Connectivity is fast becoming the standard in a growing segment of our lives. We carry devices in our pockets with more computing power than a spaceship, which allow us to reach out to every corner across the globe. We wear smartwatches that collect data on how many steps we take a day, while our fridge chats with the stove about what might be on the menu for the evening.

While the private sector is moving at a breakneck pace to get on board the Internet of Things (IoT) movement, cities are working hard to provide their residents with services through digital mediums as well.

Leveraging applications on mobile devices has been a key strategy for meeting the people where they are most comfortable. If you can order a Lyft, pizza, or other kind of service through app platforms, why shouldn’t you be able to reach out to the municipality to report a busted fire hydrant? What about having greater visibility over public transportation to know when the next bus or train is coming, helping you to plan your travels?

It stands to reason that these types of services, which are already available in some leading cities, will become widely available in the very near future.

However, before cities take the leap into the smart city era, they need to consider issues of security that could have a very negative impact should a breach occur.

Integrating applications into your city

In hopes of getting a sense of how application security should be addressed for the smart city environment, we spoke with the CIO of Palo Alto, Jonathan Reichental. Having written the e-book on how to run smart city app challenges in one of the most tech-focused cities on earth, Reichental has a few insights on how to approach the secure integration of applications.

"Apps are essential to smart cities," says Reichental, noting that, "Most are benign and should be of no concern from a cybersecurity perspective, e.g. an app for knowing arrival time of bus; app to report a crime; app to find a parking space. In many of these instances the app is 'read-only' or it doesn't require an PI or PII info."

"But, of course, many apps will publish or require what can be considered sensitive info,” he says. "In that regard, cities need to step up their game in making cybersecurity a priority."

Beyond the crisis that could arise of residents having their data stolen for possible theft or fraud ops by hackers, the cities themselves could end up paying additional costs over the long run.

First and foremost is that unlike a private company that might lose a contract if an attack occurs due to negligence, a city official like a CIO or even a mayor may be more skittish in endorsing projects out of fear of losing their job. While companies can suffer bad press, folks who answer directly to the voters may feel more at risk.

Secondly, a mismanaged project could hurt a city’s prospects of pursuing other projects down the line, especially if they come with bigger asks from residents.

Managing security when working with third-party developers

One of the major challenges facing cities and their CIOs in adopting applications for their smart city initiatives is that these apps are most likely being developed by third-party developers. For the team in Palo Alto, Reichental says that they normally try to avoid building custom apps, preferring to buy from vendors.

Similar to open banking projects where banks will connect their APIs with applications that were developed by vendors, cities are mostly dependent on startups and others to build the applications for them.

While this may save costs and create opportunities for entrepreneurs, it means that the cities are often putting their residents' security in the hands of private developers. Therefore it is up to the CIO or other relevant administrator to implement a security policy that will hold vendors to task for security concerns.

Reichental says that his office has a security questionnaire for vendors that he terms as rigorous. To start with, all applications must be ISO 27001 compliant.  

"Our requirements are driven by the answers provided by the vendor," he says. "If there is an integration, we ask how it is handled and where [the] data is stored. We ask about their processes and procedures for handling sensitive data."

Moving forward, Reichental says that setting out requirements for handling open source component security is a "part of our roadmap."

Securing open source components is an often overlooked but important part of application security. According to Gartner, open source components can comprise up to 80% of the code in many applications, making for a very large threat surface for attackers. As many popular components can be incorporated into applications across many organizations, a known vulnerability in an open source component can lead to multiple exploitations ranging from denial of service that takes the app offline to remote exploitations that give the attacker a free hand to pilfer or disrupt your data.

Tips for working more securely

In light of the threats, and potentially dire consequences, Reichental has a number of tips for cities that are looking to step up their security management game throughout the application lifecycle.

Recognizing that context is important for figuring out the kinds of measures that need to be taken to protect applications, he says to ask questions like if the application is public facing or internal. How sensitive is the data being handled by the application, and does it have any personally identifiable information like social security numbers or credit card numbers?

The first step he says is to perform a security assessment for all vendors and products that the city is working with prior to engagement, and then periodically.

"I'd advise local government CIOs to make cybersecurity a requirement throughout the lifecycle of all systems,” he says, driving home the point that protecting an application does not end when it is released, but is a continuous process requiring monitoring of new vulnerabilities and developments over the long term.