SMART AND SECURE CITIES AND COMMUNITIES CHALLENGE (SC3)


SMART AND SECURE CITIES AND COMMUNITIES CHALLENGE (SC3)
A Risk Management Approach to Smart City Cybersecurity and Privacy
A Guidebook from the Cybersecurity and Privacy Advisory Committee (CPAC) Public Working Group
July 2019

Global City Teams Challenge 2019: Smart and Secure Cities and Communities Challenge (SC3)
GCTC-SC3 Cybersecurity and Privacy Advisory Committee Guidebook

Acknowledgements

This publication was developed by the Cybersecurity and Privacy Advisory Committee (CPAC) public working group. The CPAC is a public-private partnership dedicated to promoting built-in cybersecurity and privacy best practices and identifying key considerations for Smart Cities and Communities. This public working group consists of cybersecurity and privacy professionals and practitioners from governments, non-profit organizations, academia, and the private sector. The CPAC acts as a resource to the Global City Teams Challenge (GCTC) and Smart and Secure Cities and Communities Challenge (SC3) effort and the GCTC SuperClusters (e.g., Data, Public Safety, Transportation).

We would like to acknowledge and thank the organizers and hosts of the GCTC-SC3 program for their ongoing support of the CPAC.

In addition, we would like to recognize the following CPAC participants for their contributions to this Guidebook:

- David Balenson, SRI International
- Adnan Baykal, Global Cyber Alliance
- Gary Dennis, Booz Allen Hamilton
- Wayne Dennis, Accenture
- Alex Huppenthal, Aspenworks
- Lan Jenson, Adaptable Security
- Damon Kachur, Sectigo
- Benny Lee, County of San Mateo
- Carmen Marsh, Inteligenca
- Aleta Nye, J.D., Certified Information Privacy Professional
- Carmen Parada, 1CSR, Inc
- Renil Paramel, Strategy of Things
- Bill Pugh, Smart Connections Consulting LLC
- Maryam Rahmani, Maryam Rahmani LLC
- Carter Schoenberg, HEMISPHERE Cyber Risk Management LLC
- Sushmita Senmajumdar, Adaptable Security
- Deborah Shands, SRI International
- Dean Skidmore, IoT LTE Consulting Group
- Scott Tousley, Splunk
- Ed Walker, City of San Jose
- Ruwan Welaratna, Evo, Inc.
- Paul Wertz, AT&T
- Peter Wong, The Soter Group

We would especially like to thank those who have read and reviewed this Guidebook throughout its development and provided comments and feedback to help make the Guidebook a better resource for the Smart City community.

We would also like to express our gratitude to all the cities, municipalities, and jurisdictions who have participated in and supported the activities of the CPAC, including San Mateo County, California; San Leandro, California; and San Jose, California.

Finally, we would like to acknowledge the GCTC-SC3 SuperClusters and their leadership for their ongoing support and parallel efforts to elevate cybersecurity and privacy as priorities in Smart City initiatives.

- Agriculture and Rural SuperCluster
- Data SuperCluster
- Education SuperCluster
- Public Safety SuperCluster
- Smart Building SuperCluster
- Transportation SuperCluster
- Utility SuperCluster
- Wireless SuperCluster

Intent and Relationship to Existing Risk Management Approaches

The intent of this Guidebook is to promote a risk-managed approach to developing and implementing Smart Cities and Smart City solutions and capabilities, particularly as it pertains to cybersecurity and privacy. While this Guidebook is largely based on the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), the Guidebook is not intended to obviate any existing cybersecurity and privacy risk management practices, policies, or processes. Rather, it is intended to supplement existing practices, policies, and processes and provide some Smart City-specific cybersecurity and risk management considerations.

If your organization already uses the NIST RMF or another broadly-adopted risk management framework or standard, such as the ISO/IEC 27000 Information Security Management Systems (ISMS) standards, then this Guidebook can provide some additional critical Smart City-specific cybersecurity and privacy considerations to understand and possibly incorporate into your existing approach.

