RSA: Securing Smart Cities - no turning back

Industry giant, Dr Taher Elgamal spoke at RSA's conference on his idle thoughts of the future of smart cities

Abu Dhabi is set to be one of the world's first smart cities
Abu Dhabi is set to be one of the world's first smart cities

"It's a good thing to think about in my free time, I suppose," said Dr Taher Elgamal, opening yesterday's talk at the RSA conference in Abu Dhabi considering the subject of Smart Cities. The fact that Dr Elgamal does this in his free time shouldn't be taken lightly - the good doctor has been at the source of cyber-security since day one. His day job is CTO for security at Salesforce.com, but clearly he has other things on his mind. After getting his PHD in cryptography during the 1980s, Elgamal joined up with Netscape, one of the world's first browser companies, before going on to a series of jobs on the bleeding edge of the then-nascent cyber-security industry. In a nutshell: he's known as the "Father of SSL." He is. Look it up. So the fact that he thinks about smart cities in his free time is no small thing.

There were few more fitting places to discuss the problems involved in turning major urban infrastructure into a computer than the RSA conference in Abu Dhabi.  

Abu Dhabi is set to become one of the world's first smart cities, with much of it's major infrastructure, electrical grid, public transport and security services set to be linked up and let loose. You could call it almost the full realisation of the IoT, the point at which there is no meaningful difference between the data we now deal with through our laptop screens and the world we experience. This fact was not lost on Dr Elgamal, who plainly stated that, "the problem with smart cities is that we're combining the virtual world with the physical world."

It might be worth remembering that Abu Dhabi is doing this at a time when most IT professionals are still trying to figure out what IoT even means for them.

However vulnerable or resilient the city might be at outset, it's clear that securing a city's data is not the same as securing an Ipad's: "Hacking a phone is not the same thing as hacking a car," said Dr Elgamal.  The differences are clearly profound, the implications of a breach of the former could, at worst, result in data being stolen or abused. It's not hard to imagine how a breach of the latter could result in human tragedy.  

Cities are not computers and shouldn't be treated as such said Dr Elgamal.  The problems of e-commerce for example don't at all resemble the problems of a networked electrical grid.

The cyber-security industry's problem is it's love of walls. But, said Dr Elgamal, we've known for 3,000 years that even if the wall can't be crushed or scaled, your fort can still be snuck into. There's a reason we call them trojans.

The problem faced with cities is the amount of data, the millions upon millions of pieces of almost anonymous information which a smart city would process every day: “Everything looks like anything in this new, interesting world.”

For cities, walls can't be the starting place: “The firewall does not look inside”, it merely blocks everything, which seems to defeat the smart city's very point. Perhaps, a more contemplative approach might serve us better, said Elgamal: “We have to think of what we are afraid of before we can protect ourselves.”

"Let's not start with firewalls and intrusion detection," rather, said Elgamal, we can start looking at threat modelling and analysis. This might start by making the end nodes smarter - for example, if you had several cameras placed up and down a residential street, the smart city should be able to learn what qualifies as 'normal' behaviour there. Those who live or regularly visits that neighbourhood, would learn, for example, that No 32 regularly gets deliveries on a Thursday. The fabric must be made strong: these end nodes must work and learn together to establish the conditions of its overwatch and what this neighbourhood requires. This kind of system would allow intelligible data to be sent back to any central correlation engine instead of the random vomit of information that individual security cameras might provide to the smart city.

As e-commerce enabled fraud by its mere existence, so will smart cities enable its own abuse. That doesn't mean we should shy away from them, but it does mean the application of this potentially revolutionary way of managing cities needs some thought.

Concluding, Elgamal reminded the crowd that when it comes to technological progress you are either on the train, or standing on the tracks. Whether this is a regrettable situation is not the point; this is happening and there's no turning back.