The ongoing COVID-19 pandemic has accelerated the digital transformation of municipalities around the world. The digitization of state and local governments has resulted in streamlined operations and greater efficiency of government services. While technological advances are transforming municipalities via networks, apps, equipment, and the internet of things (IoT), these internet-connected devices and systems significantly increase exposure to cybersecurity risks.
IoT refers to a system of internet-connected devices and equipment that are embedded with sensors, software, and other technologies, which collect and transfer data over a network without human interaction.
Most of us are familiar with and use IoT in the home environment, such as smart lighting, doorbells, speakers, security systems, locks, and appliances, to name but a few of the range of smart devices available. The phrase “work smarter not harder” could be used to describe smart cities that leverage IoT technologies. Municipalities around the world are adopting IoT solutions in a variety of applications ranging from household objects to sophisticated industrial tools to improve services, save energy, and increase public safety.
Municipal IoT examples include:
- Denver; South Bend, Indiana; and Columbia, South Carolina, have implemented gunfire detection systems that utilize a network of sensors to detect gunfire in real time and alert police to a precise location within a matter of seconds.
- Miami, Paris, Madrid, and Los Angeles have adopted connected street lighting solutions that use sensors so that street lights can be activated by motion or automatically adjust brightness based on periods of inactivity.
- London, Dallas, Pittsburgh, and Montreal have employed advanced traffic management systems to monitor traffic and analyze data in real time from sensors and traffic cameras and make adjustments to traffic lights and message signs, as necessary.
- Amsterdam, Seoul, San Francisco, and Santander, Spain, have utilized waste management monitoring systems, which use sensors to optimize waste collection and operational resources.
A much more common application of IoT technology used by governments that is often overlooked is smart building automation. Smart buildings utilize IoT sensors to control building systems such as air conditioning, fire detection, heating, lighting, security, and ventilation. According to the Smart Buildings Market 2021-26 report, by 2025, more than 75% of new construction will include smart building technology.
The rapid expansion and implementation of IoT devices is making government operations more efficient and productive, but IoT devices are susceptible to security weaknesses and are easy targets for hackers. Securing IoT devices is particularly challenging because any device or system that relies on software to function is at risk for a cyberattack. Frequently, state and local governments procure smart technologies without considering the potential security vulnerabilities before implementation. Without proper security protocols, connecting IoT devices to municipal networks can make infrastructure or services vulnerable to exploitation by hackers.
While the U.S. Federal Trade Commission has issued certain guidelines for IoT cybersecurity best practices, there are no universal standards regarding the cybersecurity of IoT devices. California was the first U.S. state to establish requirements relating to IoT security. The California Civil Code on Security of Connected Devices, which was passed into law in 2018 and became effective on January 1, 2020, requires manufacturers of IoT devices sold or offered for sale in the state to “equip the device with a reasonable security feature or features...designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure...” On the federal level, the bipartisan Internet of Things Cybersecurity Improvement Act of 2020 was signed into law late last year, requiring IoT devices “owned or controlled” by U.S. government agencies to meet security guidelines developed by the National Institute of Standards and Technology (NIST). Unfortunately, this new law is only designed to apply to devices owned and controlled by the federal government.
In March 2021, the chief technology officer of New York City published a 78-page guide, “New York City Internet of Things Strategy,” which outlines how the city can equitably and safely adopt IoT technologies. The guide provides an assessment of the city’s current IoT environment and, in order to examine cybersecurity vulnerabilities in the city’s deployment of IoT, it has created processes to review and test devices and networks that city agencies procure. The guide also includes recommendations, such as conducting an inventory of the city’s IoT devices and establishing a standard review process to ensure IoT devices are safe and secure.
Before employing IoT devices, municipalities need to be aware of the potential risks associated with the technology. For example, common security risks associated with IoT devices include weak or hard-coded passwords, old and unpatched embedded operating systems and software, insecure data transfer and storage, and lack of secure updates.
State and local governments can mitigate most of the risks by implementing basic security processes, as New York City has. For example, they can conduct an inventory of all IoT devices used and ensure that appropriate cybersecurity protocols are in place for each device.
Basic Security to Implement
A new report by the World Economic Forum, Governing Smart Cities: Policy Benchmarks for Ethical and Responsible Smart City Development, found that many of the global cities that have made the most progress on digital transformation are failing on cybersecurity and technology governance. According to the report, less than a quarter of the cities surveyed conduct privacy assessments when implementing new technologies.
When deploying IoT devices, to protect against threats to municipal infrastructure, networks, and systems, governments should follow basic security requirements such as:
- Securing passwords by changing the default username and password on devices and avoiding products with hard-coded passwords.
- Enabling end-to-end encryption whenever possible and using a VPN to limit data exposure when a device does not support encryption.
- Using multi-factor authentication where possible.
- Regularly updating all software and firmware and not using products that can no longer be updated.
- Limiting who has access to devices by granting permission only to those employees who need access to the data.
- Ensuring the physical security of devices to prevent unauthorized tampering and protect against modification, theft or vandalism of devices.
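As an added example (not part of the original article), the sketch below audits a device inventory against the six requirements above, treating any unanswered item as a finding rather than a pass. The CSV column names and the three sample devices are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; the column names are assumptions of this example.
SAMPLE = """\
device,creds_changed,hardcoded_pw,encrypts,behind_vpn,mfa,updates_pending,end_of_support,accounts,needed,secured
lobby-thermostat,yes,no,no,yes,yes,no,2030-01-01,2,2,yes
traffic-cam-12,no,no,yes,no,yes,yes,2028-06-30,9,3,yes
hvac-controller,yes,yes,no,no,,no,2019-12-31,4,4,no
"""

def flag(row, key):
    """Map yes/no to True/False; a blank or unexpected cell becomes None (unknown)."""
    return {"yes": True, "no": False}.get((row.get(key) or "").strip().lower())

def audit_device(row, today):
    """Return the checklist items a device fails or cannot demonstrate."""
    findings = []
    if flag(row, "creds_changed") is not True:
        findings.append("default credentials not confirmed changed")
    if flag(row, "hardcoded_pw") is not False:
        findings.append("hard-coded password present or unknown")
    # A VPN is accepted only as the fallback for a device that cannot encrypt.
    if flag(row, "encrypts") is not True and flag(row, "behind_vpn") is not True:
        findings.append("traffic neither encrypted nor behind a VPN")
    if flag(row, "mfa") is not True:
        findings.append("MFA not enabled or unknown")
    if flag(row, "updates_pending") is not False:
        findings.append("updates pending or unknown")
    try:
        if date.fromisoformat(row["end_of_support"].strip()) < today:
            findings.append("past end of support, can no longer be updated")
    except (KeyError, ValueError, AttributeError):
        findings.append("end-of-support date unknown")
    try:
        if int(row["accounts"]) > int(row["needed"]):
            findings.append("more accounts than employees who need access")
    except (KeyError, ValueError, TypeError):
        findings.append("access list unknown")
    if flag(row, "secured") is not True:
        findings.append("physical security not confirmed")
    return findings

def audit_inventory(text, today):
    """Audit every row of a CSV inventory; unknown answers count as findings."""
    return {r["device"]: audit_device(r, today) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE, date(2021, 6, 1)).items():
        print(name, "OK" if not issues else issues)
```

The audit date is passed in explicitly so the end-of-support check gives the same result on every run.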
City and state governments around the world are investing billions of dollars in innovative new technologies to improve government services. When implementing IoT devices as part of this digital transformation, it is critical that municipalities understand the security risks and vulnerabilities inherent in this technology. To mitigate these risks, governments must develop security guidelines to safeguard municipal interests and protect against data breaches and cyberattacks. Whether it is a smart thermostat or traffic management system, when deploying IoT technology, municipalities must proactively ensure the safety and security of these devices. As smart technologies expand and more governments rely on devices, sensors, and systems that utilize digital networks to manage data, their security becomes more important to prevent infiltration, disruption in critical operations, and exploitation of sensitive information.