Security

Municipal Security

A smart city must also be a secure city. The use of information technology and networked devices greatly expands the surface area available to attackers. Municipalities are already targets of cyberattacks and ransomware attacks. Accordingly, digital security will be an enormous issue for municipalities going forward.

Security-by-Design is crucial in addressing the security challenges in smart cities. This involves putting security interests at the forefront of all stages of the technology life cycle: selection, operation and maintenance, and disposal of technology.

Why does Smart City Technology Pose Security Challenges?

Like most organizations, modern municipalities use information technology tools to deliver services and manage operations. Accordingly, municipalities encounter the security challenges that all users of such technology face: vulnerabilities and bugs that, if unpatched, give cyber-attackers access, as well as internal mistakes and bad actors. The smart city expands the surface area for external attacks and complicates internal security management. Why? The smart city uses more systems, new systems, and third-party systems, all of which need to be managed and all of which carry with them their own security challenges.

Security challenges include data and identity theft, system vulnerabilities, cyber-attacks on IoT endpoints, man-in-the-middle attacks, fraudulent software updates, cryptanalysis, attacks on protocols and authentication tokens, signal interference through either jamming or tag killing, spoofing, and compromise of location privacy, including GPS, WiFi, and Bluetooth. For instance, in the healthcare sector, technologies may pose interoperability and integration problems, especially if software and services are provided by a third party. This can threaten data integrity, compromise private communications and electronic health records, and impede the flow of healthcare data, and this is just one sector in the smart city.

How should Municipalities approach Security in Smart City Procurement?

Municipalities must implement security-by-design in every design stage and procurement process of smart city technology. Smart city technologies must be brought within the security policies of the municipality, and these processes themselves must be adapted to address the security risks new smart city technologies bring with them. Standard security practices will include:

  • Protecting personal information and privacy - This includes masking of personal data in the design process using encryption (DES, RSA, and AES for sensor networks), hashing (hash link, and hash lock), minimalist cryptography, and differential privacy.

  • Using security technology - Deploy Intrusion Detection Systems (IDS) on all technologies that were in place before security-by-design was implemented. Additional protection includes the installation of antivirus and firewalls, software updates to patch software vulnerabilities and security flaws, the use of digital signatures, and secure APIs.

  • Develop security impact assessment tools – Checklists and other such tools assess the impact of smart city technologies on security and privacy at an early stage. Items to include in the checklist may be securing information and communication, standard protection of data and identity, the level of authentication and its process, elimination of weak points, firmware update timeframe, protocols for security breaches, etc.

  • Develop human security policies – Many cyber attacks exploit human gullibility. In this environment, security is everyone’s responsibility. Training, access policies and credential enforcement will help address security vulnerabilities that no amount of software can patch.

  • Consider Open Source Software – All software has security vulnerabilities. Open source software benefits from a community of peers able to review and improve the software. As collaboration expands, the quality of the software improves. Closed source systems, in contrast, depend on the security analysis of their publisher. This can be slow and expensive.

Standards, Best Practices, and Guides

Resources

Guides and Toolkits

Canadian Centre for Cyber Security, Cyber Centre Learning Hub - The Learning Hub (LH) is a trusted source for cyber and IT security training for the Government of Canada through a standard curriculum and customized solutions. There are two professional training streams, Communications Security (COMSEC) and Cyber Security, each with its own comprehensive lessons on security programs and best practices. Although the LH is based on federal policies and directives, Canadian municipal governments and public institutions are eligible and take priority for course offerings. These learning opportunities can also be tailored to address specific context and requirements.

Center for Internet Security, “Cybersecurity Best Practices” - The Center for Internet Security developed a list of 140 guidelines on worldwide security configurations.

IoT Security Foundation, IoT Security Compliance Framework and Questionnaire - The Framework covers the security requirements and guiding processes for IoT, while the Compliance Questionnaire is a spreadsheet checklist to support and document the security designs.

GSMA Association, IoT Privacy and Security assessment checklists - The GSMA Association provides checklists for IoT providers and vendors to document the design process of IoT products.

Government of India, Cyber Security Model Framework for Smart Cities (2016) - The Government of India released a Model Framework with 30 cyber security requirements for smart cities. The requirements cover different layers of security in smart cities (such as application layer, data layer, communication layer, and sensor layer).

Public Safety Canada - Public Safety has released a number of guides on infrastructure security.

