Cybersecurity and Privacy
This blueprint has been developed by the Cybersecurity and Privacy Action Cluster (CPAC) with the primary goal of providing a source document for all entities interested in learning how to manage upcoming Smart City cybersecurity and privacy challenges and risks.
The National Institute of Standards and Technology (NIST) launched the Global City Teams Challenge (GCTC) program in 2014 as a means to encourage collaboration across the global Smart Cities community. The goal of GCTC is to “establish and demonstrate replicable, scalable, and sustainable models for incubation and deployment of interoperable, standards-based solutions using advanced technologies such as IoT and CPS, and demonstrate their measurable benefits in communities and cities.”
- In 2018, NIST and the Department of Homeland Security Science and Technology Directorate (DHS S&T) partnered to initiate the Smart and Secure Cities and Communities Challenge (SC3) as an effort to build on the GCTC program and demonstrate the “value and return on investment for designed-in trustworthiness for smart city deployments.”
- In support of the SC3 effort, the Cybersecurity and Privacy Advisory Committee (CPAC) was established as a public working group comprised of cybersecurity and privacy professionals and practitioners across the GCTC community. The CPAC has representation from all levels of government, non-profit organizations, academia, and the private sector.
The CPAC public working group is intended to provide a forum for members to share their expertise, leverage industry best practices, and further collaborate with relevant organizations. The CPAC also serves as a cybersecurity and privacy resource for the GCTC-SC3 SuperClusters and Action Clusters.
Advances in information and communication technologies (ICT) and the advent of Internet of Things (IoT) devices are enabling municipalities’ development and deployment of Smart City capabilities and solutions. Municipalities are leveraging these smart solutions to provide enhanced services to their citizens; improve the livability of their communities; and promote economic opportunity.
Ubiquitous connectivity, the proliferation of computing power, and the emerging linkages between cyber and physical infrastructure introduce new and potentially greater cybersecurity and privacy risks than those found in the traditional IT enterprise. Effectively and proactively managing these emerging risks is critical to successfully developing and implementing solutions and to fully realizing promised Smart City benefits.
This Guidebook seeks to present an approach to Smart City cybersecurity and privacy risk management that can be adapted to meet the needs of individual municipalities and communities. This Guidebook also provides some key considerations that decision-makers will need to recognize and account for in their risk management approach.
The appendices of this Guidebook provide additional resources, including a set of use cases to help demonstrate the application of risk management concepts in real-world situations (see Appendix A) and the “CPAC ‘Top X’ Questions for a Trustworthy Smart City,” a discussion tool for initiating the conversation around cybersecurity and privacy risk management (see Appendix C).
- Intended Audience
The primary audience for this guidebook is municipal policymakers and leaders (e.g., mayors, council members, city managers, department heads, innovation officers, chief information officers, chief information security officers) actively involved in or considering the development of Smart City capabilities. However, it is also important for all other Smart City stakeholders (including technology/solution implementers and providers) to understand cybersecurity and privacy risk management processes and to be able to prepare and plan accordingly.
- Key Takeaways
Readers can take away best practices for a trustworthy Smart City, from planning to design to implementation. Specifically, best practices include managing cybersecurity and privacy-related risks for smart solutions and IoT systems, as well as the existing information systems:
- What is cybersecurity and privacy risk and why is risk management important?
- How might cybersecurity and privacy risk management in a Smart City environment be different from a traditional IT environment?
- How can cybersecurity and privacy risk management practices be operationalized and applied in the Smart City context?