackle potential risks in priority order. Such solutions also help to reduce the amount of time wasted dealing with false positives and low risk alerts. When building physical infrastructures, a key consideration for civic managers and leaders has always been safety and security. The same now has to be true when building OT infrastructures. In this way, smart cities can be created that provide all the advantages to their citizens rather than to cybercriminals. Galina Antova is the co-founder and chief business development officer of Claroty, a company that offers an integrated suite of cybersecurity products to help engineers, operators, and cybersecurity professionals to protect complex industrial networks. Purchase the China AI Report 2020 brought to you by SCMP Research and enjoy a 20% discount (original price US$400). This 60-page all new intelligence report gives you first-hand insights and analysis into the latest industry developments and intelligence about China AI. Get exclusive access to our webinars for continuous learning, and interact with China AI executives in live Q&A. Offer valid until 31 March 2020.