LSNetwork, Best Practices and Guides on IoT security in Smart Cities - The Canadian Urban Institute has released a practical guide intended to assist municipalities, provinces and solution providers in developing Smart City Master Plans for Canadian communities, including key strategies for plan development and examples of best practices.

The Internet of Things Coalition Canada, Privacy and Security in the Internet of Things Era: IoTCC Best Practices Guidance - The Internet of Things Coalition Canada report outlining privacy and security risks in IoT environments and providing best practice guidance for prevention and remediation.

IoT Security Foundation, Secure Design Best Practice Guides - This Foundation has developed a number of guides applicable to IoT applications in the smart city.

CSA – Cyber Security Guidelines for Smart City Technology Adoption - This document provides guidelines for organizations planning the implementation of smart city technologies. It describes testing and assessments to consider in order to select the best and most secure vendors and technologies.

Articles

Ann Cavoukian and Mark Dixon, “Privacy and Security by Design: An Enterprise Architecture Approach” - A 2013 paper on the fundamental approach to security-by-design for IoT technologies. The paper outlined the basic principles of embedding security into the design, build, testing, and maintenance stages of Enterprise Architecture.

Mohamad Hasbini et al., "Smart Cities Cyber Crisis Management" - The authors discuss securing smart cities, the 15 things that should not go wrong in a smart city environment (such as healthcare, identity, water, transport, energy, drones, waste, etc.), and proactive measures to take to avoid cyber-attacks and ransomware. For the case of a cyber crisis, the authors detail strategies to mitigate and manage such a situation using steps such as preparation, detection, response, investigation, containment, remediation, etc.

Canadian Internet Registration Authority (CIRA), Secure Home Gateway Project - CIRA developed a solution called the Secure Home Gateway Project that helps to secure IoT-connected homes.

Deloitte Centre for Government Insights, “Making Smart Cities Cybersecure” - The Deloitte Centre for Government Insights has produced “Making Smart Cities Cybersecure”, a report summarizing the systemic sources of security vulnerabilities for smart cities and proposing policy solutions for addressing those issues.

Canadian Centre for Cyber Security, An Introduction to the Cyber Threat Environment - The Introduction to the Cyber Threat Environment is intended to describe common concepts of cyber threat activity in Canada and provides baseline knowledge about the cyber threat environment. This document defines a cyber threat as an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains. The document covers the different motivations and sophistication of cyber threat actors and provides a non-exhaustive list of common tools and techniques used by these actors. They have also created a guidebook for local governments to learn more about agile software development and new modular contracting approaches.

World Economic Forum, Why 2020 Is a Turning Point For Cybersecurity - This World Economic Forum article suggests that there is an urgent need to advance cybersecurity as countries become more digitized and collect more data than ever. It then discusses various ways in which cyber-risks will emerge, and ways in which leaders can adapt and adopt strategies to meet cybersecurity needs. These are categorized under technology, business strategy, and geopolitics and cooperation.

National Research Council of Canada (NRC), Cybersecurity - The NRC conducts research in cybersecurity and offers technical and advisory services to deal with cyber threats to public infrastructure and service operations. Its core competencies cover a variety of different areas of technology, and it is able to apply this expertise to public systems. There is also a Cybersecurity Collaboration Consortium (CNCC) based in New Brunswick that researches cybersecurity with a particular focus on critical infrastructure protection, smart homes and cities, and smart grids.

Global Public Policy Institute (GPPI), Advancing Cybersecurity Capacity Building - The GPPI Report defines cybersecurity capacity building (CCB) as a set of initiatives that empowers individuals, communities and governments to reap potential gains from investments in digital technologies. The report advocates for a principle-based approach and presents guiding principles that can provide guidance on scaling CCB, as cybersecurity seems to be an afterthought to rapidly expanding connectivity. The report identifies each guiding principle, states the current status quo and makes a number of recommendations under each principle.

Other Reading

Mass Framingham, “Smart Cities Initiatives Forecast to Drive $189 Billion in Spending in 2023, According to a New Smart Cities Spending Guide from IDC”.

Hanny F Altam and Gary B Wills, "IoT Security, Privacy, Safety and Ethics", in Maryam Farsi et al, Digital Twin Technologies and Smart Cities (2020), pages 130 - 147.

Adel Elmaghraby et al, “Cyber security challenges in Smart Cities: Safety, security and privacy”, Sciencedirect.

LSNetwork, "Smart Planning our Smart Cities".

Bell, “How to Overcome IoT Security Concerns”.
