Over the past few years, smart cities have gained interest, and research is being done in the Internet of Things (IoT) and urban domains to improve services in smart cities. Information security is essential to protect sensitive information and data, as well as the reliability of national services and organizations. Furthermore, sustainable and livable smart cities require stability, which is why national services and organizations must support information security. 

According to the Institute of Electrical and Electronics Engineers (IEEE), smart cities are characterized by the following characteristics: a smart economy, smart mobility, a smart environment, smart people, smart living, and smart government.  

In smart cities, the “governance” will be realized with a wide range of connected systems to process and exchange data between multiple stakeholders, including transportation, energy, and city services.  

Features of a Smart City

Figure 1 - Securing Smart Cities from Cyber Attacks 

 Source: Housers 

A smart city is not just a buzzword but is becoming a reality. Many cities have already begun integrating technology into their infrastructure, enhancing the quality of life of residents. Smart cities have several key characteristics. The first is the use of technology, along with data, including access to water and electricity.  

Additionally, smart cities feature a wide range of new solutions, including increased access to public transportation, smart parking, integrated model transport, and smart traffic management.  

In order to qualify as a smart city, a city must have the following characteristics: 

  • A well-developed system of health care, education, housing, and infrastructure. 
  • The delivery of enhanced key services to the community should be reliable and cost-effective. 
  • The management of resources in an effective manner to reduce depletion. 
  • Developing a smart plan for data analysis and involving the community. 
  • A well-designed urbanization strategy and coping strategy for population growth and climate change. 

Securing Smart Cities 

Nowadays, digital components are part of hundreds of different components that make up modern cities. Researchers at Kaspersky Lab, a Russian cybersecurity and antivirus firm, found that modern cities, make life easier and safer for citizens. Still, it can also pose a certain degree of threat to their data privacy and safety.  

Researchers examined digital kiosks and interactive terminals used in smart cities for a wide range of purposes, including paying for different services, and discovered that many of them contain flaws that can exploit private data or be used to spy or spread malware. They also found that malicious users could easily access and manipulate data captured by speed cameras used in cities as well as their supporting infrastructure. 

In most cases, all the Ticketing machines in theatres, bike rentals, service kiosks in government offices, airport information desks, and passenger infotainment systems in city taxis look different from the outside, but they are mostly similar inside. Such terminals are either Windows-based or Android-based. The user interface is special kiosk-mode software that runs on public terminals and distinguishes these devices from ordinary ones. In addition to giving the user easy access to selected features of the terminal, this software restricts access to some other features of the device’s operating system, such as launching the web browser and virtual keyboard. Attackers have numerous opportunities to compromise the system if they are able to access these functions, just like they would on a PC. 

Researchers discovered that public terminals were processing very sensitive information, including credit card numbers, and verified contacts. Some of these terminals were connected with other networks. For attackers, these terminals could play host to a wide variety of attacks, such as hooliganism and intrusion into a terminal’s network. Furthermore, in the future, public digital kiosks are likely to be more integrated into other city smart infrastructure, because they are a convenient way to interact with multiple services at the same time. 

The research was also conducted against the speed control cameras in cities. Using the Shodan search engine, researchers were able to identify multiple IP addresses belonging to such devices that were openly accessible from the web no passwords were required, and anyone could view the footage. The speed control cameras in some cities are capable of tracking certain lines on the highway, and this feature can be turned off. This means that if the attacker wants to disable the system for a period of time at a certain location, all they have to do is to turn it off. Since these cameras can be used for law enforcement and security purposes, it’s easy to see how these vulnerabilities would aid criminals in crimes like car theft. Therefore, such networks need to be protected from direct web access at least. 

Cyber Risks and IoT Infrastructure 

Technology has the potential to improve urban areas, but citizens are concerned about privacy and security in this growing area. Smart cities are challenging to secure because of the nature of IoT, the abundance of sensitive data collected by interconnected but unsecure devices, and the repercussions if a cybercriminal disrupts critical infrastructure.  

Smart cities are expected to have millions of devices connected to their networks as government IoT infrastructure continues to be planned, developed, and scaled. Cybercriminals will have a million or more entry points if they wish to attack this system. 

IoT sensors and video cameras are used to collect and analyse data in a smart city. Most of the data collected are private and sensitive. The development of smart cities is supported by information sharing and open data. For citizens, the collection of data raises concerns and questions about privacy and security. As an example, given recent cyber events, citizens may be curious as to the security of the data they collect and the protection of the data they transmit. 


Legacy systems and new systems may have inconsistent security policies due to interoperability. Smart cities may find it challenging to manage all these different data sources and turn them into useful, actionable information when legacy systems and new IoT-based sensors are combined. The lack of common standards and increased cyberattack risks make interoperability issues between devices in different domains challenging. Each device in a smart city will require a certain degree of interoperability in order to effectively utilize its capabilities and add value to the ecosystem as it connects from multiple vendors and geographical locations. In the absence of common standards and policies, many cities are experimenting with new vendors and products, causing integration problems. 


To integrate traditionally independent services, cities will have to review and adhere to relevant regulatory requirements, reconcile security protocols, and develop new ones, as well as address data ownership, usage, and privacy concerns. In addition to the challenges related to interoperability and integration, many IoT devices are not designed with security in mind. There is an increase in security vulnerabilities as a result. Smart cities require collaboration between vendors, device manufacturers, and governments in order to be secure. 

