Don't take our word for it: Ask suppliers these security questions

You don’t need to worry about security, your suppliers will take care of you, right? Maybe not. Just ask cities like San Francisco that bought traffic signals that could easily be controlled by hackers.

Your city’s cybersecurity is ultimately your responsibility. If there’s a breach, residents will blame you — not some vendor. So how do you know if your vendor is taking your security seriously? You need to have a conversation. These three questions, suggested by Council Lead Partner Gannett Fleming, are a great starting point that can help you keep your city’s digital infrastructure safe. — Kevin Ebi


By Immanuel Triea, Senior Director of Information Security, Gannett Fleming

Data is the cornerstone of a smart city. The use of data to analyze, adjust, and improve livability within a city is precisely what makes it “smart.”

But city leaders often hand off the responsibility of data management to a vendor or partner company. Instead, city leaders should ask questions during the vendor interview process to ensure that the provider is fully equipped to address the security needs of the city and its agencies, and so city leaders can make informed decisions about vendors and services. City leaders should also speak with their vendors on a regular basis about security needs and concerns.

Here are three critical questions to pose to your security vendors:

Question 1: Are we set up for success?
Many current smart city technologies have limitations in areas like computational capability, memory, and software restrictions. These constraints make it hard to build in an appropriate level of security capability.

City leaders should engage cybersecurity experts to ensure that their smart solutions contain, at minimum, basic security mechanisms to keep the infrastructure protected. They should also base their cybersecurity design solutions for smart cities on established industry standards and frameworks such as those detailed in the National Institute of Standards and Technology’s Cybersecurity Framework, American Public Transportation Association’s Standards Development Program, and the Federal Information Processing Standard Publications.

Cybersecurity is not a feature to set on autopilot. It should encompass the entire lifecycle of smart city projects, including in the bid process, design and planning, technology selection, and maintenance.

Question 2: What laws or regulations are specific to my city and state?
Many city managers are surprised to learn that data management and security are largely unregulated. Since there are no specific laws governing smart cities, many designers and developers treat cybersecurity as an afterthought.

Leaders of smart cities should become familiar with the few state and federal cybersecurity regulations that are currently in place. This will enable them to respond to issues like breaches in a more effective manner.

Question 3: How will we engage safely with the public?
The participation of individual citizens – like those who can receive and send alerts about impending traffic or weather conditions – is an integral part of the brilliance of smart cities. Enabling interconnectivity between potentially millions of personal devices and the larger city infrastructure creates a host of vulnerabilities that infrastructure owners must mitigate through public outreach in addition to rigorous security measures.

City leaders should consult with their security experts to find innovative ways to educate their citizens on cybersecurity with regard to their personal devices and social responsibilities.

Cybersecurity functionality must be part of smart city design from the earliest stage of the process if it is to be cost-effective and successful. To do this, I encourage city managers to engage their vendors and partner companies in the security conversation and to ask the right questions.

Immanuel Triea is the senior director of Information Security at Gannett Fleming. Reach him via email or by calling 717-512-3982.