Intelligent CIO Middle East Issue 20 | Page 78

EDITOR’S QUESTION MIKE LLOYD, CTO, REDSEAL Smart cities will either be flexible or secure – they are not at all likely to be both. Why? Cities are sprawling, complex affairs – they change and grow without central control. Indeed, attempts to build centrally planned cities have generally been disastrous. Historically, cities only work when many individuals can all optimise independently for their own goals and objectives, without central control. Smart cities are the same – they are still organised by humans, no matter how much centrally generated technology we add. Those many, independent and chaotic humans come up with novel and effective solutions to problems, but they also keep the rules of the game in flux. This means builders of smart city technologies need their solutions to be flexible, not cast in stone – they face an environment more like that of boats on choppy seas, not skyscrapers fixed in bedrock. But cyber security history also shows that flexible technologies tend to be the least secure. If a given technology does not know in advance exactly which other technologies it must interface with, it has to have open interfaces which the surrounding environment can and, inevitably, will change. These open interfaces cannot be nailed down to say “only authorised technology X can talk to technology Y, in the following precise way.” Instead, technology Y will be open, in case X is replaced with a new technology, or needs new features and capabilities tomorrow. The need for this flexibility is only amplified because of the massive financial costs of replacing deployed 78 INTELLIGENTCIO equipment around a city – you don’t ever want to replace the hardware, so you build the software so that it can be changed. But securing a city is much harder – it’s a sprawling, complex environment with more interactions than humans can easily track. This flexibility brings huge benefits in terms of ability to change, and ability to bring new and attractive features that citizens want. But it also means the attack surface that cyber terrorists can use is extremely large. The good news is that automation of security is possible – humans may not be good at keeping track of how all these separate technologies interact, but software is excellent for this purpose. The complex interactions of flexible technologies is exactly the same root cause for much of the bad security on the Internet today. As an analogy, note that securing a bank is relatively easy – there’s a big vault, you put a big door on it, you monitor who can go in and out. As we build smart cities, we need to map their complexity, and automate the detection and reduction of the attack surface. We cannot expect iron-clad security when the rules of the game favour flexibility and lack of central control – rather, we have to manage down the risks that come with all this innovation. ¡ www.intelligentcio.com