1. Technology in our lives - an introduction to the technological context

2. Cybersecurity - the security of technology - an introduction to Cybersecurity

3. Nuances of Cybersecurity - a summary of the facets of Cybersecurity domain

4. Cybersecurity approaches - common best practices in the applied field of Cybersecurity

5. The human link - the role of human in the cybersecurity chain

6. Action pillars - main measures to be taken to create a cybersecurity foundation in a technological ecosystem

1. Technology in our lives

Digital and emerging technologies are becoming more present in our daily lives, both in the physical environment and in the virtual space that supports our evolution and comfort. Everything around us seems to be more automatic, responding to our needs in customized manners and in real-time. Many of the private and social areas receive technological improvements, offering us a broader spectrum of choices at our disposal, in order to personalize our experiences and to increase our well-being.

In the same time, technology conditions us to some extent, since it creates the appropriate context for a new kind of risks (i.e., cyber risks) to arise and manifest, predisposing us to harm and losses. Every modern, high-tech environment that we create also has its shortcomings, which we need to treat accordingly in order to prevent and counteract any undesired related outcomes.

The current and future technologies that shape our social and physical environment increase the level of interconnectedness and complexity, and contribute to production of large amounts of data that map our actions and traits.

The digital social organization (i.e., information technology systems, networks, communications, services, etc.), as well as the digital footprints (i.e., data), offer a generous playground for hackers to express their destructive and exploitation intentions. More so, unintended harmful effects may be generated by technology on individuals, society and environment, as a consequence of wrong development, misconfiguration or misuse.

As a general behavior to be followed at individual, organizational and social levels, we need to pay attention to both sides of technology – i.e., good and bad – by compensating the enjoyment of its benefits with explicit efforts of risk management. The permanent vigilance related to the harmful side of technology helps us all to proactively avoid malicious incidents, thus maintaining safe and proper conditions for life, work, well-being and evolution.

2. Cybersecurity - the security of technology

Technology has two main features – functionality and security – that need to be developed equally and embedded intrinsically, in order to ensure stability in operation. The high rise of the malicious interests and activities in the virtual world poses any technological asset to risk, regardless of its place and purpose, thus making security a compulsory attribute to be implemented in the entire life cycle of the asset, from scratch to scrapping.

Then, the high interconnection of technologies forming the current and future Smart environments – e.g., the Internet, specialized or commercial IoTs, the merging between IT and OT, Artificial Intelligence, 5G and other high-rate communications, the human-tech integration – creates the context for shared risks, making each of the components to be responsible for the security of the entire ecosystem. More so, Smart environments create bridges between physical and virtual worlds, making it easier for the risks to emerge, adapt and scale in an unbounded fashion, leveraging on all the characteristics and vulnerabilities of the cyber-physical realm (which can be specific either to the physical/ virtual sides alone, or to their blending).

Security is a feature that needs to be implemented in all the technology life cycle stages, namely: research, design, production, regulation, use, influence/modeling, update/improvement, and scrapping. Depending on the specificities of each of the stages, security may consist of multiple forms of expression: research and design may develop security concepts, mentalities and architectures; production needs to build functional security features, mechanisms and controls; regulation may set security principles, rules and standards to be followed; deployment and use of technology are prone to security experiences; the influence that technology brings on human, society and environment needs to be analyzed and managed according to a set of sanity and balancing criteria; and the scrapping needs proper security procedures, at least for data and environment protection. 

3. Nuances of Cybersecurity

Security of technology – or, Cybersecurity – consists in the optimal implementation of specific requirements, in a holistic way (across all the technological life cycle stages), to ensure an extensive state of safety and protection for all the parties involved in technology’s existence and functioning: the humans, the environment and the technology itself. Cybersecurity is a multi-lateral field of study and practice, that encompasses both technical aspects, as well as complementary ones.

3.1. Technical cybersecurity

Technical cybersecurity is in direct relation to technology’s main purposes of existence. The production, management and use of systems, as well as the regulation, policies, rules and procedures supporting development and deployment of systems (at any level, be it organizational, national or of any other kind), are all meant to ensure the implementation of the functionality for which technology has been created [Popescu, 2021, pg. 56-126].

3.2. Complementary cybersecurity

Complementary cybersecurity compounds all the collateral aspects, that emerge from the existence of technology, such as: the influence brought on human, society and nature; the changes in the social landscape (in terms of education requirements, or workforce evolutions); the criminality arisen from the use of technology (cyber-dependent and cyber-enabled crimes); the judicial implications at social level (e.g. in relation to human rights) and at individual level (e.g. in relation to personal data and privacy); the changes brought by digital transformation; the implications of the human-tech integration, a.s.o. These facets need to be considered and approached accordingly (in all the technological life cycle stages, as well), to ensure a proper control on the subtle effects that technology may have as a consequence of its use [Popescu, 2021, pg. 127-162].

