Smart Cities: The Security ChallengeWhat Are the Cybersecurity Threats and Opportunities?
India Prime Minister Narendra Modi envisions 100 smart cities by 2022.
This goal, and the finance ministry's decision to allocate Rs 7,060 crore toward meeting this objective, has sparked discussion not just about how to build smart cities, but also how to secure them.
Experts say security leaders must evolve a cybersecurity model that future-proofs their networks, not just reacts to risk as an afterthought.
And it's going to take a significant private/public partnership to succeed, government leaders say.
"We are consulting with state governments, local bodies and those keen on developing smart cities," says Urban Development Minister Venkaiah Naidu. "We've finalised the PPP model."
The Smart City Model
By definition, smart cities are an urban transformation using the latest information and communications technology to make these communities more efficient with world-class infrastructure, 24-hour power supply, complete Wi-Fi connectivity, green technology as well as the latest water conservation and waste management techniques.
Naidu says 20 cities will be listed for modernisation this year, 40 in 2016 and 40 more by 2017. Starting with Delhi, then Varanasi, India will also develop the proposed new capital for Andhra (as a pilot).
The government will emulate the smart city models of Japan, Spain and Australia, and collaborate with them.
Opportunities for Security Players
Private sector security vendors foresee a huge growth opportunity as the government will collaborate with them via the PPP model.
Already, Cisco plans to release the "Cisco Smart City" blueprint for the future of smart and connected communities using the Internet of Things for connected education, healthcare, smart buildings, transport and smart parking.
Pravin Srinivasan, head of security, India and SAARC, at Cisco Systems, says: "It's an opportunity to combine information from video surveillance cameras, social media and other sensors, and security frameworks, which enable a higher rate of incident detection, automated incident detection and quicker response for richer safety."
Mumbai-based Sunder Krishnan, chief information security officer at Reliance Capital, and a member of ISACA's task force, sees opportunity in evolving a Wi-Fi security/mobile data management strategy, developing a tactical network security architecture plan with IoT, besides log monitoring tools.
FireEye, HP, Cisco, IBM and others will offer support through the PPP model. Private players will design the ICT master plan with Japan, Spain and Australia.
As an immediate step, the ministry of urban development has urged Nasscom (National Association of Software and Services Companies) to develop the reference model on the architecture framework for technology, GIS and Safe City for the 100 smart cities initiative.
What About Security?
And then there are the security concerns.
Security practitioners agree with Symantec's executive report, which says smart cities can experience different types of cyber-attacks, including phishing, malicious code, website intrusions and DDoS. Administrations and those in charge of designing, building, operating, maintaining and using the smart city and its services must therefore include security from the conceptual stage.
Says Krishnan: "For security leaders, this throws up an interesting challenge, as it requires state-of-the-art deployment of the latest technology, dynamic practices and well-trained staff."
"Practitioners should re-imagine their approach, creating an adaptive architecture protecting against advanced attacks," says Ramsunder Papineni, regional director-India and SAARC, at FireEye. "CISOs must focus on early detection, prevention, analysis and appropriate response."
Pune-based Ankush Tiwari, senior vice president of engineering and managing director, India - Mobiliya, says sharing data in the cloud may raise concerns over the illegitimate use of data for a purpose other than that it's actually meant for. Controls will be required to identify what data can be cross-processed. "CISOs must ensure data is securely classified, stored and accessed to flag potential risks."
As the level of granularity increases to the level of data from specific buildings, dwellings and people, the privacy risks and the need for trust and security increase.
Many experts agree that challenges arise from the higher connectivity, opening up new vulnerabilities. The top challenge is ensuring the fundamental cybersecurity of systems.
"Network with enterprises connected to 1,000 devices, 100 applications talking to millions of others worldwide, it's open to threats from multiple types of attacks," Srinivasan says.
Mumbai-based Durga Prasad Dube, chief information security officer at Reliance Industries, says the constraint is that security is considered too late in project development. The challenge, Dube observes, is at the gateway level, risk-prone due to ineffective authentication methods.
Papineni expects threats that are targeted: "It's likely they've never been seen before, custom-designed for information theft, sabotage or espionage."
Smart Security Model
Although India's smart city initiative is only in the conceptual stage, security practitioners are geared up to handle the initiative.
Cisco's Srinivasan believes a smart city requires access to good security services with expertise in mobility, physical security and systems integration. "Security practitioners should be part of an ecosystem to create a set of services around network connectivity, appliances and data analytics to have effective controls," he says.
Says Tiwari, "One government body must be responsible for information security for various e-governance projects, aligning with independent software vendors, system integrators and companies creating products for collaboration and communications. These can be monitored through a dashboard and can manage other Internet of Things. Smart cities will require a complex network connectivity; hence new vulnerabilities."
Dube suggests security planning should begin at the network design stage itself to avoid data leakage. "Every request for proposal going out should have a security aspect well-articulated on the authentication protocols and access controls used to protect the smart gateway," he says.
Krishnan of Reliance Capital lists some imperatives of a security framework:
- ISO standards and business processes;
- Risk assessment tools and procedures;
- Risk auditing and monitoring process, both internal and external;
- ISMS framework to handle security risks.
"The project's starting on a clean slate," Papineni says. "It's a huge opportunity to leapfrog to an approach that actually works against new and unknown threats of today and tomorrow."