The Italian Job: how to stop chaos and keep systems secure

Last week the National Cyber Security Centre (NCSC) published its ‘Connected Places Cyber Security Principles’, guidance for local authorities planning ‘smart cities’ that rely on connected technologies.

The principles address system design and maintenance and have been created to help planners avoid creating costly security risks as they upgrade the infrastructure that underpins spaces such as town centres, transport hubs and universities.

Explaining the publication of the principles, NCSC Technical Director Ian Levy cited the scene in the Italian Job where Turin’s road traffic is brought to a standstill by Michael Caine’s crew of thieves. (The image at the top of this article is my sons’ respective cars, apparently ready for such a heist!) A scene such as the one in the Italian Job is perhaps even more possible today, Levy explains, because “as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors.”

An article in the Financial Times on the subject noted that “overseas smart city technology suppliers may come under pressure to ‘access and exfiltrate data’ on behalf of security and intelligence services in their countries of origin.”

Indeed, the article highlights the experiences of planners in Bournemouth, where a large smart city scheme was cancelled at the last minute when planners grew nervous that, under the terms of the contract, Chinese system supplier Alibaba “would have managed and controlled large volumes of data.” Apparently Chinese telecoms company Huawei – now removed from 5G infrastructure development in the UK over similar fears – was also one of the suppliers to the scheme.

If cyber-attacks on smart city infrastructure sound unlikely, consider that only this weekend a fuel pipeline operator in the U.S. had to shut its entire, 5,500 mile network of pipes – the source of nearly half of the U.S. East Coast’s fuel supply – after a cyber-attack.

As such, the publication of new guidance is not fear-mongering, but highlights a very real risk. Customers – whether they are responsible for a town centre, a train station, a university campus or a water pumping station – should ensure that their electronic security systems are properly protected.

As the NCSC makes clear this means systems designed and installed by suppliers that have the highest levels of IT knowledge and therefore know where system risks lie and can mitigate them. As I have argued on a number of occasions, users must also ensure that their systems are properly maintained – or, in the words of the NCSC: “using software products that are well supported including up-to-date and regularly patched software.”

At Reliance High-Tech, we regularly come across electronic security systems in town centres, universities and commercial applications that are vulnerable because their systems are old, and what was robust at the time has not been updated to meet the latest standards and now presents a risk. I’m certainly not saying that all connected systems are bad, or that every smart city is being hacked by foreign powers, but as the NCSC guidance makes clear, there is no excuse for not getting system integrity right.

A lot of the challenge is around the education of installers and users, so they know about the risks, recognise the need for a secure solution, and understand what that looks like. Like anything, it’s about having a competent design, a well-thought-through system and firebreaks to ensure that systems integrity is maintained.

The benefits of connected systems are clear and the insights that they bring customers are proven. These help make our university campuses safer, for example, but also help estate managers understand the flow of people around their properties, allowing them to optimise for how buildings are actually used, so funnelling resources where they are needed – saving money and improving the experience for those that use the estate.

Interestingly, the same planners involved in the Bournemouth scheme apparently baulked at the suggestion a few years ago that facial recognition technology could be used to locate those who have dementia and go missing around the town. This is precisely the type of benefit that connected technology makes possible and, as a business that wants to protect people and assets, I find Bournemouth’s reluctance difficult. I have written extensively in the past about the debate around facial recognition, and the balance between risk and benefit, but surely this of all applications is a good use case for the technology?

At a time when police and social services resources are pressed, why wouldn’t we want to search data we have access to in order to find a vulnerable missing person? We absolutely don’t want a surveillance state, but as I have written before, we can’t put the genie back in the bottle.

Clear guidance such as that published by the NCSC is to be welcomed, while end-users need to trust their business partners to design, install and maintain electronic security systems that are both secure and managed for the good.