Smarter Cities Through Secure Data

smart city

The first step to leveraging sensor and other information is ensuring that it is protected.

Jason Bonoan headshot
Jason Bonoan

As the world becomes increasingly urbanized, growing pains felt by large cities can be seen across a number of indicators, from rising crime rates to increased traffic to housing shortages. In 1950, only 29 percent of the global population occupied urbanized areas. In contrast, a recent United Nations study found that 1.3 million people now move into cities every week, and by 2040, 65 percent of the world’s people will be living in cities. As populations become denser and municipalities grow at a breakneck pace, there is a need to implement measures that will maintain a high quality of life.

Once thought of as a futuristic aspiration, smart cities have positioned themselves, in many ways, as the answer to these challenges. By collecting information from a variety of devices and sensors, municipalities are able to manage assets and resources more efficiently than ever before. Utilizing surveillance cameras equipped with high-definition optical
sensors and advanced video analytics, these systems are part of the Internet of Things (IoT) revolution in which an unprecedented amount of data is being collected and processed.

Thanks to innovations in artificial intelligence (AI) and deep
learning technologies, surveillance systems are now able to aggregate, structure and analyze complex sets of data. By identifying characteristics such as hair color, iris patterns, thumbprints, movement, license plate numbers and
more, surveillance systems can use this information to perform important tasks. Object classification, license plate recognition, pattern analysis, heat mapping and facial recognition are just a few examples.

At the center of it all lives data, collected by devices and leveraged by analytics. This data enables the features of a smart city, making the integrity of the systems that collect and process it of the utmost importance.

Data at the Center of Smart Cities

In smart city deployments, data is the central force driving improvements across numerous sectors, from health and safety to mobility to energy. Pairing IoT-connected devices with AI allows for real-time intelligence that can protect residents and optimize resources to keep municipalities
operating smoothly.

Body-worn cameras, city-wide surveillance systems, and gunshot detectors are only a few of the notable security devices being deployed in smart city applications to enhance public safety efforts. Enabling real-time crime prevention and mapping, these sensors help to reduce robbery, burglary and assault incidents by 30 to 40 percent, according to a McKinsey Global Institute report titled Smart Cities: Digital Solutions for A More Livable Future. In the area of public health, the data captured by IoT devices in smart cities can be utilized to improve the quality of health care, while also enhancing preventative measures to aid in creating a healthier population. In healthcare facilities, sensors that enable remote patient monitoring can provide staff with a patient’s vitals in real time, alerting to potential issues and crises prior to escalation.

Across the globe, many cities are in the midst of a housing shortage, causing both home prices and rents to skyrocket. While expanding the housing supply is a seemingly simple solution to address the issue, bureaucratic policies often hinder progress. Digitizing land acquisition, permits and design approvals can greatly ease a builder’s ability to begin new projects, simultaneously increasing both housing availability and affordability.

When it comes to resources, intelligent energy meters allow for more regular readings and enhanced tracking for both homes and businesses. This provides citizens with insights that can be used to make lifestyle adjustments, ultimately lowering utility bills and strain on the grid.

Smart streetlights, meanwhile, can help optimize routes based on traffic data collected by surveillance systems. As a result, commutes are shortened, roads are safer, and emergency response times are reduced by as much as 35 percent, according to the aforementioned McKinsey Global Institute

In the private sector, local businesses are able to better serve their patrons thanks to the data collected by smart city technology. By analyzing an area’s demographic makeup and buying habits, retailers can enhance their tactics for more potent marketing campaigns and enhanced customer engagement. Business owners can use AI-powered surveillance technology to develop heat maps, track visitor flow and monitor employee-customer interactions. This leads to an overall improvement in customer satisfaction, reduced theft and more efficient staffing. Additionally, municipalities that deploy smart city systems can more easily automate the business filings process, eliminating common roadblocks for would-be entrepreneurs while growing the local economy.

