1. Perspectives for technology evolution - a depiction of the main trends for the evolution of technology

2. Glimpse on the evolution of cybersecurity risks - a review of the main trends for the evolution of risks

3. Needs for adaptation - a set of high-level actions needed to manage the evolution of risks

1. Perspectives for technology evolution

In the rapid pace of technology’s evolution, the changes of the social environment may become challenging. On the one hand, digital technology tends to evolve at a higher rate than the one needed by the human to adapt to changes (e.g., the quantity of information produced by the digital environment may sometimes exceed the human natural capacity to process and assimilate, thus leading to poor or misguided use of technology).

On the other hand, the complexity of some technological environments (e.g., Smart City ecosystems) can make it difficult to track and update all the functional and security requirements, which may lead to a lack of control over the overall image of the targets to be protected. Thus, unnoticed vulnerabilities may become weak links that can pose the entire chain of protection at risk.

Moreover, automation and autonomation predispose humans to lose control over technology (e.g., Artificial Intelligence designed to facilitate decision making processes may become a partial or a total black-box due to self-evolving algorithms). Lack of knowledge regarding the background processes generates uncertain effects, thus predisposing to a profound weakening of the security of the social realm.

Considering the high dynamics of technology’s evolution, the security mindset needs to follow a principled approach that maintains its validity regardless of the particularities of any technologies that we may face in the future in any context of Smart City. Cybersecurity needs to offer a basis for proper adaptation, to keep technological eco-system safe and balanced in the long run.

As a general landmark, cybersecurity seeks to ensure optimal conditions for technology’s functionality, serving both security and safety purposes (i.e., it considers both threats and vulnerabilities, in its efforts to manage the risks). The associated risks are facilitated by (and sometimes even dependent on) a series of factors specific to the evolution of the technological and social landscape, that may be shortly enumerated as follows:

1.1. At the applied level

-        Systemic complexity and sensory abundance will continue to grow, especially in the Smart environments.

They impose robust and reliable architecture, clean implementation and focused attention to configuration. Management, performance and resilience of services depend on the quality of network partitioning, as well as on the accessibility to each of the technical facilities. Simplicity is solved complexity.

-        Interconnection and diversity of the service delivery platforms (e.g., via IoT, 5G) will support fluency and customization of experiences.

They impose uniform and unitary protection of networks, to avoid single flaws and weak links. The development of an all-round compulsory level of security may require substantial effort, but it is also indispensable for maintenance of the proper functioning conditions of technology.

They also impose custom adaptations of security configurations to fit some particular/explicit needs, as well as raising awareness to involve humans (i.e., users, operators, managers, decision-makers etc.) as direct participants in the maintenance of security.

-        Interleaving between IT and OT will make it difficult to discern between critical and non-critical infrastructures.

This imposes an adjustment on the perception of criticality both in terms of the level of granularity, as well as related to the associated scope.

IT and OT networks have different purposes and specificities, leading them to manage different sets of data having different needs of security. Any merging between the two imposes a strict definition and assignment of specific/separate measures for the proper management of the security requirements.

More so, the specialized terminology of “critical infrastructure” should be assigned not only to organizations, but also to industries or to similar complex ecosystems (e.g., Smart Cities, civil aviation, energy sector, e-government). To ensure a seamless and real-time protection of broad and heterogeneous technological environments having great importance for the community security or for the national security, the responsibility over cybersecurity needs to be assumed in the most extensive manner. Any weak point of protection may endanger the overall technological architecture. 

-        Automation and autonomation (e.g., via Artificial Intelligence) will empower technology with easiness of action and with decision-making capabilities.

As a general security requirement, people need to ensure they keep their control over technology and over the influence it has on its users and on the environment. Self-awareness and knowledge of technological background processes will be indispensable for maintaining proper human-technology interaction in the future.

1.2. At the information level

-        Information overload, due at least to excessive data generated by equipment, increase of general human knowledge base, increase in customization of services and marketing activities, growth of digital disinformation.

It hinders the domestic/daily management of information, predisposing people to misguide themselves, to encounter difficulties in decision making processes, or to experience unconscious psychological adaptations. On a large scale, the abundance of information may generate subtle influences both in individuals and in society, leading us to unknown risks.

Also, the information overload may affect the operational processes, the technical analysis of data, thus lowering the capability to react and counteract the manifestation of risks.

-        Continuous novelties in technology landscape.

Digital technology evolves at a rapid pace, forcing us to maintain a continuous effort of adaptation to its specificities. Cybersecurity cannot be set as a static/one-time state of protection; it must be updated and refined permanently, to be able to respond correspondingly to the changes that occur in the threats’ realm. Cybersecurity requires a continuous effort for adjustment and improvement, as well as a correct perception and understanding at the management and operational levels, in this regard.

-        Overlapping responsibility, due to multivalent fields of work and complex multi-industry phenomena (e.g., urban mobility via autonomous UAVs).

Some of the future technologies that will be deployed in the urban area may bring great challenges to the safety and security of the population. Autonomous UAVs, for example, will comport multi-valent risks (reaching from physical injury of individual people to disturbance of large urban/social assets) that need to be approached in unison by multiple authorities: the police, the local administration, the civil aviation authority, the national security authorities (e.g. in cases of terrorism) and maybe others.

Such complex phenomena need proper preparation and clear understanding of roles, to overcome difficulties in management and operation, and to reduce the reaction time to security incidents and crisis. Firm allocation and separation of responsibilities, as well as full coverage of the protection measures over the entire socio-technological realm, are needed to ensure unitary, relevant and efficient counteraction of risks.

