22.1 Introduction to Cybersecurity for Smart Cities

Critical infrastructures (CI) are those assets or systems that are essential for the maintenance of vital societal functions, which include energy, utilities, and transportation. A smart city is a city that incorporates smart solutions in order to optimize its resources and improve the quality of service. Resource management includes waste management, water management, and energy management. The quality of service includes e‐governance and citizen services, urban mobility, and telecommunications. This purpose is associated with a mission of driving economic growth and improves the quality of life of smart city citizens.

Smart cities services may be categorized into transportation, environment services, utility management, administration, and public safety, as shown in Figure 22.1. A more detailed taxonomy of smart cities services can be found in Lee and Lee (2014).

The concept of smart city embraces several definitions depending on the meaning of the word “smart.” In Bowerman et al. (2000), it is a city that monitors and integrates all its critical infrastructures, including roads, bridges, tunnels, rails, subways, airports, seaports, communications, water, power, and even major buildings. Additionally, it can better optimize its resources, plan its preventive maintenance activities, and monitor security aspects while maximizing services to its citizens. In Harrison et al. (2010), it is a city connecting the physical infrastructure, the IT infrastructure, the social infrastructure, and the business infrastructure to leverage the collective intelligence of the city. According to Toppeta (2010), a smart city is a city that combines information and communication technology (ICT) and Web 2.0 technology with other organizational, design, and planning efforts to dematerialize and speed up bureaucratic processes and help to identify new, innovative solutions to city management complexity, in order to improve sustainability and livability. A systematic literature review of the definition can be found in Cocchia (2014). The evolution of the definition, over the years, highlights the importance of data and the integration between physical and cyber‐systems in the design and operation of smart cities.

One of the challenges confronting smart cities is the volume of data collected from critical infrastructure subsystems. These data vary in type, importance, and sensitivity, which introduces a new challenge for any cybersecurity solution proposed for smart cities. In addition, any cybersecurity solution must be usable by the operators and end users. Usability is defined as the degree to which a user can complete tasks effectively and efficiently. A usable system is one that meets the needs of the user. Usability is concerned with functionality/usefulness, ease of learning, ease of use, aesthetics, user satisfaction and quality Rubin and Chisnell (2008). Usability consists of five factors: ease of learning, task efficiency, ease of remembering, understandability, and subjective satisfaction (Lauesen and Younessi, 1998). This raises the need for an innovative approach to designing cyber‐fusion centers that aim at enabling the operator to make informed decisions and providing informed data‐driven insights for future improvements.

Chourabi et al. (2012) identified two categories of challenges that smart cities would face: (i) managerial and organizational challenges and (ii) technological challenges. Gil‐Garcia and Pardo (2005) identified the managerial and organizational challenges as well as the strategies to tackle them. From a cybersecurity point of view, the most important strategies are preplanning, setting clear and measurable deliverables, end‐user involvement in the decision process by providing a feedback mechanism, and continuous improvements to the system. The technological challenges were outlined by Ebrahim and Irani (2005). They include operational challenges, organizational challenges, and IT skills. These challenges and strategies should be taken into consideration when designing any cybersecurity solution for smart cities.

The chapter is presented as follows. A typical cyberattack surface is presented in Section 22.2. Then, we present the design science approach to secure smart city systems in Section 22.3. After that, we present the risk‐based NIST Cybersecurity Framework in Section 22.4. Then, we propose the use of a cybersecurity fusion center with big data analytics in Section 22.5. Finally, we conclude the chapter in Section 22.6.

22.2 Smart Cities Enablers

In October 2016, the Internet witnessed a record‐breaking massive distributed denial of service (DDoS) attack of over 1.2 Tbps against Dyn, a domain name service (DNS) provider. Arbor Networks Inc. reported that the original attack was conducted by at least one Mirai IoT botnet and spread into 500,000 IoT devices, with clusters around the world, including China, Hong Kong, Taiwan, South Korea, Southeast Asia, Brazil, Spain, and elsewhere. This caused a sudden outage of popular sites and services, including Twitter, SoundCloud, Spotify, and Shopify. This incident highlights the vulnerability of one of the key enablers in smart cities.

Three key enablers of smart cities are the Internet of things (IoT), smartphones, and cloud computing. Their integration with smart city critical infrastructure should be considered with cybersecurity threats in mind.

