Smart Cities and Zero Trust: The Time Is Now

By George Vukotich

According to SunGard, there were 79 ransomware attacks on city and county governments in the U.S. in 2020. While that may not seem like a large number, these attacks had an impact on some 71 million people, almost one-third of the U.S. population. In addition, data from Comparitech shows that cyberattacks cost American government entities over $18 billion in recovery costs and downtime. With data like this, we can see how important it is for cities and communities to have effective cyber processes, and how severe the cost of an attack can be.

Information about many attacks is never shared, but we can learn from some of the more publicized ones, like the one that happened in Atlanta, Georgia in 2018. The attack there shut down many of the city's agencies, including the court system, water department, and traffic department. Keep in mind that cities often have 30-40 different agencies that can be impacted by a single attack. In this case, the Iranian hackers behind the attack demanded $51,000 in Bitcoin, which the city indicated it did not pay. The city spent $17M in costs related to the hack. Clearly, deterring and preventing hacks is much cheaper than paying the costs to recover from them. Some might ask why not just pay the ransom, but there is no guarantee that doing so will prevent further attacks, and it may even encourage others.

While not new, there is an increased focus on cities and communities taking a “zero trust” approach to data and information, and to how it is accessed and by whom. Zero trust is more an approach or methodology than a technology. It allows access to data, information, and applications only through access control and identity checks based on a user’s need to know.

One version of the Zero Trust model looks at five areas, or pillars: Users, Devices, Networks, Applications, and Data. Trust is established in each pillar, and that determines whether to allow or deny access.

USER: At the user level, parameters include password authentication and multi-factor authentication, which can include dialing a user’s cell phone, using some type of biometric such as a fingerprint, or even monitoring where a person is when trying to access the system.

DEVICE: The physical device a person would use to access the system. Relevant attributes could include built-in memory, where the device is located (GPS), or access management software.

NETWORK: Also known as the transport level. The focus here is on protecting data in motion, with approaches that include encryption and preventing the data from being accessed while it is moving through networks.

APPLICATIONS: The actual applications that are used in accessing the data. Care should be taken that only certain users have login access at the application level. An application may also have differing levels of access depending on the need of the specific user. Keep in mind that user IDs should be for individual users, not groups of users. Group access can cause issues in identifying specific users and what they accessed.

DATA: The data itself is where the value is, and it is generally in one of three stages where it could be accessed. The first is data at rest, or in storage. Here the key is to ensure that no one can access and take or manipulate the data. The second is data in transit through a network. Here the key is to ensure that the data cannot be read or interpreted; a strong encryption set can help protect the data. The third is data in use in an actual application. Here the key is to make sure the data has integrity.
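The five pillars above can be read as a deny-by-default access decision. The following is an added example, not part of the original article: a small policy check in which every pillar must pass before access is allowed. The application name, roles, data labels, shared account names and field names are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed need-to-know policy: (application, role) -> data labels that role may read.
NEED_TO_KNOW = {
    ("water-billing", "billing-clerk"): {"public", "customer-pii"},
    ("water-billing", "auditor"): {"public"},
}
SHARED_ACCOUNTS = {"frontdesk", "admin", "waterdept"}  # constructed group logins

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    role: str
    password_ok: bool
    mfa_ok: bool               # e.g. phone call-back or fingerprint succeeded
    device_managed: bool       # device runs access management software
    device_in_region: bool     # device location (GPS) is where it is expected
    transport_encrypted: bool  # data in motion is encrypted
    application: str
    data_label: str

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, failed_pillars); a single failed pillar denies access."""
    labels = NEED_TO_KNOW.get((req.application, req.role))
    checks = {
        "USER": req.password_ok and req.mfa_ok,
        "DEVICE": req.device_managed and req.device_in_region,
        "NETWORK": req.transport_encrypted,
        # Individual IDs only: a shared login cannot be tied to one person.
        "APPLICATION": labels is not None and req.user_id not in SHARED_ACCOUNTS,
        "DATA": labels is not None and req.data_label in labels,
    }
    failed = [pillar for pillar, ok in checks.items() if not ok]
    return (not failed, failed)

def audit_record(req: AccessRequest) -> dict:
    """Record who asked for what and why it was denied, for later review."""
    allowed, failed = evaluate(req)
    return {"user": req.user_id, "application": req.application,
            "data": req.data_label, "decision": "allow" if allowed else "deny",
            "failed_pillars": failed}
```

Writing an audit record for every decision, denials included, gives a city a per-user trail of who accessed which data.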

In addition to the various areas, cities and communities need to track who is accessing data and how, along with having effective backup and recovery processes. From my work, I ask mayors and city managers: when was the last time they conducted a data audit? Often the answer is never or only a minor subset of what should be done to protect the data of the members of the community they are responsible for.

George Vukotich, Ph.D., works with cities and communities to help them become smarter and more effective. In addition to his expertise in smart cities, he is certified and provides education in the cybersecurity space.