Smart Cities and Infrastructure End Users Share Thoughts on Building Good Cybersecurity Programs

By Larry O'Brien

ARC Report Abstract


Smart cities and critical infrastructure both face major cybersecurity-related challenges. Today’s rapid adoption of IoT technologies, convergence of IT and OT environments, drive toward ubiquitous connectivity, and resource constraints are all major challenges when it comes to implementing a good cybersecurity program for smart cities and infrastructure. Even worse, many end users and owner-operators lack standard cybersecurity policies and procedures within their organizations.

The recent ARC Industry Forum in Orlando, Florida featured a dedicated track on smart cities and infrastructure.  Here, end users shared their experiences in justifying and implementing cybersecurity programs in both smart buildings and water & wastewater, two sectors that embody a broad spectrum of requirements for cybersecurity.  The municipal water & wastewater industry is a classic ICS/SCADA environment governed by critical infrastructure standards and practices.  Building automation and other smart city applications, on the other hand, are focusing on adopting new technologies like remote access.  Both segments share the challenge of a legacy installed base of controls and sensors.

Developing an Effective Cybersecurity Strategy for Smart Buildings

Smart Cities and Infrastructure smart%20city%20architecture%20LO.JPGKhanh Nguyen, Vice President, IT-Enterprise Applications at Kilroy Realty Corporation, discussed the development of his company’s cybersecurity strategy for monitoring and controlling its many connected and intelligent buildings. The big push to adopt IoT and remote connectivity resulted in many connected buildings with remote access, but these remote connections were not always secure.

Building automation systems are also frequently left exposed and, historically, have been a vector for cyber-attacks where the attacker gains entry to a building automation system and then uses that to move to the corporate network. The attack on the Target Corporation several years ago was executed in a similar manner. In addition to these technology-oriented issues, cybersecurity policy was not standardized or enforced. This resulted in the use of default credentials and ports, as well as other issues.

Vendor Selection a Challenge

Kilroy executed a search for good partners to help it execute its plan. The company’s three-pronged strategy for evaluating partners was based on organizational, technical, and policy/legal criteria. Kilroy had to find a vendor with experience in facilities and asset management, but also realized it had to make its own internal organizational changes.

Reorganization and New Roles Required at the OT Level

These organizational changes included establishing an operational technology cybersecurity role, something that many end user organizations in the building automation sector lack. The OT role also needed IT skills and facilities knowledge and would reside at the level of the corporate IT department.

Standardization Helps

Kilroy wanted to adopt a standardized approach to technology and architecture that leveraged the IoT and would enable a future path to data analytics and edge intelligence. The company applied this same philosophy when selecting its cybersecurity vendor, IoTium, which provides secure mass deployment of IoT technologies that also allows for continuous monitoring and centralization of user access and provisioning.

Cybersecurity for Water Applications

Shay Geisler, I&C Administrator at the East Cherry Creek Valley Water & Sanitation Department, gave his organization’s take on the importance of cybersecurity in a critical infrastructure application.  Located in the Denver, Colorado suburbs, ECCV provides drinking water to around 50,000 people.

Legacy Installed Base Presents Cybersecurity Challenges

Like many similar installations in the water and wastewater segment, ECCV had a large SCADA system that featured a mixed bag of equipment going back many generations. The original system was more than 20 years old and built before cybersecurity was a major concern for end users. For public utilities such as this, system availability is a primary concern. The system must operate continuously and reliably to deliver safe and consistent drinking water to customers. And as a public utility, ECCV also faced budget constraints.

Like many other end users in the process industries, ECCV had to start with a control system modernization project to avoid vulnerabilities associated with legacy operating systems, software, and tools. The HMI software was updated first, removing legacy 32-bit applications that relied on 1990s-vintage technologies like ActiveX and DCOM.

ECCV found that it could address most of its potential cyber vulnerabilities through upgrades and by securing of its PLC and SCADA communications systems. The company paid particular attention to communications between PLC and HMI applications as well as peer-to-peer PLC communications. SCADA systems also include a large amount of radio communications, which also had to be secured.

ARC Advisory Group clients can view the complete report at ARC Client Portal 

If you would like to buy this report or obtain information about how to become a client, please Contact Us     

Keywords: Smart Cities, Smart Infrastructure, Cybersecurity, Building Automation Systems, Water & Wastewater, ARC Industry Forum, ARC Advisory Group.

Engage with ARC Advisory Group