#IMCUS: NIST Cybersecurity Framework Can Address Big Smart City Challenges

Cities are increasingly looking to use integrated information and communications technology (ICT) systems to not only cope with rapid urbanization, but also to improve efficiency, manage complexity and enhance citizen quality of life, leading to sustainable improvement in city operations. This can be thought of as the implementation of the internet of things (IoT) in the city context. But, just like the IoT itself, smart-city projects face significant security challenges—which NIST continues to address with the Cybersecurity Framework.

“Managing the transition to becoming a smart city is an exercise in information-sharing and measuring success—as well as meeting fresh challenges that hyper-connected systems bring to bear,” said Kevin Stein, chief of the Applied Cybersecurity Division at NIST, speaking at the Infosecurity Magazine Conference in Boston event this week. “Cybersecurity is a major concern.”

A Kaleidoscope of Challenges

Cities are looking to get smart for a number of different reasons. One of the major challenges facing cities today is the increase in worldwide urban population, and the inevitable strain this puts on city systems and resources. According to the United Nations, in 2014, 54% of the world’s population lived in urban areas, and this figure will increase to 66% by 2050. In all, there will be 2.5 billion more people living in cities by 2050 than there are today, with nearly 90% of the increase coming in Asia and Africa.

This has many consequences, including from the transportation, energy, and health and safety perspectives. On the transit front, cities are dealing with more cars and more modes of transport (bikes and light rail, for example) than ever before—which is leading to gridlock. They’re also running out of real estate to increase capacity—they often can’t just add a new lane to a thoroughfare. Urban sprawl exacerbates this and contributes to gridlock by increasing the time and distance that citizens spend in their cars. And, of course, vehicles have to be stored somewhere once they’ve arrived at their destinations.

On the energy front, cities consume 75% of all energy, and are responsible for 40% to 60% of greenhouse gasses, according to Stein. The grids are aging as well, and we need modernization and new sources of power to cut carbon emissions and meet sustainability goals.

And finally, when it comes to health and safety, air quality remains a concern, including so-called “black rivers” of pollution in urban areas that are leading to an increase of respiratory disease. The impact of congestion on emergency response and waste management also falls under this heading.

A Federal Smart Cities Push

To address these issues, the Smart Cities Initiative was announced in 2015 by the White House. As Stein explained, “The idea is to target federal resources to meet local needs and support community-led solutions.” The government has invested $240 million in federal research dollars into the program to date.

Smart city solutions integrate computing and municipal systems, and explore how to use technology to make cities as habitable and productive as possible, including bi-directional communications from sensors and consumer products to various grids and back again. For instance, in the federally funded StormSense project, sensors and crowdsourced data are being used in the Newport News, Va. area to model and address different flood types given different broader weather systems. It’s being used to forecast storm surges, improve disaster recovery plans, mapping ideal evacuation routes and so on, all geared to reduce property damage and save lives.

“We’re seeing new models, like first responders and hospitals interacting with other smart networks in the city, i.e., transportation sensor information,” Stein said.

Security Dimensions and the NIST Framework

A special commission has delivered a report with cybersecurity recommendations for the federal government going forward. It’s assessment of the status quo is straightforward enough: “The growing convergence, inter-connectedness, interdependence and global nature of cyber and physical systems means that cybersecurity must be better managed in all contexts—international, national, organizational and individual.”

Stein noted that a perfect example of this need can be seen in smart cities and smart infrastructures, where automation (and a lack of manual operation mode) may mean that problems may propagate faster than they can be fixed. It’s also an avenue for bad actors to launch attacks on multiple fronts with little effort.

“The risks are increasing, thanks to a greater dependence on IT infrastructures, more systems connected, and systems working without a human in the loop,” he explained. “This is a significant attack surface that can be used to scale attacks in a significant way.”

The other challenge is one of privacy. “The challenge lies in the fact that to gain operational awareness, these systems are conceivably collecting behavioral information on citizens or their vehicles, so understanding privacy and security challenges is key,” he said. “There’s a significant amount of behavioral data that could be collected, not necessarily with nefarious purposes in mind—but it’s a ripe source for others to have an interest in.”

In February 2013, President Obama issued an executive order calling for the development of a voluntary, risk-based cybersecurity framework—a set of existing standards, guidelines and practices to help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack.

The resulting NIST Cybersecurity Framework is dedicated to creating interoperability and standards that can be used to manage smart-city implementations in a consistent way. It’s a voluntary framework to improve cybersecurity for critical infrastructure in the United States, consisting of a documented a set of control objectives and a common language for cybersecurity.

NIST is preparing a revision of the framework for public comment, which will be made available in early 2017. The revision will better address supply-chain risk management, data sharing, and identity and access management. It will also discuss how to use the framework to help with measuring the effectiveness of the tools and processes put in place in response to the risk assessment that the framework was used to determine.  

“If we want to understand the risks in the context of the mission, we must have a common language and taxonomy to discuss what level of cybersecurity is needed and what’s been achieved, and to understand the level of cybersecurity offered by the other participants in a given project,” Stein said. “The NIST Cybersecurity Framework is intended to create a consistent set of business objectives across all participants, creating a common understanding of risk, allowing risk to be understood and translated into action. This is more important in smart city deployments than ever before.”

What’s Hot on Infosecurity Magazine?