Go back a hundred years and services like electricity and running water — let alone phones — would have all been considered luxuries. Now, we see these services as critical infrastructure that could cause a serious threat to life and societal order if they were to break down.
As the Internet of Things (IoT) is becoming a bigger part of our world, creating a marriage of software and hardware that ranges from the exceedingly useful to the overly creepy, it is also finding its way into many of the utilities that we depend on for modern living.
What we define as infrastructure is being rapidly altered by the growth of IoT and the move towards smart cities. We depend on traffic lights, security cameras and garbage removal to keep our cities livable, and we would quickly take notice if these services faltered.
As these devices and systems start to get brains, they become vulnerable to attacks like Mirai or the one that targeted the Ukrainian power grid. There is the added challenge of how to protect smart infrastructure, recognizing that defending it differs in major ways from how we defend power plants.
Historically, critical infrastructure projects have been tougher targets for hackers as their operational technologies (OT) relied on legacy systems that were not widely connected to the internet. As cases such as Stuxnet and more recent cyberattacks on electrical power systems have shown, these systems are vulnerable to external hackers, despite their supposedly high level of security and regulation.
Whereas old-school critical infrastructure has been played out in the court of large corporates with their dependency on proprietary systems, smart cities are a whole other kettle of fish.
If we assume that smart city infrastructures will probably be implemented by many of the large corporates that have the experience and resources to run these projects, then they will probably try to work it as they always have with as much of their in-house tech as possible. Makes sense, right?
Michael Shalyt, CEO of the critical infrastructure security startup Aperio Systems, says that he is skeptical of whether the companies will want to turn to more efficient methods of development like adopting open source in the near future. “We probably won’t see a full blown project for handling end-to-end operations since that’s not modus operandi of utilities and other companies managing critical infrastructure,” he explained in an interview.
But unfortunately for the corporates, the smart city game has a different set of rules and stakeholders. Outside of the critical infrastructure bubble that allows for certain inefficiencies in the name of not having to deal with innovation, the public demands fast and friendly service.
For starters, this means that developers of smart city products and systems will have to keep up with a more rapid release schedule. Teams will need to pull in resources from third parties if they want to stay on pace, and they will be unable to take their time on writing their own code for everything.
“There will still be deadlines when we move to smart cities, putting pressure on developers,” said Shalyt. “Once an open source project seems good enough and it’s free, there is a lot of pressure to use it, simply to shorten the development cycle, saving time and money.”
Secondly, users want interfaces that are easy to use. This will mean a reliance on web and other apps, most of which are built on open source components for their look and functionality.
Finally, unlike sites like power plants, where there is a single company managing the project, smart cities are a collaborative effort, including many new startups that come from a newer culture that depends on open source.
While working with open source gives developers a faster way to build their products while staying on schedule, it presents a different set of challenges for security.
We have to assume that all code will have vulnerabilities. What makes an environment secure is how well you check the products that you are using for holes that attackers can exploit. For many teams, testing in-house code seems obvious. Unfortunately, they don’t always do the same for third-party libraries and components. For open source components specifically, this does not mean reviewing the code yourself, but verifying that it does not contain any known vulnerabilities.
“No one is going to pen test an open source project that you took from somewhere else,” Shalyt remarked. “It’s not that it’s impossible to write perfect code, just nobody does it. In most cases, developers are under pressure from senior management to meet their release schedules and will just throw in open source components without first checking whether or not they have known vulnerabilities.”
When it comes to open source and smart cities, Shalyt believes that companies will turn to open source for what he calls “more granular operations.”
He pointed to more specific tasks like communication and enabling specific devices as the most likely uses. From an efficiency point of view, he said that it may make sense to run many of the devices and sensors that smart cities depend on off of hardware like Raspberry Pis, which utilize the open source Linux operating system.
“If there are vulnerabilities in the low-level communications, the hacker can have control of all of the endpoints in the city,” he said.
The risk is that hackers could target these base-level protocols and endpoint devices, potentially drawing on knowledge of vulnerabilities in projects like the Linux operating system that they gained outside the infrastructure sector. If an open source library has a known vulnerability, attackers can try to exploit it across numerous targets, hoping that somebody failed to apply the proper fix.
Shalyt noted that today people often assume that new products include code from third parties.
“It used to be that 20 years ago, a software product was built by the company that you bought it from, but now we assume the opposite,” he explained. “While this is unlikely to change due to the culture of these older organizations, smart cities are probably going to develop differently since they are coming out of the more modern development culture.”
As such, all parties that are working in developing products for this sector will need to be sure that they are being responsible with their code, not adding code with known vulnerabilities.
However, since manually checking these products for crucial vulnerabilities and bugs is unrealistic, developers and security personnel alike will need to depend on automated solutions to ensure that everything in their products is on the up and up.
Some may ask why we need to talk about protecting open source in smart cities if those heading up the projects are by nature not big fans of it. Fair enough.
The thing is, at the end of the day, these companies simply won’t have much of a choice about working with open source. Just as DevOps is becoming a new standard (read: coping strategy) for dealing with schedules and expectations, so is open source adoption becoming the best option for developers to keep on top of demand. The big players will have to play ball or risk getting left behind in favor of those that are ready to evolve.
It is worth noting that there is currently some movement to introduce standards for open source in the critical infrastructure sector. The Linux Foundation’s Civil Infrastructure Platform (CIP) was launched last year to create a framework for the industry (with the backing of big players like Siemens and Toshiba to name a few), but it is still early in the process.
What is certain is that open source, in whatever form it takes for these projects, is an additional attack vector that can be targeted by hackers looking to breach city systems. A well-placed attack can disrupt operations, hold a city hostage for ransom and possibly deter others from adopting the smart city model if they feel that they cannot properly defend it.
However, before running for the hills for fear of open source, take a beat and remember that it is often more secure than closed, proprietary software since it has more eyes passing over its code, alerting the community to threats and helping to provide for a safer space for development.
It is clear that open source is the way forward for how we go about building large-scale projects, in both government and business. It is up to those doing the development to ensure that they are incorporating security into their products.
Rami Sass is CEO and co-founder of WhiteSource, the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.