Introduction to Smart City and Building Automation Security

Smart cities and building automation offer us endless opportunities to enhance people’s quality of life. However, the scale of devices needed to facilitate this reality raises serious concerns about the number of insecure devices being released into the market. We need to build trust in the Internet of Things (IoT) to ensure that the digital transformation of cities and buildings doesn’t leave governments, businesses, and the public at risk.

City living has its ups and downs. People are often drawn to urban areas by the opportunities they offer them, including more jobs, better services, and more sophisticated transportation links. However, residents in built-up areas often have to deal with increased pollution, more congestion, or higher living costs.

To help address some of these drawbacks, many authorities and infrastructure or building owners and operators are finding ways to make cities ‘smart’. That is, they are adopting connected devices and automating processes to help them improve the efficiency and sustainability of their buildings and services, enhancing people’s quality of life. In fact, cities that are underpinned by connected devices could, for example, be safer, cleaner, and more efficient.

The Smart City and the IoT

The IoT is crucial to achieving a smart city’s aims because it provides the fuel a smart city runs on: the data. That information is then used to deliver fresh insights into all aspects of city life, from the ground up, and to drive improvements. For example, a program to install smart traffic signals in the US city of Pittsburgh has been expanded after initial research found adding sensors to existing equipment reduced the wait times at intersections by more than 40%. Similarly, building automation can transform workplaces, improving entrance management and minimizing energy consumption.

Building a Smart City

According to the McKinsey Global Institute (MGI), there are three layers to a smart city. The first is the widespread rollout of the technologies that help gather data, including smartphones and sensors. The second is the applications that turn the data that has been collected into “alerts, insight, and action”. The final layer is the widespread adoption and use of the technology and data by governments, businesses, and the public: a lot of people need to embrace the technologies to drive change. To increase adoption rates, authorities, private organizations, and citizens must be able to trust the devices and the data they generate.

Smart Cities and Building Automation Rely on Trusted Data

Smart cities and building automation rely heavily on both connected devices and potentially sensitive data, making them an “attractive target for a range of threat actors”. When IoT devices are gathering and sharing data that businesses, governments, or individuals will rely on, the data needs to be trusted. Trusted data can only come from trusted devices. Therefore, it’s crucial that the IoT devices deployed in a smart city or for building automation are built with security in mind. This goes for every device involved in a service: leaving even the simplest of devices insecure can leave your entire system open to an attack.

For example, an insecure lightbulb can have far-reaching consequences, as Jan Münther, Head of Digital Product Security at ams OSRAM, explained in one of our recent #beyondthenow podcasts: “When you look at our industry, there are applications that have heightened security requirements. We have lights in the medical sector, for instance, and in civil infrastructure. We have lighting on airport runways, and in the horticulture industry, or urban digital farming as it’s known. If we have our devices compromised in those settings, they can create very palpable damage. People might get hurt or companies could lose millions of dollars in income. That’s why we have to take security into consideration early in the device lifecycle.”

IoT Security Challenges

Paul Williamson, VP and GM, Client Business, Arm explains: “The breadth of application of IoT security means that it’s going to impact everything from driving your car to getting your groceries, to fundamental services like water and electricity, so getting it right is critically important to all of us.” This is particularly true for smart cities and connected buildings, as they are home to many high-value assets that, if compromised, could cause significant turbulence. Consider the implications of a disruption to the provision of fresh water, power, or medical services to citizens. However, the PSA Certified 2021 Security Report highlighted that significant challenges remain for device manufacturers when implementing security, including a lack of expertise and increased cost.

The Need for Layered Security

For use cases like smart cities and building automation, which rely on large-scale deployment and data collection, one of the main challenges is embedding security into every layer of a device, from the silicon and system software through to the end-product. All operations within a device need to take place on components that have a critical baseline of security built in. The key to this is a Root of Trust (RoT). Built into the silicon, the RoT plays a foundational role by completing a set of implicitly trusted functions that the rest of the system can use to ensure security. Implementing security at every level of the device, whilst also trying to implement secure components, is particularly challenging for device manufacturers, as they often do not have the resources or security understanding to implement best-practice security. Working with the ecosystem and building on the expertise of silicon vendors and software providers simplifies the security journey for OEMs, allowing them to leverage security implementations from the value chain.

Navigating Increasing Regulations

Security for smart cities and building automation is complicated further as more industries and authorities set out sector-specific standards and requirements. For example, the National Cyber Security Centre recently published its Connected Places Cyber Security Principles, providing guidance on how these spaces should be designed, owned, and managed. Speaking on the new standards, Mark Jackson (Cisco’s national cybersecurity advisor for the UK and Ireland) said: “With DCMS also planning to implement legislation around smart device security, this is indicative of a broader government strategy to level up IoT security across the board.” While these standards and regulations may differ in language, the fundamental security requirements are largely aligned and focus on implementing security best practices.

Simplifying Security for Smart Cities and Building Automation Solutions

To help build trust and assurance in the devices that will underpin the smart cities of the future, industry experts have developed PSA Certified: a global partnership providing a comprehensive framework and independent certification for IoT security implementations. Our growing ecosystem of PSA Certified silicon and system software is simplifying security for device manufacturers, allowing them to leverage the expertise of the value chain. PSA Certified also provides mapping to major IoT security standards and regulations, including ETSI EN 303 645, NIST 8259A, and Californian State Law SB-327. Similarly, you can reuse your PSA Certified Level 1 certification in other schemes, enabling alignment with end-market requirements and guidelines.