Cybersecurity for Smart Cities

This section depicts the specificities of cybersecurity relevant for urban environments that have complex technological networks and services at their disposal. It underlines the main approaches and mechanisms to be deployed in order to ensure unitary cybersecurity and strong cyber resilience in Smart City eco-systems, while pinpointing the role of the IMPETUS tools in this context.

The section is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

  • Policy makers

  • Regulators

1. Levels of integration - an integrated perspective on all the Cybersecurity requirements

2. Protection mechanisms - fundamental mechanisms to ensure Cybersecurity

3. High level and horizontal synchronization - requirements for collaboration on cybersecurity matters

4. Specific vulnerabilities and threats - a depiction of the main cyber vulnerabilities and threats

5. Essential lines of action - a description of the main sets of cyber-related measures to protect Smart City environments


1. Levels of integration

This chapter depicts an integrated perspective on all the Cybersecurity requirements, including both the technical aspects and the humanistic considerations that emerge from the use and influence of technology. The focus is put on principles that would ensure integration of efforts at Smart City level.

The chapter is suited at least for:

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

  • Policy makers

  • Regulators

1.1. Facets of incidents

Smart City is a complex technological environment that needs proper integration, in order to ensure real-time synchronization of actions for prevention and response to cyber incidents. The organization of protective measures in Smart City revolves around two basic approaches:

-     Cybersecurity in Smart City – putting focus more on compactness and robustness of security in order to ensure protection against cyber-dependent crimes and attacks.

-     Cybersecurity for Smart City – with a focus on implementation of specific security tools in order to ensure protection against cyber-enabled crimes and attacks.

Cyber-dependent attacks consist of the use of technology as both a means and a target for exploitation. They are generally focused on gaining access to technological assets (especially data), in order to get leverage that can be used for further attacks or benefits. They usually cause loss of money or data, but can also affect physical security in particular cases (e.g., encryption of data in hospitals for ransom can lead to harm to, or loss of, human life). Protection against cyber-dependent attacks is mainly based on the resilience of technology.

Cyber-enabled attacks consist of the use of technology as a means to conduct classical crimes. Smart City is prone to malicious exploitation of technology for terrorism purposes, for example. Discontinuing water, energy or other utility supply services directly affects masses of people, entire districts or cities. Likewise, attacks on digital public administration infrastructure may cause loss of financial assets, denial of critical services (including access to health services), bogus changes to decision-making processes, etc. This kind of attack puts direct pressure on people and social processes.

Protection against cyber-enabled attacks tends to be based more on the behavior of people and the compactness of processes. Hackers usually seek to exploit human vulnerabilities (e.g., by means of social engineering) and human social organization (e.g., by interposing themselves in social flows or in supply chains), with the purpose of manipulating behaviors and decisions in such a way that ultimately benefits them.

1.2. Technological perspective

The digital ecosystem of Smart City may contain all kinds of technologies – from IT&C, to OT and ET – structured in network architectures both connected to Internet and isolated.

The administrative and business-as-usual networks, as well as the ones linking remote branches, are usually connected to or over the Internet. The interconnectivity offered by the Internet creates the premises for quick centralization and management of the cybersecurity services associated with the protected assets.

Nonetheless, the more sensitive and critical the technological network, the bigger the need to keep it disconnected from the Internet and other on-grid facilities. Industrial technology (e.g., ICS/SCADA) is often required to be physically separated from any other network and from the Internet, since it hosts critical services and data that need special, dedicated security measures. But any physical separation of networks leads to lack of unitary visibility and synchronization of cybersecurity operations, making the responsible SOCs lag behind in terms of prevention and reaction to cyber incidents.

The need for security integration becomes even more difficult to accomplish when also considering specific Smart City technology, which often consists of networks of distributed sensors that monitor critical assets/ networks/ services and need centralized management.

And last, but definitely equally important, the evolution of technology tends to create vast networks of interconnected and intelligent devices that are, basically, tools for unitary and coordinated peripheral implementation of centralized decision-making capabilities. These tools (the peripheral devices) usually have weak cybersecurity protection, since they are built lightweight from the start, due to restrictive functional and commercial requirements.

Artificial Intelligence over Internet of Things creates a broad network of distributed simple devices that can only act intelligently by following strategic instructions from the main server or cloud. The overall security of these kinds of systems is prone to exploitation due to the vulnerabilities residing in the edge devices (which play the role of the weakest links).

Integration of cybersecurity over a Smart City environment may be a difficult task. However, there is a set of basic principles in relation to this purpose that should ensure proper functionality of security services while keeping the operation of technology undisturbed:

-      Cybersecurity centralization and management consists of aggregation and processing of meta-data related to devices and network activity, while leaving the main functionality of technology untouched. It is done by means of dedicated services for cyber event management and orchestration (such as SIEMs, SOARs).

-      Internet-connected networks may be fully centralized and managed from a cybersecurity standpoint (unless specific local security requirements state otherwise). As a note, the cybersecurity integration should not affect any logical separation of networks envisioned in their functional architecture (which remains a paramount requirement for the individual security of the protected services).

-      The physically separated networks may be integrated in the overall cybersecurity architecture, but only by ensuring one-way outbound flows of meta-data. This may be done using unidirectional systems for meta-data transfer (e.g., data diodes) at the edge of the network. Thus, the separated networks may only be monitored for situational awareness of cyber incidents. The incident management needs to be done locally (at the level of the protected network), in close cooperation with the centralized overseeing SOC.

-      Cloud-based services (and especially ones that use networks of peripheral devices, i.e., IoTs) need to have proper security measures implemented in the core of the architecture, where all the data and intelligence reside. This does not exempt the peripheral devices from having their own security measures developed or implemented.

-      Integration of meta-data needs deep correlation, processing and analysis, in order to allow a valid representation of the overall phenomena of the protected technological ecosystem. It needs to be done holistically, so as to reveal logical, human-readable information related to the existing cyber threats and incidents.
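To make the integration principles above concrete, here is an added example (not code from this document or from the IMPETUS project) that normalises meta-data exported from an Internet-connected administrative network and from a physically separated OT segment into one common schema, drops anything that is not meta-data before central processing, and correlates the merged timeline into a human-readable finding that neither segment could produce on its own. The event formats, field names, addresses and records are constructed assumptions.

```python
"""Added example (not from the document or the IMPETUS project): integrating
security meta-data from several Smart City network segments into one schema
and correlating it into a human-readable finding.  Event formats, field names,
addresses and records below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Only meta-data about activity is kept centrally; content such as payloads
# or credentials is dropped at normalisation time.
ALLOWED_FIELDS = {"ts", "segment", "src", "dst", "action", "outcome"}

# Constructed export from an Internet-connected administrative network,
# assumed to arrive directly from its SIEM agent as JSON-like records.
ADMIN_EVENTS = [
    {"ts": "2024-03-01T10:00:05", "src": "10.1.1.20", "dst": "10.1.9.5",
     "action": "login", "outcome": "failure", "password": "must-not-leave"},
    {"ts": "2024-03-01T10:00:09", "src": "10.1.1.20", "dst": "10.1.9.5",
     "action": "login", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:14", "src": "10.1.1.20", "dst": "10.1.9.5",
     "action": "login", "outcome": "success"},
]

# Constructed one-way export from a physically separated ICS/SCADA segment,
# assumed to arrive through a data diode as key=value text lines.
OT_DIODE_EXPORT = """\
time=2024-03-01T10:00:30 source=10.1.1.20 target=192.168.50.7 op=modbus_write result=denied
time=2024-03-01T10:00:31 source=10.1.1.20 target=192.168.50.7 op=modbus_write result=denied
time=2024-03-01T10:30:00 source=192.168.50.2 target=192.168.50.7 op=modbus_read result=ok
"""


def normalise_admin(event):
    """Map an admin-network record to the common schema, meta-data only."""
    return {"ts": event["ts"], "segment": "admin", "src": event["src"],
            "dst": event["dst"], "action": event["action"],
            "outcome": event["outcome"]}


def normalise_ot(line):
    """Map one diode-exported key=value line to the common schema."""
    kv = dict(part.split("=", 1) for part in line.split())
    return {"ts": kv["time"], "segment": "ot", "src": kv["source"],
            "dst": kv["target"], "action": kv["op"], "outcome": kv["result"]}


def integrate():
    """Merge both exports into one time-ordered list of normalised events."""
    events = [normalise_admin(e) for e in ADMIN_EVENTS]
    events += [normalise_ot(l) for l in OT_DIODE_EXPORT.splitlines() if l.strip()]
    assert all(set(e) <= ALLOWED_FIELDS for e in events)  # nothing but meta-data
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Flag a source with failed/denied actions that is seen in more than one
    segment within the window: visible only once both exports are combined."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        segments = {e["segment"] for e in evs}
        bad = [e for e in evs if e["outcome"] in ("failure", "denied")]
        if len(segments) > 1 and bad:
            first = datetime.fromisoformat(evs[0]["ts"])
            last = datetime.fromisoformat(evs[-1]["ts"])
            if last - first <= window:
                findings.append(
                    f"{src}: {len(bad)} failed/denied actions across segments "
                    f"{sorted(segments)} between {first.time()} and {last.time()}")
    return findings


if __name__ == "__main__":
    for finding in correlate(integrate()):
        print(finding)
```

The design point is that the OT export only ever flows outward (the script never writes anything back toward the separated segment), and the central side still gains a finding it could not see from either export alone: the same source that failed logins on the administrative network was denied write operations on the OT segment moments later.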

1.3. Humanistic perspective

Cybersecurity needs to integrate measures related both to technology (i.e., devices, infrastructure, communications, data), as well as to processes (i.e., organizational, commercial, industrial, urban) and humans (i.e., decisions, behavior), in order to ensure coherent and fluent flows of action. Alongside the technological approach, layering security measures according to human specificities consolidates the overall cybersecurity architecture, thus lowering the chances of cyber risks occurring.

Considering the scale of its fundamental purposes (e.g., improvement of public services, digitalization of social services, facilitation of public-citizen interaction, ensuring environment protection, public security and safety, etc.), Smart City needs seamless correlation between all its functionalities and cybersecurity measures:

-      Each purpose is accomplished by a set of corresponding services, that – in their turn – have rules of functioning, dynamics, technologies and impacted people.

-      The services need to be holistically described and organized in a logical and unitary flow.

-      Then, the services architecture needs to be mapped onto the technological one, in order to identify the synchronization requirements that would allow early warning of cyber incidents and quick reaction times for their prevention and counteraction.

The more complex the Smart City environment, the simpler it needs to be represented in the cybersecurity architecture, so as to facilitate prompt decision making.

Cities are one of the most complex forms of human organization, posing a high challenge to physical security and cybersecurity. The protected targets need to be clearly represented by proper sensors (to offer explicit situational awareness), the technical analysis needs to offer clear and certain information (to underpin the decision-making process) and the actions need to be firm, coordinated and efficient (to avoid or limit the manifestation of risks).

2. Protection mechanisms

This chapter comprises fundamental mechanisms to ensure Cybersecurity. It offers a more applied approach that helps build the security architecture of the managed network.

The chapter is suited at least for:

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

  • Policy makers

  • Regulators

Cybersecurity in Smart Cities needs to be approached strategically, making use of instruments and mentalities that would simplify the understanding and the tasks needed to be done in the entire ecosystem. In the end, simplicity is complexity being organized and solved.

Apart from leveling the integration of networks, protection of Smart Cities from risks that can affect cyber-physical environment can be obtained by setting high-level mechanisms for management of cybersecurity, according to specificities of the urban services. Thus, cybersecurity measures need to cover domains such as: utility, public safety, transportation/ mobility, agricultural and environmental services, smart buildings, public Wi-Fi, administration, etc. [NIST, 2021]

Moreover, specific high-level protection mechanisms should ensure continuity of processes and holistic management of cybersecurity, throughout all the points and links that may contain/ represent cyber-physical vulnerabilities. The series of protection mechanisms shall include:

-      Edge security. Implementation of security measures at the level of sensors or peripheral devices, in order to avoid physical and cyber tampering. It is also highly recommended that their physical location be known and managed under strictly controlled conditions.

-      Core security. Strong resilience should be implemented in the cloud, server and database architectures where the main services, intelligence and functionality are hosted. For Smart Cities, it is especially recommended to ensure high availability (HA), as well as full replication of resources in separate physical locations (for backup and redundancy).

-      Communications protection. Along with edge devices/sensors and the core computational structure, communications are one of the three main pillars of technological networks, which need to be thoroughly protected. This is ensured by measures such as: end-to-end encryption, physically separated and protected lines, redundancy in communications channels, DNS-layer security, access control rules and role-based management of resources.

-      Big Data management. Data is the logical resource managed across the entire technological infrastructure. It is accessed, stored, processed, transported and registered in each device or server, and in the communication links. Cybersecurity explicitly protects the confidentiality, integrity, availability, authenticity and non-repudiation of data. The high amounts of data generated by technology need proper protection and management at the level of both the useful content and the meta-data (technical and Intelligence-based) used for security purposes. In the current and future perspectives related to Smart Cities, high attention should be paid to the Big Data coming from municipal IoT networks and AI-based services, which need integration and normalized analysis for proper understanding, evaluation and substantiation of decisions.

-      SOC capabilities. Security mechanisms are integrated and managed by the means of dedicated Security Operation Centers. The specialized technical capabilities offer SOCs the possibility to gain situational awareness and decision leverage, for proper prevention and reaction to cyber incidents. It is preferable to offer SOCs direct access for management of devices and networks, in order to block, stop, contain and remediate cyber-attacks in real-time. Where this is not possible (e.g. in the physically separated critical infrastructures), appropriate complementary/ alternate communications channels between SOCs and respective networks should be established, as well as frequently tested for high responsiveness and availability.

-      Unitary command and control. Cybersecurity attacks are orchestrated by hackers to achieve their malicious purposes with the highest efficiency and in the shortest time frames, while leaving behind as few traces as possible. The high complexity of Smart City environments reduces the capacity for quick security actions, exposing humans and assets to vulnerabilities, despite all the technical measures in place. Unitary command and control is paramount to ensure real-time security capabilities (both cyber and physical) able to counteract the force and synchronization of cyber-physical attacks. It needs:

o   to have a higher priority of action in face of the business-as-usual operation of the protected services;

o   to be unanimously acknowledged and assimilated across the entire Smart City environment;

o   to be properly documented (standardized by the means of organizational procedures) and periodically tested;

o   to be thoroughly followed when the case arises.

-      Knowledge. A great proportion of security efforts shall be oriented towards education, training and exercising of human capabilities. General cybersecurity awareness needs to be formed in order to avoid unintentional incidents, while solid on-the-job and tech-related cybersecurity specializations need to be ensured at all levels of technology management, in order to implement built-in security and proper capabilities for the prevention of and reaction to cyber-physical incidents.

-      Ethics. Beyond the main purpose of cybersecurity, which is related to ensuring proper conditions for technology functioning and for the direct safety of humans, there are also collateral considerations related to the risks generated by the use of technology. The more (cyber)security technology and decisions are deployed, the more humans’ privacy may be mismanaged or violated, thus raising suspicions with regard to the efficacy and effectiveness of the protection measures in place. There is a balance between security controls and the privacy of people that needs to be respected, in order to keep cybersecurity measures useful and relevant. [More details regarding the ethics of technology are given in the Ethics and Privacy PG.]

-      General situational awareness. Cybersecurity needs to make use of all tactics, techniques and procedures available to gain knowledge related to the technological context/ environment and the effects it generates. Technical sensors and equipment offer an understanding of the abstract cyber-physical playground; human Intelligence capabilities gather risk-related information from the physical/ human world and expose all the cyber knowledge in a readable format for decision makers; trans-disciplinary research and analysis offers a perspective on the technological effects on humans, society and nature. All these processes are needed to integrate information in its most valuable and useful form, in order to substantiate decisions with regard to the development, use and security of technology.

-      Cybersecurity tools. Dedicated tools for cybersecurity purposes cover all kinds of necessities, offering a plethora of functionalities, from prevention and detection of cyber-attacks, to documentation of malicious actions and environments, and to management of ethics requirements and situational awareness. Customizing dedicated tools to fulfil certain purposes explicitly is, however, a more reliable solution to implement, one that also ensures proper use of the available resources. Considering the characteristics of Smart Cities, particular tools are mandatory to ensure proper prevention and reaction to cyber incidents, focusing on: cyber threat monitoring and detection capabilities, deployment of Intelligence on malicious activities and TTPs, integration of information and decision at SOC level, education of operators and specialists in cybersecurity domains, exercising and testing the overall cybersecurity architecture and procedures, and preparation for cybersecurity Crisis Management. In particular, IMPETUS covers a consistent part of these requirements by means of the Cyber Threat Intelligence/ CTI and Cyber Threat Detection and Response/ CTDR tools, while managing them in an interoperable architecture, along with other physical security tools (such as Bacteria Detector/ BD, Workload Monitoring System/ WMS, Evacuation Optimiser/ EO, Urban Anomaly Detector/ UAD, Social Media Detection/ SMD, Firearm Detector/ FD, and the IMPETUS Platform).

3. High level and horizontal synchronization

This chapter contains high-level requirements for collaboration on Cybersecurity matters, to facilitate the uniform implementation of measures and to exchange incident information.

The chapter is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

  • Policy makers

  • Regulators

The SOCs of Smart City need to be integrated within the pyramidal structure of CERT/CSIRT entities that manage cyber incidents at national and international level, in order to facilitate counteraction of attacks that may be orchestrated at large scale. The multi-layer reporting scheme allows proper situational awareness irrespective of the ownership of the networks, thus properly serving the overall/systemic security operational needs. Smart Cities represent critical infrastructures whose protection needs to be integrated as a part of national security.

Moreover, cybersecurity efforts shall be exchanged horizontally, among Smart Cities, as a collaboration to mutually support the prevention of and reaction to cyber-attacks. Since the entire ecosystem’s cybersecurity is dependent on the protection level of the weakest links, the responsibility for the overall state of protection is uniformly distributed among the participants in the local and national technological network. Exchange of information, reporting of events and incidents, reciprocal awareness of patching requirements, transfer of best practices, and exercising and testing of direct inter-platform cooperation all contribute to the robustness of the entire Smart City environment as a whole.

Hackers have an exemplary collective organization and benefit from the lack of rules and boundaries in relation to the targeted infrastructures, making attacks a very difficult challenge to overcome. On the other side, bureaucracy, laws, social rules, ownership and managerial implications, decision distribution, lack of clear visibility and understanding of activity inside the virtual space, and the complexity of the technological environment all represent impediments that lower the efficiency of prevention and reaction to attacks. In these conditions, high-level and horizontal cooperation are paramount for ensuring a proper defense against cyber threats.

4. Specific vulnerabilities and threats

This chapter depicts the main categories of cyber vulnerabilities and threats specific to Smart City environments. It also contextualizes the incidents that may arise and affect the protected infrastructures.

The chapter is suited for:

  • all audiences

4.1. Understanding the incidents specifics

Cybersecurity measures are useful and efficient if adapted to respond specifically to the risks identified as most relevant for Smart City. Risk assessment processes explore the probabilities and the impact associated with the exploitation of vulnerabilities by certain threats, thus offering the premises for prioritization and management of risks according to their corresponding level of importance.

Knowing and understanding vulnerabilities and threats sets the path for the identification of an extensive list of possible cyber risks, containing the most probable approaches used by malicious actors to initiate and conduct attacks.

The good part in preparation for defense is that hackers' mentalities and modus operandi (TTPs – Tactics, Techniques and Procedures) remain mostly unchanged over time. Understanding the adversary’s “art of war” offers the chance to prepare a good prevention and reaction strategy that would ease the efforts for detecting and dismantling the main channels of attack. An example and a starting point for deeper understanding of the subject is offered by MITRE ATT&CK, which builds relevant research on TTP-specific topics [MITRE].

The bad part is that attackers’ means and tools are continuously updated and improved, making use of the highest tech capabilities in order to bypass the defense mechanisms and penetrate the targeted ecosystems. This may force the infrastructures’ owners to build cybersecurity mechanisms capable of counterbalancing the level of high-tech threats, thus sometimes leading to a disproportion of value between the protected target and the investment in its security. To avoid these imbalances, different cybersecurity strategies may be deployed, capitalizing not only on the available technology, but also on the expertise of specialized human resources, and on cooperation.

4.2. Threats

Threats to Smart City cybersecurity may come from:

-      Individuals and groups conducting cyber-criminal activities to gain personal advantages (usually economic) or fame. Similarly to theft or fraud in the physical world, hackers focus on cracking systems and databases to get undue resources.

A particularly dangerous, and unique, category of harmful individuals consists of “the insiders”: employees that, at some point in time, can turn against the organization with the intention of forcefully solving work conflicts or financial constraints, or with other purposes that may put people and the environment at risk.

-      Terrorists and hacktivists, which pursue the manipulation of decisions (be they political, administrative or organizational). Similarly to terrorism in the physical world, the attackers focus on leveraging mass fear to attract attention and force their will over public decisions. Cyber-physical terrorism can affect human safety and health, as well as the availability of public services, thus eventually leading to serious disasters.

-      State actors, seeking to gain strategic advantage over a metropolitan or nationwide population or resources. Usually making use of APTs (Advanced Persistent Threats) as tools for conducting attacks, state actors focus their efforts on cyber espionage, in order to get unauthorized access to confidential information that can facilitate disruption of societal processes and dynamics.

4.3. Vulnerabilities

Vulnerabilities of Smart City cybersecurity may consist of:

-      Low built-in security, misconfiguration, negligent and improper administration, as well as lack of knowledge in the use of technology.

-      Misconduct regarding ethical requirements in relation to technology; an unbalanced security-privacy ratio that would result in abuses of people's personal data and space.

-      Poor protection and management of Big Data pools, especially of those containing personal data or operational/critical data.

-      Poor setting of decision algorithms (e.g., based on AI technology) that may deliver unacceptable rates of false positives or false negatives. This may result in slow response to incidents.

-      Leaving devices, services or entire network areas without protection, thus creating weak links or spots that can serve as backdoors to hackers for penetration and exploitation of the ecosystem.

-      Misinterpreting, misassigning and mismanaging the criticality of the protected infrastructure.

-      Lack of cybersecurity knowledge and awareness at the decision making and management levels.

-      Lack of cooperation, collaboration and synchronization on cybersecurity matters, among partners and competitors in the technological and social ecosystem.

-      Lack of correlation and integration of cybersecurity efforts; lack of strategic perspective that would allow proper response to hybrid threats and asymmetric conflicts.

-      Low cybersecurity education level of employees and population.

4.4. Contextualizing incidents

Cybersecurity incidents may arise either from unintentional events (e.g., happenings, accidents, negligence, lack of attention, lack of knowledge), or from intentional acts (i.e., attacks, crime). They may occur only in the virtual world (e.g., cyber-dependent crimes) or in the cyber-physical environment (e.g., cyber-enabled crimes), producing damages at a larger scale than in the case of classical/physical security incidents.

In the context of the high amounts of information that people need to manage in their daily lives, cybersecurity risks may subtly extend into the domain of disinformation, propaganda and manipulation. Depending on the level of interest that the cyber attackers have, cybersecurity incidents may be transformed or used as leverage for conducting hybrid and asymmetric conflicts that, in the end, may become a matter of national or community security (e.g., economic disruption, energy services DoS/DDoS, political/administrative decision tampering, social order destabilization, biohazard generation).

Threats and vulnerabilities need to be analyzed based on the local Smart City particularities and treated in an adapted approach in order to prevent and counteract the most specific set of risks in that environment.

5. Essential lines of action

This chapter provides a description of the main sets of cyber-related measures to protect Smart City environments, ranging from enhancement of human competences to improvement of technical capabilities.

The chapter is suited at least for:

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

  • Policy makers

  • Regulators

There is a set of actions paramount for building proper cybersecurity conditions, focused on preparation, prevention and reaction to cyber-physical incidents.

5.1. Human training

Awareness and specialization of human resources account for at least half the investment that needs to be made in cybersecurity efforts. Understanding the technological functioning, as well as the relation between technology, human, society and nature, is mandatory for the ability to accurately represent the activities happening in systems and networks, and in the attackers’ circles. No technological architecture is able to express the analysis and the inferences that humans can make in relation to the security climate; it helps and supports the process, indeed, but the human mind is critical for anchoring comprehension and decision in the realities surrounding us (a rationale that remains valid at least until Artificial General Intelligence capabilities may arise – which is not supposed to actually take form until year ~2050, according to the average of predictions for the technological future).

5.2. Automating technical capabilities

A large proportion (roughly 80%) of prevention efforts is done by automation of the detection and blocking of cyber-physical incidents, using technological capabilities. These are usually focused on threat information management and consist of:

-        vulnerability discovery and patching, making use of vulnerability scanning tools and follow-up remediation activities;

-        technical Intelligence gathering (e.g., Cyber Threat Intelligence/ CTI tool) digging for threats in their forming phase, in order to support timely patching of systems and networks;

-        calibrated monitoring and detection of incidents, using refined SIEM searching rules for specific threats;

-        comparison analysis using registered CVEs, searching for known threats that may still try to exploit unpatched vulnerabilities;

-        behavioral analysis of system and network events and activities, searching for anomalies that would detect and prevent intrusions (which usually also makes use of AI and machine learning algorithms);

-        technical analysis used for reporting and exposing the situation to the decision makers (operators and owners).
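As an added example (not the document's or IMPETUS's own code), the following Python script implements two of the automated steps listed above: comparing an asset inventory against CVE-style records to find software still exposed to known, registered vulnerabilities, and calibrating a SIEM-style failed-login detection rule from a baseline of normal behaviour instead of a hard-coded threshold. The inventory, the CVE records (placeholder identifiers, not real advisories), the version numbers and the log lines are all constructed for the example.

```python
"""Added example (not the document's or IMPETUS's own code): two automated
prevention steps: (a) comparing an asset inventory against CVE-style records
to find unpatched software and (b) calibrating a SIEM-style failed-login rule
from baseline behaviour.  Inventory, CVE records (placeholder identifiers, not
real advisories), versions and log lines are all constructed."""
import re
from collections import Counter

# Constructed inventory of Smart City assets: hostname -> (product, version).
INVENTORY = {
    "water-plc-gw-01": ("scada-gateway", "2.3.1"),
    "traffic-ctrl-07": ("signal-controller", "5.0.4"),
    "city-portal-web": ("web-portal", "1.8.0"),
}

# Constructed CVE-style records: product, first fixed version, severity.
CVE_FEED = [
    {"id": "CVE-0000-PLACEHOLDER-1", "product": "scada-gateway",
     "fixed_in": "2.4.0", "severity": "high"},
    {"id": "CVE-0000-PLACEHOLDER-2", "product": "web-portal",
     "fixed_in": "1.7.2", "severity": "medium"},
    {"id": "CVE-0000-PLACEHOLDER-3", "product": "signal-controller",
     "fixed_in": "5.1.0", "severity": "critical"},
]
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def version_tuple(version):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def unpatched(inventory=INVENTORY, feed=CVE_FEED):
    """Return (asset, cve_id, severity), most severe first, for every asset whose
    installed version is older than the version in which the CVE was fixed."""
    hits = []
    for asset, (product, version) in inventory.items():
        for cve in feed:
            if cve["product"] == product and \
                    version_tuple(version) < version_tuple(cve["fixed_in"]):
                hits.append((asset, cve["id"], cve["severity"]))
    return sorted(hits, key=lambda hit: SEVERITY_ORDER.index(hit[2]))


# Constructed sshd-style lines: a normal baseline day and a day under review.
BASELINE_LOG = """\
Mar 01 08:00:01 portal sshd[101]: Failed password for admin from 10.1.1.20 port 5001
Mar 01 08:05:00 portal sshd[102]: Failed password for admin from 10.1.1.21 port 5002
Mar 01 09:00:00 portal sshd[103]: Accepted password for admin from 10.1.1.20 port 5003
Mar 01 09:10:00 portal sshd[104]: Failed password for ops from 10.1.1.22 port 5004
Mar 01 09:11:00 portal sshd[105]: Failed password for ops from 10.1.1.22 port 5005
"""
REVIEW_LOG = """\
Mar 02 03:00:01 portal sshd[201]: Failed password for admin from 203.0.113.9 port 6001
Mar 02 03:00:02 portal sshd[202]: Failed password for admin from 203.0.113.9 port 6002
Mar 02 03:00:03 portal sshd[203]: Failed password for root from 203.0.113.9 port 6003
Mar 02 03:00:04 portal sshd[204]: Failed password for ops from 203.0.113.9 port 6004
Mar 02 03:00:05 portal sshd[205]: Failed password for ops from 203.0.113.9 port 6005
Mar 02 03:00:06 portal sshd[206]: Failed password for guest from 203.0.113.9 port 6006
Mar 02 08:30:00 portal sshd[207]: Failed password for admin from 10.1.1.20 port 6007
Mar 02 08:31:00 portal sshd[208]: Accepted password for admin from 10.1.1.20 port 6008
"""
FAILED = re.compile(r"Failed password for \S+ from (\S+) port")


def failures_per_source(log):
    """Count failed logins per source address in sshd-style log text."""
    counts = Counter()
    for line in log.splitlines():
        match = FAILED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def calibrate(baseline_log, margin=2):
    """Derive the alert threshold from observed normal behaviour (busiest
    legitimate source plus a margin) rather than hard-coding a number."""
    counts = failures_per_source(baseline_log)
    return max(counts.values(), default=0) + margin


def detect_failed_login_bursts(review_log, threshold):
    """Sources whose failed-login count exceeds the calibrated threshold."""
    return [(src, n) for src, n in failures_per_source(review_log).items()
            if n > threshold]


if __name__ == "__main__":
    for asset, cve_id, severity in unpatched():
        print(f"{asset}: {cve_id} ({severity}) not yet patched")
    threshold = calibrate(BASELINE_LOG)
    for src, n in detect_failed_login_bursts(REVIEW_LOG, threshold):
        print(f"{src}: {n} failed logins (threshold {threshold})")
```

Two design choices are worth noting. Versions are compared as integer tuples, because comparing "2.10.0" with "2.9.0" as strings would wrongly rank the older release higher and hide an unpatched asset. The detection threshold is derived from the baseline day (the busiest legitimate source plus a margin), which is what "calibrated" means in practice: the same rule on a network where operators routinely mistype passwords gets a higher threshold and fewer false positives, while the single unknown source with six failures still stands out.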

5.3. Leveraging human capabilities

Then, the automated processes are complemented by manual activities executed by highly specialized technical analysts, with the specific purpose of threat hunting. These experts usually look for APTs and zero-day threats (that have not been discovered and registered anywhere yet), deliver patching recommendations to system administrators and share the information across the cybersecurity community, in order to timely reduce the newly discovered attack surface.

5.4. Optimizing and customizing protection

There needs to be a funnel representation from the totality of cyber-physical risks (both those identified in the risk assessment and those existing in the real world) to the attack attempts, to the actual attacks bypassing the security mechanisms, and to the ones producing harm. The rate of filtering these attacks at each layer/phase of manifestation needs to be exponential, so as to reduce the harm-producing incidents to zero.

This desideratum may be accomplished by the means of optimized response capabilities (e.g., Cyber Threat Detection and Response/CTDR tool in IMPETUS), that would facilitate the work of rapid reaction and forensic teams, in managing active cyber-physical incidents.

5.5. Exercising and simulation

In order to have all the cybersecurity capabilities in good standing and ready to be deployed at maximum performance, exercising and simulations are required at the level of the personnel involved. Knowledge, skills and procedures need to be tested and improved (where necessary) by means of specific tools, direct collaboration in teamwork and high-level (strategic and management) cooperation in roundtable exercises.