3.3. Extensive coverage

The two sides of cybersecurity cover a wide spectrum of security mentalities that need to be managed correlatively, in the context of Smart City architectures and phenomena.

The rationale around systems and networks security architectures, desirable human behavior and supportive organizational procedures is covered by the technical side of cybersecurity, which describes direct protection mechanisms. They are approached in the current documentation, the Cybersecurity Framework.

The considerations related to protection of human rights and other correlated ethical issues are approached extensively in Ethics and Privacy PG, and only tangentially in the current documentation.

The landmarks of evolution of technology are covered by internal deliverable Envisioned evolutions of the operational environment, and are approached from a security perspective in the current documentation.

4. Cybersecurity approaches

In the context of high interconnection of devices, systems and networks, the component with the least level of cybersecurity becomes the weakest link in the overall technological architecture, putting the entire ecosystem in danger, through its predisposition to be exploited by the attackers as an access point to other assets of interest.

4.1. Compactness and robustness

The level of cybersecurity is dependent on the compactness and robustness of the measures meant to reduce the attack surface of the protected assets.

Compactness consists in finding the proper balance of measures that would ensure an optimal level of protection. Due to the high complexity of the technological ecosystems, too abundant security measures may become less efficient, thus generating waste of investment. Too few measures may also result in a low level of security, due to a lack of coverage of the vulnerable points, thus leading to exposure in front of attacks.

There is a Gauss curve that describes the balance of the cybersecurity protection level depending on the complexity and abundance of the overall measures taken. In these terms, the optimal cybersecurity is achieved in the context of sufficient protection measures (somewhere in the middle, not too many, not too few), implemented adaptively and customized in such a manner to serve strictly the requirements identified in the risk assessment processes.

The attack surface is the sum of the vulnerabilities that can be exploited by the attackers to penetrate the systems or communications, allowing them to move and manifest afterwards, at the level of the network.

4.2. Multi-layered protection

Compact security may be obtained by means of holistic approaches that seek to protect all the intrinsic and contextual levels of technology, in a logically correlated manner. Defense-in-depth [Popescu, 2021, pg. 86], Zero-trust model, Software Defined Perimeter are examples of the most robust models that offer fluent workarounds to ensure extensive protection of the technology.

Firstly, technology needs protection at all layers, starting with the physical perimeter (where the hardware equipment is hosted) and the procedural controls (that ensure the mapping of human actions on technology requirements), to the software levels of organization, such as: IT&C, OT (operational technology) and ETs (emerging technologies). All the cyber-physical components of technology need to be taken into account, all-round, especially in the cases of the on-premises infrastructures, with proper rules for network separation depending on the level of the assigned criticality.

Then, firm rules for software-level management of security need to be implemented – especially for the on-cloud services – in order to properly protect the communications and remote service platforms from any harmful tools meant for automatic discovery and penetration. Identity-based and role-based protection mechanisms (that allow users to access resources only according to their real identity and purpose/ need-to-know allowance) ensure that complex interconnected systems keep the functionality safe and shielded against unauthorized access.

4.3. Integration

Smart City fundamentally needs an integrated approach on cybersecurity, with a focus on implementation of compact built-in security and on ensuring real-time incident prevention and reaction capabilities [Pradhan, 2019].

Smart City environments compound all kinds of technologies (IT&C, OT, ETs), that are interconnected in complex logical architectures (at both hardware and software level) functioning in a wide variety of locations and contexts. The specific attack surface is vast and difficult to assess, making cybersecurity dependent not only on technical and administrative measures, but also on multi-layer cooperation and synchronization. Horizontal, seamless coordination of security operations is paramount to ensure protection of people and assets in case of cyber incidents.

5. The human link

5.1. Knowledge and expertise

Human is the most important factor in the entire cybersecurity life cycle. Beyond all the perfection of the measures taken to secure technology and organizational processes, the presence of human can strengthen or weaken the robustness of the cybersecurity status of the protected infrastructures.

As with any process, cybersecurity needs knowledge and expertise to be properly implemented, configured, maintained, deployed and managed.

Specialized competences are paramount for achieving an optimal cybersecurity level of the protected technology. Security thinking needs to leverage all the corresponding particularities and specificities of the physical and technological environment, in an adapted and customized manner, in order to completely harness the investments made for this purpose.

