How to ensure your ‘smart’ suppliers are protecting data

Not to make you feel worse about not getting today’s Wordle, but even our trash cans are getting smarter. And cities like New York and San Francisco are adding more than high-tech receptacles as they build out a smarter city.

As cities invest in infrastructure ranging from environmental monitoring sensors to gunshot detectors, officials must understand suppliers’ data security practices, which, if absent, could lead to disastrous, large-scale consequences. (See: water.)

“If you’re a city working with the vendor company, you would want to have enough access to their data to confirm that they are following the privacy and security practices that you require them to follow,” said Ashley Johnson, senior policy analyst at the Information Technology and Innovation Foundation.

Chaos! Cybersecurity experts polled in a 2021 UC Berkeley report saw emergency alert systems, street video surveillance, and certain traffic signals as the most vulnerable smart city components. Tampering with traffic lights could cause accidents and gridlock; spoofed emergency alerts could cause widespread panic.

“By controlling a city’s traffic intersections, you’re giving control over flow of people and resources, potentially, when those resources need to be directed and not delayed…More than the data involved in it, it’s really the control of those systems,” said John Gallagher, VP of marketing at the IoT-security tech provider Viakoo.

In March, US Transportation Secretary Pete Buttigieg announced over $94 million in grants for 59 innovative mobility projects across 33 states, ranging from smart traffic signals in Cleveland to crash-detection sensors in Nashville.

Your pilot speaking. In several municipal parks in Las Vegas, optical sensors monitor activity and alert officials to suspicious after-hours activity, said Michael Sherwood, chief innovation officer for the City of Las Vegas.

The effort requires partnerships with vendors supplying components like cameras, wireless networks, and switches.

“Our secret sauce is we do a very small pilot with any company before we buy a mass amount…We’ll test it for a few months. We might test it for six months. And we’ll provide feedback to the vendor the whole time,” said Sherwood.

Sherwood told IT Brew that he works with between 75 and 100 partners to deploy “smart” infrastructure. Other initiatives include traffic-management systems, crowd-detecting lidar (light detection and ranging), or air-quality sensors, adding up to hundreds of devices on the city’s network.

What Sherwood likes to see from suppliers: data encryption and multi-factor authentication for any device connections.

“When there are vulnerabilities, how well does that vendor report the vulnerabilities? Do they keep it secret? Do they proactively contact our customers about it? And then how do they address it?” said Sherwood.

Gallagher recommends checking a supplier’s compliance with SOC 2, or ISO 27001 for cloud environments. A software bill of materials and a unique, preprogrammed password is also important to confirm in any incoming devices.

Smart trash cans may just send alerts to the sanitation teams, but who knows what kinds of personal data a smart future brings?

“As smart city technologies become more advanced, it’s possible that they would start requiring forms of information that would make them more attractive targets, which would require greater cybersecurity,” Johnson told IT Brew.—BH