The European Commission’s
Directorate-General for Energy recently published its final report on the study
on ‘Smart Cities and Communities’, which looked at the opportunities and
challenges faced when attempting to connect a city’s infrastructure with the
internet through the Internet of Things. The Report found that city-wide
integration was rare in the majority of the sample cases it looked at. Instead,
what was found were examples of ‘smart’ districts and specific sectors.
While the Report suggested that
there were not many examples of city-wide
‘smart’ initiatives, there are
places where this is
being attempted. Singapore has been one of the early adopters of connecting
their city’s infrastructure, as part of its Smart Nation initiative. The
initiative is trying to develop a national IoT backbone across the following five
key domains: (i) transport; (ii) home & environment; (iii) business
productivity; (iv) healthcare; and (v) other public sector services. In order
to achieve this, the government has taken steps to try and create an open and
collaborative approach by releasing machine-readable government data to the
public and the private sector in
order to crowd-source ideas and expertise. However, its Prime Minister
has recently admitted the roll-out is not progressing fast enough. The
challenges Singapore is facing in delivering such an ambitious project highlight
the difficulties for any government or local authority in seeking to coordinate
and connect so many parties, technology and data, and also aligns with the
difficulties highlighted by the Commission Report.
Challenges
The challenges involved in
connecting the infrastructure of a major city or town are vast. These would
range from (i) the
technical and logistical challenges in connecting innovative technology to old
and, at times, antiquated equipment; (ii) the legal and regulatory approvals; and (iii) the challenges needed to create an agreed framework for the
connection and sharing of big data. I have identified a high-level summary of
some of the challenges that governments and local authorities would have to
consider when embarking on such an ambitious project.
1. Funding
– The Report highlights the significant costs in implementing such
ambitious projects. At a time where governments and local authorities are under
increasing budgetary pressures, spending on such IT investment may be
considered a luxury. To overcome such challenges, governments and local
authorities have been known to partner with the private sector to get the
approval of large-scale
infrastructure projects. In addition to the funding benefits, there may be added
benefits in having the private sector invested as a key stakeholder to increase
its chances of success.
2. Procurement
– The need for a structured and consistent government procurement process
is obvious, in order to
ensure transparency and fairness. However, when dealing with constantly
evolving technology, which is to be connected across multiple sites and with
legacy systems, such a process can be prohibitive. This fixed process coupled
with multiple stakeholders across various layers of government departments
could stifle any attempts at innovation.
3. Supplier
lock-in – A customer’s dependency on a single supplier is a common fear in
large-scale IT projects. There are a number of benefits (both practically and commercially) for
having a single ‘prime’ IT contractor running parts of a customer’s IT estate; however, there are
significant risks when it comes to wanting to use updated technology or simply
exiting the relationship. In some cases, the existing IT supplier’s knowledge
of a customer’s IT
systems surpasses that of some of the
customer’s own staff. More significant though is the system’s interoperability with a new
supplier’s software/hardware. Large parts of a customer’s IT estate is often
built around the main IT supplier’s software or hardware. A successful
implementation of a ‘smart’
city would need a significant amount of flexibility to be able to adapt to
changes to technology and connect to a wide range of third-party software and
hardware.
4. Ownership
of data – The commercial and strategic value of the ‘big data’ that would be generated by such an
initiative would be significant and it would not be surprising to see the IT
suppliers wanting at least partial ownership of this data. The contractual
structure of the relationship will more than likely determine the outcome of
the ownership question. If the engagement with the IT provider is based on a
simple ‘customer-supplier’ relationship then the government or local authority
is likely to have more success in seeking to own the data. However, if the relationship is based on a
public-private partnership, as set out under Funding, then the IT
providers are likely to want to benefit from the data as added consideration for their investment.
5. Security
– One of the most obvious challenges in creating a ‘smart’ city is identifying and remedying the security vulnerabilities. Connecting critical infrastructure to
the internet and placing significant data in the cloud increases the risk of
hacking and other forms of cyber-attacks on the connected infrastructure. The frequency
and level of sophistication of these cyber-attacks have increased significantly
over the years, witness the allegations of state sponsored cyber-attacks during
the recent US elections. How the infrastructure is connected will also present risks. The
IoT is largely reliant on Wi-Fi, as a means of connecting non-smart devices to
the internet. Many unsophisticated IoT devices allow for auto-connecting to various networks, meaning a
device will follow the strongest Wi-Fi signal in order to make a connection. If
the critical
infrastructure was then
Wi-Fi enabled, without the necessary encryptions and firewalls, it would not be difficult for
hackers to intercept the connections.
6. Data
protection – The type of data collected as part of a ‘smart’ city development will play a
large part in determining the data protection risks. Citizens of most large
cities will be familiar and relatively comfortable with being monitored via
CCTV. However, the monitoring and
tracking potential of a ‘smart’
city may leave some citizens feeling uneasy. The ability for governments to
combine a wide range of data on individuals from connected devices will present
many risks, as this is likely to lead
to the profiling of individuals
without any legitimate purpose. It is difficult to see how governments or local
authorities could obtain consent for such mass collection and use of such
personal data, especially when some of this data may include sensitive personal
data, such as information relating to an individual’s health. Any government or
local authority looking to implement a ‘smart’ city will also need to navigate the applicable
data protection legislation in its jurisdiction, which is likely to become more
complicated in Europe when
the GDPR comes into force in May 2018.
