We are heading towards an era of automation, where cars drive themselves, drones make deliveries, and intelligent systems collect vast amounts of data to make decisions about utilities, healthcare and other services. The intention is to make the city more efficient — but greater connectivity also creates weakness and hinders a city’s resilience, warns Sina Haghdoost, a senior consultant at WSP based in Stockholm and an expert in smart cities. “Every single element you add to the chain of a network or smart city — from billions of devices, to the nodes on a network, to the servers and data, to end users and vendors — brings a capability and an opportunity, but also a vulnerability.” An attack targeting such a complex global system, he adds, could lead to a very rapid and destructive chain reaction.
People typically associate cyber-security threats with data theft or the manipulation of money, but a breach today could have far more tangible results. These will only be exacerbated as we approach hyper-connectivity. “The big difference in the future is that there will be direct physical effects,” Haghdoost says. An attack might turn all the traffic lights red, for example, or overload critical national infrastructure for electricity or water — which would quickly lead to mayhem. “When you’re designing a system, you have to build in security from the beginning. You have to think about the whole chain. To be sustainable, a security system needs to be able to learn and adapt using AI and machine learning, so it can automatically update itself to resist new methods of attack. And, still you will never make it 100% secure.”
Peter Richards, head of security risk management at WSP in the Middle East, argues that we are nowhere near this level of readiness. “The response just isn’t there yet, because everyone believes that the cyber element of security is for IT departments to sort out. But in most organizations, IT isn’t about security, it’s about making sure the network works, so the cyber threat falls into a grey area. People aren’t thinking of it as a holistic problem.”
For people to start taking it seriously, he fears there will have to be “a major incident”. “The next 9/11 will be cyber. It will be what we call a ‘black swan’ event — something massive that changes the landscape and our perspective. It will happen, but will it be banking, power, water? And afterwards we’ll think, ‘Why didn’t that present itself to anybody as a threat before?’”