Critical Infrastructure Security and Smart Cities

Recently there have been several policies, simulations, active designing and implementation of smart city concepts in several locations around the world including India. Today, the world is talking about connecting everything to the internet. The fourth industrial revolution (Industry 4.0), a term used to draw together cyber-physical systems, the Internet Services and Internet of Things (IoT), has started to revolutionize projects such as smart grids and smart cities.

There is no universally accepted definition of a smart city, with different schools of thoughts describing this concept in terms of annotations depending on their geographical scope, location and socio economic settings. Faced with rapid urbanization, city planners are turning to technology to solve a wide range of problems associated with modern cities.  To provide for the aspirations and needs of the citizens, urban planners ideally aim at developing the entire urban eco-system, which is represented by the four pillars of comprehensive development – institutional, physical, social and economic infrastructure. This can be a long-term goal and cities can work towards developing such comprehensive infrastructure incrementally, adding on layers of ‘smartness.’

Ideally the planning of a smart city originates from the end user. The needs of the end user are assimilated in a systematic manner and are then distributed into several smart layers such as transportation, energy, utilities, finance, social, and logistics, amongst others. A true smart city is networked in such a manner that there is a balance between sustainable socio economic growth and urbanization. There are several examples of successful smart cities in the world such as San Diego in southern California and Glasgow in Scotland. The above illustrations show a few aspects of steps required to convert a city into a smart city. There are also several aspects of smart cities that are directly related to critical information systems and critical infrastructure. These components directly connect an end user to the service provider in terms of information display and service availability. For example, an end user can directly monitor the usage of piped gas from a mobile application; at the same time sensors in a house detect motion and usage, and the service can be cut off in case no one occupies the premise. This close networked platform is usually achieved through machine to machine communication (M2M) or an IoT platform.

So how do we define these critical infrastructure platforms?

Critical infrastructures are usually divided into physical and socio-economic infrastructure systems. Physical critical infrastructure encompasses all basic services such as electricity and water supply, waste (water) management, transport or information and telecommunication technologies. Socio-economic infrastructures instead include facilities such as banks, hospitals and schools but also public administration. Critical infrastructure is also a term used by governments to describe assets that are essential to the functioning of the society and economy. Future cities will challenge existing safety and security engineering models e.g., the United States electricity blackout in 2003 showed that in interdependent networks a very small failure in one network might lead to catastrophic consequences. New and complex cascading failure modes will arise out of unforeseen or emergent system characteristics as they are developed in an incremental and ad hoc fashion, especially where more sophisticated technologies are added to an already ageing physical infrastructure.

A common concept between smart cities and critical infrastructure is cyber physical systems with city as the platform or (CPS). There are a number of definitions of CPS. Common features effectively describe control systems, networked and/ or distributed, incorporating a degree of intelligence (adaptive or predictive), and work in real time to influence outcomes in the real world. These definitions point to the diverse nature of CPS found in transportation, utilities, buildings, infrastructure, manufacturing, and health care. Although CPS have similarities with traditional data processing systems e.g., their networked or distributed nature and a degree of automation, the real-time nature of their interactions with the physical world is a significant difference. Interactions are sensors detecting and measuring physical parameters with actuators to control physical processes. Feedback loops allow data about the environment and the physical processes to be collected and computed. Actuation may be automatic or by an alert to a human operator. Critical infrastructure systems are CPS, whose failure would have economic or social impact. Society expects systems will operate in a safe, secure and consistent manner. In response to environmental, demographic and societal pressures, cities may no longer conduct business as usual. Traditional city models are no longer appropriate, as transport and utility infrastructures become unsustainable and require significant investment. Some cities have embraced the concept of the ‘city as a platform,’ a hyperconnected urban environment that harnesses the network effects, openness, and agility of the real-time web. The focus has been on access to data, leading to development of smartphone apps and portals allowing citizens to ‘connect’ with city services and institutions.

