Using India as a Guide for Designing Secure Smart Cities

For many, the burgeoning concept of smart city development seems far off and far removed. It is difficult to imagine how this great conglomeration of responsibility and risk would be implemented any time soon, especially in the wake of many national cyber-intrusions. Are governmental systems equipped to handle the impending network penetration that would ensue?

Well in 2015, India actually already announced an initiative to develop 100 smart cities [1]. Initially, this sounds like a bit of a reach. But as Indians are increasingly moving into urban areas for higher standards of living, this hope for improved education, healthcare and employment is also leading to expectations for better urban infrastructure in general. Thus, India is planning to implement smart city technology by using:

Smart water management of the city’s water distribution plus supply

Intelligent, real-time traffic management

E-governance to easily provide government services

Smart management of recycling, reusage, and waste

Closed circuit audio and video surveillance intended to mitigate crime

Smart poles that integrate WiFi and lighting

Direct digital access to emergency physicians and other medical services

This list is not only comprehensive, but it is also ever-growing. If the government intends to support all this technology for every urban Indian citizen then it must ensure data integrity, system reliability and ultimately, security. That’s a lot to handle.

With the advent of 5G technology, this means that the large numbers of data collection, processing, and analysis that both IoT and smart cities demand will strengthen the possibility of feasible and efficient smart city development. In fact, due to the quick speeds, reliability, high bandwidth and low costs that 5G offers, we can finally leverage the massive sums of data generated by sensors and IoT devices and effectively handle Big Data in real-time [2].

Although in reality, all this growth and innovation should frighten security-minded professionals and citizens alike. The privacy implications of both surveillance and centralized government data collection should be worrying as well. While smart cities are now becoming easier to visualize and thus manage, the potential attack vectors that they engender are increasingly numerous. This is because the threats that result from smart cities themselves will compound with external threats that emanate from 5G infrastructure. To put this idea into perspective, here is the opinion of a prominent Chinese researcher of AI and telecommunications:

“The significant increase in sensors and data nodes [due to 5G] means an increase of exposure, and an increased risk of being attacked” [2].

Not only that, but the stakes increase with smart city technology. For instance, a smart city trial run occurred in Atlanta’s police department network and hackers ended up distributing a virus that locked users out of the network, encrypted files, disrupted workflow, and destroyed years’ worth of police video camera footage [2]. In Dallas, 156 city-wide emergency sirens were turned on in the middle of the night for about two and a half hours, among numerous other examples [2]. So with an initiative of building 100 smart cities, how is India handling this massive challenge?

In a preliminary report jointly generated by the Data Security Council of India and PwC, the two groups operationalize a smart city cybersecurity framework in an attempt to warn stakeholders of the relevant risks in implementing a smart city. The ultimate conclusion that they emphasize is that the responsibility for proper administration comes in a multi-stakeholder model [1].

In this report, they first identify the expected/observed vulnerabilities and their potential outcomes/risks, and then categorize these risks according to the threat level (marginal, critical, catastrophic). This categorization is pictured below [1]:

Categorized Risks of Smart City Functionalities

In carrying out these functions, there are four major stakeholder groups involved in smart city project planning:

1. The Ministry of Housing and Urban Affairs (MoHUA) is the primary governmental entity that administers this project at the central level, by creating laws/rules and regulations that are related to smart city urban development and security compliance.
2. The next step in their plan outsources the responsibility for implementation of smart city operations to ‘smart city special purpose vehicles (SPVs)’ which then execute the MoHUA’s vision and provide technical teams to do so. The government has created many SPV companies designed to carry out specific infrastructure projects for this mission alone. Thus, only one company in each city will be responsible for owning and managing all projects (i.e. sanitation, roads, housing, etc).
3. The project management consultants (PMC) provide consulting services to the SPVs by helping to manage the design, planning, and daily operations of the infrastructure. This team acts as a typical project manager role might, by ensuring deadlines are met and chosen smart services are inspected to provide quality.
4. Master system integrators (MSI), original equipment manufacturers (OEM), and other third-party entities all operate at the local level to confirm the correct initialization of all components such that they comply with the relevant city regulations created by MoHUA. These groups provide the necessary support and services required to ensure adequate and efficient implementation.

