How can we make smart cities smart and secure?

Smart, digital, connected… these various adjectives all refer to the model of the ‘smart city’, i.e. a city that meets the dual aim of satisfying the new needs of connected citizens by providing them with adapted services and making the city itself more manageable for its administrators. Smart cities thus draw upon three fundamental pillars: 1) citizens, who have become an integral part of the information system by permanently connecting to the city’s services via mobile or smart devices; 2) connected objects that collect and aggregate their users’ data in real time; and 3) data centres, where this data is stored.

A mixed model, then, that combines data and applications and presents a series of challenges for their administrators. Indeed, building a smart city is not only about acquiring new technological solutions: to be smart, digital or connected, cities must also, and above all, be secure. While smart cities are now a necessity and are doubtless set to multiply, these developments also bring new risks and new threats that must be taken into account from the moment they are designed.

1. Smart cities: more manageable cities to cope with exponential urban growth and digital transformation

The urban population is estimated to increase by 2.5 billion in the next 30 years. African cities are thus set to see around 1.5 billion new inhabitants, Indian cities 500,000, and Chinese cities 250,000. Urban growth has even become a political problem in certain countries. This is particularly true of cities such as Cairo, which is currently receiving around 1 million new inhabitants every 30 months, or Dakar, the population of which is increasing by 130,000 newcomers per year. The World Bank and the World Economic Forum estimate the overall cost of receiving new urban populations (in terms of infrastructure and networks of all kinds – transport, telecommunications, etc.) at around 70,000 billion dollars.

According to Gerard Wolf,President of the Sustainable Cities Task Force at MEDEF International, the challenge for these new urban concentrations is therefore how to make cities ‘manageable’ and optimise the cost, profitability and efficiency of the services offered to citizens. City planning thus needs to be looked at in a systemic way, simultaneously taking into account all the necessary developments and adjustments (infrastructure, transport, water, energy, waste, etc.). Hence the development of so-called ‘smart’, or rather ‘ingenious’ cities, that is to say, cities that make services available to their inhabitants for smart use.

It is therefore as much a question of governance as of technology: administrations do indeed need to secure the technical and technological means to better manage cities in constant development, but in a smart manner. That is to say, by being particularly discriminating in their choice of connectivity and technology. In smart cities, technological development is not an end in itself. It is, rather, a means of continuously improving the services offered to citizens and optimising their management by local authorities. All the technological choices made must therefore be guided by this dual aim.

2) Smart cities: a mesh of infrastructure networks, digital services and interconnected information systems serving their inhabitants.

Projects currently being implemented or studied are a good illustration of the role smart cities have to play in serving local authorities, and the benefits (of all kinds) they provide for both administrations and citizens.

The aim is to transform networks into services, for example by simulating or building a connected smart city on a small scale to test the interconnection of urban networks and the interconnection between these networks and the associated services. One such project is Sunrise, a smart, sustainable city model being demonstrated by the University of Lille on its campus and managed by Professor Isam Shahrour: a small town covering 110 hectares with 25,000 users, 140 buildings and 70 km of interconnected smart networks (water, sanitation, urban heating, gas, electricity, lighting, roads, etc.). The aim is to improve the services available to citizens, facilitate their management and enhance the ‘user experience’ in this urban area. This network of networks is being implemented based on preliminary reconnaissance work carried out on the existing infrastructure. This enabled the state of the network to be checked, failures identified, damage repaired and leaks detected – all barriers to the provision of services adapted to its inhabitants and shortfalls to be addressed by the local administration. An example is the heating network on the University of Lille campus, where fault detection and repairs have led to a saving of 25 to 30% and improved the supply of related resources for its users.

Other projects have been designed to respond to well-identified organisational challenges with the aim of redeveloping urban areas. An example of this is the experiment carried out by the Paris city administration in Place de la Nation, where dozens of sensors have been installed to track and record the movements of its users (pedestrian flows and vehicular traffic), looking at how they use the space and measuring their impact (pollution, air quality, noise), in order to propose improvements designed to optimise getting around (reducing the roundabout, closing certain lanes, enlarging the central island, etc.). By optimising the data collected and sent in real time via its platform, the company OpenDataSoft provides city managers with information enabling them to adapt cities and their operation to inhabitants’ habits and patterns of use, thereby improving the quality of the services offered.

3) Smart cities and the challenge of security

For smart cities to serve their citizens and optimise the management of services available to them, they also require mechanisms and devices to guarantee operational safety and security, with the aim of protecting their physical infrastructure and also the data circulating within it.

In a networked network configuration, the ‘domino effect’ and potential impact of a failure or attack on even just one point/node of one network is central to the majority of safety and security concerns. This is a real resilience challenge, since a single attack could potentially jeopardise the functioning of this entire mesh of computer systems and networks. In the same way, control systems that automatically monitor and manage industrial process chains (distribution, handling, production, etc.) are directly exposed to the risks of faults or malicious acts, with potential consequences for the whole chain. It is therefore necessary to adopt a systemic and dynamic approach for the management of these risks and the security of smart cities. This means taking into account these systems and networks as a whole, bearing in mind that security should never be taken for granted as an achieved state but, rather, measured and evaluated continuously and updated whenever necessary.

The other security challenge posed by this new model of interconnected systems and networks concerns the data itself, beyond the infrastructure transporting it. This includes both personal data, containing information about users, and data of an industrial or commercial nature, containing information about companies and organisations. How do we ensure that this data is collected, stored, processed and possibly reused in a secure manner, i.e. without infringing the privacy of users or undermining the confidentiality of information on companies or organisations?

This issue also raises a series of questions in terms of governance. For example, users are rarely informed in a precise manner of the data collected, where and how it is stored and how it is reused. Indeed, information or traces left by their movements through and within physical or virtual spaces can be reused to enable certain applications, organisations and public services to offer them tailored services. This data can even be priced up and sold on. And yet the users remain the owners of this information. The traceability of this data is also a concern. If it is hosted in clouds, for example, choices made by the service provider’s re-user will not necessarily be dictated by the location of the data. Users, who are often providing this information unknowingly, are thus not associated with these choices and have no control over them. Finally, questions can also be asked about the databases where the collected information is stored. Precisely what information is being kept, who manages these databases, and who updates them if necessary?

Personal data is thus a central concern for smart cities, especially since the GDPR, due to enter into force in 2018, will impose greater responsibility for data protection upon digital operators and their subcontractors. Reconciling these new legislative and regulatory obligations with technological progress and the inevitable development of smart cities is thus becoming a technical, but also political and societal issue that goes hand in hand with digital transformation. We are thus reminded that, when it comes to digital technology, security must be included ‘by design’ (i.e. as soon as products, services or systems are defined) and that smart cities must adopt coherent strategies that take into account all the uses, functions and technologies involved in their make-up.