If your organization uses the NIST Cybersecurity Framework (CSF) as a means to describe and guide cybersecurity activities, this Guidebook can provide additional and more robust cybersecurity and privacy management processes to consider (some aspects of which you may already be doing) and potentially implement to supplement existing practices.

Lastly, if your organization does not have a systematic approach to Smart City cybersecurity and privacy, this Guidebook provides a high-level overview of a risk-based approach to managing Smart City cybersecurity and privacy. In addition, Appendix C includes the “CPAC ‘Top X’ Questions for a Trustworthy Smart City” as a tool for organizations to engage stakeholders and start the conversation around cybersecurity and privacy risk management.

The approach presented in this Guidebook is not prescriptive and will necessarily have to be adapted to meet the specific needs of your organization and environment.

Disclaimer

While the intent of this Guidebook is to promote cybersecurity and privacy for Smart Cities, your municipality or organization should identify the risk management processes and the Smart City products, services, and solutions that best fit your environment and requirements.

The CPAC includes cybersecurity and privacy professionals and practitioners from a variety of public and private sector organizations; however, this Guidebook does not endorse any commercial products or services. Similarly, this Guidebook may present specific approaches or solutions used in individual deployments or jurisdictions; these are included for illustrative purposes only and are not intended to be endorsements of specific products or implementations.

Table of Contents

Chapter 1. Executive Summary
  Background
  Purpose
  Intended Audience
  Key Takeaways
Chapter 2. Smart Cities: Benefits and Cybersecurity and Privacy Risks
  Smart Cities Benefits
  Cybersecurity and Privacy Risk
  Enabling Trustworthy Smart Cities through Risk Management
Chapter 3. Trustworthy Smart Cities through Risk Management
  What is Cybersecurity and Privacy Risk Management?
  Existing Risk Management Guidelines, Standards, and References
  NIST Risk Management Framework
    Step 0: Prepare
    Step 1: Categorize
    Step 2: Select
    Step 3: Implement
    Step 4: Assess
    Step 5: Authorize
    Step 6: Monitor
Chapter 4. Key Smart City Risk Management Considerations
  Strategic Considerations
  Coordination and Communication Considerations
  Resource Planning Considerations
  Procurement, Contractual, and Supply Chain Considerations
  Technical and IoT-Specific Considerations
  Legal and Liability Considerations
Chapter 5. Conclusion
Appendix A. Smart Cities Use Cases
  Use Case #1: Tampa Hillsborough Expressway Authority (THEA) Connected Vehicle (CV) Pilot Security Management Operating Concept (SMOC)
  Use Case #2: Risk Assessment and Prioritization in the Smart City Cyber Resilience Planning Process
  Use Case #3: Risk Assessment in the County of San Mateo, California
  Use Case #4: Managing Cybersecurity and Privacy Risk for Smart Public Safety IoT Devices and Systems
  Use Case #5: Risk Management in a Privacy-Specific Context
Appendix B. Risk Assessment Example
Appendix C. CPAC “Top X” Questions for a Trustworthy Smart City
Appendix D. References

Chapter 1. Executive Summary

Background

The National Institute of Standards and Technology (NIST) launched the Global City Teams Challenge (GCTC) program in 2014 as a means to encourage collaboration across the global Smart Cities community. The goal of GCTC is to “establish and demonstrate replicable, scalable, and sustainable models for incubation and deployment of interoperable, standards-based solutions using advanced technologies such as IoT and CPS, and demonstrate their measurable benefits in communities and cities.”[1]

In 2018, NIST and the Department of Homeland Security Science and Technology Directorate (DHS S&T) partnered to initiate the Smart and Secure Cities and Communities Challenge (SC3) as an effort to build on the GCTC program and demonstrate the “value and return on investment for designed-in trustworthiness for smart city deployments.”[2]

In support of the SC3 effort, the Cybersecurity and Privacy Advisory Committee (CPAC) was established as a public working group comprised of cybersecurity and privacy professionals and practitioners across the GCTC community. The CPAC has representation from all levels of government, non-profit organizations, academia, and the private sector.

