News & AnalysisNewsletterSecurity

Why Smart Cities are Sitting Ducks for Cyber Criminals

smart cities

Smart Cities are undoubtedly the future. With new technology and new developments in infrastructure solutions,  smart city enthusiasts have time and again predicted that living in a fully integrated connected environment will change how we live, commute, work, shop and pay our bills. On the dark side, several smart cities and establishments around the world have been hit by cyber threats in recent months and had suffered heavy losses. The latest in this category is Pimpri-Chinchwad Smart City project, whose servers were infected with a ransomware, in which attackers reportedly encrypted the data and demanded payment in Bitcoin for decrypting the lost information.

Tech Mahindra, which managed the servers, said in a police complaint that the project suffered a loss of Rs 5 crore and insisted that the loss was only a function of the hardware they would have to replace, and that no ransom would be paid.

A smart city, in many ways, is a treasure trove of data resources and critical systems which in turn makes it vulnerable to security threats. The inherent interconnectivity of smart cities makes them vulnerable to cyber attacks, which can severely disrupt operations and compromise a city’s critical systems.

An eye-opener for getting smarter, safer

Going by statistics, by 2050, about 70% of the global population will be living in cities, and India is no exception. The country needs about 500 new cities to accommodate the influx into its urban regions. In this context, Prime Minister Narendra Modi’s ambitious $30 billion 100 Smart Cities Mission has raised great expectations. However, the cities in India – that are often deemed smart – suffered significant drops in 2020 due to the detrimental effect of the pandemic, where technological advancement was not up to date.

Bruno Lanvin, President of the IMD Smart City Observatory that prepared the 2020 Smart City Index suggested that the cities that have been able to combine technologies, leadership, and a strong culture of security are able to better withstand the most damaging effects of such crises. Unfortunately, even hi-tech cities such as Mumbai, Bangalore, Hyderabad and Pune do not meet the expectations.

A recent Wall Street Journal report picked out four key areas that experts think will be of particular fascination to cybercriminals: sensors and data gathering networks, energy and water supply systems, autonomous vehicle systems and waste management systems.

“Smart cities are increasingly under attack by a variety of threats. These include sophisticated cyberattacks on critical infrastructure, bringing industrial control systems to a grinding halt, abusing low-power wide area networks and device communication hijacking, system lockdown threats caused by ransomware, manipulation of sensor data to cause widespread panic (disaster detection systems) and siphoning citizen, healthcare, consumer data, and personally identifiable information, among many others,” said Dimitrios Pavlakis, industry analyst at ABI Research.

“In this increasingly connected technological landscape, every smart city service is as secure as its weakest link,” Pavlakis added. Therefore, a strong cyber security infrastructure of India is the need of the hour that can be invoked in the case of a cyber incident.

So how to make smart cities safer

Not making cybersecurity and privacy a priority for city operations today is a mistake. The financial costs, loss of organizational credibility, damage to brand, severe disruption of services and pain to citizens it may cause make the stakes simply too high. As Dr Jonathan Reichental, a global smart city expert once said, “We shouldn’t be creating smart cities; we should be creating safe and secure smart cities.”

On speaking with various cyber security and smart city experts, we highlight a few strategies that can be implemented to improve safety and security of smart cities.

Biometrics for smart city security: One approach could be to implement biometric authentication processes for all cloud and end-point access. Access to sensitive systems and public personal data would then at least have the buffer of select biometric login, which although not foolproof, certainly enhances the overall safety and exclusivity of the network.

Regular auto-updates: In a large-scale city-wide IoT network it would obviously be near-impossible to manually update each device. Building in auto-updates would ensure that each device monitors its own health and auto-install any security patches or new software from authorized, trusted developers.

Compartmentalization: The compartmentalization of end-points ensures that each device can remain autonomous within the network, even as it is connected to the wide digital infrastructure. Isolating particular end-points can stop the spread of viruses or limit the moveability of a hacker within the network if a particular device is identified as the point of entry.

Multi-layered protection and authentication: Building in security by design can ensure that a smart city network is best placed to withstand any attempted breach or cyber-attack. Deploying a multi-layered protection system can make it a more daunting and less appealing hack task for any would-be intruders. Though not foolproof, multi-layered authentication can be a good supplement for one-step network logins.

Stopping the blame game

It’s natural to become angry and indignant when a breach occurs, and smart city breaches are no exceptions. The Pimpri-Chinchwad Smart City project has an estimated cost of hundreds of crores of rupees, according to a document on the municipality’s website. Elected officials fumed at the ransomware attack. According to an Indian Express report, Seema Savale, corporator of PCMC, said that the company did not do a good job of securing its systems, and that it was trying to evade responsibility.

The government official said that the municipality wouldn’t underwrite the losses Tech Mahindra suffered. “The PCMC will not pay anything to the firm. We have told them so.”

While breaches occur owing to some mistakes by some or several stakeholders and it is also fact every breach means some doorway may have been left open. But the balancing act that company leaders face isn’t easy. of us continue blaming organizations when they fall victim to a breach? It’s time for us to stop and more boldly advocate against pointing fingers at cyber victims, believe smart city analysts.

Dan Mosca, PA consulting cyber security expert, explains in his blog, it is vital that collaboration occurs between vendors, device manufacturers and governments to develop more stringent regulation around IoT security. Organisations and device manufacturers must adopt emerging standards and guidance to ensure systems are ‘secure by design’ and perform testing before and after installation to address any flaws. Furthermore, operators of active smart city technology must seek to understand the security issues facing their smart environments and systems if they’re to mitigate the risks before incidents occur.”

Cities of tomorrow will undoubtedly be smarter as the years go on but getting the security right will be the difference between a smart city and a secure city.

Leave a Response

Sohini Bagchi
Sohini Bagchi is Editor at CXOToday, a published author and a storyteller. She can be reached at