The tech industry’s focus on innovation–and lack of focus on security–has been coming back to bite organizations of all sizes in recent years with the spread of malware, ransomware, and the professionalization of hacking. But with smart cities, the risks are getting a lot bigger. As more and more public infrastructure–from nuclear plants to bridges to electrical grids–gets connected, weak security will create new dangers to public safety and even national security.

The 2016 Smart City Summit tackled the issue with a special session from Gary Hayslip, CISO for the City of San Diego, who explained how one of the largest cities in the US is dealing with escalating attacks, scary new risks, and finding new tools to fight them.

“Smart cities are totally changing our technology stack,” said Hayslip. “And it’s creating data sets we’ve never seen before.”

The City of San Diego has over 11,000 employees, 24 networks, and over 40,000 endpoints. It has done multiple large-scale, enterprise Internet of Things deployments. And, it’s taking a methodical approach to becoming a smart city by using ISO standards 37150, 37151 and 37120 as its framework.

But, with all of these new endpoints, San Diego now has to defend itself against an average of one million cyberattacks per day, Hayslip said.

The list of smart city technologies already implemented or in process by San Diego is impressive:

  • Smart electrical grid, powered by Sempra
  • Gigabit internet, powered by Google Fiber
  • LED street lights
  • Street sensors for intelligent parking
  • An intelligent public building (new library)
  • Smart HVAC systems in its 43 libraries
  • GPS sensors in its trash vehicles
  • Deployment of resilient emergency communications
  • City-owned solar panel arrays
  • Mapping of all city-owned trees
  • Sensor network covering the port of San Diego Bay

This has created four big security problems, according to Hayslip:

  1. Increased complexity – It’s difficult to identify and keep track of all the new devices coming onto the network, while also keeping all of their legacy systems updated.
  2. Cascading effect – Small issues can end up having a large impact because of the scale of all the systems that are now intertwined.
  3. Patch deployments – It has become increasingly difficult to deploy system updates on such a diverse and disparate network.
  4. Lack of threat models – Threats on the scale of the smart city are unique. Vendors don’t always offer perfect solutions because “they don’t have a lab on what it’s like to be a city,” said Hayslip. As a result, he’s setting up his own virtual city lab for his employees and partners to use.

One of the biggest challenges for Hayslip and his team is that not only is the city adding a slew of new technologies, but it’s also very slow in getting rid of old ones.

“City networks are messy,” said Hayslip. “Cities do not get rid of technology. They are packrats of old technology.”

As a result, the San Diego IT department has the very difficult challenge of managing the explosion of all of the new stuff and the rapid decline of the old stuff at the same time.

“You have no stable risk baseline,” he said. And, “my security tools aren’t keeping up with the technology.”

To deal with the challenge, Hayslip has changed the IT department’s cybersecurity approach to a service model.

“I honestly don’t believe I have a perimeter any more,” he said. “I’ve moved security down to the data layer. We’re building out a full data governance lifecycle.”

That makes security much more focused on the user and the endpoint–and even more so on the data itself. IT now does a risk assessment on its data and the impact that data leakage would have on the business. And, it applies security resources accordingly.

Of course, no matter how good the IT department’s security is, it can’t micromanage every user, and users are still going to do risky things like unknowingly clicking on dangerous sites or phishing emails.

So, part of the approach that Hayslip’s team has taken is to quantify how much it costs to secure each user on its network. The price tag came up to about $62. By turning its cybersecurity services into a fixed cost, Hayslip was able to go to the city council and get approval for each department to pay $62 to IT each time it brings a new user onto the network.

With that money, Hayslip has done several things to keep his

  • Massive scanning – “The only way you survive is that you’re constantly scanning, constantly risk mediating.”
  • Resiliency approach – “We know people are going to break in, but we’re building a resilient network to kill them and not let them out.”
  • Code review – “We constantly do code review. You’ve got to prove you’re secure before you go live.”
  • Cutting edge solutions – “I’m allowed to partner with startups… We’re constantly adding new solutions to help us.”

Above all, he’s changed the cybersecurity mindset both inside and outside of IT as part of the move to a service model.

“Cybersecurity is not a one and done,” he said. “It’s a lifecycle we have to take care of.”