Deploying smart city technology has also been shown to have positive effects on the local community, enabling municipalities to better appropriate assets and disseminate information to residents. Platforms are now becoming available that provide the public with helpful information, such as roadblocks to avoid on a morning commute or neighborhood disturbances to be aware of. These systems also invite participation through incident reporting,
resulting in enhanced safety and community engagement.

With the exponential increase in data gathered by smart cities, it is essential to implement measures to protect, preserve and process it. While the collection of personally identifiable information (PII) can help to improve the lives of city dwellers, it also demands a higher level of privacy protection than the standards associated with traditional surveillance footage.

Understanding the Risks

The primary risk to smart city surveillance data containing PII is that it could be stolen. If not properly encrypted, data can be accessed from the camera wire (during transmission), the network (through stolen passwords), hard drives (during disposal) and physical security equipment sabotage. Stolen data leads to unauthorized access to networks and personal accounts, which can result in crippling cyberattacks on businesses, individuals and even government entities.

Prime examples are the Mirai and Reaper Botnets. In October 2016, a distributed denial of service attack was launched by exploiting default usernames and passwords of IoT devices, including IP cameras, routers and digital video recorders (DVRs). Together, these hacked devices comprised the Mirai Botnet, which made the Internet inaccessible in several regions of the United States. A year later, the Reaper Botnet used “software hacking techniques to break into devices” and infected more than a million networks, according to an October 2017 article in Wired.

Cyberattacks through malware and stolen data can have
serious ramifications, as these examples illustrate. However,
the reality is that many IoT devices lack basic data hardening
features. In fact, as many as 46,000 commercial and residential DVRs can easily be accessed by hackers, according to a recent report from Risk Based Security.

The concern escalates when considering what unsecured data could mean for the critical infrastructure sector. If hackers were to gain access to the networks of electrical substations, power plants, transportation systems, communication lines or the military or law enforcement, entire cities and even governments could be shut down.

Decoding Data Privacy Regulations

Partially in response to these threats, the General Data Protection Regulation (GDPR) was enacted by the European Union (EU). The GDPR is the most significant change in the world of data protection in a generation. The goal is twofold: one, balance an individual’s right to protection, and two, allow a data-based economy to thrive without stifling innovation. The GDPR also imposes direct obligations on service providers (known as processors) for the first time. Furthermore, the European concept of personal information is broader than the U.S. concept of PII and includes personal identifiers that may result from AI processing of surveillance video.

Industry experts expect the GDPR to have a ripple effect on legislation across the globe. For example, in the United States, the California Consumer Privacy Act, one of the most significant data privacy laws in America, is now in effect. Companies that store large amounts of personal data, including corporations like Google and Facebook, will have to be transparent about the type of data they collect, and they will also have to provide an option for consumers to opt out of having their data sold. Many other changes will continue to take place as policymakers respond to the need for stricter data management practices.

The implementation of the GDPR ushered in a new era of security. Because many of today’s advanced security solutions collect some form of PII, systems integrators, security operators and end users can no longer deploy solutions that employ mediocre cybersecurity measures or none at all. Security professionals will now be held responsible for ensuring that this information is safeguarded.

While there is an immediate impact on security manufacturers, dealers and end users in the EU, companies who are based in other geographic regions but have a global customer base can also fall under the purview of this policy. Moreover, as technologies continue to evolve and data
aggregation increases, it is likely that the United States and other countries will follow the EU’s example and implement similar legislation. Consequently, it is essential for security
leaders around the globe to act now by deepening their
understanding of the risks associated with unsecured
data and implementing best practices to protect it.

While many cybersecurity discussions revolve around the theft of “data in transit,” safeguarding “data at rest” is just as crucial. Protecting data at rest begins with ensuring that storage solutions utilize solid state hard disk drives alongside appropriate data protection protocols.