In the same time, general and on-the-job awareness related to cybersecurity is key to avoid accidents and undesired happenings generated by mistakes, negligence, and other kinds of unintentional human behavior that may endanger all the efforts consumed for security.

5.2. Trust

More so, proper management of human relations with own and contractual personnel is required, in order to prevent and counteract any situation of inside jobs. Even though this is rather a management issue, than a cybersecurity one, in practice, inside jobs are one of the most damaging threats an organization can face in terms of cybersecurity. At least in the critical industrial sectors or critical infrastructures, some cautionary actions need to be carried out in these regards, such as: conscientious background checks (prior to employment), two-factor validation approaches (during activity) and safe disconnection from services and accounts (when necessary or at the job endings).

5.3. Improvement and calibration

Human presence, knowledge and decisions are the backbone of cybersecurity. They need to be focused on prevention and counteraction of cyber risks, in a proactive manner. A high level of situational awareness, and well configured and tested technical capabilities, should be able to prevent the occurrence of the most mainstream cyber incidents, as well as to warn in early stages and react in real-time to any eventual cyber-attacks that would pass by the outer security perimeters.

Ideally, cybersecurity would need predictive capabilities able to dismantle all the vulnerable conditions that favor the occurrence of cyber incidents. But, while this is only a theoretical desiderate (at least from technical perspective), human presence may facilitate the prediction of cyber events by the means of suited knowledge, experience, intuition, Intelligence, threat hunting and other humanly methods and tools.

6. Action pillars

Any technological architecture needs a set of measures to be taken to ensure proper implementation, monitoring and improvement of cybersecurity status. The plethora of corresponding measures revolve around the three following principles that describe the general conditions for a contiguous and functional cyber ecosystem.

6.1. Complete implementation

Security is not a patch to be attached to products, but an inherent feature. There are also stages in the technological life cycle when security is patched, but it is done only as an ultimate option to cover unforeseen vulnerabilities.

Security is best implemented from scratch, starting with the phases of design, research and development. Built-in security (or security by design) ensures robustness and compactness, offering technology an indispensable root layer of protection from the discovery and penetration actions done with malicious purposes.

Then, all the other stages in technology’s life cycle need to be approached diligently and consciously from a security standing point, in order to avoid weaknesses and loose ends. The physical context, the hardware architecture, the software configuration, the communication channels, the deployment and operation actions, as well as the decommissioning, need security implemented alongside the base functionality. Reaching and maintaining key performance indicators of technology are dependent on the responsible implementation of security measures, as fundamentally as possible.

6.2. Standing by procedures

Apart from the technology-related measures, human behavior is paramount for leveraging on all the efforts invested in security. Firm rules need to be created around the deployment, use and maintenance of technology, and a due diligence awareness needs to be developed with respect to both on-the-job responsibilities and the overall organizational rigors.

All the organizational security rules and workflows need to be assimilated by the employers and contractors, to ensure protection of the entire technological supply, management and use chain, and to allow coordination and integration of efforts.

Knowledge and exercising (i.e., education, training, exercising) around the procedures are mandatory, in order to test and confirm the validity of the envisaged policies and controls, as well as to discover the flaws and the requirements for improvement and update.

Organizations – as high-level beneficiaries and managers of cybersecurity – need to take account of human predispositions and behavior, in order to prevent and limit any risk that may come from the inside of the technological ecosystem (be it proprietary or collaborative). A series of human risk clearance measures – e.g., background checks, two-factor management of critical infrastructures, procedural checks and balances, critical-job redundancy – can contribute to ensuring uninterrupted and performant functioning of services.

6.3. Unitary action

Timely prevention and reaction are accomplished through synchronization of all actors and capabilities responsible for cybersecurity. First of all, management buy-in is mandatory for a correct understanding, development and administration of cybersecurity requirements at organizational level, since it impacts not only the local security, but also the protection of the entire adjacent technological and commercial ecosystem.

Then, all the technical and human related measures need to be integrated from an actionable standing point. Information needs to be correlated and proactively shared among the stakeholders, in order to limit the spread of newly discovered vulnerability points. Collaboration on cybersecurity management facilitates the reduction in the attack surface of the in-house and shared infrastructures. And operational cooperation ensures quick reaction (containment, counteraction, recovery) to the on-going cyber-attacks.

Above all, unitary decisions mechanisms (e.g., pyramidal CERT/CSIRT structures) should be established and tested, to ensure proper response to cyber incidents. Cybersecurity efficiency is provided only if prevention and reaction capabilities have a dynamic at least comparable to that of the attackers.