eGovWatch: Secure transition to a resilient smart city
The year 2015 is expected to bring about a massive transformation for Indian citizens, enterprises and government, with the government of India announcing the smart cities project and setting aside funds to achieve this.
India’s vision of setting up 100 smart cities is a major step towards a digital India. This initiative is highly anticipated by the citizens, as they usually encompass advanced systems such as intelligent transportation, connected healthcare, wireless hotspots, and smart energy grids.
Primarily, smart city deployments come with multiple features and state-of-the-art technologies, like critical and complex information communication technology (ICT) implementations, comprising of a diverse ecosystem of technology providers.
At the same time, increasing ICT complexity and hyper-connectivity resulting from IoT environments, as well as generation of significant amounts of data, would also mean increasing vulnerability, both to malicious attacks and unintentional incidents.
Like any other connected environment, these hyper-connected environments could come under potential cyber-attacks that might severely cripple life in the cities, public communities, industrial sites, and essential services. Many of us don’t realise that, left unattended, these security threats can have serious implications for India’s Smart City vision.
In 2012, globally, 22% of targeted attacks were aimed at governments as well as energy and utilities companies, while governments and healthcare institutions were the target of 24% of identity breaches, as per Symantec’s recent Internet Security Threat Report. In 2013 as well, most targeted attacks globally were against governments.
As many countries in the west celebrated Data Protection Day recently, it acts as an apt reminder for individuals, enterprises and the government to take cognisance of some of the devastating data breaches of the recent past with a view to sketch a safer future.
Growth in the interconnected environment has also made it more vulnerable to cybercriminals. Well-orchestrated, new-age targeted and cyber espionage attacks are not a new phenomenon in today’s environment. In 2010, India and the world woke up to the threat to critical infrastructure with the Stuxnet worm. It marked a watershed in virtual warfare, as it directly infected the critical infrastructure, putting the heavily guarded machinery completely out of control. It was known to have reportedly destroyed roughly one-fifth of Iran’s nuclear centrifuges by causing them to spin out of control.
Adding to the trend in recent times, the Dragonfly group attacked more than 1,000 firms crippling critical infrastructure in multiple countries. While the main purpose of these ‘infections’ was to gain a foothold in the networks of targeted companies, the attacks also revealed that the Dragonfly group now had the capability to strike vital infrastructure if it chose to. According to Symantec’s research, this well-resourced attack group that has been functional since 2011, initially targeted defence and aviation companies in US and Canada, before shifting focus to other firms in US and Europe in early 2013. Groups like these had the motive of gaining foothold in the networks of companies—revealing their capability to strike the critical infrastructure any moment.
More recently, Regin—a new piece of malware uncovered by Symantec conducted targeted attacks at numerous international organisations since 2008, including governments, infrastructure operators, businesses, academics and private individuals. Interestingly, around 5% of these infections were confirmed to be in India. Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing.
Cyber threats and data leaks undermine our confidence in technology despite the fact that it enables information sharing, in the infrastructure and, in the quality of our data, and ultimately impact our real world situations and values. In this scenario, the time is now for government administrators to think security while crafting the blueprint for smart cities.
Data and information are the fuels powering our world. Ensuring the privacy and security of data and information is important because it is linked to individuals and their rights. Data “living” in our critical infrastructure is responsible for running our economy and its value has soared significantly, enabling economic growth and prosperity.
Information is taking on an intrinsic value that it has never had any time before. While smart cities will, without a doubt, enable a better lifestyle, it can inadvertently invite cybercriminals—if left unsecured. Worldwide, smart cities are on the rise with city planners competing to attract business and talent. By conceiving and building interconnected urban systems with security and information protection in mind, city administrators will be able to ensure service continuity, safety and well-being for citizens and businesses alike. As they do so, they must strike the right balance between usability, regulation and corporate transparency, as well as security and privacy.
The old models for data security—a castle and moat approach to ring-fence valuable information —has become irrelevant because the perimeter of defense has become elastic. That is why choosing reputed and experienced thought leaders as partners in conceiving such complex developments is rather a necessity. To realise this, city planners must establish a governance framework to help identify and engage key stakeholders. People responsible for modeling the city’s information backbone must embrace an information-centric approach, which includes using content-aware information tools that consider the users’ context before sharing information with them.
Cities aspiring to be “smart” must learn to secure and manage diverse environments. Developing an end-to-end framework to manage critical infrastructure, promote compliance, mitigate fraud, and protect privacy is an important step in the right direction toward building resilient smart cities that will stand the test of time and set new benchmarks in urban development.
By Sanjay Rohatgi
The writer is president, Symantec India