Cyber Risk Mitigation for Smart Cities

Abstract

Rapid growth in global population and evolving technological, macro-economic, and environmental landscapes have fueled widespread interest in smart cities, which are, essentially, dynamic ecosystems characterized by highly advanced, intuitive, and interdependent cyber systems. As emerging digital technologies and the Internet of Things (IoT) pave the way for these smart habitats, effective risk management becomes crucial to provide risk-free smart services to citizens.

The Rise of Smart Cities

Approximately 70% of the world's population is expected to live in cities by 2050. Two key features of smart cities are citizen-centricity and digitally-enabled infrastructure. As with all IT-enabled services, smart city services too should be risk-free and secure. In connecting devices and users, cyber systems should ensure the highest level of confidentiality and integrity, while allowing unhindered availability. It is therefore important to proactively manage the security risks of interdependent systems of the smart city digital infrastructure.

Apart from smart infrastructure, a smart city has advanced systems to manage energy, transport, traffic, water, healthcare, and education. It is a seamless union of technology, government, and society to enable smart living, which is characterized by a booming economy, effective governance, and convenient public services.

Interdependent Systems Form the Backbone of Smart Cities

Interdependent systems are the foundation of smart cities, as they provide the critical infrastructure to handle major public systems and citizen services. These include water and energy generation and transmission setups, transportation frameworks, waste disposal mechanisms, street and home lighting systems, connected healthcare, surveillance, and more. Interdependent systems also enable dynamic and synergistic data gathering and analytics, which drive continuous improvements across systems. In effect, a smart city is a 'system of systems' that follows a scale-free topology to allow future expansion, but without affecting the attributes of interdependency and interconnectedness.

Opportunities and Risks: IT-enabled interdependent systems present several opportunities to improve a citizen's lifestyle. They can help city councils take necessary actions, based on real-time analysis of the data collected from various interdependent systems, such as identifying health hazards, mapping energy efficiency of buildings, preventing crime, and effectively managing natural disasters. However, these interdependent systems also pose operational challenges and security risks. If one smart service information system fails to provide relevant information to other connected smart services, it can lead to chaotic situations.

Criticality of Risk Mitigation: Due to the large number of connected devices that make up a smart city's digital infrastructure, enhanced security management for gateway devices, such as industrial control systems (ICS) and IT systems (ITS), is critical to prevent data breach or leakage. Leakage of sensitive data can lead to a lockdown of critical services.

The Role of Smart City Councils

Risk mitigation in smart cities requires a detailed understanding of several factors. These include design and architecture of smart services, IT infrastructure support capabilities, and the knowledge of probable cyber threats. A city council should operate like a modern-day enterprise with specific goals and objectives that include planning for defending against cyber-attacks and responding to emergencies.

Ensuring security of network and sensors: The smart city council should secure connected systems and sensors from any physical attack or infiltration. Identity management and device authentication mechanisms should be deployed at every interface of a smart system. Digital forensic capabilities, which help trace cyber breaches and gather evidence of malicious activities for legal action, should be integrated with the overall cyber architecture, right from the design phase. Gathering and analyzing real-time data with supervisory control and data acquisition (SCADA) will help predict security failures, and thus prevent a complete lockdown of critical services.

Building resilient systems: As a smart city grows, the interconnections of systems and interdependencies of smart services increase manifold. This makes them more vulnerable to cyber-attacks. The smart city council should therefore aim to design risk resilient digital architecture. The architecture should possess the adaptive capability to arrest anomalies in the nascent stage, and lock down a subsystem without disturbing other live components, ensuring uninterrupted service delivery.

Adopting international standards: The security standards and risk mitigation strategies currently being used to secure IT systems may not be adequate to safeguard the interdependent systems in smart cities. ISO 22301:2012, the International Standard for Societal Security - Business Continuity Management Systems [1], should be adopted to prevent the disruption of citizen services. Proper communication management is critical for smart cities to respond to cyber threats and other exigencies.

Performing system impact and interdependency analysis: Periodic system impact analysis should be performed to identify risks posed to critical interdependent systems and interconnected services, with appropriately defined recovery time and recovery point objectives. Smart cities should also have secure data receivers and data storage to collect and store data generated from the ICS and ITS components for analysis, decision making, and incident response management. Smart city councils should devise a component protection strategy to identify critical components of interdependent systems for agile risk analysis.

The CPNI Good Practice Guide for Process Control and SCADA Security [2] can be used by city councils to ensure security and trustworthiness of the interdependent systems. It provides a framework based on industry best practices for process control and IT security. The framework focuses on seven key themes:

1. Understanding business risks
2. Implementing secure architecture
3. Establishing response capabilities
4. Improving awareness and skills
5. Managing third party risks
6. Engaging projects for security measures in service design
7. Establishing ongoing governance

Ensuring citizen compliance: Citizens of smart cities are bound to play a crucial role in ensuring the security of interdependent systems from cyber as well as physical security perspectives. Citizens with smart devices are critical points in the cyber system framework, and can be targeted by attackers and hackers to gain entry into the system. This can be done through social engineering, spam emails, data streaming, and other malicious methods. To prevent this, smart city councils should develop policies and procedures for establishment, maintenance, and operation of secure smart services.
Cyber-awareness programs should be made mandatory for citizens, and penalties levied for noncompliance.

Conclusion

Understanding and evaluating risks in smart city systems requires a pragmatic approach to cyber risk management due to the high level of interconnectedness of smart services and the rapidly evolving nature of constituent systems. With smart cities projected to grow rapidly over the next few years, there is a clear need for smart city councils to focus on mitigating security concerns. Incorporating risk mitigation and developing strong security strategies in the initial planning and service design stages will enable smart city councils to provide safe, secure, and reliable services to their citizens.

References

[1] ISO, 2012. ISO 22301:2012, http://www.iso.org/iso/catalogue_detail?csnumber=50038, accessed November 2015
[2] Good Practice Guide Process Control and SCADA Security, http://www.cpni.gov.uk/documents/publications/2008/2008031-GPG_SCADA_Security_Good_Practice.pdf, accessed November 2015

About The Author

Abhik Chaudhuri

Abhik Chaudhuri is a Domain Consultant with the Information Technology Infrastructure Services Global Technology Practice at TCS. He is a Chevening TCS Fellow in Cyber Security, Privacy and Policy with more than 14 years of IT experience.

Copyright 2016 Tata Consultancy Services Limited