Data Protection Best Practices for Systems Integrators

Despite data’s central role in the security industry and the increasing importance placed upon data security, many systems integrators have a hard time knowing where to begin. In the 2019 State of the Industry report by Security Business, 43 percent of survey respondents selected cybersecurity as a key technological disrupter in the security market, yet only 23.5 percent have added cybersecurity features to their service plans, highlighting the disconnect between thought and action.

So what can be done about these unseen digital threats? And why should integrators take note? As mentioned previously, locking down a security system starts with the integrator, and part of this crucial responsibility is understanding which practices offer the highest level of data protection. Insufficient data security standards not only reflect poorly on integration firms, they can also make them liable if breaches occur. For example, in 2018, a major home security company paid $16 million to settle several class action lawsuits that accused it of installing systems that left users vulnerable to digital threats.

For these reasons, systems integrators should adopt the latest data protection measures. Examples include software encryption, pseudonymization, hardware encryption and secure erase features. All of these tactics have their own important and distinguishable characteristics.

  • Software encryption utilizes tools that run on the same processor as the security system, which can lead to system slowdowns.
  • Pseudonymization is another form of reversible data encryption. Simply put, this is a data management and de-identification process, placing PII with one or more artificial identifiers, or pseudonyms, within data records. This process of masking data and keeping the key to reversing the process separate is greatly encouraged throughout the GDPR.
  • Hardware encryption, which uses a separate processor for continuous authentication and encryption, is another optimal solution for data hardening. Self-encrypting hard drives work 30 percent faster than encrypting software and are cost-effective life cycle solutions. Self-encrypting drives also provide important benefits to businesses. In the event of a breach, the GDPR states that organizations do not have to publicly report the incident if the data is encrypted, making self-encrypting drives valuable assets to companies for both data protection and reputation management. For these reasons, hardware encryption is often the most effective data security strategy for systems integrators.
  • Secure erase, used when a hard drive reaches end-of-life status or when the stored data is no longer needed, is another key best practice to implement for total data protection. Alternative methods of retiring or repurposing a drive can be time or labor-intensive. Physically shredding a drive is both expensive and environmentally hazardous, while overwriting data software is a costly process that can tie up a system’s resources for days at a time. Long-term storage of decommissioned drives in a warehouse puts the data at high risk of theft. The most reliable option is a secure erase function, which quickly eliminates all data on the drive, instantly resetting it to factory defaults and automatically changing the encryption key so that any remaining data is cryptographically erased. This means all data that was once housed on the drive is permanently unreadable.

Systems integrators and end users who implement end-to-end encryption, pseudonymization and secure erase procedures will experience the greatest peace of mind. In addition, integrators should focus on partnering with trusted security suppliers who are committed to data security and regulatory compliance. By deploying hardware that encrypts from verified sources, systems integrators can provide end users with a secure, comprehensive surveillance solution.

As smart city solutions enhanced by AI capabilities continue to evolve and aggregate mass amounts of personal data, cybersecurity measures will continue to increase in importance. Systems integrators must lead the way in recommending and installing surveillance systems that contain the necessary protections. By partnering with manufacturers who prioritize data privacy, integrators can be assured that their security solution is protected.

Jason Bonoan is the global product marketing manager for Seagate Technology.

Features Checklist

When sourcing smart solutions for smart city deployments, it is important to look for a few key features:

  • Secure supply chain – Know where the hardware is coming from. Ensure that a manufacturer's components are sourced securely from trusted partners in compliance with the Open Trusted Technology Provider Standard.
  • Self-encryption – Seek out devices that utilize hardware-based encryption to protect against attacks.
  • Secure download and diagnostics – Establish that a manufacturer's firmware is protected from attacks during its working life through precautions such as digitally signed firmware and rogue firmware detection, blocked cross-segment downloads, locked diagnostic ports and a secure boot process.
  • Secure erase features – Look for storage devices that offer instant and secure erase functionality so that administrators can easily replace encryption keys on any device, rendering the data cryptographically erased, making device retirement or repurposing much simpler.