Introduction to Smart City and Building Automation Security

The Internet of Things could make our cities more efficient, sustainable, and enjoyable – if we keep the technologies and the data they generate secure.

Our cities have evolved over hundreds or even thousands of years, but the technologies that will shape them in the future have – in comparison – appeared almost overnight. The Internet of Things (IoT) will change the way we live in and move around our urban areas. It will provide the data and insights we need to make our cities ‘smart’.

The Benefits of Smart Cities and Building Automation

In practice, that means deploying devices at scale and automating processes to improve all aspects of city life, from the way we manage our utilities to the monitoring of air pollution. Some initiatives are already helping us understand what might be possible. For example, a program to install smart traffic signals in the US city of Pittsburgh was expanded after initial research found adding sensors to existing equipment reduced the wait times at intersections by more than 40%, which cut emissions by over 20%. Automating temperature, lighting and access control in buildings is transforming people’s experience of their workplaces and minimizing energy use. While having access to real-time information is even enabling us to engage in society in entirely new ways.

Smart Cities

Smart roads and bridges, smart energy networks, smart utilities, smart street lighting systems

Building Automation

Energy management systems, building management systems, access management systems, connected lighting systems

Commercial IoT

Smart retail spaces, smart office spaces

IoT Asset Tracking

Smart stock-to-store asset tracking from warehouse to delivery, high-value asset tracking

Smart cities are the future – and analysts expect spending on these initiatives to almost double over the next few years, to reach $70 billion by 2026. More importantly, connected technologies can help city leaders, infrastructure operators and building owners meet the demands of a growing population and – at the same time – reduce our impact on our environment and improve our quality of life.

So, how do we move from the city of today to the smart city of the future? According to the McKinsey Global Institute (MGI), there are three layers to a smart city. The first is the widespread rollout of the technologies that help gather data, including smartphones and sensors. The second is the applications that turn the data that has been collected into “alerts, insight, and action”. The final layer is the widespread adoption and use of the technology and data by governments, businesses, and the public.

IoT Security for Smart Cities and Building Automation

However, people will only embrace new technologies if they can trust them and the data they generate, and unfortunately, well-meaning citizens are not the only ones that find them interesting. According to the UK’s National Cyber Security Centre (NCSC), a smart city can be an “attractive target for a range of threat actors”. That is because they are home to high-value assets, for example, our energy, water, health, and transport infrastructure, and the many organisations that have sensitive data to protect.

Therefore, it is crucial that every IoT device deployed in a smart city is built with security in mind. One building could contain hundreds, if not thousands, of connected products, so we can only imagine how many devices will be deployed city-wide. Overlooking security in even the simplest of them could expose an entire system to cyberattack. That will put organizations, their finances, people, customers, and their reputations at risk.

As Jan Münther, Head of Digital Product Security at ams OSRAM, explained in series one of our #beyondthenow podcasts: “We have lights in the medical sector, for instance, and in civil infrastructure. We have lighting on airport runways, and in the horticulture industry, or urban digital farming as it’s known. If we have our devices compromised in those settings, they can create very palpable damage. People might get hurt or companies could lose millions of dollars in income. That’s why we have to take security into consideration early in the device lifecycle.”

Our PSA Certified 2023 Security Report presents the results of our survey of more than 1,200 technology decision makers, the top driver for prioritizing security comes from customers, end users or service providers demanding security for those working on smart city solutions.

57% of those working in these sectors now think a security certification would be useful in deploying secure products and proving robustness to customers.

Best Practice Guidelines

When we asked decision makers for their insights into IoT security, 96% said they were interested in an industry-led set of security guidelines that could inform their implementation. Two-thirds of respondents to our survey went even further and said a framework would be useful.

Common frameworks help us democratize security – they ensure we are speaking the same security language and enable us to agree on what best practice in IoT security means. The industry can then develop solutions that align to that.

Trusted Components

By utilizing components that already have security built-in, device makers can overcome the challenge of scaling their security, which is particularly relevant in smart cities where large numbers of devices are deployed. For those serving smart city markets building with trusted components was the most important factor for implementing security.

So, how do we define trust in this context?

All operations within a device, especially devices being deployed at scale, must take place on components that have a critical baseline of security built in. The key to this is a Root of Trust (RoT). The RoT is built into the silicon and plays a foundational role by completing a set of implicitly trusted functions that the rest of the system can use to ensure security. Device makers can leverage the expertise of the ecosystem by selecting components that have a RoT built in. This simplifies their security journey.

Third-party Certification

Another important consideration is how to demonstrate to customers that a product has security built in. Independent testing and third-party certification can provide that assurance. External validation is becoming increasingly important. Almost half (45%) of the smart city respondents to our survey said compliance and regulation were key drivers for working towards certification with security labs. This is not surprising. More regulators and authorities are trying to break down the barriers to security so they can protect people from the potentially serious consequences of a cyberattack on their devices. For example, the NCSC published its Connected Places Cyber Security Principles, which provides guidance on how spaces should be designed, owned, and managed. At the time of publication, Dr. Ian Levy, the NCSC’s technical director was quoted as saying: “… I urge every individual and organisation establishing a connected place in the UK to consult our newly published cybersecurity principles. It’s our collective responsibility to ensure that our cities of the future are safe and resilient.”

Third-party certification also makes selecting trusted components more straightforward because it tells device makers what security credentials to look for. Almost all respondents to our survey see the importance of it – 95% said it could be valuable to ensuring a secure IoT.