Internet of things (IoT): The IoT is one of the major technologies that will shape the future of the digital world including smart cities and homes. It is a mesh network of physical objects that either exchange data in peer‐to‐peer (P2P) mode or communicate and relay information with the service provider (Atzori, Iera, and Morabito. 2010). There are many connected objects today such as electronic appliances (microwaves, cameras, refrigerators, etc.) that rely on RFID technology and state‐of‐the‐art software and sensors (Xiaohang, 2004) in their proper operation. IoT objects can be sensed and controlled across local area networks (LANs) or wide area networks (WANs). Here are a few key applications of smart dust in the context of smart cities and homes:

• habitat monitoring;
• indoor and outdoor environmental monitoring;
• security and tracking of people and objects;
• traffic monitoring and management; and
• human health and well‐being monitoring.

Smartphones: Smartphones today contain a variety of chips and sensors such as GPS, gyroscope, microphone, camera, and accelerometer, among others, that are generating a lot of raw data (Soldo, Quarto, and Di Lecce, 2012).

In the context of a smart home, for instance (Balakrishna, 2012), there are already some applications that run on smartphones to control many appliances in the home, such as TV sets, lights, garage doors, and security cameras. Moreover, users can operate their smartphones in order to interact with their city, receive live information, and connect with local authorities and public transportation systems.

Cloud Computing: Cloud computing has become a de facto platform to enable content delivery to consumers (Obaidat and Nicopolitidis, 2016). Provided pervasive computing today, largely enabled by smartphones and IoT devices, massive amounts of data need to be processed in order to transform raw data into insightful information. Current computing paradigms are no longer suitable for such endeavors. Cloud computing has three main offers:

• SaaS: software as a service;
• PaaS: platform as a service; and
• IaaS: infrastructure as a service.

A combination of the aforementioned service cloud offering leads to the emergence of other types commonly known as XaaS (everything as a service) such as storage as a service, communications as a service, network as a service, monitoring as a service, analytics as a service, data as a service, and so on (Obaidat and Nicopolitidis, 2016).

22.3 Smart Cities Attack Surface

In this section, we use the list of software weaknesses known as common attack pattern enumeration and classification (CAPEC) to describe the common patterns based on the attack domains and attack mechanisms (MITRE Corporation, 2017). This classification helps smart city security designers to understand the cybersecurity attack surface.

22.3.2 Attack Mechanisms

Table 22.1 describes the different possible attack mechanisms on smart cities critical infrastructure. Each of these mechanisms must be taken into consideration when designing a security solution for smart cities.

22.4 Securing Smart Cities: A Design Science Approach

Design can be defined as the process of inventing objects that perform specific functions (Hatch, 2001). Design science has been successfully applied to many domains (Romme and Endenburg, 2006). Muegge and Craigen (2015) proposed a five‐step design process to be applied to cybersecurity design problems. The five steps are presented in Figure 22.2 as follows:

1. Gather lessons learned from theory and practice: this includes published research, security reports, surveys, and input from security practitioners in the field.
2. Formulate design principles: develop a set of prescriptive propositions based on Step 1.
3. Formulate design rules: produce detailed guidelines specific to the design context.
4. Design: apply design rules to create a design representation.
5. Implementation and experimentation.

In the following, we propose a set of design principles for securing smart cities infrastructure based on the literature survey in Sections 22.1 and 22.2. These principles are enabled by utilizing the NIST Framework in a cybersecurity fusion center with Big Data analytics capabilities.

• Design systems around secure design principles.
• Understand your attackers.
• Use a risk‐based approach to prioritize resource allocations.
• Build your solution around continuous monitoring of system logs and components.
• Implement a threat prediction mechanism.
• Implement a feedback mechanism from end‐user to report security incidents.

22.5 NIST Cybersecurity Framework

The NIST cybersecurity framework is a risk‐based approach for managing cybersecurity risks. It consists of three components: core, profile, and tiers. The framework core presents the cybersecurity activities and informative references (subcategories) organized around particular outcomes (categories) to achieve five functionalities. The framework core functions are identify, protect, detect, respond, and recover. Identify can be thought of as the answer to the question “What are the assets that need protection?” Protect is an answer to the question “What safeguards are available?” Detect is an answer to “What techniques can identify incidents?” Respond is an answer to “What techniques can contain impacts of incidents?” And recover is an answer to “What techniques can restore capabilities?” The NIST cybersecurity framework core is presented in Table 22.2 (NIST, 2014).