The CPAC public working group is intended to provide a forum for members to share their expertise, leverage industry best practices, and further collaborate with relevant organizations. The CPAC also serves as a cybersecurity and privacy resource for the GCTC-SC3 SuperClusters and Action Clusters.

This Guidebook has been developed by the CPAC with the primary goal of providing a source document for all entities interested in learning how to manage upcoming Smart City cybersecurity and privacy challenges and risks.

Purpose

Advances in information and communication technologies (ICT) and the advent of Internet of Things (IoT) devices are enabling municipalities’ development and deployment of Smart City capabilities and solutions. Municipalities are leveraging these smart solutions to provide enhanced services to their citizens; improve the livability of their communities; and promote economic opportunity.

Ubiquitous connectivity, the proliferation of computing power, and the emerging linkages between cyber and physical infrastructure introduce new and potentially greater cybersecurity and privacy risks than those found in the traditional IT enterprise. Effectively and proactively managing these emerging risks is critical to successfully developing and implementing solutions and to fully realize promised Smart City benefits.

This Guidebook seeks to present an approach to Smart City cybersecurity and privacy risk management that can be adapted to meet the needs of individual municipalities and communities. This Guidebook also provides some key considerations that decision-makers will need to recognize and account for in their risk management approach.

In addition, the appendices of this Guidebook provide additional resources, including a set of use cases to help demonstrate the application of risk management concepts in real-world situations (see Appendix A) and the “CPAC ‘Top X’ Questions for a Trustworthy Smart City,” a discussion tool for initiating the conversation around cybersecurity and privacy risk management (see Appendix C).

Intended Audience

The primary audience for this guidebook is municipal policymakers and leaders (e.g., mayors, council members, city managers, department heads, innovation officers, chief information officers, chief information security officers) actively involved in or considering the development of Smart City capabilities. However, it is also important for all other Smart City stakeholders (including technology/solution implementers and providers) to understand cybersecurity and privacy risk management processes and to be able to prepare and plan accordingly.

Key Takeaways

Readers can take away best practices for a trustworthy Smart City from planning to design to implementation. Specifically, best practices include managing cybersecurity and privacy-related risks for smart solutions, IoT systems, as well as the existing information systems:

- What is cybersecurity and privacy risk and why is risk management important?
- How might cybersecurity and privacy risk management in a Smart City environment be different from a traditional IT environment?
- How can cybersecurity and privacy risk management practices be operationalized and applied in the Smart City context?

[1] “About GCTC,” NIST. https://pages.nist.gov/GCTC/about/the-gctc/
[2] Smart and Secure Cities and Communities Challenge presentation by Dr. Douglas Maughan at the 2017 GCTC Expo in Washington, DC.

Chapter 2. Smart Cities: Benefits and Cybersecurity and Privacy Risks

Cities and communities stand to harvest unprecedented benefits from advances in information and communications technologies (ICT), in general, and Internet of Things (IoT) and Artificial Intelligence (AI), in particular. Smart cities inevitably introduce new or heighten existing cyber risks, which demand proper consideration in design to ensure the optimal realization of intended Smart City outcomes.

Smart Cities Benefits

Smart cities are associated solutions and capabilities defined by the integration of technology, connectivity, and data to improve the quality of and accessibility to citizen services and to improve the livability of the city and community. Smart cities have the potential to address key challenges, including air and other environmental pollution, traffic congestion, crime, and economic development. Many of these challenges can be directly connected to a direct and/or an indirect fiscal impact (e.g., operational costs, lost economic productivity); conversely, Smart City solutions may have direct benefits in terms of improved services or livability as well as associated benefits of cost savings through enhanced efficiency and a boost in economic productivity, development, and opportunity.[3]

While there are many benefits associated with the promise of Smart Cities, there are also many risks and opportunities for unintended consequences. For Smart Cities to truly be successful and reach their full potential, it is important for those designing, developing, and implementing Smart City solutions to properly manage risk. Risk, in the context of Smart Cities, may be found in many common categories such as operational, financial, technical, contractual, legal, reputational, and political risk; however, one area of risk that is becoming increasingly important is cybersecurity and privacy risk. Addressing cybersecurity and privacy by design is critical to risk mitigation and enabling the successful development of Smart Cities and their benefits to citizens.

