The COVID-19 pandemic highlighted to cities around the world the importance of smart city programs—the use of technology, data, and innovative solutions to address their social, environmental, and economic challenges. Indeed, 65% of city leaders surveyed in 2020 as part of ESIThoughtLab’s Smart City Solutions for a Risker World reported that the top lessons learned from the pandemic was that smart city programs are crucial for their future.
However, innovation is a double-edged sword. As city leaders increase their investments in digital technologies, they also expose their cities to greater cybersecurity risks if they do not put appropriate safeguards in place up front.
The pandemic was a stress test for urban cyber security systems. Attacks on state and local governments went up dramatically as cyber criminals sought to take advantage of the crisis.
Many cities fell victim to ransomware and other attack vectors. For example, Knoxville, TN was hit in June of 2020 with an attack that crippled its IT systems. The disruption escalated when hackers began publishing data online in a move to extract a ransom payment. Hackers also took advantage of pandemic-related disarray by shamelessly targeting some hospitals.
The ESI ThoughtLab study shows that cities need to do more to keep their urban centers and citizens secure. Most cities, 60%, reported they are not well prepared for cyberattacks. Although small cities felt more confident about their cybersecurity systems than others, the smallest urban areas are in a more precarious situation, with only 29% believing they were well prepared. This is borne out by the incidence of attacks during the pandemic on smaller cities in the US, such as Florence, AL, and Pensacola, FL.
In fact, one sign of a smart city leader—one that is most advanced in using technology and innovative solutions—is its level of cybersecurity Ninety-five percent of cities classified as leaders in the study said they were well prepared for cyberattacks, against just 8% of beginner cities.
% of cities that are well/very well prepared for cyberattacks by size
Cybersecurity best practices
There are best practices that cities can follow to shore up their defenses against attacks. City managers should take a sheet from the lesson book of smart city leaders.
There are five key cybersecurity steps that leaders take far more often than other cities to address their cybersecurity vulnerabilities:
- Prioritize assets and create access control policies. Protecting a city's most valuable assets is a smart first step, as is making sure the city imposes tight controls on who can access its systems.
- Invest in disaster recovery, response, and event management technology. No matter how strong a city’s firewalls, it only takes one bad guy to get through. So smart city leaders invest more heavily in specialized recovery and response technology to act quickly to mitigate impacts.
- Provide cybersecurity training to staff. This is a critical step for cities since cybercriminals often capitalize on employees’ mistakes.
- Protect critical infrastructure. This includes security testing of electricity grids, traffic lights, hospitals, and other urban assets. Interconnecting city assets and domains through IoT and other technologies can expose cities to a catastrophic attack if they do not adequately safeguard their infrastructure.
- Develop a cyber incident response and recovery plan. Smart city leaders understand they not only need to be act quickly to stop an attack, but also have processes in place to limit the aftereffects, including those related to liability and financial and reputational impacts.
Cybersecurity areas where smart city leaders invest more
Lessons from a cyberattack
One small city that learned the value of such best practices was Torrance, CA. On March 1st, 2020 Torrance experienced a cyber incident that had an adverse impact on city operations. Just two weeks later, Torrance declared a local state of emergency due to the coronavirus pandemic.
Faced with two major crises, city leaders scrambled to set up a virtual emergency operations center (EOC) through Slack, a cloud-based messaging platform hosted by Amazon Web Services. The city used Google Drive for all its forms and documents instead of email, as it was both safer and more efficient.
Within a week, the city had transitioned from brick and mortar, paper and pencil, to virtual operations. It was then able to connect area hospitals, the local school district, the Red Cross, Salvation Army, and business groups to the EOC for real-time information sharing. And when Torrance and Southern California experienced civil unrest—yet another disruption—a few months later, Slack allowed the city to flatten the information curve and share data, internally and confidentially, for increased awareness about the events.
The city was able to funnel live pictures of events directly into Slack where everyone involved in the management of the response could see and better understand the situation. “There were no longer silos that could form because the departments were all dissolved,” said Jeffrey Snoddy, emergency services manager for the city.
The experience was an eye-opener, and the city has since developed a cybersecurity plan. Reminders are sent to staff regarding practices to shore up security, such as changing passwords regularly and connecting from home with city-issued devices only. The city also does routine self-risk assessments of its vulnerabilities.
“Resilience and agility are a must to survive and to thrive,”said Torrance’s city manager, Aram Chaparyan. “Governments move at a slower pace because we have fiduciary responsibility. We have oversight by our elected officials and the public. We don’t have the luxury of time. It’s not if, it’s when we’ll have another crisis, and it’s all about creating a state of readiness.”