By: Shrikant Shitole, Managing Director, India, Symantec
The ‘Digital India’ program is an ambitious and robust blue-print for transforming the digital identity of India primarily due to its thrust on building smart cites, that could well be a game changer for the country. ‘Smart City’ is fast becoming a buzzword, not only because of the benefits, connectivity and efficiency it offers to people, but also because of the newer avenues of contribution it opens up for organizations engaged in its development. To realize the dream project, Government of India has already allocated INR 48,000 crores for the initiative, with Rs. 100 crore to be given to each city per year for the next five years.
What is so special about smart cities?
A smart city is designed to optimize residents’ quality of life by leveraging technology and integrating several essential functions like managing citizens’ data, intelligent transportation, public safety and security among others. Primarily, smart city deployments come with multiple features and state-of-the-art technologies (ICT implementations) and comprise of diverse ecosystems of technology providers. Various devices like sensors, gateways, communication infrastructure and servers will collectively bring to life the concept of ‘Internet of Things’ – a critical component in shaping the cities of the future.
What can this mean for India where even basic infrastructure is patchy at best? As the vision takes shape, India will transform into a knowledge economy with state-of-the-art infrastructure and technology. As the smart city ecosystem falls into place, a key question is: Will the interconnected smart city be a cyber secure city?
The cybersecurity challenges presented by hyper data-connectivity are not only an integral consideration in the private sector boardrooms, but must also impact policy-making within the public sector.
Dealing with hyper-vulnerability
The connected India of tomorrow is set to see an unprecedented level of advancement in technology and infrastructure. This increase in ICT complexity would mean heightened vulnerability (hyper-vulnerability) to both malicious attacks and unintentional incidents. In scenarios with traditional control systems, exploitation of vulnerabilities can potentially disrupt the data exchange between control centers and end users, thus compromising service delivery. Intruders can also install malware to take control of networks and cause a denial-of-service situation. In the EU, for example, smart meters are expected to be installed in two-thirds of all homes by 2020. But as things stand, they lack security controls. It is possible to manipulate smart meters even in large-scale metering infrastructures. At the end-user level, smart meters may simply be hacked to ‘steal’ energy from other users or for other fraudulent purposes.
In a scenario of overlapping functions like in a smart city infrastructure, the processing and information exchange in the city needs to be interconnected using common middleware. The systems need to be standardized, interoperable and open, taking into consideration third-party information. And above all they need to be completely secure.
The security aspect becomes predominant in the wake of increasingly sophisticated cyber-attacks. To put the impact of the attacks in perspective, a piece of espionage malware – Dragonfly, exposed by experts at Symantec, was in operation since 2011. The Dragonfly group had found a “soft underbelly” of large energy companies by compromising their suppliers, which are invariably smaller, less well-protected companies. Targeted mainly at the energy sector in the U.S. and Europe, it used multiple attack methods centered on extracting and uploading stolen data, installing further malware onto systems and running executable files on infected computers.
Securing vulnerabilities
Network infrastructure and the Internet of Things, which form the backbone of a smart city, offer innumerable benefits but often bring along a set of vulnerabilities in the form of information security challenges. In order to ensure the appropriate level of security and resilience, cities will need to manage ICT leadership and governance, strong processes, people’s mindsets and technology. Having the right cybersecurity master plan can make all the difference between success and failure.
With increased data generation, the smart city will soon become a tempting proposition for cybercriminals. This occurs when an unprecedented amount of additional data (big data) is generated by various smart devices (like sensors, meters) and processed along connected systems. In the interconnected city, the number of devices will multiply and necessitate wider network infrastructure. However, with increased capacity, this will also add to the scope of vulnerable end-points and human error - making data breaches and thefts more viable. In the light of the same, cities should equip themselves with advanced systems for managing, protecting, backing up and recovering mission-critical data, including citizens’ identities, across domains. It is important that smart city designers develop solutions backed by robust strategies around embedded cyber security to help avoid data loss and mitigate cyber-attacks.
Gearing up for a cyber-resilient smart city
Worldwide, smart cities are on the rise and city planners are working tirelessly to attract the business and talent required to realize the true potential of smart cities. Being aware of the dearth of skilled taskforce to combat the burgeoning security threats, apex industry bodies like NASSCOM are working with security vendors like Symantec to develop world-class skilled and certified professionals. These initiatives are an attempt to bridge the cyber security skill gap that exists in the country, thus paving way for the secure smart city of the future.
Smart cities can thrive and prosper only if information security becomes the building block of the design blueprint. Some of the best practices for implementation would be:
-
Establish a governance framework – This will help identify and engage key stakeholders
-
Ensure governance, risk and compliance (GRC) – This will make sure IT departments are able to monitor their environment and meet compliance regulations
-
Enable service continuity – Cities aspiring to be smart must learn to secure and manage diverse environments. There is (as of yet) no alternative to deploying up-to-date solutions for security, backup, data-loss prevention, archiving and disaster recovery
-
Protect information proactively – Administrators responsible for the city’s information backbone must take an information-centric approach. This includes using content-aware information tools that consider users’ context before sharing information with them
-
Authenticate users – Strong authentication techniques can ensure protection for an organization’s public-facing assets by ensuring the true identity of a smart device, system or application
-
Balance traditional vs. cloud delivery – All smart services can be accessed along the traditional client-server route or as cloud-based “pay as you go” services. Smart cities must work toward achieving a happy balance between the two models
-
Embrace managed security services – Cities should seriously consider outsourcing cybersecurity services to minimize security disruption and data loss
-
Protect infrastructure – Top priorities for IT administrators in smart cities should include securing endpoints, messaging/ web environments and critical internal servers. They should also keep provisions for improved data backup and faster recovery
-
Ensure 24x7 availability of critical infrastructure – There is need to ensure resilience in case of untoward incidents through adequate backup and recovery software or appliances, policies, and tools
-
Develop an effective information management strategy – This will include information retention plans and policies and implementation of deduplication techniques in as many places as possible to free up resources. A full-featured archive, an eDiscovery system and data loss prevention technologies would be other components of this strategy
-
Work with seasoned information security partners – On the security front, cities can’t dilly-dally for too long. Given that there is insufficient in-house expertise, city planners must tap expertise from external partners with worldwide visibility in prevention of cyber threats and attacks
The old ‘castle and moat approach’ to ring-fencing valuable information has become part of history. Now that the perimeter of defense has widened, owing to the interconnected environment of the future, protection against security breaches have become relevant for all concerned - the individual, governments, and businesses alike. With some of the recent revelations around state-sponsored cyber-attacks, IT administrators know any serious breach could cost them dearly in terms of money, data, credibility and reputation loss. Facilitators of this plan, must breathe new life into their cyber security plans, making security a key element of the smart cities of the future.