7. Responsibility and cross-dependencies –
Large IT infrastructure projects often involve a number of parties. In such
scenarios, there is usually a prime supplier who will take ultimate
responsibility for the co-ordination and delivery of the various
software/hardware providers. In these large projects there are a significant
number of cross-dependencies where one small piece of software can jeopardise
the entire project. Where such cross-dependencies exist, it may prove difficult
to determine whether the failure was down to the connecting software/hardware,
the communications network, the legacy equipment it is connected to or whether
it was as a result of the installation.
8. Liability
– The government or local authority would need to consider whether to prime
this project themselves or take on a third-party IT supplier to run the
project. While there would be a long line of IT providers willing to take on
such a project, the government or local authority will need to be confident
that the supplier can ‘scale-up’ its skills to deliver on a project of such
size. It will also be difficult to gauge how successful a government or local
authority would be when agreeing on appropriate liability caps. The potential
losses a government or local authority could face in the event of a connected
infrastructure failure could be huge, yet it will be difficult to get any IT
supplier to agree to wide uncapped liabilities under an agreement.
Insurmountable Obstacles?
The delays faced by Singapore in
its Smart Nation initiative evidence the difficulties in implementing such a
project. However, none of the issues identified above have yet proved fatal to
the project. Singapore’s collaborative approach is welcomed as it seeks to get
private sector and citizen ‘buy-in’ to the project. By making key government
infrastructure data available to the public, those involved are also
crowd-sourcing knowledge and expertise in what is an innovative approach to
managing the city’s infrastructure. This will also allow input from small IT
suppliers, individual coders and engineers rather than solely relying on the
established big IT suppliers.
The Commission’s Report also
offers practical suggestions on trying to overcome the challenges above. In
particular, with respect to the supplier lock-in, ownership of data and
responsibility and liability risks, the Report stresses the importance of
getting this right at the procurement stage, by setting out a framework-style agreement whereby key
provisions are committed to from the outset and a collaborative culture is
built into the main principles of the contract. Interoperability requirements,
open standards and the purchase of commercially off-the-shelf products should
also help to avoid over-reliance on one supplier and thus minimise the risk
arising from a single point of failure.
Regarding the cross-dependency risks, the government or
local authority will need to include cross-dependency obligations on the
various suppliers to ensure a ‘fix-first, identify-cause-second’ approach due
to the criticality of the infrastructure. We have seen such clauses work in
large-scale IT projects where a detailed review of the system failure is
conducted after the event and the responsible party is then required to cover the costs.
In order to limit the security
risks, a significant investment in IT security products and expertise will be
needed. A key principle in any security policy will be ensuring that an attack
on one part of the ‘smart’ city can be easily isolated
and contained, without affecting the rest of the city’s infrastructure through
a series of virtual gates and firewalls. This is especially true if the ‘smart’ city is centrally managed
through a single coordinated system. A detailed and regularly tested business/city
continuity plan will also need to be put in place as, depending on the level on
interconnectivity between a city’s core systems, such attacks could bring down
a city’s entire infrastructure.
The data protection requirements
that a government or local authority would need to navigate through would need
a comprehensive review of what would be collected, and its intended use, to understand what the risk is. To the extent
personal data is not necessary for the provision of services, anonymising such
data should be considered. This may be of particular importance if the project
was on a public-private partnership basis with the IT provider looking to have a greater say in how the
data is used and potentially
commercialised.
It is likely that many
governments and local authorities would initially pilot a ‘smart’ town or
district before rolling-out a wider implementation. In such circumstances, it
is crucial that a scalable framework is established from the outset to ensure
that such connections can easily scale up to operate across a city. Maintaining
a scalable framework would make it easier for a national government or local
authority to replicate such connections to further cities or towns in its
jurisdiction.
Conclusions
While the consumer demand for the
IoT has attracted most of the media attention, this technology offers
businesses and governments, both national and local, huge opportunities. The
ability for embedded sensors on motorway junctions to provide real-time traffic
data to the relevant authorities could offer significant improvements and
efficiencies to an area’s roads and traffic management. As an example, the UK
in particular has seen significant investment in ‘smart’ motorways allowing for
variable speed limits to be instantly put in place to reflect upcoming traffic
issues, as well as opening hard-shoulders as an extra lane during peak times.
Many of the challenges identified
above are on the basis of this being a government/local authority roll-out of a
single project, whereas, in reality, a ‘smart’
city is more likely to involve a patchwork of connected infrastructure with
various government departments having oversight and responsibility for each
sector (eg energy), which would have been rolled out at different times with
different IT service providers. While this approach may not lead to the
seamless connectivity for those envisaging a future resembling a sci-fi movie,
it could avoid the risk of a single point of failure arising for such critical
infrastructure.
David
Berry is a Senior Associate in Stephenson Harwood’s Commercial Outsourcing and
Technology Team
If you are interested in contributing an article to SCL
please read these guidelines: https://www.scl.org/about/contributing
