The smart city is a digital image of the city in all its facets and arises from the desire to create added value for residents and visitors through the close-meshed networking of public services and commercial applications. A special feature of the smart city is that its IT systems and users are publicly accessible: unlike in companies, there is no protected area.
The individual sectors of the smart city are networked via data platforms and IoT systems and are centrally accessible to users via apps or web portals. To ensure added value for users, smart city applications must be intuitive to use and must not have any unnecessarily complex and time-consuming access mechanisms. Switching between different sectors must be fluid. Creating this mix of usability and necessary security will be a real Herculean task for municipalities and service providers in the coming years.
The Smart City Needs Multiple Lines of Defense
To best protect the smart city and its individual components from external attacks, the following four measures must be ensured:
1. Minimizing the human factor
One of the greatest security risks for companies, municipalities, and thus also the smart city is and always has been the people who live and work in it. Analogous to the lowered drawbridge, the unlocked door, or the open window in the pre-digital age, today it is still primarily the uninformed opening of mail attachments or phishing emails that makes it easy for attackers to carry out their attacks.
We need to install technologies that are understood and thus take people out of the attackers’ line of fire. An authentication system is an excellent way to establish the first line of defense for the user.
2. Strict access controls and use of software-defined perimeter (SDP)
To make the smart city a true fortress, it needs straightforward and rigorous lines of defense. Unnecessary systems and unused remote management functions and ports must be shut down to prevent attackers from accessing them. All network activity must be scanned and suspicious Internet traffic monitored using security incident tools to detect and stop attacks early. One of the most important measures to protect a smart city is the use of secure firewalls and software-defined perimeters.
Determining and controlling the type of traffic that is allowed to pass through the firewall is one of the most important ways to protect a network from potential attacks. SDP goes one step further and allows individual services of a smart city to be opened only to those who have the authorization to do so. The foundation is end-to-end authentication as the basis for all digital communication, including between IoT devices, sensors, actuators, and software components.
3. Modern security architecture for the smart city
To enable secure remote access to the various applications and offerings of the smart city, a modern infrastructure must be set up on certified servers, relying, for example, on Zero Trust technology. Zero Trust is the modern and much more trustworthy alternative to VPN technology. VPNs have been used for decades and can no longer guarantee protection in a complex digital environment such as a smart city.
They only provide a line of defense on the outside – once this is bypassed or cracked, the city’s systems are defenseless against the intruders’ attack. Zero Trust, on the other hand, remains vigilant inside the city and does not allow users blanket access to all applications and services but only to those applications that are needed at any given time. The accolade for the technology came recently when U.S. President Biden ordered U.S. government agencies to upgrade to Zero Trust.
4. Secure two-factor authentication without passwords
Two-factor authentication always consists of two different security components. Usually, these are possession components related to a specific access device such as a smartphone, a tablet or even a work laptop. We also always integrate a biometric component, such as a fingerprint or a retina or face scan, or a knowledge component, such as the PIN. Biometrics is particularly suitable because of the flexibility and speed of use, as is also known from the use of Apple Pay, for example.
During the authentication process, the cryptographic key material is released. The processing of the biometric features is carried out by the smartphone and not by the app. The app simply receives the response “Yes, the request was successful” or “No, the request was not successful” and then unlocks access to the cryptographic key material. The advantage of this combination of a possession component and a biometric component is that services can be accessed more quickly, finally making the easily forgotten or lost jumble of individual passwords obsolete.
If you consider that more than 11 billion combinations of user names and passwords are currently freely available on the Internet, it becomes clear that doing away with passwords altogether will make a major contribution to protection against cyber attacks.
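The passwordless flow described above, sketched as an added example that is not code from the article or from any vendor: the device releases its key only after the operating system reports a successful biometric check, and the service verifies a one-time challenge instead of a password. The class names, the device id and the shared HMAC key (a standard-library stand-in for key material held in the phone's secure hardware) are assumptions.

```python
import hashlib
import hmac
import secrets

class Device:
    """Possession factor: holds a device-bound key that is never shown to the user."""

    def __init__(self, key):
        self._key = key  # assumption: stand-in for key material in secure hardware

    def sign_challenge(self, challenge, user_verified):
        # The OS matched the biometric itself; the app only receives yes or no.
        if not user_verified:
            return None  # "no": the key material stays locked
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Service:
    """Smart city backend: knows enrolled devices and stores no passwords."""

    def __init__(self):
        self._enrolled = {}  # device_id -> device key
        self._pending = {}   # device_id -> outstanding challenge

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self._enrolled[device_id] = key
        return Device(key)

    def new_challenge(self, device_id):
        self._pending[device_id] = secrets.token_bytes(32)
        return self._pending[device_id]

    def verify(self, device_id, response):
        # pop() makes every challenge single-use, so a captured response cannot be replayed.
        challenge = self._pending.pop(device_id, None)
        key = self._enrolled.get(device_id)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    service = Service()
    phone = service.enroll("phone-1")  # constructed device id
    good = phone.sign_challenge(service.new_challenge("phone-1"), True)
    ok = service.verify("phone-1", good)        # biometric accepted, key released
    replayed = service.verify("phone-1", good)  # same response sent a second time
    blocked = phone.sign_challenge(service.new_challenge("phone-1"), False)
    denied = service.verify("phone-1", blocked)  # biometric rejected
    return ok, replayed, denied
```

Nothing in the exchange is a reusable secret typed by the user, so a leaked list of user names and passwords gives an attacker nothing to submit.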
Balancing Act Between Usability and Security
For a smart city to function smoothly, the IT systems of the most important participating players must be closely interlinked. The interaction between administration and service providers from a wide range of industries must be convincing at the interfaces. In addition, it is important that the acting systems adhere to publicly accessible standards and thus create an open ecosystem in the smart city. In the recent past, many smart city projects have failed due to the lack of uniformity in the data standards of the different systems.
To be successful here, close cooperation and constant exchange with external partners is required. However, the Smart City Index of the industry association bitkom also lists promising model projects, such as those in Hamburg or Gelsenkirchen, on whose findings further efforts by the federal government can be built.
As mentioned at the outset, the security architecture of a smart city must under no circumstances restrict and slow down the digital lives of its users too much; otherwise there is a risk that the offerings will simply not be used and thus offer no added value. In addition to security, the smooth and intuitive usability of technologies assumes central importance in the planning of the digital city. In order to address the widest possible spectrum of users and ensure maximum accessibility, user interfaces must be designed to be clear, intuitive, and barrier-free according to WCAG Level AA+.
Despite maximum security, all processes and workflows must be efficient and transparent, taking only a few seconds to complete. The use of two-factor authentication with the matching of biometric characteristics, as well as the system-side device lock to secure apps, creates a high level of acceptance and trust among users.