This multi-stakeholder model, coupled with structured collaboration built on role-based duties, engenders full-scale functionality [1]. The report continues on to give each stakeholder guidance on how to continue with each project phase (planning, design/implementation, operations). This list is quite robust, as it even covers specific security recommendations for the OSI layers, so I won’t list it here, but all technical suggestions can be found on pages 21 to 27 of the report [1]. A chart that summarizes this information is pictured below:

Cyber security framework for smart cities

In this model [1], the four key framework layers that are imperative to the success of the multi-stakeholder model in smart city development are:

1. Design and governance
2. Security implementation
3. Security operations
4. Security assurance

It is clear to see that India’s plan is thoughtful, comprehensive, and respects the inherent boundaries/differences in capabilities between the public and private sectors. I think that cooperation between both entities will be the deciding factor in determining the resilience of smart city infrastructure, since the government cannot handle this burden alone.

A piece of criticism of India’s multi-stakeholder model is that it leaves out the most critical stakeholder of them all: the end-user. Ultimately, end-users will need to be more cyber-vigilant, educated, and aware of the adversaries that threaten their livelihood with resilient cyber-intrusion attempts. Through a simple spear phishing attack, one user could easily threaten an entire smart city function such as water management by giving attackers an opportunity to penetrate the network. After all, a known security vulnerability associated with IoT devices is the ease of bouncing off one device and into another if they are within the same network [2].

When it comes to other end-user rights, India’s model has received criticism for not respecting the democratic process [4]. This is because the SPVs that run the city are directed by a board composed of government nominees and private investors, thus rendering the people unrepresented in the functioning of their own communities [4]. There must be a better effort to integrate elected officials into the decision-making of each municipal smart city corporation and its board so that the interests of the community are represented.

On top of that, India has been really slow to develop this plan in the years since 2015, by developing small areas at a time and spending about 7% of the budget so far [4]. Proponents say that they are beginning to take strides by first creating SPVs, and then hiring personnel and town planners, while critics say that their current approach has been worryingly myopic and too focused on “smart enclaves” that neglect to offer enough sustainable or affordable housing for marginalized communities [4][5]. In this regard, India and other nations hoping to build smart cities need to remember to develop them city-wide rather than focus on certain areas. Social inclusion of all economic classes is an important component of this model.

Along that vein, without end-user cooperation, the security of a smart city could be easily compromised. If a citizen is left out of this model, they could commit crimes to intentionally threaten the security of the smart city. Thus, I believe that India should implement national objectives to incorporate its citizens into its framework/threat model and thus operationalize plans towards end-user threat mitigation. Research on this subject was conducted by Anne Adams and Martina Angela Sasse in a paper titled, “Users Are Not the Enemy.” They essentially argue that users act logically when they do not make security-prioritizing decisions, thus rendering users able to make these decisions if the interface mechanisms are user-friendly and security departments effectively communicate with users [3]. This idea can and needs to be operationalized in a smart city environment.

After reading this piece, I hope it is easier to imagine how a secure smart city might be practically implemented, along with challenges that come along with such projects. By publicly discussing different approaches to infrastructure development I believe we will be better equipped to strategize and build ideas off one another, in order to address potential risks before they arise. Just like how cyber security mechanisms and vulnerabilities must be made open/published to the larger community, next generation urban development projects must also become a part of global discourse and research if we all expect to thrive in this new hotbed of critical infrastructure risk and end-user dependency.

Sources

1. https://www.pwc.in/assets/pdfs/publications/2018/creating-cyber-secure-smart-cities.pdf
2. https://www.scmp.com/news/china/military/article/2184493/why-5g-battleground-us-and-china-also-fight-military-supremacy
3. http://discovery.ucl.ac.uk/20247/2/CACM%20FINAL.pdf
4. https://scroll.in/article/908394/the-modi-years-how-close-is-india-to-getting-100-smart-cities
5. https://economictimes.indiatimes.com/news/economy/infrastructure/smart-cities-mission-is-still-very-much-a-work-in-progress-post-three-years-of-its-launch/articleshow/64523035.cms