Smart Cities: Security Is Lacking
Security Leaders Criticize New Framework as 'Superficial'
The Narendra Modi government has allocated Rs. 98,000 crore for the Smart Cities project. And, together, industry body Nasscom and Accenture India, an IT solutions company, have designed the blueprint for integrated information, communications and technology, as well as geospatial technologies for the 100 Smart Cities by 2022.
Yet, some security leaders say this framework discusses security aspects only superficially, leaving much to be desired. A lot of the plan, they say, depends upon security teams of large enterprises across industry to bring in their own best practices.
Bangalore-based Raghu RV, international director of ISACA, is amongst those who are not convinced about the ICT's security prescription.
"A smart city requires a very comprehensive security framework - that which considers the eco-system as a whole and is driven by clear principles for ensuring 'minimum security standards' across all elements," he says. "This aspect is not clearly defined in the blueprint."
The framework details where the smart resources are coming from, he says, but ignores the details of how they need to be protected.
Assessing the Framework
Bengaluru-based Rajul Mehrotra, global smart cities SME and India capability lead at Accenture, who is part of the framework development team, says the blueprint has also given impetus to several security aspects, including security framework, standards, policies and tools/solutions for enterprisewide security.
The blueprint highlights three security focus areas in the framework: identity management, infrastructure and application security. Some core IT security components included are:
- Data security and information protection;
- Identity and access management;
- Risk management with growing digitalization and number of devices in the Internet of Things.
It is argued by proponents that the framework is designed with this assumption: Smart cities are an urban transformation, using the latest ICT to make these communities more efficient with world-class infrastructure, 24-hour power supply, complete Wi-Fi connectivity, green technology, the latest water conservation and waste management techniques and ensuring safety and emergency compliances.
But the critics counter: Not much thrust is given to security.
Experts interviewed for this story say one can foresee security challenges of every sort in a smart city - from physical security issues due to poor configuration of security perimeters to privacy issues. The concept involves much data exchange across various entities - especially for identity management, as an individual's identity must be linked to access all resources.
Krishnan Jagannathan, business security adviser, emerging markets at IBM Security, considers mapping threats to national critical resources a challenge for the smart cities, as most data may not be digital - but in pen and paper. Just digitizing it would be the first challenge, and the blueprint should clearly articulate this.
He says the biggest challenge is malicious actors taking control of data, identities and passwords. They've already been exploiting Internet-connected devices not securely developed, making such devices an easier target, even, than PCs, laptops or tablets.
Rahul Sharma, senior consultant at the Data Security Council of India, says CISOs will find securing the facilities, bringing global interoperable standards and developing security by design for each of the resource components challenging, as the key authentication process of the devices is not spelled out.
"Security teams will be oblivious of the attack vectors and find testing the smart facilities challenging," he says, "since security's not designed as per the required algorithms."
Recommended Security Measures
Experts say it's time to build in best practices, and CISOs across sectors must take the lead in developing an information-sharing model and a cybersecurity model to protect the cities against attacks.
Accenture's Mehrotra agrees that security response should be holistic, considering every aspect of safety, security, privacy and service delivery.
IBM's Jagannathan says every standard under the ISO framework is suitable for deployment. However, every CISO of each sector must play a strategic role, leading security discussions with business groups, establishing information sharing between peers and from all others involved.
"Information sharing evolves a security-by-design architecture and establishes communication with the state and central departments of the critical sectors involved," Jagannathan says.
Since the cities are connected through various devices, Sharma says establishing Security Operations Centres in each region by the departments collectively helps detect vulnerabilities.
"Establishing city-wide CERTs also addresses complex attacks targeting smart cities and detects abnormalities," Sharma says.
For data privacy, he suggests standards recommended by The Internet Engineering Task Force for security by design architecture; ISO standards such as 27001 and for ISMS; cloud and IoT and others for risk framework; and IEEE standards for the physical security layer.
ISACA's Raghu recommends using the ISO/IEC 29100 standard. It approaches privacy risk management issues and provides a privacy framework, which is useful, considering that trillions of bits of data will be generated, analyzed, shared and circulated.
However, he mentions three key security considerations for CISOs, saying security must be:
- By design;
- Built with a dynamic, adaptive model that can be nimble and proactive;
- Able to normalize all risks into a unified dashboard to enable mitigation, contingency planning and review.
"Threat modelling approach is also recommended to analyze application security to safeguard data against threats," Sharma says.
In response to the experts' concerns, Mehrotra says, Nasscom is advised to appoint a central agency to carry out a survey amongst practitioners to understand the vital security measures to be taken, as well as suitable technologies to be deployed along with implementation plans to create the framework.
"Government of India may appoint a chief consultant or master system integrator to evaluate the blueprint and also come up with IT and security guidelines to implement the project across all states soon," Mehrotra says.