Security is one of the key elements of the Smart City. The information exposed on the smart infrastructure of Smart Cities can be the target of potentially dangerous cyber attacks, not only to gain control of particular users or companies, but to gain control over whole energy or management infrastructures, not to mention the privacy concerns if surveillance networks are compromised. McAfee is one of the first security companies to speak openly about safety in the context of smart infrastructures that are being used as we speak.
So far its deployment is neither global nor massive, but it’s a continuous process of innovation and discovery, and in this sense security has to be part of this process from the beginning. We had the chance to meet Raj Samani some weeks ago at the McAfee EMEA Labs Day event and to chat about this subject. Raj Samani has extensive experience in cyber security and it was a great opportunity to get a deeper insight into the risks and trends related to Smart Infrastructures.
Security has evolved a lot recently, from viruses to financial issues and those about identity or privacy scandals such as the latest NSA PRISM issue. How does this influence companies such as McAfee that are devoted to solving security issues?
The threat landscape is constantly evolving, absolutely! We have a dedicated team focusing efforts on these threats, with technology in place to ensure that we understand the exact nature of this landscape so we can solve security risks for our customers.
The word Smart seems to be magic in the technology world, from Smartphones to Smart Cities. What is the relationship between Smart and Security? It is said that the smarter a device or service is, the worse the security issues associated with them are. Now we talk about protecting assets such as information, money or a digital identity, but it seems that our lives will depend on Smart Cars or Smart Cities in a few years. A failure in those Smart Systems could potentially compromise our lives or our health. How do these trends influence security companies?
Well, it’s a good question. I would suggest that the term Smart refers to the functionality of a given device, you raise the point about the phone. Consider the functionality of a phone 5, or even 3 years ago compared with those of today and the term Smart is definitely appropriate.
If we move this discussion then into security, the greater functionality and requirements that these devices end up having will naturally increase the attack surface. What I mean by that is: consider the amount of code required to support all of these new functions, or consider the level of connectivity required. Naturally, with greater functionality, some of which, as you point out, could be used as a critical component of our everyday lives, providing security controls is imperative in terms of ensuring that the devices operate in the way we expect them to.
McAfee is working on projects related to the security of the Smart Grid. Why did McAfee start researching in that direction and when? Is there any relationship between this interest and any documented attempt to hack energy infrastructures such as nuclear plants?
Our interest in Critical National Infrastructure (CNI) is in part due to our approach towards connected security. The fact that the world of tomorrow will have a multitude of devices outside of the normal devices we encounter, and all of these will need not only security, but also an effective way of managing, and correlating the information that they generate.
Energy is one of the Smart City’s key elements. How is it going to change (how is it changing) to be able to fuel the cities of the future? Is security part of the Smart Grid’s architecture or is it deployed once the Smart Grid has been built? Are there standards for security in the Smart City or the Smart Grid? Who is defining these security protocols or mechanisms and how secure are they?
Well, there are a number of various projects associated with defining the standards as they relate to Smart Energy, Smart Cities and Smart Grids. One for example is the work being done in Brussels with the Smart Grid Task Force, and our role is specifically within Expert Group 2 (EG2). The intention here is to work with key stakeholders and define the guidelines for security and privacy controls to be integrated within Smart Grid deployments.
Of course the privacy element will already be covered within existing legislation as it relates to data protection, but these guidelines aim to apply the expertise from the working groups as to their implications related to the Smart Grid.
Could you elaborate on the projects McAfee is involved with, related to the Smart Grid and its security?
Lots! We have recently announced our partnership with Alstom Grid, and the whitepaper should give an indication of the landscape. We will shortly also announce a series of Proof of Concept projects with major utilities in this area.
Which are the security risks you have to face as a security expert? I guess there are security issues nobody was able to foresee years ago. How secure will the Smart Grid or the Smart City be once they become a reality?
Thank you! Even though we work in this industry we are also consumers like everyone else and still face the same concerns as they relate to the Internet. For example when my kids are online will they be faced with unsuitable content or unsavoury characters that try and communicate with them?
However it is difficult to predict what will be reality in the Smart City of tomorrow. The only thing I would say is that McAfee are working hard to develop the technologies to ensure that we stay one step ahead, but also with our partners, and utilities to develop standards to incorporate security and privacy controls into the design of tomorrow’s Smart City.
Apart from the Smart Grid, are there any other Smart elements McAfee is planning to secure? It is said there will be Smart Networks linking cars on the roads, or smart infrastructures for water or finances based on wireless or wired infrastructures with hundreds of millions of Smart devices running quite a number of operating systems. The cloud is another relevant trend both for consumers and companies.
All of the above! Stay tuned – we have some really exciting projects and announcements planned.
Working with the Smart Grid means working with an enormous amount of data. Which tools do you need to use to manage the security of the Smart Grid in the Big Data context?
Absolutely and we are working with partners to ensure that the data within this context is well secured, but also that it adheres to the regulatory frameworks as it relates to data protection. There are some remarkable opportunities for consumers as they relate to this data (Personal Data Economy), so it is important for the industry to help them realise this.
Is the Internet ready to face the security problems of the future? Or should the Internet be redesigned to accommodate the security protocols needed to protect our assets or even our lives?
Well the Internet is constantly evolving, and new technologies and standards are always becoming available. Take IPv6, but the threat landscape is also constantly evolving so we must constantly out-innovate the bad guys.
Now, when projects such as PRISM are already disclosed, one question most people ask themselves is about privacy. Should we close our eyes and accept the fact that those who control the networks are going to ‘spy’ on us or ask for mechanisms to protect our data from this kind of unapproved access?
When is this Smart City concept going to be a reality? Not just as isolated projects but as a global movement.
It has already begun…
Raj currently works as the VP, Chief Technical Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK. He volunteers as the Strategy Advisor for Cloud Security Alliance EMEA, and is on the advisory councils for Infosecurity Europe and Infosecurity Magazine. In addition, Raj was previously the Vice President for Communications in the ISSA UK Chapter, having presided over the award for the Chapter communications programme in the years 2008 and 2009. He has had numerous papers published on the subject of security, and has appeared on television (ITV and More4). Additionally he collaborated on the 2006 RSA Wireless Security Survey and was part of the consultation committee for the RIPA Bill (Part 3). Raj is also the author of the upcoming book Applied Cyber Security and the Smart Grid. He can be found on Twitter @Raj_Samani.