Key Smart City Risk Management Considerations

From OpenCommons


Cybersecurity and Privacy
Sectors Cybersecurity and Privacy
Contact Lan Jenson
Topics
Authors

Lan Jenson, David Balenson, Adnan Baykal, Gary Dennis, Wayne Dennis, Damon Kachur, Benny Lee, Carmen Marsh, Aleta Nye, Carmen Parada, Renil Paramel, Bill Pugh, Maryam Rahmani, Carter Schoenberg, Sushmita Senmajumdar, Deborah Shands, Dean Skidmore, Scott Tousley, Ed Walker, Ruwan Welaratna, Paul Wertz, Peter Wong

Operationalizing and standardizing risk management across the organization is critical for minimizing cybersecurity and privacy risks during the development and operation of Smart City capabilities and solutions. It will be up to cities and their partners to determine the appropriate risk management policies and processes to adopt and implement based on their current risk management practices, risk posture, and their risk management strategy. While aspects of risk management may seem daunting and challenging, there are certainly opportunities that cities can leverage to their advantage.

The following considerations are things that Smart City organizations should keep in mind as they pursue the development, adaptation and maturation of their risk management programs.

Strategic Considerations

  • Risk management as a Smart City enabler - ​ Proper risk management practices and communication of those risk management practices can actually help enable the development, deployment, and operation of Smart City capabilities. Risk management should not be viewed as an encumbrance. Proper cybersecurity and privacy controls can help gain public trust and buy-in and promote requisite participation in Smart City functions.
  • Adapt perspective to look beyond traditional IT enterprise - ​ IoT projects introduce devices with connectivity and computational power at the network edge. Previously, devices with these capabilities were generally contained within data centers or other network segments that could be configured for limited ingress/egress and monitored. Existing threat models and risk management strategies and practices may need to be adapted and extended to cover these new system components.
  • Identifying, understanding, and assessing interdependencies - Smart city functionality may introduce new dependencies (e.g., data dependencies), and risk management decisions will need to consider the nature of these interdependencies. While an information system or an information type may be low impact for some stakeholders, the system or data may be high impact in another stakeholder’s context. Organizations need to consider these differences in classification for such systems and data and ensure that they are protected at the appropriate level. Additionally, it is worth noting that interdependencies between traditionally “cyber” and traditionally “physical” systems are fundamental to Smart Cities. Identifying these interdependencies and understanding and assessing how cybersecurity and privacy risks can potentially translate into, for example, safety-related risks is critical.

NIST SP 1190GB-5: Guide Brief 5 - Assessing Energy System Dependencies provides an example of how system and organizational interdependencies can be identified and evaluated. This publication is specific to energy systems but could be extended for use in other domains.

Coordination and Communication Considerations

  • Intra-governmental coordination and collaboration - ​ Given the interconnectedness and multi-stakeholder nature of Smart City capabilities and solutions, successful risk management will require significant communication, collaboration, and coordination between city departments and agencies. This necessitates the development of consensus, modification of existing structures and processes, and consideration of new shared resource and service models.
  • Public-private and intergovernmental coordination - ​ Smart city systems often involve a mix of assets that are inherently multi-party and multi-jurisdictional (e.g., city-owned and operated; regional; commercially-owned and operated). Implementations involve numerous government, private sector, and quasi-governmental organizations and their associated products, services, capabilities, oversight, etc. Successful risk management will require sharing of information (including potentially business-sensitive information), coordination of risk management and governance practices, and alignment of organizational and system boundaries. Increasingly complex interconnectivity and interdependency will necessitate particular attention to IT and data stewardship. Understanding and clearly delineating system, data, risk, and liability ownership - and ultimately, accountability - will be essential to managing cybersecurity and privacy risk in an effective manner. As Smart City projects have the unprecedented potential to impact residents either positively or negatively, special care needs to be given to engage the residents throughout the project lifecycle.
  • External communication of risk management strategy and policies - It is important for organizations to adequately communicate risk management strategies, policies, and guidance not only to internal departments and agencies but also to existing and prospective external partners, service providers, vendors, and constituents. This enables external parties to understand the risk management environment in which they are expected to participate and also enables providers to develop capabilities based on well-established risk management practices (e.g., security and privacy control baselines). Additionally, capability providers will be better enabled to collaborate with other capability providers and ensure that potential integrations of their offerings are compatible and do not create unmanageable risks.

