LIVE TV DownloadNews18 App
News18 English
» » India

Cyber security is an imperative for Modi’s Smart Cities

Saurav Jha @SJha1618

Updated: October 2, 2015, 1:01 PM IST
facebook Twitter skype whatsapp
Prime Minister Narendra Modi's government allocated over Rs 7000 crore for Smart Cities in its first budget. However, a smart city which promises a range of new ‘digitally’ enabled conveniences and resource conservation also opens the way for new security vulnerabilities deriving directly from the nature of the smart city itself which is ‘instrumented’, ‘interconnected’ and ‘intelligent’ or IN3. Running an integrated network in a smart city with numerous data feed-ins (information nodes) and computer systems running analytics can serve to increase both personal and system risks, both of which have to be addressed from the ground up. Obviously given the nature of the system, a rounded focus on cyber security encompassing legal and social aspects in addition to the technical is the key to operating a ‘safe’ smart city.

Smart cities will generate an unprecedented amount of additional data (Big Data) from various instrumented information feeders such as sensors, meters, cameras, existing consumer equipment such as smart phones and eventually even household appliances as the ‘internet of things’ (IOT) progresses. This information will be geographically referenced. As mentioned above IOT will encompass a multitude of devices interacting with control units and dashboards, through sensors, RFID, M2M, satellite and GPS. These will be processed on a network enabled by inter-connected systems riding broadband, Wi-Fi or satellite and even Bluetooth at the instrument level which would all be fed into massive server banks for centralized control centers capable of running Big Data analytics and operator interfaces for decision making. IN3 is essentially already being brought together in existing cities through the culture of search, recommender services and locational apps for devices that suggest services based on a person’s location often geographically referenced through GPS and IP, recorded traits and historical preferences. So a smart city will see a rapid increase in the number of connected system and their entry points bringing forth new opportunities for security breaches or human error.

Thus whether it be ‘reconnaissance, exploitation of available information, infection of systems, locating command and control, making an internal pivot once inside the system, data preparation for subsequent exfiltration’, the entire cyber kill chain taken together or in parts is now potentially easier to do in a smart city set up without adequate cybersecurity safeguards. For instance, a more instrumented city population living in more instrumented households can become very vulnerable to both pre-meditated or even near spontaneous criminal activity since it would now be much easier to orchestrate surreptitious surveillance through say GPS monitoring which is relatively easy and evades ordinary checks. As ‘digital’ citizens become more and more instrumented with smartphones et al putting data online about their location and activities, privacy obviously evaporates. Thus privacy protecting systems that generate data and trigger emergency responses in a smart city when needed are actually accompanied by security risks.

Obviously in such an environment effective enforcement of the legal concept of privacy updated to encompass a dynamic technological space will require both resources and new statutes. Unauthorized access to a computer, network and related data, unauthorized interception of, interference with or transmission of data and unauthorized data processing et al can all be elevated to the level of serious crimes for deterrent purposes. However, if the ‘authorization’ has to come from every individual in this context then the very concept of the smart city will become unworkable! So ‘who exactly can authorize what’ is a grey area that smart city adjudications will have to address in the future.

Automobiles in a smart city will themselves be a major data source from a variety of subsystems within them that produce different types of information. This data typically collected locally may also be transmitted and collected in central repositories in a smart city where they will be analysed for a range of uses. On board diagnostics and event data recorders in the new automobiles chronicling speed, acceleration, braking, seatbelt usage, vehicle status, airbag deployment etc can end up giving unwanted disclosures of information to third parties via the intelligent transportation system integral to the smart city concept. For instance, a car OBD with native Bluetooth can easily end up revealing whether a person is at home or away, making the home a natural target for burglars etc.

Information security for the smart city must therefore examine suitable targets of compromise and the consequences of that compromise. Information may of course not just relate to personal privacy but may be ‘intellectual property’ exploited through compromise, such as copyright, patent or trade secrets. Now cyber security is a subset of information security that focuses on computing systems, their data exchange channels and the information they process, the violations of which may be sanctioned under criminal law pertaining information security. The three key ‘information segments areas to be secured are privacy and confidentiality, integrity and authenticity and availability itself. These goals require specific cyber security architecture, obviously. Digital objects, security domains and services and routine activities elements will all be compared and mapped in such an architecture.

