09 May 2017

Smart and connected cities: Surmounting the challenges

Linkedin

The European Commission's Directorate-General for Energy recently published its final report on the study on ‘Smart Cities and Communities’, which looked at the opportunities and challenges faced when attempting to connect a city's infrastructure with the internet through the Internet of Things. The Report found that city-wide integration was rare in the majority of the sample cases it looked at. Instead, what was found were examples of ‘smart’ districts and specific sectors.

While the Report suggested that there were not many examples of city-wide ‘smart’ initiatives, there are places where this is being attempted. Singapore has been one of the early adopters of connecting their city's infrastructure, as part of its Smart Nation initiative. The initiative is trying to develop a national IoT backbone across the following five key domains: (i) transport; (ii) home & environment; (iii) business productivity; (iv) healthcare; and (v) other public sector services. In order to achieve this, the government has taken steps to try and create an open and collaborative approach by releasing machine-readable government data to the public and the private sector in order to crowd-source ideas and expertise. However, its Prime Minister has recently admitted the roll-out is not progressing fast enough. The challenges Singapore is facing in delivering such an ambitious project highlight the difficulties for any government or local authority in seeking to coordinate and connect so many parties, technology and data, and also aligns with the difficulties highlighted by the Commission Report.

Challenges

The challenges involved in connecting the infrastructure of a major city or town are vast. These would range from (i) the technical and logistical challenges in connecting innovative technology to old and, at times, antiquated equipment; (ii) the legal and regulatory approvals; and (iii) the challenges needed to create an agreed framework for the connection and sharing of big data. I have identified a high-level summary of some of the challenges that governments and local authorities would have to consider when embarking on such an ambitious project.

  1. Funding – The Report highlights the significant costs in implementing such ambitious projects. At a time where governments and local authorities are under increasing budgetary pressures, spending on such IT investment may be considered a luxury. To overcome such challenges, governments and local authorities have been known to partner with the private sector to get the approval of large-scale infrastructure projects. In addition to the funding benefits, there may be added benefits in having the private sector invested as a key stakeholder to increase its chances of success.

  2. Procurement – The need for a structured and consistent government procurement process is obvious, in order to ensure transparency and fairness. However, when dealing with constantly evolving technology, which is to be connected across multiple sites and with legacy systems, such a process can be prohibitive. This fixed process coupled with multiple stakeholders across various layers of government departments could stifle any attempts at innovation.

  3. Supplier lock-in – A customer's dependency on a single supplier is a common fear in large-scale IT projects. There are a number of benefits (both practically and commercially) for having a single ‘prime’ IT contractor running parts of a customer's IT estate; however, there are significant risks when it comes to wanting to use updated technology or simply exiting the relationship. In some cases, the existing IT supplier's knowledge of a customer's IT systems surpasses that of some of the customer’s own staff. More significant though is the system's interoperability with a new supplier's software/hardware. Large parts of a customer's IT estate is often built around the main IT supplier's software or hardware. A successful implementation of a ‘smart’ city would need a significant amount of flexibility to be able to adapt to changes to technology and connect to a wide range of third-party software and hardware.

  4. Ownership of data – The commercial and strategic value of the ‘big data’ that would be generated by such an initiative would be significant and it would not be surprising to see the IT suppliers wanting at least partial ownership of this data. The contractual structure of the relationship will more than likely determine the outcome of the ownership question. If the engagement with the IT provider is based on a simple ‘customer-supplier’ relationship then the government or local authority is likely to have more success in seeking to own the data. However, if the relationship is based on a public-private partnership, as set out under Funding, then the IT providers are likely to want to benefit from the data as added consideration for their investment.

  5. Security – One of the most obvious challenges in creating a ‘smart’ city is identifying and remedying the security vulnerabilities. Connecting critical infrastructure to the internet and placing significant data in the cloud increases the risk of hacking and other forms of cyber-attacks on the connected infrastructure. The frequency and level of sophistication of these cyber-attacks have increased significantly over the years, witness the allegations of state sponsored cyber-attacks during the recent US elections. How the infrastructure is connected will also present risks. The IoT is largely reliant on Wi-Fi, as a means of connecting non-smart devices to the internet. Many unsophisticated IoT devices allow for auto-connecting to various networks, meaning a device will follow the strongest Wi-Fi signal in order to make a connection. If the critical infrastructure was then Wi-Fi enabled, without the necessary encryptions and firewalls, it would not be difficult for hackers to intercept the connections.

  6. Data protection – The type of data collected as part of a ‘smart’ city development will play a large part in determining the data protection risks. Citizens of most large cities will be familiar and relatively comfortable with being monitored via CCTV. However, the monitoring and tracking potential of a ‘smart’ city may leave some citizens feeling uneasy. The ability for governments to combine a wide range of data on individuals from connected devices will present many risks, as this is likely to lead to the profiling of individuals without any legitimate purpose. It is difficult to see how governments or local authorities could obtain consent for such mass collection and use of such personal data, especially when some of this data may include sensitive personal data, such as information relating to an individual's health. Any government or local authority looking to implement a ‘smart’ city will also need to navigate the applicable data protection legislation in its jurisdiction, which is likely to become more complicated in Europe when the GDPR comes into force in May 2018.