-        Security vs. Privacy balance will be harder and harder to manage.

The growth in the amount of usage data and personal information, as well as the complexity and customization of technology, make privacy management an increasingly burdensome mission for the security departments. Development of security culture and awareness at the level of the general population, and proper development of regulations, are paramount for leveraging on the security-privacy challenge in the best interest for the people.

-        Rapid evolution of the social landscape.

The adoption of smart technology will change the way we interact and evolve in the social landscape, commuting from the classical understanding of the social life to a digital one. Influences and changes brought by technology to humans (and also to nature) need to be known, analyzed and understood, in order to support the decisions that will govern the long-term evolution of society.

2. Glimpse on the evolution of cybersecurity risks

The evolution of technology and society gives rise to a wide range of risks, related both to technical and non-technical aspects of our lives. Since much of our activity moves from physical to virtual space, the threat factors adapt and emerge, to exploit the continuously updating technological environment.

In a general note, we may observe that risks revolve around exploiting data and information, with a diversity of purposes ranging from economic to political ones. In this regard, we might need to take into consideration possible evolutions of threats and vulnerabilities relevant to Smart Cities, such as:

-        Frequent human errors, that may result in misconfiguration and maloperation of equipment, mistaken data management, unintentional data leakage – that ultimately create weak links and points of access to Smart City data, services and tools (in general, not only related to IMPETUS);

-        Lack of overall knowledge and situational awareness over the protected infrastructure and services. A complex and dispersed environment may be difficult to keep under complete supervision and monitorization, especially when having multiple owners.

-        Difficulty in drawing complete risk assessments, due to the multitude and diversity of risk factors.

-        Lack of management buy-in, due to a lack of understanding and perception of the practical cybersecurity needs.

-        Adaptive targeted social engineering, which may be adjusted on-demand. Spear phishing may be easier to conduct due to the rich databases with users' personal data gained through customization services and preferences settings. Moreover, AI-based spear phishing may threaten all levels of users, regardless of their rank or job.

-        Partial or complete loss of human control in the face of automated technology, that may lead to uncertain social effects in the future.

-        Disinformation, that may generate a wide range of destructive effects, from confusion, information overflow, decision obstruction, to political maneuvers, economic imbalances and educational disparities.

-        Next-gen cyber warfare, that can be conducted via the cyber-physical realm, with no borders, no time and resource limitations, and no liability over malevolent and destructive actions. It may seamlessly merge operations related to cyber domain, hybrid warfare, informational conflicts, economic manipulation and industrial disruption, to impose large-scale interests.

3. Needs for adaptation

Considering the high pace of technology’s evolution, we need to deploy agile adaptation mechanisms, to permanently improve our understanding, capabilities and actions. The three facets of the societal realm – technology, people, processes – need to be managed accordingly, to ensure a safe and secure living environment in the Smart Cities:

-        Technology needs a secure lifecycle, from scratch to scrapping, regardless of the dynamics in the changes that it suffers along the configuration, deployment and improvement stages;

-        People need awareness and direct implication to the maintenance of security, regardless of their job or position in society;

-        Processes need to be openly and continuously adjusted to support a seamless implementation of the operational requirements of security, regardless of their bureaucratic constraints and financial limitations.

There may be lots of measures and actions that contribute to the assimilation of technological progress. In the following, we mention some examples that can counterbalance the risks to cybersecurity of Smart Cities:

-        Implementing digital competence training – both general, related to digital technology, and specific, on cybersecurity – that would form a baseline of knowledge for the population and workforce, with regards to the proper use of technology, and to the management of security risks.

-        Setting educational conditions for life-long learning in the technological domains of expertise, to facilitate continuous adaptation to changes.

-        Developing open mechanisms to assimilate the technological evolution at the social level and to adapt the judicial/official processes to the features of the new instrumental realities (e.g. set an appropriate ecosystem for adoption of autonomous urban UAVs networks).

-        Continuous update of the knowledge related to attackers’ tactics, techniques and procedures (e.g., MITRE ATT&CK TTPs Matrices).

-        Improving and implementing due diligence with respect to security requirements, including:

o   Management buy-in and awareness – to understand, take ownership and manage the technological phenomenon (both in terms of security needs and risks).

o   Appropriate investment for capability development (both in terms of security equipment and development of specialized teams/personnel) and compliance with standards and certifications.

o   Setting careful configuration and appropriate procedures, to maintain cyber hygiene both in the area of use/operation and to counter cybersecurity risks.

o   Development and maintaining mechanisms for functional redundancy, data backup, and readiness for crisis management.

o   Development of two-factor high-level mechanisms to supervise and control the proper functioning of smart technology (that involves automated decision management, e.g. AI), so that the error rate is kept at the lowest possible level, and the harmful impact on humans is negligible.

-        Developing AI and Big Data processing capabilities, and increase the degree of automation that support human efforts of security.

-        Developing, modeling and adapting strategic approaches, to comprehensively cover the management of technology and to develop unitary command and control capabilities able to prevent and counteract the materialization of security risks.

-        Increase common ground for operations between agencies with direct interest for security (e.g. Municipalities, Police, National Security, CERTs, SOCs), through shared representation of information. As well, proceeding to a safe integration in the community’s security architecture of any siloed networks.

-        Continuous improvement of mechanisms for early detection and prevention of security events.

-        Developing, maintaining, updating and testing of the trust chain, so that systems and networks evolve in trustworthy and secure conditions, with vulnerabilities and attack surface diminished to the most extent.