Local government can expect a rude awakening from dreams of excellence and efficiency promised by the Internet of Things if it skimps on security, warns Reuven Harrison.
Across the developed world, central and local governments are increasingly shifting public services online.
As well as giving them the ability to offer citizens a faster, more convenient way of accessing information and services, they can also provide a far greater range of services at a far lower cost.
In recent years we’ve seen public-sector web sites evolve from simple, static pages providing basic information into truly interactive portals that are directly linked to back-end systems and applications.
This has enabled citizens to update their details directly, apply for things like passports, parking permits and driving licences, book hospital appointments, track their applications, make payments and more – all without the need for paper forms or lengthy phone calls.
As a result, public bodies have by and large been able to improve efficiency and levels of service despite dwindling budgets.
Automated cities, a double-edged sword
Fast forward a few years and the sector’s reliance on Internet connectivity will take a further giant leap – into the realm of ‘smart cities’.
The proliferation of Internet-connected devices will allow councils to do such things as monitor and control traffic flows, street lighting, irrigation and energy use in real-time – centrally, intelligently and increasingly automatically.
Already, pioneering smart cities like Barcelona are showing the rest of the world the sort of things that can be done.
Vulnerable citizens, such as those with ongoing care requirements, can be fitted with Internet-connected monitoring devices that alert carers to any issues as soon as they arise.
People can use mobile apps to find the nearest free parking spaces or be routed around traffic congestion.
The possibilities are endless.
As well as improving the level of service they can offer to citizens, smart cities are also achieving impressive cost and energy efficiencies as a result of these initiatives.
In other words, the growth of online connectivity is a win for citizens, public-sector organisations and the environment alike.
Unfortunately, it’s also a win for hackers with criminal and malicious intent.
When public-sector websites simply provided informational resources, they were relatively easy to secure and the risk of any damaging intrusion was minimal.
Generally, they stood alone from other systems in the network and there was no way a hacker breaching a website could access more sensitive systems and data.
But as more and more public-sector systems and devices are connected to the Internet, not only does the task of securing them effectively become magnitudes more complex, but failing to do so could have far more damaging consequences.
For example, hackers that find a way in could gain access to citizens’ sensitive personal information – financial information such as bank and credit/debit card details, healthcare records and pretty much everything they need to steal an identity or blackmail someone, for instance.
They could amend or delete vital records or otherwise sabotage systems, whether for the purpose of committing theft, fraud or wanton disruption.
More worrying still, as smart cities take hold, there is a huge potential for cyberterrorism.
Imagine the havoc someone could cause, for example, if they gained control of an entire city’s lighting, electricity, water or traffic-control systems.
Building a robust and manageable defence
Clearly, ensuring any public-sector systems and services connected to the Internet are effectively secured at all times must be a top priority.
It is no coincidence, for example, that in the US the Pentagon is spending $23 billion on network security initiatives over the next four years.
Unfortunately, other public-sector bodies don’t have the same investment latitude or political clout, and as the number of connected systems and devices proliferates, keeping systems secure is becoming increasingly difficult – especially for resource-strapped public bodies.
Public-sector network security managers are simultaneously expected to optimise firewall performance, reduce management overheads and adhere to security standards such as PCI-DSS.
Every time a new system or device is connected, or something is changed, it can potentially introduce new vulnerabilities elsewhere in the network.
And since no system can ever be guaranteed totally free of vulnerabilities (would-be intruders find new, previously undiscovered security holes all the time), organisations must do more than try to prevent hackers getting in – they must also ensure they can be stopped from doing significant damage when they do.
That means ensuring sensitive data is encrypted effectively, networks are properly segmented and access is strictly controlled.
Already, this can result in hundreds of changes a day to various firewalls and security systems across the network and its various sub-networks.
Trying to manage this manually, as many public-sector organisations still do, is increasingly impossible.
The potential for human error and omissions is huge, and is becoming ever larger as the complexity of public-sector systems and networks grows.
The solution rests in automating the process of designing, provisioning and analysing network security changes from the application layer down to the network layer.
Software tools can be set up to understand an organisation’s security and compliance policies and ensure every component of their sprawling networks continually adheres to them.
The programme fully automates the task of configuring everything correctly whenever there’s a change anywhere on the network.
When deployed across an organisation these tools will considerably mitigate the risk of public sector organisations of taking services online.
If we truly want smart, automated cities, their introduction must go hand-in-hand with smart, automated security.
Reuven Harrison is CTO and co-founder of security policy orchestration supplier Tufin