[3] National Cybersecurity Center of Excellence research on mitigating IoT-based DDoS as presented by Tim Polk, Russ Gyurek, and Joshua Lawton at CPAC Cybersecurity Symposium for Smart Cities in San Jose, California, on October 3, 2018.

Cybersecurity and Privacy Risk

Risk (R) is commonly considered a function of three factors: vulnerability (V), threat (T), and consequence (C). While there is some contention on what the appropriate formula is, there is a clear, positive relationship between risk and each of its three variables (e.g., as consequence increases, risk increases). A common mathematical expression of risk is that risk is the product of vulnerability, threat, and consequence – or R = V x T x C.

This general notion of risk certainly applies in the cybersecurity and privacy context. With the increasing ubiquity of connectivity, cybersecurity and privacy risk is a concept that must be thoroughly considered in most, if not all, domains, including the Smart City environment. Risk in the Smart City context can be attributed to a wide variety of factors given the nearly infinite permutations of potential Smart City-related vulnerabilities, threats, and consequences.

Example Smart City Cybersecurity and Privacy Vulnerabilities, Threats, and Consequences

Vulnerabilities
- Lack of awareness of all authorized and unauthorized devices/assets
- Poorly-implemented encryption or lack of encryption
- Inability to patch or update software/firmware
- Use of default administrator passwords
- Susceptibility to distributed denial of service (DDoS) attacks
- Lack of security assessment and software code testing
- Inadequate security and privacy awareness and training
- Weak or immature supply chain risk management practices

Threats
- Nation-state and state-sponsored actors
- Organized crime and other criminal groups
- Terrorist groups
- Hacktivists
- Insiders/employees – whether malicious, unintentional, or negligent
- External suppliers, service providers, vendors, and partners (e.g., supply chain risk, interdependence and integration risk)
- Other individual hackers or hacking groups
- Natural and man-made disasters

Consequences
- Disruption of government services to citizens
- Loss or leakage of citizen personally identifiable information (PII)
- Financial loss or expense (e.g., lawsuits, regulatory penalties, theft of funds, cost of response and remediation)
- Facilitation of terrorist event – whether physical, digital, or combined
- Degradation of trust in government and government services
- Danger to public health or safety

Many of the vulnerabilities and threats that could affect Smart City environments are similar to the cybersecurity vulnerabilities and threats commonly found in the traditional enterprise information technology (IT) environment. Additionally, it is unarguable that the consequences in the Smart City context are potentially more complex and catastrophic given the cyber-physical aspects of Smart Cities as well as the broad reach and expansiveness of Smart City implementations (e.g., citizens, government, the private sector, cross-jurisdictional elements).

Moreover, it is important to recognize that cybersecurity and privacy risks to Smart City environments are not merely hypothetical or notional. Indeed, there have been several high-profile cybersecurity and privacy events (among countless data breaches and attacks around the globe) that have had real, damaging effects on some cities and communities who are leading the Smart City movement.

The following four tangible examples of Smart City cybersecurity and privacy risk are based on publicly-available information.

Atlanta Ransomware (March 2018)[4]

In March 2018, the City of Atlanta, Georgia, fell victim to a SamSam ransomware attack. Government agencies were locked out of their systems, and applications and services were forced offline - in some cases for months. The attackers were asking for approximately $51,000 in Bitcoin as a ransom payment. Similar attacks were allegedly conducted in ten U.S. states and Canada - including Newark, New Jersey; the Port of San Diego; and the Colorado Department of Transportation.

Vulnerability: Likely weak access control measures, which allowed a successful brute force attack (i.e., attackers guessed credentials to access system). In addition, a January 2018 audit of Atlanta’s IT systems identified 1,500-2,000 vulnerabilities in the city’s IT systems, which may have facilitated initial access to or the eventual lateral movement within the city’s infrastructure.

Threat: In November 2018, two Iranian nationals were c
