As cities aggressively adopt “smart” technology — especially in the very public-facing transportation and safety arenas — municipal auditors will increasingly find themselves facing a new version of a familiar risk: cybersecurity. The underpinning of Internet-of-Things (IoT) connectedness that makes smart tech so smart is also its Achilles’ heel, offering hackers access, on a vast scale, to all kinds of complicated technologies — and the people they affect. And countering that risk may require new internal audit skills and tools.
When the technology works, smart sensors create massive amounts of data that trigger mechanical responses: roadways charge electric vehicles as they pass above; connected cars find the best parking spots. But cybercrime experts take smart tech risks — and their implications for municipalities — quite seriously, painting a dark future portrait in the event things go awry. What would happen, for example, if cybercriminals made every traffic light in a city green at the same time or scrambled the entire grid’s color cycles during rush hour? What if they completely shut down the city’s smart power grid? What if an attacker targeted water and sewage systems, tampering with automated meters that detect and respond to flood conditions?
Auditors take those risks seriously, too. “The benefits that smart and emerging technologies can deliver are accompanied by multiple new risks,” says Tonia Lediju, chief audit executive (CAE) for the City and County of San Francisco. “We need to ensure that cities have the right security governance, processes, and controls in place.”
Smart City by the Bay
In San Francisco, there’s a lot of smart tech to audit. Lediju says it’s one of the leading smart cities globally, and it’s working on even more smart mobility solutions — often in partnership with private companies or with the U.S. federal government. Initiatives include smart traffic signals, an electronic toll system with congestion pricing, and autonomous electric shuttles to Treasure Island in the San Francisco Bay. The city also uses smart parking meters that change prices according to the time and day of the week.
Lediju says her auditors tackle the new risks of smart tech head-on. The City Services Auditor Division assists the various city departments affected by new transportation technology, for example, in understanding the risks, monitoring the application controls designed to rein them in, and crafting preventive responses. Lediju says her team’s annual work plan includes auditing new technologies when deemed necessary, based on a risk assessment.
The division works closely day to day with the City and County of San Francisco’s Department of Technology, its Committee on Information Technology, and the departments adopting new technologies to ensure all risks are managed adequately before adoption, Lediju says. She follows three key steps: understand the pipeline of emerging technologies being considered, identify risk trends, and help departments actively manage risks as they navigate relevant regulations.
In the cybersecurity space, the City Services Auditor Division “identifies systems’ vulnerabilities and risks through penetration and assessment tests, and recommends remediation,” Lediju explains. Testing encompasses several areas, including cybersecurity framework adoption, security awareness training, IT governance, systems and network security, and business continuity.
“We also contribute insight gleaned from our extensive scope of work to help departments evolve and improve their strategies and protocols to better prepare for cyberattacks,” Lediju adds. Her team’s work is based on the Cybersecurity Framework Core Functions outlined by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST): identify, protect, detect, respond, and recover. The City Services Auditor Division, she notes, also makes recommendations based on the CIS Controls and CIS Benchmarks guidance developed by the Center for Internet Security (CIS). “The CIS recommendations highlight for clients the numerous opportunities for control and process improvements or other enhancements that could ultimately increase their effectiveness in managing data security and fulfilling the organizations’ missions and goals in serving the city,” Lediju says.
Sweden’s Smart Tech
At Sweden’s Borlänge-based Trafikverket — the Swedish Transport Administration — the audit unit also gets involved early on, says Peter Funck, CAE. “The Agency,” as he calls it, is the national government authority responsible for public roads and railways; Funck’s office focuses on the planning and development phases, which is where he says his unit delivers the greatest added value. Audit and The Agency, he adds, have learned to manage large software and infrastructure development projects in similar ways, meaning audit is involved “several times before coding starts, as well as before the first spade is put in the ground,” Funck says. That’s been the case with two of Sweden’s key smart tech endeavors:
- The European Rail Traffic Management System (ERTMS) is a major industrial project underway in the European Union, Funck notes, and Sweden is one of the early adopters in developing and implementing it. ERTMS is a safety system that “enforces compliance by the train with speed restrictions and signaling status,” he says.
- Sweden is also developing a national system for controlling and scheduling all trains that will integrate train operator scheduling. “It’s one of the biggest software-based projects ever in the country,” Funck says. “The project brings a lot of opportunities, but, of course, size and complexity imply challenges: Will it work? Is it safe?”
Funck points out that his unit audited both the ERTMS and national integration projects several times, before they were even deployed on a test basis. “Those audits had different focuses,” he says, “but the common denominator has been whether internal controls provide prerequisites to make it work and make it safe.”
The projects aren’t yet far enough along for after-the-fact performance audits. But Funck notes that, in all of his office’s smart tech projects, health and safety, including terror attacks, are the largest risk concerns. “Information security often brings those risks down to some kind of acceptable level,” he says. Indeed, Funck emphasizes that available information security technology in general is up to the smart tech challenge; the bigger problem lies in people and their roles in keeping smart cities humming.
Funck adds: “There is always a need for some kind of security and safety risk acceptance in developing business processes to balance with productivity requirements.” At the end of the day, he points out, “railroads and roads are safer if we remove all trains and cars.”
