IoT security for smart cities

Soon, almost everything could be connected – from streetlights and traffic lights to shops and utility networks, our workplaces and even our cars. The internet of things (IoT) is quickly becoming the foundation our cities of the future will be built on. This future will contain billions of devices, all gathering data that can make our urban areas more efficient and sustainable.

Analysts say spending on smart city initiatives is growing and so far Shanghai, Seoul and Barcelona are leading the way in ensuring citizens benefit from the investment. It has never been more important to get the basics right. Digitisation can transform our cities for the better, but it also increases the risk of cyber-attacks. Hackers see the potential in the IoT too, and in a smart city a single, insecure device can bring down an entire system. If the weakness is in a critical network, for example, our energy or water infrastructure, it could have serious implications.

Companies act on concerns about IoT security

Fortunately, the PSA Certified 2022 Security Report offers us some reassurance about the future. We surveyed more than 1,000 technology decision makers across Europe, the USA and the Asia Pacific region, and most (88 per cent) told us that security is one of their top three business priorities. For respondents working on smart city solutions, the number was even higher (90 per cent). Their concerns are understandable. Their technologies will underpin city life so the cost of failure will be high. Our research also shows the increased focus on security is not just being driven from within the technology industry. Almost half of respondents who work on smart cities projects said it is a priority because their customers demand it. That is higher than the average for all other sectors and demonstrates that security cannot be overlooked.

It also suggests we are reaching a turning point, where most of us agree that we should do all we can to enable governments, businesses and citizens to benefit from innovation without sacrificing their privacy or safety. It is the only way to build people’s trust in connected devices, the data they generate, and in the IoT.

Securing our smart cities

However, implementing security can be a challenge for the developers of IoT products, including the companies creating devices that are destined for our smart cities. A third of people we surveyed for our Security Report said the main thing stopping them from implementing stronger protection was a lack of specialists or security-focused staff members. Many respondents, regardless of sector, also said the cost of securing their devices was a concern.

As our smart cities evolve, product developers will be under pressure to overcome these challenges. Governments, regulators and standards organisations are already introducing requirements to help ensure security is built into devices from the outset. For example, the UK’s National Cyber Security Centre has published guidance on how to build smart and secure urban environments. We expect others will follow its lead.

To help device makers navigate the regulatory landscape and capitalise on opportunities created by the IoT we must make security accessible to everyone, regardless of the size of their business. To create this level playing field, we need clear guidelines, trusted components and greater collaboration.

More calls for industry-led IoT security guidelines

Most (96 per cent) of the respondents to our survey said they would be interested in an industry-led set of guidelines on IoT best practice. The level of interest has grown by 12 per cent in the past year. This highlights the need to work together to determine what best practice means in the context of the IoT.

Common frameworks and third-party certification will help with this. They will enable us to establish a common language and set a benchmark for IoT security that we can all work towards achieving.

Trusted components will help to strengthen IoT security

Trusted components also help to democratise security, providing secure, certified silicon and system software built using standardised best practices. With these, OEMs and device vendors can use the built-in and verified security capabilities in their end products. In fact, almost half of respondents (48 per cent) to our survey that work in the smart cities market said building with trusted components is the most important consideration when they are developing a secure device. By “trusted” we mean products with a certified Root of Trust – a component built into the silicon that provides the security features the rest of the system or device relies on, such as secure boot, cryptography and secure storage.

Collaboration is the key to success

This will move us in the right direction but by far the biggest step towards a more secure IoT will be made through greater collaboration within the industry. Everyone has a part to play in preparing us for our digital future. Governments and standards organisations, for example, will continue to introduce guidance and legislation to break down the barriers to security and help protect consumers and their data from cyber-attack. As we show in our Security Report, the developers of IoT devices are also taking a more proactive approach to securing their products, and the ecosystem must provide the support they need to do this.

Arm is one of the founders of PSA Certified, a global partnership of security experts that has come together to create an easy-to-use framework and independent certification scheme for the developers of IoT products. It reduces the time, cost and complexity of security and makes it easier to comply with security regulations worldwide. PSA Certified is gaining momentum – it is the fastest growing security ecosystem with over 100 product certifications from more than 60 partners.

Many within the industry who are considering their next steps will be asking whether an investment in security will pay off. Technology decision makers believe so. More than half (52 per cent) of respondents to our survey said people are more likely to trust their products if they have security built in. The majority (96 per cent) said security positively impacts the bottom line. Most importantly, if we are designing security into our IoT devices, we will be securing the foundations our smart cities will be built on.

To learn more, access the full PSA Certified 2022 Security Report here

For more information on PSA Certified visit www.psacertified.org

About the author

David Maidment is Senior Director, Secure Devices Ecosystem within the Architecture and Technology Group at Arm. Arm is one of the co-founders of the PSA Certified initiative.

About the research

The data in the PSA Certified 2022 Security Report was gathered from 1,038 technology decision makers across Europe, USA, and APAC by Sapio Research. PSA Certified is a global partnership of security-conscious companies that are building security best practices aligned to the cyber-security requirements of USA, Europe and China and that promote Security by Design across all IoT devices.