The technical Hardening of such systems is certainly important, by anticipating risks and removing them such as open Bluetooth access ports. System implementation that both locks the data collected by these systems and notifies an ‘instrument’ user that the information is being transmitted/accessed are important security features. At a social level a culture of awareness and support which alerts possible compromise targets to data loss or manipulation is necessary. Instrumented bona fide data recipients should immediately alert their counterpart in the event of a breach that may show up on their end. Instrumented citizens themselves should be made fully cognizant of such issues and must be informed of the vulnerabilities, risks and proper responses that IN3 brings forth.

Moving on from individual to system risk, it is clear that besides robustness, reliability, privacy, and information integrity the new cyber security architecture must also be ‘resilient’. Cyber resilience can be defined both as ‘an organisation’s capability to withstand negative impacts due to known, predictable, unknown, unpredictable, uncertain and unexpected threats from activities in cyberspace’ or more appropriately in the case of a smart city ‘the ability of systems and organisations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery’. The latter definition comes from the World Economic Forum which is a major proponent of the smart city concept.

As the concept is implemented, the interconnected services of smart cities which encompass control and monitoring of both energy and water utilities will evolve a centralized governance dashboard of specialised stakeholders, responsible for setting policies and processes, managing ICT assets, services and protocols, and ultimately administering the services for constituents. And all of this will ride Big Data which will be centrally stored, managed, analysed, and protected. The city operation’s centre will supervise the interaction between systems and will have to ensure continuity, integrity and resilience. The Tele-surveillance systems that are becoming increasingly common in urban settings, coupled with real-time communication capabilities, will require to be backed by a proper cyber security practice if misuse is to be avoided. Moreover, wireless hotspots which will be common in such smart cities if not secured properly will both increase individual risks as well as system risks through compromised individuals.

Like any other ICT network, the smart city will have to constantly upgrade itself to stay ahead ofemerging trends in attacks, malicious code activity, phishing, and spam. And it must do so while being scalable, given the impossibility of protecting every aspect of the ecosystem with the same level of sophistication and resources, choices will have to be made. City governance will need to identify the most critical areas to protect, the types of threat they could be subject to, categories of attackers and likely motivations (financial, criminal or political). City IT ecosystems will increasingly be built on public sector cloud or infrastructure virtualisation, with social and mobile computing as the primary access for applications and services.

Attackers exploiting vulnerabilities in SCADA systems (Supervisory Control and Data Acquisition), based on traditional software platforms, can lead to intrusions with the potential to disrupt data exchange between utility control centres and end users, and severely compromise the delivery of energy services. Whitelisting techniques, used to ensure that only specified system applications and processes are active at any one time, are being seen as effective against zero-day vulnerabilities and attacks in SCADA environments. New intrusion prevention techniques, coupled with robust policies for areas such as network usage, browser patches, email and user awareness and education will have to be implemented. Host-based intrusion detection systems (HIDS) and host-based intrusion prevention systems (HIPS) will have to be par for the course if critical infrastructure protection has to be more than just a buzzword.

Public key infrastructure (PKI) or managed PKI concepts can be leveraged for securing data integrity, revenue streams and service continuity. The smart grid part of a smart city can be secured at the communication layer by implementing PKI directly into meters, enabling identification, verification, validation and authentication of connected meters for network access.In a PKI environment, it is essential that private keys and certificates are guarded bya reliable management solution that can deal with evolving data threats.Protecting the smart city’s critical services whether medical or utility needs strong authentication procedures with two-factor authentication and one-time password entry, being some simple measures. Digital certificates for authentication, signing and encryption will be necessary as well. Ultimately an information-centric approach, embedding security within data and coupled with a content-aware approach to protecting information is vital for identifying ownership of where sensitive details reside and who has access to them.

Effective classification of data and state of the art encryption techniques will require an overall intelligence framework that brings together industry, governments and individuals with specific capabilities. A smart city cybersecurity practice, as it were, is the best bet for India to reduce insider threats and application based vulnerability. So India’s smart cities will have to rely on the Computer Emergency Response Teams (CERT) that have been set up to orchestrate the national coordination required to manage cyber incidents and security.
First Published: October 2, 2015, 1:01 PM IST

Live TV

Countdown To Elections Results
To Assembly Elections 2018 Results