EDITOR’S QUESTION
MIKE LLOYD,
CTO, REDSEAL
Smart cities will either be flexible or
secure – they are not at all likely to
be both. Why? Cities are sprawling,
complex affairs – they change and
grow without central control. Indeed,
attempts to build centrally planned
cities have generally been disastrous.
Historically, cities only work when
many individuals can all optimise
independently for their own goals and
objectives, without central control.
Smart cities are the same – they are still
organised by humans, no matter how
much centrally generated technology
we add. Those many, independent and
chaotic humans come up with novel and
effective solutions to problems, but they
also keep the rules of the game in flux.
This means builders of smart city
technologies need their solutions to be
flexible, not cast in stone – they face
an environment more like that of boats
on choppy seas, not skyscrapers fixed in
bedrock. But cyber security history also
shows that flexible technologies tend to
be the least secure.
If a given technology does not know
in advance exactly which other
technologies it must interface with,
it has to have open interfaces which
the surrounding environment can and,
inevitably, will change. These open
interfaces cannot be nailed down to say
“only authorised technology X can talk
to technology Y, in the following
precise way.”
Instead, technology Y will be open,
in case X is replaced with a new
technology, or needs new features and
capabilities tomorrow.
The need for this flexibility is only
amplified because of the massive
financial costs of replacing deployed
78
INTELLIGENTCIO
equipment around a city – you don’t
ever want to replace the hardware, so
you build the software so that it can
be changed. But securing a city is much harder – it’s
a sprawling, complex environment with
more interactions than humans can
easily track.
This flexibility brings huge benefits in
terms of ability to change, and ability
to bring new and attractive features
that citizens want. But it also means
the attack surface that cyber terrorists
can use is extremely large. The good news is that automation of
security is possible – humans may not
be good at keeping track of how all
these separate technologies interact, but
software is excellent for this purpose.
The complex interactions of flexible
technologies is exactly the same root
cause for much of the bad security
on the Internet today. As an analogy,
note that securing a bank is relatively
easy – there’s a big vault, you put a
big door on it, you monitor who can go
in and out.
As we build smart cities, we need to
map their complexity, and automate
the detection and reduction of the
attack surface. We cannot expect
iron-clad security when the rules of
the game favour flexibility and lack
of central control – rather, we have to
manage down the risks that come with
all this innovation. ¡
www.intelligentcio.com