The digital transformation will continue to decisively change the economy and society in the coming decades. The Internet of Things (IoT) plays an essential role in the networking of the analogue world. The handling of sensors and communication modules as well as their integration in cloud applications are the prerequisite for new applications and business models.

The term 'Smart City'

The digital transformation in the municipal environment includes not only classic administrative services, but increasingly also infrastructures for services of general interest, such as the transport network and associated transport options, water and energy supply or waste and wastewater disposal. These activities are often publicly associated with the term "smart city". In a smart city, intelligent information and communication technology (ICT) is used to increase participation and quality of life and to create an economically, ecologically and socially sustainable municipality or region. Therefore, the term "Smart Region" is also often used, which takes the "Smart City" into account.

The different sectors of a 'Smart City'

The following figure shows different sectors in which added value can be achieved through digitalisation.

In addition to the digitisation of individual sectors, the concept of the "smart city" also envisages their networking in order to exploit synergies. In the area of mobility, for example, the flow of traffic can be optimised to shorten journey times and reduce emissions. Digital services make it possible to reserve a free parking space, which at the same time provides the infrastructure for charging the electric vehicle.

Technical foundations

Data platforms are often used as the technical basis for networking individual sectors. These platforms bundle data from different sources and make it usable across the board. The following figure shows that these platforms are fed by sensors connected via various access networks and form the basis for controlling various actuators or other "smart city" applications.

The challenge of digitalisation

In addition to the positive effects of a successful digitalisation of utility services, their increasing influence on everyday life also brings with it an increased potential for risk. In order to be able to control this effectively, efficient processes are needed to identify relevant risks as well as the development of adequate information security measures and their implementation. According to the study "Zukunft wird vor Ort gemacht" (The future is made locally), published by the initiative „Stadt.Land.Digital“), 81 percent of the municipalities surveyed would like the federal government to support them in their digitalisation efforts. Primarily, they asked for support for specific projects or the provision of guidelines. In addition, most of the municipalities surveyed state that a lack of expertise is the main reason for not developing digital strategies. This shows that municipal actors have a need for digitalisation expertise, which also includes information security.

Recommendations for action

The BSI therefore carried out the project "Secure Municipal IoT Infrastructures" (SMIoTI) and, based on the results, prepared the publication Smart Cities/Smart Regions Informationssicherheit für IoT-Infrastrukturen with recommendations for action. These are intended to support municipal decision-makers and operationally responsible persons in orienting themselves in the environment of "information security of IoT infrastructures". The recommendations for action include the following four suggestions, which should already be considered in the planning phase of an IoT infrastructure in order to lay the foundation for secure IoT infrastructures:

1. Digitisation efforts in a municipality should lead to a digitisation strategy or build on it in order to establish a sustainable digitisation process including the necessary higher-level control.
2. Roles, responsibilities and possible stakeholders should be defined/identified to support a structured approach.
3. Use cases (especially their benefits) and their requirements (for example organisational, technical, financial, personnel, regulatory and especially security-related) should be discussed and documented in order to develop concrete objectives with added value and to enable forward-looking resource planning.
4. Based on the documented requirements, the need for protection and the protection goals of the processed data and information should be determined in order to identify and ultimately implement the necessary security measures.

Outlook

In many cases, the digitisation of municipal infrastructures for services of general interest is still in its infancy. Nevertheless, many municipalities are pushing ahead with the necessary processes in the sense of a smart city. In the future, high-availability communication networks and platforms for various IoT infrastructures with high demands on the integrity of corresponding systems will play an increasingly important role. Corresponding systems require closer examination in this regard. The BSI plans to define concrete security requirements on the basis of standardised and practice-relevant models. Using suitable test criteria, this will create the basis for verifiably secure components of municipal IoT infrastructures.

In order to be able to implement corresponding requirements consistently, an ecosystem is necessary in which all stakeholders are empowered to fulfil their roles appropriately. The BSI supports the establishment of such an ecosystem not least through these recommendations for action, the provision of IT-Grundschutz and a platform for the creation of IT-Grundschutz profiles by the user community, and the offer of certification for management systems and products.