Data and Privacy Safeguards
Jim Thompson, city auditor in the Albuquerque Office of Internal Audit (OIA), takes smart tech in stride, too, though he’s also well aware of the risks it poses — including those related to cybersecurity. “OIA performs an annual risk assessment of the city, which includes consideration of the city’s information technology risk,” he says. “As the city increases its use and reliance on information technologies, including smart technologies, the risk of cybersecurity and data breach — as well as the liability risk — increase.”
The city’s Technology and Innovation Department maintains internal controls over IT and also uses outside experts for IT vulnerability risk assessments and intrusion testing. Thompson maintains in-house technology expertise on his team as well. One senior information systems auditor, he says, holds several IT certifications, including CISA, CITP, and ITIL v3 Foundation.
The City of Albuquerque, Thompson says, has implemented various smart technologies, including government document and data transparency, ride apps, enhanced wireless access, and online police services. Planned audit engagements assessing privacy concerns will target some of those enhancements. “Our annual audit plan this year includes an audit of all city systems and devices that contain personal identifiable information [PII],” Thompson notes. “Some of the city’s smart technologies will be included.”
Thompson says the audit will consider whether the city maintains a listing of all systems and devices containing PII and if it has controls in place to classify and safeguard PII correctly, including intake points, release and data sharing points, and storage. It will also examine whether individuals with access to the city’s computer environment are trained on and aware of their responsibility to safeguard PII and what to do in the event of a data breach. OIA will consider federal, state, local, and contractual requirements for PII and compare the city’s current practices with IT governance framework best practices recommended by ISACA’s COBIT framework, as well as NIST.
Down the Pike
For municipal auditors who are not engaged to audit their city's smart tech right now, there's a good chance they will be soon. Indeed, Kansas City, Mo.'s Chief Innovation Officer Bob Bennett declared last year at the Smart Cities Connect Conference and Expo that municipalities that don't get on the smart tech bandwagon soon will find themselves part of a "digital Rust Belt."
- 66 percent of cities say they're investing in smart tech, according to a 2017 report from the National League of Cities called Cities and the Innovation Economy: Perspectives of Local Leaders; one-fourth of the rest are looking into it.
- International Data Corp. reported in January that worldwide spending on smart cities initiatives would reach $95.8 billion in 2019, an increase of 17.7 percent over 2018; by 2021, the total could hit $135 billion. Singapore, New York, Tokyo, and London are expected to invest more than $1 billion each this year, IDC added; the applications receiving the most funding are fixed visual surveillance, advanced public transit, smart outdoor lighting, and intelligent traffic management.
- IoT Analytics said late last year that there were 17 billion connected devices worldwide; the number of IoT devices — excluding smartphones, tablets, laptops, and fixed line phones — was pegged at 7 billion. "The number of IoT devices is expected to grow to 10 billion by 2020," the firm points out, "and 22 billion by 2025."
- Mobility is the most common area for smart tech investment, according to the National League of Cities report. Other key applications include lighting solutions, security, and utilities management, according to the McKinsey Global Institute 2018 report, Smart Cities: Digital Solutions for a More Livable Future.
Protecting the Vision
Chattanooga, Tenn., City Auditor Stan Sewell also points to cybersecurity risk associated with his municipality’s emerging technologies. And while it’s not the No. 1 priority, the city’s tech-focused initiatives provide ample reason to ensure online security issues are addressed. “It’s definitely a risk, but it’s more of a ‘black swan’ concern,” he says.
Chattanooga’s Smart City Division, which manages street lights and traffic signals, acknowledges that “technical challenges may result from our vision in cybersecurity, hacking, and privacy issues.” “Vision” in Chattanooga includes autonomous vehicles and robust vehicle-to-vehicle and vehicle-to-infrastructure communications. The city won a 2019 Smart Cities Connect Smart 50 Award, a global recognition of transformative smart city project work, for its Chattanooga Smart Community Collaborative research partnership.
Sewell’s primary concern is supervisory control and data acquisition (SCADA) systems, composed of computers and both wired and wireless data communications modules that provide remote access to and control of a city’s infrastructure processes. “SCADA systems are vulnerable to cyberattacks,” he says, “which are occurring with an increased frequency.” A cyberattacker could gain remote control of the city’s water treatment, for example, “commanding the release of wastewater or sending false pressure sensor data, resulting in a catastrophic failure of water pumps and controls.” Sewell adds: “The various smart technologies increase the number of potential access points to enter the city’s systems to gain access to other areas.”
Tried and True
In some municipalities, the audit function’s treatment of smart tech doesn’t differ much from how it handles other city initiatives. Smart tech constitutes a largely routine subject, for example, for the City Auditor’s Office in Kansas City, Mo.
City Auditor Douglas Jones says he is aware of many of the city’s initiatives, one of which earned Kansas City a 2019 Smart 50 Award; plus, he knows smart tech is “timely and topical” and that it poses some reputation risk, as well as risks related to IT and operations. But from his perspective, newness can work against a program’s auditability. “It often makes little sense to audit a program with no track record,” he says. “And there’s always risk with a new program.”
