Smart cities: time to think through the risks

Nicolas Reys

Technology enabled smart cities promise to transform the provision of urban services, but carry the potential for severe threats to security. City planners must start thinking through the risks, says Nicolas Reys, cyber security lead for Control Risks

Faced with rapid urbanisation, city planners are turning to technology to solve a wide range of problems. Smart cities is the term for the outcome of this deepening integration between technology and the urban landscape. 

Smart cities are set to fundamentally change how many of us experience the world. In practice, this transformation will arise from the combination of three technologies: inexpensive logic controllers; millions of sensors connected to devices dispersed across a city; and networks that connect everything together. But although smart cities enable the more efficient provision of complex urban services, increased connectivity carries with it potentially severe cyber security risks. City planners would do well to start thinking about them. 

How smart is smart?

The potential benefits of smart cities are numerous. For instance, a city’s electricity infrastructure can be significantly improved with ‘smart meters’ which provide real-time data, via an internet connection, to consumers, suppliers, and authorities. This would allow better management of the power supply by tailoring it to demand, thereby reducing the costs and outages which blight many traditional analogue cities. These benefits are replicable across almost all domains of urban life. Cities such as Amsterdam, Barcelona, Santa Cruz and Stockholm have all started to incorporate elements of a “smart grid” – or a network of interconnected sensors within the city – across energy provision, transport systems and telecommunications infrastructure.

New city, new risk

Smart cities are dependent on machine-to-machine (M2M) interactions. This is partly a result of the sheer speed with which associated calculations need to be completed. In the case of a smart energy grid, it would be impossible for a human operator to process all the data necessary to make decisions at the speed required. However, while M2M decision-making (M2MD) is an unavoidable feature of smart cities, it is also one of their greatest vulnerabilities.  

The risk of a cascading error is especially acute. A cascading error is a small mistake which spreads through a system and becomes a systemic risk. For instance, if a minor bug caused a smart electricity reader to transmit inaccurate data readings to its control centre, this could lead to an automated (and mistaken), assessment that a company’s premises required increased power. This would necessitate rerouting energy to the building which would raise costs for the affected company and would reduce the energy pool available for everyone else. On a bigger scale, the consequences of such cascading errors could prove calamitous. 

Smart cities and cyber threats

Smart cities also provide cyber threat actors with a large – and tempting – attack surface. Cybercriminals, hacktivists, and even sovereign states can all exploit smart cities for nefarious ends. 


Smart cities are a boon to criminals capable of deploying self-propagating malware. ‘Worms’ injected into the digital fabric of a city might be used to acquire healthcare information, social security numbers and banking credentials. Were attackers able to successfully hijack these systems they could then be used for powerful distributed denial of service (DDoS) attacks or to hold an entire city for ransom in extortion attacks.

Cyber activists

Smart cities provide cyber activists with a big surface on which to be a nuisance – or worse. Hackers might simply deface a city’s billboards, but at the extreme end they can attempt to destroy cities’ physical infrastructure. 

The potential destructiveness of a cyber-attack on smart cities is such that even its mere threat is likely to be viewed by governments and businesses as existentially significant. When capricious and uncontrollable cyber activists have the power to cause widespread material damage, the security of smart cities becomes essential to their survival. 

Nation states

As well as criminals and activists, state actors can also pose a threat to smart cities. For instance, belligerent states can interfere with the traffic management system of foreign cities, with the possibility of causing substantial damage. Similar scenarios are conceivable for the interruption of energy supplies or water networks. 

Securing the implementation of smart cities for the private sector

Smart cities offer clear benefits, but they are also burdened by risk. Businesses and city planners can take a number of precautions to ensure a smoother implementation process and, ultimately, more secure infrastructure. 

Prioritise the security of critical assets: Contemporary networks are already impossible to protect in their entirety, a problem which will apply equally to smart cities. Some components of the system will have to be made more secure than others. Public and private sector organisations will need to work together to identify cities’ critical assets and oversee the institution of appropriate security measures.

Behaviour based security: Auditing millions of separate devices for signs of malware simply isn’t feasible. A superior approach would be to evaluate the behaviour of smart city components and systems against an established baseline of normal functionality. Any deviation from the norm above a pre-determined threshold would trigger an investigation into the possible presence of malware on the subcomponents. 

Rapid component replacement: Given the potential for component failure or attacks compromising these components, an automated replacement system will enhance the security of the whole system. Although difficult to apply to critical components without full redundancy, such measures would be suitable for low-level, relatively isolated components.