The NIST framework profile aligns industry standards and best practices to the framework core in a particular implementation scenario. Building the profile is an innovation by itself, and it needs prioritization and consideration of resources and capabilities in each of the smart city critical infrastructure systems. The framework profile aligns functions and categories with requirements, risk tolerance, and resources of a critical infrastructure. The framework tiers provide context to how a critical infrastructure deals with a cybersecurity risk. A critical infrastructure can assess current security practices and use the tier system to prioritize improvements. A summarized list of important NIST framework definitions is provided in Table 22.3 (NIST, 2014).

The framework profile describes the current state or desired target state of cybersecurity activities. The profile enables organizations or critical infrastructures to establish a roadmap for reducing cybersecurity risks that is well aligned with organizational and sector goals and management priorities. The references recommended by the framework are standards and practices that are globally accepted, which help facilitate the operation of the framework on a global base. Industry and nonprofits are improving the framework by mapping sector's specific standards, guidelines, and best practices to the framework. They are also developing and sharing examples of how organizations are using the framework. One important example of implementing the framework in a smart city critical infrastructure component (e.g., energy sector) is given in Table 22.4. Table 22.4 summarizes the main highlights and recommendations of implementing the NIST cybersecurity framework at the USA energy sector. These insights align with the importance of implementing a fusion center that simplifies the operations and provides cybersecurity maturity insights, as it is proposed in the next section.

22.6 Cybersecurity Fusion Center with Big Data Analytics

As described in Section 22.1, a smart city is a collection of critical infrastructures that need to be operated with minimum cybersecurity risk. One well‐proven risk‐based approach is the NIST cybersecurity framework that highlights the importance of minimizing the risk in three dimensions (vulnerability, threat, and damage) using five functionalities (identify, protect, detect, recover, and respond).

To enable the implementation of such framework and to provide insights into the adopted design science approach, we are proposing an analytics‐driven cybersecurity fusion center, as given in Table 22.5. The fusion center consists of three phases, each of which has three characteristics inspired by the work in Delen and Demirkan (2013) and Wang et al. (2015).

The first phase is a descriptive phase, where the fusion center utilizes cybersecurity reports and critical infrastructures monitoring dashboards and scorecards and data aggregated from sensors. It aims not only to answer the questions of what is happening and why it happened but also to reach to well‐defined cybersecurity incidents and possible countermeasures. This phase is based on the previously articulated science design approach and provides insights into both identify and detect functionalities in the NIST Framework.

The second phase is the predictive phase, where the answer to questions such as what will happen and why it will happen can be reached. The patterns that are hidden in a big data (volume, velocity, variety, and veracity) collection are immensely valuable in answering those questions. Machine learning with text mining, web/media mining, and forecasting enable an accurate projection of future cybersecurity risks in terms of vulnerabilities, threats, and damages, which align with the NIST framework functionalities such as detect and recover.

The third prescriptive phase tackles the NIST framework's respond functionality and provides valuable insights into the previously articulated design science approach. In this phase (i.e., the prescriptive phase), questions such as what should we do and why should we do it in terms of operations and future designs are raised. To enable the prescriptive phase, optimizations, simulations, decision models, and expert systems are integrated into the fusion center to provide the best possible operations and future design decisions that would minimize the cybersecurity risk in smart cities' critical infrastructure.

The cybersecurity fusion center with big data analytics is visualized in Figure 22.3. The NIST framework functionalities (outer circle) are achieved in the three phases analytics (inner circle).

22.7 Conclusion

In this chapter, we proposed an integrated risk‐based cybersecurity approach with design science in mind and enabled it with a Big Data analytics fusion center solution to help minimize the cybersecurity risk exposure. The risk‐based NIST framework focuses on minimizing the risk to critical infrastructures within smart cities in five functionalities: identify, detect, protect, recover, and respond. These functionalities help improve the smart city cybersecurity in two dimensions: design and operations. The Big Data aggregated by the different smart city systems and users is utilized by the fusion center analytics engine to provide descriptive (identify), predictive (detect and protect), and prescriptive (respond and recover) functionalities that align together to minimize the cybersecurity risk during operations and provide insights for future improved designs.