Indeed, smart tech, Jones emphasizes, is “just one more thing that would be in our universe of potential audit topics. We cover everything from airports to the zoo, and we don’t put a specific emphasis on one thing or the other.”
Austin, Texas, another 2019 Smart 50 Award recipient, also places high priority on leveraging tech. In fact, Assistant City Auditor Andrew Keegan says Austin is trying to use its technology to help save lives. “Austin is committed to a Vision Zero plan, which calls for zero fatalities or serious injuries resulting from vehicle collisions by 2025,” he explains. “Part of that plan is focused on implementing new technologies.”
But Keegan’s team likely won’t be involved until after those plans and programs have been implemented. “Selecting a particular technology to audit depends on the risk posed by the new technology as compared to other risks facing the city,” he says. “This is our practice regardless of the topic.” Indeed, right now, his office is conducting an audit related to motorists’ well-being. “While part of that project includes reviewing the implementation of new technology,” he comments, “the audit is focused on the general issue of traffic safety.”
Amanda Noble, city auditor in the City of Atlanta’s City Auditor’s Office, notes that Atlanta has implemented smart mobility tech, but she, too, says the audit function didn’t have a role in assessing risk on the front end. “As the city was implementing the technology, we became aware of it and went to a demonstration,” she says. “But we looked at the data the city was connected to and its potential uses in risk assessments and audit work. We hadn’t thought about auditing the technology itself.”
Would it help? “I think it would,” Noble says. She notes that her team has assessed controls on financial systems installations, but “possibly because smart tech is not financial data, the audit function has not been asked to play a role.” Stakeholders viewing the profession as dealing primarily with financial information can be frustrating, she adds, in the face of internal audit training that emphasizes the importance of foresight in all areas of the enterprise.
“So much of our role is looking backward,” Noble says. “There’s not really a process for emerging risk, unless we do it as one-offs. There’s nothing systematic.” She adds that resource constraints limit the audit function’s ability to tackle emerging issues, so new risks may not be audited until nearly a year has passed. She’d like to do more.
“Decision-makers value our input,” Noble emphasizes. “We need a way to assess and report on emerging technology.”
Expanded Services, New Skills
Lediju sees a balance between tried and true audit services and helping organizations see around the corner. “We’ll need to remain focused on our existing foundation of auditing standards and principles to detect internal control weaknesses and fraud risks,” she says. “But the profession must be ready to take on more of an advisory role and help cities keep pace with and get ahead of emerging risks, maintaining its unique perspective on people, processes, and governance when striving to strengthen its risk management programs.”
Because of the specialized knowledge required for new and smart technologies, she adds, internal auditors who possess a mix of business and technology skills will be needed. In fact, more of them will be needed. “Smart tech requires more internal audit resources because the pool of tools is constantly expanding and being used for various operations across government services,” Lediju explains. As a result, she says, information and software oversight and accountability, including human and technology resources, become more necessary.
Internal auditors will need to adopt new tools and techniques, she adds, such as artificial intelligence and blockchain auditing and reconciliations, to increase continuous audit activities, rapidly pinpoint control gaps, and identify nonconformance and process improvement opportunities in real time. She says her office “currently relies on outside contracting and consulting services to keep abreast of the rapidly evolving trends and practices in technology, governance, security, and privacy relevant to the respective technologies.”
Lediju adds: “With the requirements of continuing professional education and the goal to help businesses and government adopt best or leading practices, internal audit can remain a necessary and beneficial agent of change.” Maybe, in fact, the profession could do more when it comes to smart tech.
The risk issues every public entity project faces are amplified when the connectivity required for smart technology is at play.
- Human error. Hackers are one kind of human risk; simple mistakes are another. Often overlooked as a threat, the public entity employees who read the meters and monitor the system outputs — and decide when to override — are likely inexperienced with smart city technology, Risk Management magazine noted recently. Their ethics and judgment may also come into play in a smart tech crisis.
- Technical difficulties. The connectedness needed for smart technology to work may require integrating powerful, cutting-edge IT infrastructures with, as Travelers calls them in its 2017 Public Safety for the Smart City report, "legacy IT infrastructures that may not be fully up to the task of handling the extreme volumes and types of data." This includes, for example, the vehicle-to-infrastructure data that smart devices generate. Plus, sometimes software fails, or lightning strikes, or the power goes out.
- Complicated connections. Many smart tech projects, especially in transportation, involve public sector entities, academia, and private industry — and each often has its own data management infrastructure already in place. Many also involve multiple — in some cases, dozens of — local, county, and state jurisdictions. The City of San Diego General Plan, for example, includes a "mobility element" that will guide implementation of the city's part in the multi-stakeholder Mobility 2030 Regional Transportation Plan prepared by the San Diego Association of Governments, an organization of 18 local and county public entities. In addition, Southern California is a national Intelligent Transportation System Priority Corridor Program participant; the Southern California Association of Governments represents six counties and 191 cities.
Even the familiar risks posed by smart tech can cause greater concern to internal auditors because of their vast scale — especially if, as Risk Management puts it, "policies, procedures, and training do not adequately address the new capabilities." Additional education and new tools may be required to meet the challenge.