Resource Planning Considerations

  • Evaluate costs and benefits of cybersecurity and privacy upfront - Cybersecurity and privacy risk mitigations must be considered as part of the overall budget of any IoT project. Some costs may be upfront (e.g., system design reviews, pre-deployment comprehensive penetration testing) and others might be ongoing (e.g., active network traffic monitoring, insurance). Additionally, the potential technical, contractual, and legal costs associated with remediation and recovery from a breach or attack also need to be considered and factored into the risk calculus. Investing in cybersecurity and privacy risk management capabilities upfront can have the benefit of mitigating or minimizing these potential costs (i.e., paying down risk).

  • Account for and provide resources for capability sustainment and maturation - ​ Risk management and the implementation of cybersecurity and privacy controls is not a one-time, compliance-based effort. It is a repetitive process that will compel updates as technology advances, risk profiles adjust, and the organization’s risk management program matures. Organizations will need to ensure that risk management capabilities and processes can be sustained and allowed to improve and mature as required.
  • Leverage existing IT/system assessment and auditing functions - ​ If a city already has an independent assessor or auditor (whether a government organization or a contractor) for their enterprise IT systems, the scope of work could be expanded to include Smart City systems. However, the city will need to consider whether the assessor or auditor has the requisite, specialized expertise to evaluate the diverse set of Smart City technologies and systems.

Procurement, Contractual, and Supply Chain Considerations

  • Consider both insourcing and outsourcing for risk management functions - The decision to insource or outsource certain capabilities, services, or functions is particularly important from the cybersecurity and privacy risk management perspective. These decisions should also consider initial implementation and ongoing operation and maintenance of capabilities. Some municipalities, particularly those that may be smaller or less mature, may not have the capacity to build out suitable in-house staff and associated infrastructure. With proper guidance and procurement processes, vendors should be able to build in or provide certain cybersecurity or privacy functions, thereby decreasing the burden on in-house resources. However, a risk decision of whether to trust vendor attestations or to evaluate and validate outsourced cybersecurity and privacy functions in-house or through a third party will come into play.
  • Leverage acquisition and procurement mechanisms - ​ Risk management needs to include acquisition and procurement offices and personnel – both in the establishment and implementation of risk management strategies and practices. Smart city solutions’ dependence on external services and COTS products provides an opportunity for Smart City buyers to dictate risk management requirements in contractual agreements, service level agreements, product certifications, etc. This is a means for Smart Cities to have some level of control over the security and privacy of systems and products that would otherwise be out of their control and ultimately assist in mitigating enterprise risk. However, procurement strategies and practices need to be flexible and be able to adapt to changing threat environments and corresponding cybersecurity and privacy requirements.
  • Understand supply chain to truly determine risk profile - ​ Smart cities are inherently dependent on industry partners to support new development and capabilities in a variety of dynamic areas - e.g., distributed energy production/management, telecommunications, traffic and facilities management, supporting infrastructure and services and cloud providers. Simply evaluating the cyber hygiene of the Smart City is not enough. To fully understand what exposure to harm (legal or cost related) exists, Smart Cities must carefully evaluate how business partners support or directly interact with Smart City resources. Independent studies show an alarming increase in successful compromises as a result of third parties. Municipalities should solicit assistance from regulatory, legal, and cyber subject matter experts as to how to ensure a lower risk profile by requiring enhanced security posture of the Smart City’s supply chain. The interdependency between municipality and the private sector is extensive and the ability to effectively underwrite insurance for next generation Smart Cities will be dependent on evolving legally binding agreements (e.g., service level agreements, terms and conditions, solicited/unsolicited proposals) to clearly define how to transfer or mitigate risk exposure associated with the supply chain.
  • Management of risk from external services, systems, and products - ​ Smart cities’ reliance on external services, contractor-owned systems, and COTS products necessitates mechanisms to ensure the risks associated with external services, systems, and products are properly managed. This includes all aspects of the risk management process, including the prioritization of systems and assets; the selection and implementation of controls; and the independent assessment and continuous monitoring of systems. This may require contractual agreements, service level agreements, or participation in independent, third-party certification programs; these mechanisms must also be able to adapt to the evolving technology environment, threat landscape, and cybersecurity and privacy requirements.
  • Require vulnerability notification from commercial product suppliers - Smart city deployments will undoubtedly involve COTS products and IoT devices of varying degrees of maturity - including cybersecurity and privacy capability maturity. As products mature and the threat landscape changes, it is essential for system and data owners to be notified of and aware of newly discovered vulnerabilities in a timely manner. Actions that follow notification of vulnerabilities will be dependent on the assessment of risk associated with that particular vulnerability, the available mitigations (e.g., patches), and the costs, including labor, financial, potential system downtime, downstream effects on interdependent systems, etc.