22.8 Table of Abbreviations

References

1. Atzori, L., Iera, A., Morabito, G., 2010, ‘The Internet of things: a survey’, Comput Netw. 54(5), 2787–2805.
2. Balakrishna, C., ‘Enabling technologies for smart city services and applications’, In: Proceedings of the 6th IEEE international conference on next generation mobile applications, services and technologies, NGMAST'12, 223–227.
3. Bowerman, B., Braverman J., Taylor J., Todosow, H., von Wimmersperg, U., 2000, ‘The vision of a smart city’, In: 2nd International Life Extension Technology Workshop, Paris, Sep. 28, 2000 (Vol. 28).
4. Chourabi, H., Nam, T., Walker, S., Gil‐Garcia, J.R., Mellouli, S., Nahon, K., Pardo, T.A., and Scholl, H.J., ‘Understanding smart cities: An integrative framework’, In: System Science (HICSS), 2012 45th Hawaii IEEE International Conference, 2289–2297.
5. Cocchia, A., 2014, ‘Smart and digital city: A systematic literature review’, In: Smart City , Springer International Publishing, 13–43
6. Delen, D. and Demirkan, H., 2013, “Data, information and analytics as services,” Decision Support Systems 55(1), 359–363.
7. Ebrahim, Z. and Irani, Z., 2005, ‘E‐government adoption: architecture and barriers’, Business Process Management Journal 11(5), 589–611.
8. Gil‐García, J.R. and Pardo, T.A. ‘E‐government success factors: Mapping practical tools to theoretical foundations’, Government Information Quarterly 2005 22(2), 187–216.
9. Harrison, C., Eckman, B., Hamilton, R., Hartswick, P., Kalagnanam, J., Paraszczak, J., and Williams, P, 2010, ‘Foundations for smarter cities’, IBM Journal of Research and Development 54(4), 1–6.
10. Hatch, N.W., 2001, ‘Design rules, Volume 1: The power of modularity’, Academy of Management Review 26(1), 130–133.
11. Lauesen, S. and Younessi, H., ‘Six Styles for Usability Requirements', In: REFSQ’ 1998, 98, 155–166.
12. Lee, J. and Lee, H., 2014, ‘Developing and validating a citizen‐centric typology for smart city services’, Government Information Quarterly 2014 Jun 30(31), S93–105.
13. MITRE Corporation, 2017, ‘Enumeration CA. Classification (CAPEC)’, URL: https://capec.mitre.org.
14. Muegge, S. and Craigen, D., 2015, ‘A Design Science Approach to Constructing Critical Infrastructure and Communicating Cybersecurity Risks’, Technology Innovation Management Review 5(6), 6.
15. National Institute of Standards and Technology (NIST), 2014, ‘Framework for Improving Critical Infrastructure Cybersecurity’, URL: http://www.nist.gov/cyberframework/upload/cybersecurity‐framework‐021214.pdf.
16. Obaidat, M.S. and Nicopolitidis, P., 2016, Smart Cities and Homes: Key Enabling Technologies, Morgan Kaufmann.
17. Romme, A.G. and Endenburg, G., 2006, ‘Construction principles and design rules in the case of circular design’, Organization Science 17(2), 287–297.
18. Rubin, J. and Chisnell, D., 2008, Handbook of Usability Testing: How to Plan, Design and Conduct Effective Tests, John Wiley & Sons.
19. Soldo, D., Quarto, A., Di Lecce, V., 2012, ‘M‐DUST: an innovative low‐cost smart PM sensor', In: Proceedings of the 2012 IEEE International, instrumentation and measurement technology conference, I2MTC’12, 1823–1828.
20. Toppeta, D., 2010, ‘The smart city vision: how innovation and ICT can build smart, “livable,” sustainable cities’, The Innovation Knowledge Foundation. Think.
21. US Department of Energy (DOE), 2015, ‘Energy Sector Cybersecurity Framework Implementation Guidance’, URL: http://energy.gov/sites/prod/files/2015/01/f19/Energy%20Sector%20Cybersecurity%20Framework%20Implementation%20Guidance_FINAL_01‐05‐15.pdf.
22. Wang, H., Osen, O.L., Li, G., Li, W., Dai, H.N., and Zeng, W., 2015, ‘Big data and industrial internet of things for the maritime industry in northwestern Norway’, In: TENCON 2015‐2015 IEEE Region 10 Conference 2015, 1–5.
23. Xiaohang, W., Song Dong, J., Chin, C.Y., Hettiarachchi, S.R., and Zhang, D., 2004, ‘Semantic space: an infrastructure for smart spaces’, IEEE Pervasive Comput. 3, 32–39.