Austin, Texas is a city long known for its hot live music scene, its hip art and tech presence combined with a laidback country style, and its wildly popular SXSW festival every spring. But, like the popular kid that also wants to be known for intelligence, Austin is increasingly building its rep as a “smart city”—and those smart systems need to be secured.
Managing the greater complexity and more constant demands of the so-called smart city, particularly making sure the collected data makes transit safely and is not altered or stolen, can be even more challenging than it may sound, according to Kyle Chambers, security analyst for Austin Energy. Chambers presented his experiences on “Securing the Smart City: Data Handling Controls,” at the recent ISC(2) Congress, which was held in Austin, Texas.
The central Texas city has modernized its electric grid, completely replacing traditional mechanical electric meters with state of the art “smart meters”, electronic devices which utilize software to more accurately measure the amount of electricity used at each point in the day, to provide more frequent and accurate readings directly to the city via radio frequency waves.
Smart meters are promised to allow for remote (rather than in-person) meter reading, and provide for faster response during outage and better billing, payment and energy management options for businesses and consumers that use them. Smart meters could even support a reduction in or elimination of rolling brown-outs in power. In Austin, smart meters conduct automated reads every 15 minutes, according to Chambers, offering more granular data up to the city.
But, whenever there is more data being collected and transmitted, there is more risk of data leakage. Initially, Chambers said that Austin Energy “did not even know where all the automated meter information [was] going.” The risk of potential data loss has not escaped the attention of top energy department and government officials, who realized early on that the city needed to fix its vulnerabilities and put technical controls in place to secure the data, Chambers said. Hence, here was Chambers advice for staying atop the new demands of smart city cybersecurity:
Involve other departments. While IT may want to take the lead on such projects, it is important it get legal, network operations, compliance and other related units in the huddle to determine the “ability for recourse, workforce requirements, and the regulatory language” and demands to make sure risk is mitigated in this new environment, according to Chambers.
Consider the security costs. When it comes to support services, information security and technical controls, project leads need to be aware of how much they are costing an organization (in comparison to how much is being saved). “I need to be aware of how much my plan is costing the organization, every step of the way,” Chamber says. “Because the demands of the business will win, every time.”
Get everything in writing. The smart city project opened the city of Austin up to the concept that not every company (or vendor) defines personal identifiable information (PII) the same way. Based on the differing “language” alone, agencies and companies must make sure they are on the same page when it comes to controls and deliverables.