An Integrated and Holistic Approach to Securing Smart Cities 

In order to become a smart city, many governments realize that they will need to merge disparate systems into one, overarching system that provides a holistic view of their connected devices and applications. To secure smart cities, governments and businesses must understand the challenges holistically and use an integrated approach instead of reacting to specific services or devices to address threats and vulnerabilities.  Smart cities can be secured by integrating the following strategies. 

  • Digital trust platform 
  • Privacy-by-design 
  • Cyberthreat intelligence and analysis 
  • Cyber response and resilience 
  • Cyber competencies and awareness program 

The government agencies that aggregate all the information collected by IoT devices must adopt transparent practices to let the public know their data is not misused as part of a holistic approach in securing cities. The development of smart cities and planning will be strengthened as a result of building trust and support. As governments are able to remotely control and manage all IoT devices through a single IoT platform, cyber risks can be mitigated. 

Technology Implementation, Operations, and Maintenance: 


An organization’s professionals or third parties should deploy technology in a secure manner. 

Technology Was Securely Delivered: Binaries should be cryptographically signed, and devices should not have been tampered with from when they were shipped from the solution provider. 

Enable Strong Encryption: Communication must be protected against unauthorized interception, eavesdropping, and modification. Encryption keys should be well protected. 

Set Strong Passwords: A strong password should be required for all access to administration interfaces, functionality, etc. Password policies should be defined for password strength and validity duration. Use strong authentication mechanisms (one-time password, certificate- or biometric-based authentication, multifactor authentication, etc.), especially for any technology that can impact public safety to enhance authentication capabilities. 

Remove Unnecessary User Accounts: A test/default account and password can be used by unauthorized parties to access systems if they are not removed from the technologies default configuration. Implementation accounts can be created, but they must be removed after the solution has been installed and not used for operation. It is important to identify and remove these accounts in the product and implementation documentation. 

Disable Unused Functionality and Services: In some solutions, all functionality and services are enabled by default. Disabling unused functionality and services reduces the attack surface and prevents possible attack vectors. 

Enable Auditing of Security Events: Continuously monitoring audit logs will assist in identifying breaches and attacks. 

Add Anti-Tampering and Anti-Vandalism Mechanisms: Devices should be protected from unauthorized physical access, modification, vandalism, or theft. 

Operations and Maintenance

It is essential to provide continuous support, tracking, and monitoring to a smart city once the solution has been implemented. The following requirements ensure safe operations: 

Monitoring: The organization is responsible for monitoring the stability of its services and monitoring any suspicious activity, abnormal behaviour, performance issues, or any other service-threatening events by regularly reviewing system audit logs and/or other available tools. 

Patching: It is expected that organizations and vendors collaborate on deploying the latest security patches. Patches should be deployed in accordance with the company’s patch management policies, considering the urgency of the patches. In comparison to traditional enterprise IT systems, patching IoT devices presents challenges. It is frequently necessary to update the firmware of the device via secure updates, i.e., encrypted and signed. 

Regular Assessment and Auditing: Smart services should also be tested continuously to ensure compliance with standards and security policies (e.g., ensuring encryption is enabled, authentication is enabled, strong passwords are set, security settings are not altered, etc.). It is imperative to protect infrastructure to be prepared to respond to vulnerabilities and exploits every day. 

Protection of Logging Environment: The integrity and protection of evidence are crucial to investigating misbehaviour, tracking incidents, and determining legal liability. All logs need to be transmitted and stored safely. Data collection and routinely forwarding of data may not be possible on some ices, so logging should occur as close to the end device as possible. 

Access Control: To prevent unplanned changes, tampering, or downtime in smart cities, it is critical to monitor who, when, and how people have access to smart service systems. 

Cyber Threat Intelligence: A threat intelligence system helps an organization identify regional and worldwide threats, such as new, trending, common, and regional attacks. By using such information, organizations can update their security posture and parameters to prevent attacks in advance. In many cases, attacks are replicated, and vulnerabilities are reused. In addition, cyber-threat intelligence. It could be used at a country level by the government to prevent certain traffic patterns and source locations from flowing through regional Internet gateways, thereby protecting all organizations within the country. 

Compromise Reaction and Recovery: If a smart city system is compromised, detailed procedure manuals and checklists should be created describing what needs to be done. The steps include revocation of certificates, erasure of keys, system isolation, and clean-up, as well as following up on the incident to understand how the system was compromised and develop plans to prevent it from occurring again in the future. 

Technology Disposal

Smart city technologies are complex. Organizations plan for them, implement them, and then they need to dispose of them on a specific date. During the disposal process, multiple factors need to be considered. Organizations need to develop policies that ensure that technology is securely disposed of, keeping the following in mind: 

  • Technology should not be repurposed by the same organization or by third parties. It could expose sensitive design, client, password, or cryptographic information, posing a threat to production services.  
  • In order to ensure the safe, rapid disposal of critical data, it may be necessary to destroy the storage of data on the systems. 
  • The replacement of a vendor is also important. While many organizations focus on disposing of data correctly, smart service systems could be used by vendor maintenance and support personnel to perform regular maintenance tasks. They could repurpose hardware or dispose of it without appropriate security measures if they replace hardware. 


The rise of smart cities is being powered by technology, which is digitally transforming necessary functions from public parking to public safety to traffic management and waste management. A new wave of digital transformation also brings new cyber risks that could fundamentally affect smart cities. Smart city developers (such as government entities and businesses) must be able to effectively monitor and manage their IoT infrastructure in order to reduce cyber risks. 









Likhith PG,  

SOCGTM Department,  

Varutra Consulting Private Limited