Security arrangements for smart-city IoT technology around the world are in an alarming state of disrepair, according to a report from Forrester Research that argues serious changes are needed in order to avoid widespread compromises.

Much of what’s wrong has to do with a lack of understanding on the part of the people in charge of those systems and a failure to follow well-known security best practices, like centralized management, network visibility and limiting attack surfaces.

Those all pose stiff challenges, according to “Making Smart Cities Safe And Secure,” the Forrester report by Merritt Maxim and Salvatore Schiano. The attack surface for a smart city is, by default, enormous, given the volume of Internet-connected hardware involved. Some device, somewhere, is likely to be vulnerable, and with the devices geographically spread out it’s difficult to secure all types of access to them.

Worse still, some legacy systems can be downright impossible to manage and update in a safe way. Older technology often contains no provision for live updates, and its vulnerabilities can be severe, according to the report. Physical access to some types of devices also remains a serious challenge. The report gives the example of wastewater treatment plants in remote locations in Australia, which were sabotaged by a contractor who accessed the SCADA systems directly.

In addition to the risk of compromised control systems, the generalized insecurity of smart city IoT makes the vast amounts of data that it generates highly suspect. Improperly configured devices could collect more information than they’re supposed to, including personally identifiable information, which could violate privacy regulations.
Also, the data collected is analyzed to glean useful information about such things as parking patterns, water flow and electricity use, and inaccurate or compromised information can badly undercut the value of smart city technology to a given user.

“Security teams are just gaining maturity in the IT environment with the necessity for data inventory, classification, and flow mapping, together with thorough risk and privacy impact assessments, to drive appropriate protection,” the report says. “In OT environments, they’re even further behind.”

Yet, despite the fact that IoT planning and implementation doubled between 2017 and 2018, according to Forrester’s data, comparatively little work has been done on the security front. The report lists 13 cyberattacks on smart-city technology between 2014 and 2019 that had serious consequences, including widespread electricity outages, ransomware infections on hospital computers and emergency-service interruptions.

Still, there are ways forward, according to Forrester. Careful log monitoring can keep administrators abreast of what’s normal and what’s suspicious on their networks. Asset mapping and centralizing control-plane functionality should make it much more difficult for bad actors to insert malicious devices into a smart-city network or take control of less-secure items. And intelligent alerting – the kind that provides contextual information, differentiating between “this system just got rained on and has poor connectivity” and “someone is tampering with this system” – should help cities be more responsive to security threats when they arise.
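
An added example, not taken from the Forrester report or this article, of the asset mapping and contextual alerting described above: each event is checked against an asset inventory and site context before it is given a severity. The device names, event kinds, rain feed, work-order flag and severity levels are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed asset inventory (device id -> expected site); not from the report.
INVENTORY = {"cam-017": "lot-a", "meter-204": "pump-3", "sensor-311": "lot-a"}
# Constructed context feed: sites currently reporting heavy rain.
RAIN_SITES = {"lot-a"}

@dataclass
class Event:
    device: str
    site: str
    kind: str                  # link_loss | enclosure_open | config_change | heartbeat
    maintenance: bool = False  # assumption: True when a work order is open

def triage(ev, inventory=INVENTORY, rain_sites=RAIN_SITES):
    """Return (severity, reason) for one event using asset and site context."""
    # Asset mapping: anything outside the inventory is treated as a rogue device.
    if ev.device not in inventory:
        return ("high", "device not in asset inventory")
    if inventory[ev.device] != ev.site:
        return ("high", "known device reporting from unexpected site")
    # Physical or configuration changes are only benign under a work order.
    if ev.kind in ("enclosure_open", "config_change"):
        if ev.maintenance:
            return ("info", "change during open work order")
        return ("high", "physical or config change with no work order")
    # Connectivity loss: weather context separates "rained on" from "look closer".
    if ev.kind == "link_loss":
        if ev.site in rain_sites:
            return ("low", "link loss coincides with rain at site")
        return ("medium", "link loss with no environmental explanation")
    return ("info", "routine")

# Constructed sample events.
SAMPLE_EVENTS = [
    Event("sensor-311", "lot-a", "link_loss"),
    Event("meter-204", "pump-3", "link_loss"),
    Event("meter-204", "pump-3", "enclosure_open"),
    Event("cam-017", "lot-a", "config_change", maintenance=True),
    Event("cam-999", "lot-a", "heartbeat"),
]

def run(events=SAMPLE_EVENTS):
    """Triage every event and return (device, severity, reason) rows."""
    return [(e.device, *triage(e)) for e in events]

if __name__ == "__main__":
    for row in run():
        print(row)
```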