  7. Responsibility and cross-dependencies – Large IT infrastructure projects often involve a number of parties. In such scenarios, there is usually a prime supplier who will take ultimate responsibility for the co-ordination and delivery of the various software/hardware providers. In these large projects there are a significant number of cross-dependencies where one small piece of software can jeopardise the entire project. Where such cross-dependencies exist, it may prove difficult to determine whether the failure was down to the connecting software/hardware, the communications network, the legacy equipment it is connected to or whether it was as a result of the installation.

  8. Liability – The government or local authority would need to consider whether to prime this project themselves or take on a third-party IT supplier to run the project. While there would be a long line of IT providers willing to take on such a project, the government or local authority will need to be confident that the supplier can ‘scale-up’ its skills to deliver on a project of such size. It will also be difficult to gauge how successful a government or local authority would be when agreeing on appropriate liability caps. The potential losses a government or local authority could face in the event of a connected infrastructure failure could be huge, yet it will be difficult to get any IT supplier to agree to wide uncapped liabilities under an agreement.

Insurmountable Obstacles?

The delays faced by Singapore in its Smart Nation initiative evidence the difficulties in implementing such a project. However, none of the issues identified above have yet proved fatal to the project. Singapore's collaborative approach is welcomed as it seeks to get private sector and citizen ‘buy-in’ to the project. By making key government infrastructure data available to the public, those involved are also crowd-sourcing knowledge and expertise in what is an innovative approach to managing the city's infrastructure. This will also allow input from small IT suppliers, individual coders and engineers rather than solely relying on the established big IT suppliers.

The Commission's Report also offers practical suggestions on trying to overcome the challenges above. In particular, with respect to the supplier lock-in, ownership of data and responsibility and liability risks, the Report stresses the importance of getting this right at the procurement stage, by setting out a framework-style agreement whereby key provisions are committed to from the outset and a collaborative culture is built into the main principles of the contract. Interoperability requirements, open standards and the purchase of commercially off-the-shelf products should also help to avoid over-reliance on one supplier and thus minimise the risk arising from a single point of failure.

Regarding the cross-dependency risks, the government or local authority will need to include cross-dependency obligations on the various suppliers to ensure a ‘fix-first, identify-cause-second’ approach due to the criticality of the infrastructure. We have seen such clauses work in large-scale IT projects where a detailed review of the system failure is conducted after the event and the responsible party is then required to cover the costs.

In order to limit the security risks, a significant investment in IT security products and expertise will be needed. A key principle in any security policy will be ensuring that an attack on one part of the ‘smart’ city can be easily isolated and contained, without affecting the rest of the city's infrastructure through a series of virtual gates and firewalls. This is especially true if the ‘smart’ city is centrally managed through a single coordinated system. A detailed and regularly tested business/city continuity plan will also need to be put in place as, depending on the level on interconnectivity between a city's core systems, such attacks could bring down a city's entire infrastructure. The data protection requirements that a government or local authority would need to navigate through would need a comprehensive review of what would be collected, and its intended use, to understand what the risk is. To the extent personal data is not necessary for the provision of services, anonymising such data should be considered. This may be of particular importance if the project was on a public-private partnership basis with the IT provider looking to have a greater say in how the data is used and potentially commercialised.

It is likely that many governments and local authorities would initially pilot a ‘smart’ town or district before rolling-out a wider implementation. In such circumstances, it is crucial that a scalable framework is established from the outset to ensure that such connections can easily scale up to operate across a city. Maintaining a scalable framework would make it easier for a national government or local authority to replicate such connections to further cities or towns in its jurisdiction.

Conclusions

While the consumer demand for the IoT has attracted most of the media attention, this technology offers businesses and governments, both national and local, huge opportunities. The ability for embedded sensors on motorway junctions to provide real-time traffic data to the relevant authorities could offer significant improvements and efficiencies to an area's roads and traffic management. As an example, the UK in particular has seen significant investment in ‘smart’ motorways allowing for variable speed limits to be instantly put in place to reflect upcoming traffic issues, as well as opening hard-shoulders as an extra lane during peak times.

Many of the challenges identified above are on the basis of this being a government/local authority roll-out of a single project, whereas, in reality, a ‘smart’ city is more likely to involve a patchwork of connected infrastructure with various government departments having oversight and responsibility for each sector (eg energy), which would have been rolled out at different times with different IT service providers. While this approach may not lead to the seamless connectivity for those envisaging a future resembling a sci-fi movie, it could avoid the risk of a single point of failure arising for such critical infrastructure.

First published by Society for Computers and Law.

Linkedin

KEY CONTACT

David Berry

David Berry
Senior associate

T:  +44 20 7809 2269 M:  Email David Office:  London