S technology PROTECTING
S technology PROTECTING SMART CITIES Today, one of the most pervasive risks is ransomware attacking various government services, and cities are susceptible to attacks on network equipment and items. Websites and applications connected to IoT are at risk of exposure. And targeted attacks on infrastructure facilities are serious incidents. From energy and water management, video surveillance and others, IoT is a core part of enabling smart cities. Efforts around protecting the environment should encompass every level of the smart city ecosystem. “Unfortunately, many IoT devices have little or no protection at the software and infrastructure levels. They are often unsupported and have no updates from the vendor. Implementing IoT solutions on top of existing legacy systems, which were once standalone and unconnected, will also create vulnerable targets for cyberattacks,” says Bethwel Opil, enterprise client lead at Kaspersky in Africa. To respond to these IoT security challenges and provide help to companies and government departments requiring specific cybersecurity protection, activities on different levels must emerge. Fortunately, there is movement towards standardising the development and implementation of IoT platforms to make them more dependable and secure by design. “Effectively, smart cities can only be successful when all the stakeholders across specialist IT, business, government and the private sector work effectively together. No single service provider, government department or private sector business can try to do everything to deliver the environment for a smart city to succeed. For example, from a security perspective, Kaspersky contributes to this process by designing and developing components, including IoT gateways and other solutions based on the principles of cyber immunity,” adds Opil. This cyber immunity approach is a means to create solutions that are virtually impossible to compromise and that minimise the number of potential vulnerabilities. For smart cities this means protecting systems for buildings and public services such as those that enable public administration managers to control the consumption of water and heat – and much more. A smart city is a cyber-physical system, meaning both physical safety and digital security are essential for the smooth operation of city services. Cybersecurity practices for smart cities should include basic measures, such as encryption and strict password policies, vulnerability management, network segmentation and a zero-trust model, as well as firewalls and dedicated protection for any cloud infrastructures that the smart city’s systems and applications are connected to. Dedicated IoT security solutions, such as security gateways, need to be in place to connect IoT devices with business applications while ensuring the security of the communications and data transferring through them. In organisations where the IT infrastructure is connected to smart city objects and systems, endpoint and network protection with the ability to detect and respond to diverse threats should be used. “The harmonious fusion of the digital and physical worlds in a smart city can significantly improve citizens’ quality of life, increase the efficiency of urban utilities and strengthen the position of cities in the global digital economy, making them attractive to investors and contributing to dynamic growth. However, cybersecurity measures must be considered every step of the way if such cities of the future are to flourish,” concludes Opil. This has implications for market packages. All service unit costs should be attributable to one or more departments. This is straightforward when there is one-to-one matching between users and the services consumed. When platforms are shared or there are services that underpin other user-facing services, this clarity is lost. Hence, the packages must ensure some sort of an allocation of service-tower costs for shared elements. BEGIN WITH THE END IN MIND After transforming current-state services for IT infrastructure, the next challenge is articulating future-state services. Instead of defining these services, central agencies should focus on articulating high-level target-state requirements. They highlight the relative prioritisation of emerging technology trends, as well as the change in user segments and their needs. An effective strategy is to focus on target-state requirements to help suppliers understand the direction the central agency is headed and to signal a businessoutcomes focus in delivering IT infrastructure services. Short-term service needs, such as logical next steps for current and ongoing projects, should be clearly articulated. However, these needs should be positioned as directional, using the breadth of market capabilities to bring a fresh perspective to the business problems that these technical solutions are attempting to solve. BRINGING IT ALL TOGETHER Which service elements stay in-house depends on the approach chosen to ensure effective service management. There are many models to choose from based on size, complexity and final accountability for success. At one end of the spectrum is the monolithic model for integrated service management, where one supplier provides all service towers and is accountable for endto-end service delivery. The main issue with this model is supplier entrenchment and lack of competitiveness, which often leads to higher costs and a possible hostage situation. A variant of this, the prime subcontractor model, lowers the risks, but only slightly. A second model sources integrated service management through a supplier that is not delivering services in any of the service towers. This is typically combined with the help desk tower for a closed-loop service offering. The issue here is that the service manager cannot contractually take accountability for service levels achieved by the other suppliers because they are not under its control. Full accountability may be possible but at a significant price premium. In a third model, the central agency overseeing IT infrastructure drives integrated service management centrally, through the departments, or with a 18 | Service magazine
technology S combination of both, depending on the department size and segregation of infrastructure. The central agency holds the supplier contracts that define service levels expected from each service tower. The main risk with this model is in execution should the right people not be in place. While this requires fewer people, staff should have above-average capabilities in commercial, technical and servicedelivery roles. If risk appears insurmountable, then the central agency can use the second model above on a best-efforts basis using a third-party service manager. THE JOURNEY TO DIGITAL GOVERNMENT A well-planned agency approach that works effectively within the government structure and has a clear transition plan can produce results within a couple of years. Understanding the market by using collaborative procurement models and competitive service contracts with vendors should allow for needed flexibility as technology and the government’s specific technology needs evolve – all with an eye towards creating a digital government that can serve a municipality well for years to come. S Service magazine | 19
