Guest article | EY: Protecting the smart city from cyber attack

Smart cities – where everything is connected – offer huge potential for making people’s lives better. But they also create a much greater risk of cyber attack.

Ken Allan | Partner | Global Leader, Cyber Security

At a CODE _n workshop on protecting the smart city, Ken Allan, Global Leader, Cyber Security at EY, said the problem is that when everything is connected, there is a much greater “attack surface,” leaving previously secure sites vulnerable to hackers. “The number of devices and systems that are connected provide pathways into the things we care about,” he said. “There’s an entire industry out there trying to work out ways to take advantage of this connectivity for malicious purposes. These are not just lone-wolf hackers but organized groups and, in some cases, nation states.”

Hackers becoming more sophisticated

The ramifications are huge. Cyber attacks are becoming highly sophisticated and increasingly persistent, and there have been many instances where hackers have failed to break directly into an organization but have managed to gain access to a third party and then use the links between the third party and the target organization to jump across systems. We have to think about not just the cyber security of our own city, company or government but also the security of everything these organizations are linked to.

So is there such a thing as a cyber-secure city? No, according to Allan. He said most organizations are being hacked all the time – some realize it and deal with it, while others never even notice that it is happening. “We need to recognize that it’s not possible to be 100% secure,” he said. “Then we can focus resources, energy and capability on detecting breaches, containing them and remediating them. We used to talk about cyber security in terms of protecting the perimeter, but the perimeter no longer exists.”

Cyber economics

Often the only way to understand breaches is to “follow the money” and ask: who benefits? Allan cited the hypothetical example of an investor, who wants to invest in energy company A, lowering the smart meter readings of energy company B in order to reduce its revenue and, as a result, push the stock of company A higher. No wonder governments and industry are worried. So what would EY advise companies to do to protect themselves as much as possible? Allan recommended:

1. Think strategically: Don’t focus on the technology. Instead, think about your business strategy and its cyber implications. For example, if you are moving into a new market, launching a new product or making an acquisition, make sure security is at its highest level before and after the launch or around the time of the deal.
2. Exploit big data: Don’t just buy the latest software and hope it will filter out the malware. You need to gather as much data as possible, look for anomalies and correlations, and find attacks that way. You won’t identify breaches through standard security software; you will only find them with a big data analytical approach.

For more information please also visit the EY CODE_n insights page.