To address cyber security requirements, we need to understand the proliferation of functions in this hyper-connected world. Where functions in individual CPS interact, they will create new functions that will proliferate over time. To protect these complex systems, we need to understand their network of functions, relationships and interdependencies. A study of critical infrastructure interdependencies led to the identification of six dimensions, which can be used to examine CPS and supporting infrastructures:

  • Type of interdependency e.g., cyber, physical, logical or geographic.
  • Environment e.g., business, economic, public policy, legal, regulatory, security, technical, health/ safety, or social/ political.
  • Coupling and response behavior e.g., adaptive, inflexible, loose/tight or linear/ complex.
  • Infrastructure characteristics e.g., spatial, operational, organizational or temporal.
  • Type of failure e.g., common cause, escalating or cascading.
  • State of operation e.g., normal, stressed/ disrupted, restoration or repair.


Identifying critical city infrastructure in every smart city project is of prime importance. Whilst there are a number of definitions for critical national infrastructure, from a city perspective the concept of critical infrastructure is not well defined. The UK’s definition of critical national infrastructure (CNI) is: “Those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends;” where criticality is determined based on a criticality scale, which assesses impact of events or scenarios on a national scale. From a city perspective, the criticality addresses elements necessary for the delivery of essential services to the populace who are resident and/ or work in the city, and their impact is focused at city rather than national level. The critical infrastructure must encompass both the city’s normal operating state, and its ability to effectively respond to natural or other disasters. The definition of a city’s critical infrastructure translates the principles underlying criticality at a national level to apply them at a city level based on four factors:

  • The impact on delivery of essential societal functions and services e.g., to provide water, food and shelter, and to maintain law and order.
  • The economic impact on the well-being and viability of the city e.g., the ability to operate as a business and financial center and provide employment.
  • The impact on life, health and well-being of city occupants e.g., to provide medical and social services to protect and care for citizens.
  • The ability to respond to major incidents or disasters e.g., to provide emergency services including sites to manage emergency operations and to provide housing in the event of a disaster.

The future city will be a complex environment comprising a variety of technologies, existing and emerging. The cyber security approach may vary considerably, depending on factors such as assets and systems complexity, ownership and use.

With the increasing sophistication and integration of city systems and the need to protect their growing populations, there is a need for city planners to consider risk, resilience, asset security and cyber security in a holistic manner. An analysis framework needs to be constructed holistically for each individual system. The below frame work was tested on the CCTV and area management systems in the United Kingdom.

The approach used to test the framework was to identify the set of affected systems, which included a number of control rooms. The context and role of the control rooms was examined, including the relationships between the areas of coverage. The resilience requirements were investigated, taking into account the need to manage major annual events and public safety incidents. Finally, the cyber security requirements and current systems issues were investigated. In collating the results a number of deficiencies were identified including a significant loss of capability following a system upgrade. The discovery of this loss and the rapid advances in the technology employed in ‘smart’ cities confirmed the need for regular reviews, to monitor changes in systems and infrastructure, and identify new dependencies and emergent functionality arising from systems integration or interconnectivity.

The smart city infrastructure will ultimately hook on to the ICS (Industrial Control Systems) database and Operations Technology (OT) infrastructure for a multiple flow of information. ICSs, which are a part of the OT environment in industrial enterprises, encompass several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other smaller control system configurations such as programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices (IEDs) and other field devices. ICSs were originally designed to increase performance, reliability and safety by reducing manual effort. Security was achieved by physical isolation, or a so-called air gap (security by obscurity). It is only a matter of time before a lot of ICS information is routed to sophisticated applications across enterprises through a wide area network where security by obscurity no longer offers valid protection. Governments plan to connect ICSs to the Internet for projects such as smart grids and smart cities, which will significantly increase the risk of intrusion from malicious actors and ultimately affect these grids and cities.


The expectation of future cities is that the information and communications technologies, autonomy and CPS will be harnessed to deliver a safe, secure and sustainable environment for their rapidly growing populations. This dependence on technology is not without significant risk as the complex CPS that are already being developed will increasingly interact with each other. When the systems start to behave as a platform, the city becomes exposed to cascading failure modes, where apparently unrelated events may cause significant disruption or even loss of life. A consolidated frame work analysis, testing, simulations and subsequent contingency infrastructure can effectively mitigate these risks.

By Malcolm Cooper – Analyst, MitKat



By Malcolm Cooper – Analyst, MitKat

Click for Magazine version

Leave a Comment