For most people around the world, cities are central to our lives and security. More than half of the world’s population lives in urban areas and that percentage is expected to grow dramatically over the coming decades.

Along with this influx into cities, though, come many challenges. Increases in energy consumption strain remaining resources. Increasing traffic congestion adds more pollution and lowers quality of life. Larger populations produce more solid waste and wastewater that must be removed.

In response to these growing challenges, cities are turning increasingly to smart technologies and applying them to all aspects of city life. These technologies offer the promise of increased efficiencies that can reduce the burgeoning problems of urban growth.

At the same time, though, smart technologies create challenges of their own. Vulnerabilities to cyber-kinetic attacks accompany smart systems, putting systems critical to our lives at risk of massive disruption. Furthermore, the massive volume of data that our interactions with smart systems generate creates serious threats to individuals’ privacy if not adequately protected.

Making physical objects in cities “smart”

One of my favorite descriptions of smart cities is from the British Standards Institute (BSI), which describes a smart city as:

The effective integration of physical, digital and human systems in the built environment to deliver a sustainable, prosperous and inclusive future for its citizens

Smart cities are made possible by connecting physical objects in them to digital systems to create cyber-physical systems (CPS). This is done by means of sensors that act as the eyes and ears of the system, gathering data that then is fed into digital systems for analysis to determine how best to optimize the physical output of those systems.

These CPSes increasingly guide systems in our cities: traffic management, transportation systems, energy distribution, water distribution, public safety, pollution control, waste disposal, wastewater treatment and more. The homes we live in and places where we work are also increasingly becoming digitized, and all these systems, in order to function, generate data.

Data are as much building blocks of smart cities as bricks and girders are of their physical components. They help us manage the needs of people living in cities. Think of the data that you generate on CPSes in smart cities every day.

Your digital assistant reports your schedule for the day to you. If you drive a car with smart technology into town, it may track your route and interact with traffic management systems to report to you the least congested route to take and help you identify parking spots that best suit your preference for convenience versus cost.

If you take some form of mass transit, you can receive real-time updates on arrival times at various pick-up points, as the system works behind the scenes to optimize speed and efficiency. In the future, your options may also include being picked up by an autonomous vehicle that uses real-time traffic information to take the most efficient route to your destination.

When you stop in a coffee shop before your work day starts, you grab a coffee – brewed with water treated and distributed through a smart water system – and a doughnut – baked with electricity from a smart power plant – and need only tap your phone to pay. Your payment moves instantaneously from your account to theirs.

In the future, checking out to make a purchase may be unnecessary. Some businesses are already experimenting with systems in which you present your phone to a scanner as you walk in the door, grab the items you want and walk out with them. An advanced tracking system monitors what items you take out the door and charges them automatically to your account without having to present them to a cashier.

The office you work in likely already has some level of digital optimization installed, beyond the security system that recognizes you and clears you to enter the building. Flipping light switches or adjusting room temperature may be unnecessary, with smart systems sensing the presence of occupants automatically and adjusting light and heat accordingly.

While you’re at work, the power company detects that you are away and reduces power to appliances that aren’t being used, so you can waste less energy. You’re not even aware of this, though, because the power company, having data on your behavior patterns, restores your power to the level you require for your evening before you arrive home.

Such a scenario only touches the surface of smart city interactions. Many cities – not to mention countries – are aggressively pursuing an increasing amount of digital connectivity for everything that goes into their physical environments.

The development of smart cities

The rush is on to transform existing cities into smart ones. The market for smart city technology is expected to reach $1.5 trillion by 2020.

Among the most extensive smart city initiatives is Singapore’s “Smart Nation” project, which is applying new technologies to enhance transportation systems, health, home and business. The goal is to increase interconnectedness in all aspects of citizens’ lives through digital technologies. As a former Singapore resident, I have had the pleasure of working personally on many Smart Nation-related projects.

China, too, has been aggressive in developing smart cities, districts and towns, developing 103 smart cities over the past five years. These smart cities seek to bring pollution, traffic congestion and widespread energy consumption under control through greater use of connected technologies.

Not far behind in numbers is India, whose government has targeted 90 cities to develop smart capabilities as part of its “Smart City Mission.” Its pragmatic approach is to tackle this initiative in layers, solving specific issues one at a time.

The U.S. Department of Transportation issued a “Smart City Challenge” to U.S. cities, encouraging them with funding to develop more smart technologies around transportation. The hope is that, as cities compete, they will develop ways to use digital technology to solve transportation problems and improve efficiencies. As ideas are developed, other cities can then adapt them to their needs.

Billionaire Bill Gates is taking a different approach to building smart cities. Rather than trying to take the existing systems of a city and convert them to digitally connected systems, he purchased 25,000 acres of land in Arizona with the plan of building a smart city from scratch.

Smart systems behind smart cities

The following are some of the city systems enhanced by digitization.

Transportation

Transportation is crucial to cities, but it also creates pollution, costs energy, leads to injuries and fatalities and requires land for its infrastructure. Solving these problems involves both individual and mass transportation.

Smart public transportation offers real-time data about mass transit schedules and delays. For individual drivers, smart traffic systems draw on data from automobiles, the smartphones their occupants carry, street monitoring sensors and, in some places, drones and satellites. This information helps relieve congestion by controlling lights and signals based on real-time traffic conditions.

Montreal uses AI, satellites, drones, and sensors mounted on vehicles to improve traffic flow. NVIDIA Metropolis combines internet-enabled video cameras and AI to improve traffic flow. They also offer smart parking services. Drivers who drive IoT cars can get real-time information on available parking spots and their costs, even if cost varies according to parking demand.

Buildings

As our homes and workplaces become increasingly part of the IoT, we not only gain greater control over those spaces, but also generate more data about our preferences and lifestyles.

An example of smart technology in buildings is Deloitte Netherlands’ office building known as “The Edge.” The Edge is one of the most energy-efficient buildings in the world. Its lighting system is optimized to reduce energy usage and it has solar panels and underground geothermal energy storage. In addition, it uses rainwater for wastewater systems.

All this is tied to a vast array of sensors that collect environmental data. The data that these sensors generate optimize building management. Cleaning and maintenance are done on an as-needed basis. The system that all this data feeds makes it possible to track and find the location of any person on the premises at any time. It also offers employees the convenience of applying their personal preferences to all devices with which they interact – even down to the coffee machines.

Our homes are also becoming increasingly smart with the proliferation of devices such as Amazon Echo Spot that offer us the convenience of controlling systems across our entire home environment with voice commands. And useful IoT devices are expanding into a variety of roles to make our lives easier. Many even allow us to monitor what’s happening in our homes and control the systems in them when we are away.

Energy

Smart energy involves more than just delivering energy efficiently. It also involves balancing increasing energy needs against environmental concerns and incorporating more clean energy.

Smart grids use smart meters to coordinate supply schedules and deliver energy cheaper and more efficiently. The smart grid can even assess consumers’ energy usage patterns and turn off appliances that its assessment suggests are not needed during peak energy delivery hours.

Siemens is currently working with Rotterdam and Dutch energy providers to create a smart grid that connects 20,000 homes and companies. The system, due for completion in 2020, will use data generated by consumers to identify energy usage trends and then use those trends to optimize energy supply.

Water

Water is crucial to a city and delivering it to tens of millions of people is no small task. Its flow must be understood to optimize it. That’s where smart technology comes in.

Smart water systems analyze usage patterns to predict future water needs. But they also do more than merely distribute water. Their sensors also automatically assess water quality and detect maintenance needs throughout the system.

Public safety

Smart technologies are also being used to enhance public safety. Smart street lights are centrally managed to adapt to weather conditions and report their own maintenance needs. Traffic and surveillance cameras are used along with gunshot detection sensors to provide surveillance and real-time information throughout the city.

Law enforcement authorities use facial recognition technology to recognize known individuals who could pose a threat to public safety. The U.S. FBI is said to already have more than 52 million individuals in its facial recognition database.

Waste management

Waste management is a vital aspect of smart cities. With more than half of the world’s 7.5 billion people living in and around cities, the amount of waste generated is staggering. In response, technology companies have increasingly been developing smart solutions.

IBM, for one, has developed an intelligent waste management platform. Its advanced data analytics helps it optimize collection, transportation and waste recovery. Another company, Veolia, has created internet-enabled containers. Sensors in the containers identify empty ones that can be skipped and detect the volume of garbage and odor so collection can be done on an as-needed basis. By communicating with waste trucks so they pick up only the containers that need it, pollution from the trucks is reduced.

Pollution control

In 2016, Chicago began a massive “Array of Things” program, installing sensors at key locations to monitor pollution and climate conditions and provide relevant data to researchers as they seek to improve Chicago’s air quality.

Threats to these systems

The following show some of the vulnerabilities of these smart systems.

Traffic control systems

Tests have shown that many smart traffic control systems are vulnerable to takeover. Disgruntled employees attacked Los Angeles traffic control systems in 2006, snarling traffic for days before their actions were discovered. And security expert Cesar Cerrudo demonstrated in 2014 how the lack of encryption in many widely used traffic control systems could enable an attacker to reverse engineer systems so that false data could be fed into them. This could allow an attacker to disrupt traffic lights and snarl traffic. Although an increasing number of newer smart systems have the necessary encryption, older systems currently installed lack it and would be very hard to replace without major street reconstruction. And attacks on traffic and surveillance cameras, too, could render a city blind.
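The defensive counterpart to the false-data problem described above, as an added example that is not part of the original article: a controller that accepts a sensor reading only if it carries a valid message authentication tag and a fresh counter. It uses HMAC-SHA256 for integrity rather than encryption as such; the sensor ID, keys and message layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-sensor keys (assumption: provisioned out of band).
SENSOR_KEYS = {"det-017": b"constructed-demo-key-017"}


def seal(sensor_id, counter, payload, key):
    """Sensor side: serialize the reading and attach an HMAC-SHA256 tag."""
    body = json.dumps({"id": sensor_id, "ctr": counter, "data": payload},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Controller:
    """Controller side: verify the tag, then enforce a strictly rising counter."""

    def __init__(self, keys):
        self.keys = keys
        self.last_ctr = {}  # highest counter accepted per sensor

    def accept(self, msg):
        try:
            body = msg["body"].encode()
            fields = json.loads(body)
            sensor_id, ctr = fields["id"], fields["ctr"]
        except (KeyError, ValueError, TypeError, AttributeError):
            return "reject: malformed"
        if not isinstance(sensor_id, str) or sensor_id not in self.keys:
            return "reject: unknown sensor"
        expected = hmac.new(self.keys[sensor_id], body,
                            hashlib.sha256).hexdigest()
        # Constant-time comparison, done before any field is trusted.
        if not hmac.compare_digest(expected.encode(),
                                   str(msg.get("tag", "")).encode()):
            return "reject: bad tag"
        if not isinstance(ctr, int) or ctr <= self.last_ctr.get(sensor_id, -1):
            return "reject: replay"
        self.last_ctr[sensor_id] = ctr
        return "accept"


def demo():
    key = SENSOR_KEYS["det-017"]
    ctl = Controller(SENSOR_KEYS)
    genuine = seal("det-017", 1, {"vehicles": 12}, key)
    # Reading altered in transit: the tag no longer matches the body.
    tampered = dict(genuine, body=genuine["body"].replace("12", "0"))
    # Reading sealed by a party that does not hold the sensor's key.
    wrong_key = seal("det-017", 2, {"vehicles": 0}, b"not-the-sensor-key")
    fresh = seal("det-017", 2, {"vehicles": 9}, key)
    return [ctl.accept(m)
            for m in (genuine, tampered, wrong_key, genuine, fresh)]


if __name__ == "__main__":
    print(demo())
```

The counter check is what stops a captured genuine reading from being replayed later; a tag alone does not.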

Mass transit systems

The 2008 hijacking of the Lodz, Poland, tram system shows evidence of vulnerabilities in mass transit systems, too. And while the 2016 ransomware attack on the San Francisco municipal rail system didn’t significantly inconvenience riders or cause injury, it, too, demonstrates that municipal transit systems are being targeted. Additionally, introducing false information on the systems could cause unnecessary congestion and delays as people base their actions on that false information.

Power grids

Attacks on power grids could be devastating, as the 2015 BlackEnergy attack on the Ukrainian power grid has already demonstrated. More than 80,000 consumers were left without power. And both vulnerability demonstrations and actual attacks on power plants have been reported.

Water distribution systems

Attacks on water distribution systems could be even worse. And as with the attack on the Ukrainian power grid, such attacks have already been accomplished, although, fortunately, with minimal damage so far. Most chilling are reports of a 2016 hack of an unidentified water treatment plant, where mass casualties were averted only because the hacktivists who attacked it did not immediately realize what toxic chemicals they were in a position to unleash on the plant’s consumers.

Other threats

Every city has hundreds of systems to manage different services and tasks. Hacking centralized service management systems would give an attacker many ways to wreak havoc, from introducing software bugs to introducing false data into systems to disrupt their intended functions.

Hospitals have been particularly hard-hit by ransomware attacks. This can have a massive effect on the health and well-being of city residents if essential equipment and services are disrupted.

Wireless smart street lighting systems, like traffic management systems, have encryption problems, leaving them vulnerable to attack. Such attacks could cause widespread street blackouts.

Services that are location-based are often based on GPS. This opens vulnerabilities to GPS spoofing. When people are making decisions based on real-time location information and the location given is incorrect, it disrupts potentially critical services.

Threats to individuals’ privacy

Although not as much a matter of cyber-kinetic threat, one of the biggest concerns with smart cities is privacy. The amount of data that each person generates is immense. And much of that data is vulnerable.

The data generated for enhanced traffic control can be used to track individuals’ movements. This is especially the case with Montreal’s system of sensors installed on cars. If an attacker can link the vehicle to the person, they can track the person through the data their car generates.

The amount of aggregated data collected in the smart city about individuals’ movements and behavior patterns can expose individuals to increased risk of stalking. A Man-in-the-Middle attack can easily be used to track and stalk a targeted individual.

Data intercepted from smart cars about individuals’ movements could also be used for blackmail. Blackmailers could focus on specific targets for surveillance, or even track cars entering known red-light areas and then identify the drivers for the purpose of blackmailing them.

Privacy concerns also haunt the smart buildings we work in. Recall the convenience offered by Deloitte’s office building, “The Edge.” Granted, the convenience of having the building know their preferences and adapt to them as they move around it is welcomed by employees, but the amount and kind of data generated by these smart systems create a very detailed profile of each employee that could be disastrous if it fell into the wrong hands. Fortunately, Deloitte has been very conscientious about protecting their employees’ privacy, but as similar systems roll out into other buildings, employees’ vulnerability would be massive if those buildings’ owners turned out to be less diligent.

Similarly, our own homes are vulnerable to covert intrusions into them. IoT devices that contain video cameras or microphones for voice activation – even such innocuous devices as some smart vacuum cleaners – have been shown to be vulnerable to being hijacked for covert surveillance. It is possible for an attacker to hack into these devices and use them to spy on what we do and say there. All it would take is someone with the necessary skills and an axe to grind against the target.

Wearable devices create massive data about individuals’ lifestyle and health. Many companies are already using wearables to stay apprised of employees’ location, movement and health. Access to such a wealth of information could put employees at risk of that data being used against them for discrimination.

Although you would think that your energy or water usage would be anonymous, your personal data can be used to find out much more about you than you would think. Energy usage can be analyzed to such a fine level that it can even be used to identify what television shows you watch from slight fluctuations in energy consumption.

Similarly, the data generated from what you throw away is far from anonymous. It is surprisingly easy to re-identify individuals through the data they produce via smart waste management systems.

With the myriad data sources available, methods have developed that enable attackers to get around efforts to anonymize data from one source and re-identify individuals from the data available across multiple sources. For example, the Harvard University Privacy Lab demonstrated it to be easy to re-identify individuals by combining news items about hospitalizations with publicly available datasets.
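A check a data custodian can run before releasing such a dataset, as an added example that is not part of the original article: it measures k-anonymity over the quasi-identifiers that make cross-source linkage possible, then shows the effect of generalizing and suppressing records. The records, field names and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample: discharge records with names already removed.
RECORDS = [
    {"zip": "60614", "birth_year": 1984, "sex": "F", "diagnosis": "fracture"},
    {"zip": "60614", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "60614", "birth_year": 1987, "sex": "F", "diagnosis": "burn"},
    {"zip": "60615", "birth_year": 1981, "sex": "F", "diagnosis": "concussion"},
    {"zip": "60622", "birth_year": 1952, "sex": "M", "diagnosis": "fracture"},
    {"zip": "60625", "birth_year": 1955, "sex": "M", "diagnosis": "stroke"},
    {"zip": "60640", "birth_year": 1958, "sex": "M", "diagnosis": "asthma"},
    {"zip": "60657", "birth_year": 1971, "sex": "M", "diagnosis": "burn"},
]

# Fields that also appear in outside sources (news items, public registers).
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record):
    return tuple(record[f] for f in QUASI_IDENTIFIERS)


def class_sizes(records):
    """How many records share each quasi-identifier combination."""
    return Counter(qi_key(r) for r in records)


def k_of(records):
    """The dataset's k: size of its smallest equivalence class."""
    sizes = class_sizes(records)
    return min(sizes.values()) if sizes else 0


def at_risk(records, k):
    """Records hidden among fewer than k look-alikes."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[qi_key(r)] < k]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, decade of birth."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "**"
    g["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return g


def release_audit(records, k=3):
    coarse = [generalize(r) for r in records]
    sizes = class_sizes(coarse)
    # Outliers that generalization cannot hide are suppressed, not released.
    released = [r for r in coarse if sizes[qi_key(r)] >= k]
    return {
        "raw_k": k_of(records),
        "raw_at_risk": len(at_risk(records, k)),
        "coarse_k": k_of(coarse),
        "coarse_at_risk": len(at_risk(coarse, k)),
        "suppressed": len(coarse) - len(released),
        "released_k": k_of(released),
    }


if __name__ == "__main__":
    print(release_audit(RECORDS))
```

On this sample every raw record falls below k=3, generalization still leaves one outlier, and only suppressing that record brings the released set to k=3.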

Then there is also a technique called a “statistical disclosure attack” that can aggregate anonymized data from multiple systems and detect patterns that enable an attacker to re-identify an individual. UK researchers are studying how this technique could increase the risk of data exposure in large clinical data warehouses, like those that would likely exist in a smart city.

Marketers, too, push the envelope when it comes to their use of data. The facial recognition technologies used by law enforcement are used not only to protect people. Stores use similar facial recognition technology to analyze shopper demographics, assess shopper engagement with displays, identify individuals, and then apply the information available to them from Big Data to provide customers with more individualized shopping experiences. These marketers can use your behavior patterns and all other data on your life to influence you. In other words, the massive amounts of data available about you are being matched with your face to try to get you to buy more.

The Dutch train company NS is already facing scrutiny over privacy issues arising from its development of smart billboards that it uses on mass transit vehicles. Cameras in the billboards are connected to software that analyzes people’s faces to determine the person’s sex and age and push relevant ads at them.

The volume of data that marketers currently have on individuals can enable them to correctly predict individuals’ life events even before they happen. In one such instance, a retailer targeted a teenage girl with products for pregnant women. The girl’s father complained to the retailer about this advertising blitz of inappropriate products. Not much later, though, the father learned that his daughter was indeed pregnant. The girl had not shopped for such products, but the data the retailer had on her enabled them to accurately identify her condition.

As data becomes available on us from an ever-increasing number of sources, the loss of privacy will become more severe. And with the demonstrated vulnerability of smart systems to attack, there is no way to know who knows what about us.

Takeaways

With so many critical services enmeshed with smart cities, the attack surface is enormous and extremely vulnerable. The more technology is involved, the greater the vulnerability of infrastructure and city services. Securing systems is essential.

Existing systems are already often prone to the “too-fast-to-market syndrome” that plagues so many industrial control systems. Much of what is out there has had too little thought put into its security, leaving systems shockingly vulnerable.

Many systems need to have their security upgraded and the new smart systems that are added need to be carefully thought out for security before they are incorporated into critical infrastructure. Our cities are growing larger and the challenges of so many people living so closely connected need solutions that not only solve those challenges, but do not create new ones.

The time to act on securing our smart cities is now. The more that systems with vulnerabilities are incorporated, the greater is the risk to which city dwellers are exposed – and the more that we will have to catch up in the future.