Q&A: How Saudi Arabia is securing its $500 billion smart city, Neom

Neom is the smart-city centerpiece of Saudi Arabia’s Vision 2030 plan to grow and diversify its economy. Located in the country’s north-west, covering an area roughly the size of Belgium, the project — actually a cluster of several towns and cities — will be developed from the ground up and incorporate multiple levels of security.

Mike Loginov, Neom’s CISO (chief information security officer), is undertaking the colossal task of building an intelligent and reliable security system for the project. Neom is one of a growing number of major smart city initiatives in the Middle East that is leading to adoption of IoT networking and related technology, including machine learning and 5G mobile platforms.

Smart cities integrate these emerging technologies to monitor and control infrastructure and the flow of data, with the goal of improving the standard of living for residents.

Smart cities, though, potentially offer many different avenues of attack for hackers. Loginov’s job is to ensure that the operational technologies, along with the millions of IoT devices at the core of the project, are developed with built-in security that can repel potential threats.

In a career spanning over three decades, the former security engineer from the U.K. has led the cybersecurity programs of several high-profile companies, including HP.

As the ongoing COVID-19 crisis and geopolitical tensions in the Middle-East increase the risk of cyber threats, Loginov talks about his strategy for Neom, while offering advice to regional entrepreneurs and CISOs working on other smart city projects in the Gulf region.

Can you explain from end-to-end the processes that will be put into place to make Neom a secure smart city?

One objective is to have well-trained cybersecurity teams, innovative, integrated and proactive defense technology coupled with smart processes across the whole region. The geography makes this a significant challenge, but we will make Neom one of the most attractive and safe places to live and work in the world.

For example, on arrival at the airport visitors will walk straight through our digital borders, no queues, no waiting for your suitcases as they will be delivered direct to your smart home or hotel. Communication devices will connect directly into our secure digital air. No need to visit the ATM as Neom will be a completely cashless society. An advanced Founding Law reflects the needs of the digital enabled citizen, putting control for personal data and data privacy back in the hands of the individual.

What are the challenges involved in building a formidable cybersecurity system for a project of Neom’s magnitude?

This is the first large-scale urban project that will have been designed and built in an artificial intelligence (AI) and machine learning (ML) digital era. There is no legacy infrastructure around, which is highly advantageous. We select our vendors carefully. To become one of Neom’s trusted suppliers, vendors will need to show they understand and share our security ethic, allow us to test critical infrastructure beforehand and are prepared to contractually warrant that their applications and platforms are fit for deployment.

Neom will feature new operational technologies and sophisticated IoT capabilities; where do you see the greatest number of vulnerabilities?

Although Neom will be completely new from the beginning, the volume and diversity of devices is probably the biggest area of concern. Neom will be built using operational technologies (OT) with millions of IoT devices at the core of its infrastructure. One fascinating aspect of being part of the NEOM team is the level of creativity one encounters almost on a daily basis. My role is to ensure that these concepts and new innovations are developed with baked-in security.

There are planned smart cities all over the Middle East at this point, be it UAE, Oman or Kuwait – what is the advice you would like to share with the engineers and entrepreneurs working on those projects from a cybersecurity standpoint?

 I would anticipate that engineers across the region are for the most part aware of the cybersecurity risks that may impact their designs and plans. The concepts of ‘Security by Design‘ and ‘Security by Default’ are common currency now and cybersecurity is a core element of master planning for smart cities.

For entrepreneurs there are evolving examples of innovation, many evident in Neom, that address varying levels of security. One example we are exploring is the establishment of ‘Trusted Digital Enclaves.’ This is an architecture where a blend of legal and technology solutions can greatly enhance the security and resilience of the critical infrastructure that makes the city work improving livability. In cities in which technology is part of the urban fabric, it is critical to remember that cybersecurity matters at every level of commercial or public services.

Saudi Arabia and other Gulf countries are battling coronavirus by promoting more remote working and e-learning; at the same time, concerns are growing that this will leave digital infrastructure vulnerable to cyber-attacks/breaches – what can organizations do to secure their infrastructure?

Remote workers need to understand that they have a responsibility to follow company policy and guidelines to protect their organisation and ultimately their jobs. Most organizations understand and recognize that the first line of defense is their people, so risk awareness training remains important, but supported with well configured and layered technological back-up. Security essentials such as multi factor authentication (MFA), encryption and deploying the capability to access the corporate network via a virtual private network (VPN) all help to make it more difficult for adversaries to breach security protocols.

Incidents of cyberattacks have been increasing in the MENA region especially on crucial national infrastructure. Have these events caused you to re-think your strategy for Neom?

All applications, platforms and systems that Neom will purchase will need suppliers and vendors to warrant that their offerings have been built and tested with cybersecurity risk in mind and with security by default. Working with our Technology & Digital teams at NEOM, our CNI (critical national infrastructure) capabilities will require independent testing and certifications from bodies approved by the NEOM CISO Office and NEOM Cybersecurity Authority before deployment.

 Are you facing issues in procuring resources, for example developer talent, especially with the Covid-19 pandemic shutting down economies?

There was a global shortage of cybersecurity talent and skills before the shutdowns. We have established partnerships with authorities, universities and other educational bodies to develop a pool of talent that will meet NEOM’s needs. We have started a Neom certified training program for 100 new cybersecurity specialists through Tabuk University and the Neom Academy, the intention is to certify and train hundreds more.

It is too early to determine exactly what the implications of the pandemic shutdowns will be. However, most users are aware that the internet can present a risky environment. Existing products and services do little to remedy or cure the problems cyber-attacks pose as organizations continue to suffer high profile breaches and data privacy continues to deteriorate.