Technical and IoT-Specific Considerations

  • Technological diversity and limitations - Given the diverse array of technologies in the Smart City environment (e.g., IoT devices), selected controls – including common controls – may not be able to be implemented as intended. Factors restricting implementation may include limitations in built-in functionality, processing power, battery life, etc. This may necessitate significant effort in terms of tailoring security and privacy controls, determining compensating controls, or assessing risk acceptance. Organizations and system owners will need to document how controls are actually implemented and configured and determine whether the residual risk is acceptable. Additional discussion of IoT and associated cybersecurity and privacy risks and considerations can be found in the following resources: NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks; NIST Cybersecurity White Paper: Internet of Things (IoT) Trust Concerns; NIST SP 1900-202: Cyber-Physical Systems and Internet of Things; and the Cybersecurity and Infrastructure Security Agency’s (CISA) publication titled The Internet of Things: Impact on Public Safety Communications.
  • Common control challenges and opportunities - ​ Collaboration across government departments and agencies can lead to increased efficiency, for example, with the identification and implementation of common controls. However, diversity of technologies, architectures, and infrastructures could limit the feasibility of common controls. Collaboration from policy, governance, budget, and infrastructure perspectives may be needed to maximize the effective implementation of common controls. Establishing, implementing, and maintaining common controls can be enabled by some of the other considerations identified in this document (e.g., leveraging the procurement process, external communications).
  • Continuous monitoring in highly dynamic smart environment - Smart city environments are highly dynamic with frequent changes to the technology environment. Corresponding cybersecurity and privacy requirements and controls will undoubtedly need to be revised, updated, reconfigured, etc. Organizations and system owners will need to determine the appropriate minimum frequency at which necessary risk management processes will be conducted. This frequency may vary by system security category and impact level, mission, information type(s), and other organization risk factors. That said, the long-term risk management objective is to continue to move towards increased automation and truly continuous (i.e., real-time) monitoring of risk. Indeed, NIST 800-37 Rev. 2 recommends that “Organizations should maximize the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of executing the steps in the Risk Management Framework (RMF). Automation is particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches—together facilitating a real-time or near real-time risk-based decision-making process for senior leaders. Organizations have significant flexibility in deciding when, where, and how to use automation or automated support tools for their security and privacy programs. In some situations, automated assessments and monitoring of controls may not be possible or feasible.”

Legal and Liability Considerations

  • Understand new and/or additional regulatory exposure - ​ Depending on the organization(s) and on the types of data being processed by the IoT system, various regulatory requirements may come into effect. For instance, if a system includes healthcare data (e.g., vital sign information from wearable sensors worn by first responders), HIPAA may apply. Alternatively, if a system includes data that allows members of the public to be identified (e.g., video recordings), various privacy regimes may apply, such as GDPR or California data privacy laws.
  • Risk mitigation through cybersecurity insurance - ​ Smart cities can consider cybersecurity insurance as a risk mitigation measure (i.e., risk transfer). Cybersecurity insurance is an expanding and open area of business support/development, and can reduce potential financial loss (i.e., consequence) and thereby reduce total risk. However, insurance would only be suitable for mitigating certain risks (i.e., those that can directly translate into monetary loss). A recent Wall Street Journal survey suggested that a majority of the 25 largest U.S. cities have cyber insurance or are considering purchasing it.
  • Cautious use of non-disclosure agreements - ​ The use of non-disclosure agreements (NDA) should be carefully considered. The municipality may need to share vendor information with external regulatory bodies or even other vendors (e.g., data formats sent by an IoT device may need to be known by packet inspection engines). NDAs should provide enough latitude to enforce the municipality’s chosen cybersecurity and privacy risk posture while also respecting vendors’ intellectual property and proprietary information. The municipality will benefit from periodic technology audit/risk review assessments, similar to those carried out for financial audits and reviews of banks, financial, and other complex organizations.