Benefits and Cybersecurity and Privacy Risks

From OpenCommons
Revision as of 18:47, December 19, 2021 by Pinfold (talk | contribs)
Jump to navigation Jump to search


Cybersecurity and Privacy
Cybersecurity and Privacy
Sectors Cybersecurity and Privacy
Contact Lan Jenson
Topics
Activities
Cctvcompanies.jpg Cybersecurity and Privacy Resilience Center
COVID-19 crisis has amplified Cybersecurity & Privacy Risks for organizations with their transition to remote and virtual work arrangements. These risks range across infrastructure, data security, data privacy, remote access, policies, security awareness and compliance.
Authors

Lan Jenson.jpegDavid BalensonOC.jpgAdnan BaykalOC.jpgGary Dennis.jpegWayne DennisOC.jpg[[File:|x100px|link=Alex Huppenthal]]Damon KachurOC.jpgBennyLee.jpgCarmen MarshOC.jpgAleta Nye.jpegCarmen ParadaOC.jpgRenil-paramel.jpgBillPugh.jpgMaryam RahmaniOC.jpegCarter SchoenbergOC.jpgSushmitaSenmajumdar.jpgDeborahShands.jpgDean Skidmore.jpegScott Tousley.jpg[[File:|x100px|link=Ed Walker]]Ruwan Welaratna.jpegPaul Wertz.jpegPeterWong.jpeg

{{{summary}}}


Cities and communities stand to harvest unprecedented benefits from advances in information and communications technologies (ICT), in general, and Internet of Things (IoT) and Artificial Intelligence (AI), in particular. Smart cities inevitably introduce new or heighten existing cyber risks, which demand proper consideration in design to ensure the optimal realization of intended Smart City outcomes.

Smart Cities Benefits

Smart cities are associated solutions and capabilities defined by the integration of technology, connectivity, and data to improve the quality of and accessibility to citizen services and to improve the livability of the city and community. Smart cities have the potential to address key challenges, including air and other environmental pollution, traffic congestion, crime, and economic development. Many of these challenges can be directly connected to a direct and/or an indirect fiscal impact (e.g., operational costs, lost economic productivity); conversely, Smart City solutions may have direct benefits in terms of improved services or livability as well as associated benefits of cost savings through enhanced efficiency and a boost in economic productivity, development, and opportunity.

National Cybersecurity Center of Excellence research on mitigating IoT-based DDoS as presented by Tim Polk, Russ Gyurek, and Joshua Lawton at CPAC Cybersecurity Symposium for Smart Cities in San Jose, California, on October 3, 2018. Migrating IoT-Based

While there are many benefits associated with the promise of Smart Cities, there are also many risks and opportunities for unintended consequences. For Smart Cities to truly be successful and reach their full potential, it is important for those designing, developing, and implementing Smart City solutions to properly manage risk. Risk, in the context of Smart Cities, may be found in many common categories such as operational, financial, technical, contractual, legal, reputational, and political risk; however, one area of risk that is becoming increasingly important is cybersecurity and privacy risk. Addressing cybersecurity and privacy by design is critical to risk mitigation and enabling the successful development of Smart Cities and its benefits to citizens.

Cybersecurity and Privacy Risk

Risk (R) is commonly considered a function of three factors: vulnerability (V), threat (T), and consequence (C). While there is some contention on what the appropriate formula is, there is a clear, positive relationship between risk and each of its three variables (e.g., as consequence increases, risk increases). A common mathematical expression of risk is that risk is the product of vulnerability, threat, and consequence – or R = V x T x C.

This general notion of risk certainly applies in the cybersecurity and privacy context. With the increasing ubiquity of connectivity, cybersecurity and privacy risk is a concept that must be thoroughly considered in most, if not all, domains, including the Smart City environment. Risk in the Smart City context can be attributed to a wide variety of factors given the nearly infinite permutations of potential Smart City-related vulnerabilities, threats, and consequences.

Example Smart City Cybersecurity and Privacy Vulnerabilities, Threats, and Consequences
Shopping List Vulnerabilities Threats
  • Lack of awareness of all authorized and unauthorized devices/assets
  • Poorly-implemented encryption or lack of encryption
  • Inability to patch or update software/firmware
  • Use of default administrator passwords
  • Susceptibility to distributed denial of service (DDoS) attacks
  • Lack of security assessment and software code testing
  • Inadequate security and privacy awareness and training
  • Weak or immature supply chain risk management practices
  • National-state and state-sponsored actors
  • Organized crime and other criminal groups
  • Terrorist groups
  • Hacktivists
  • Insiders/employees – whether malicious, unintentional, or negligent
  • External suppliers, service providers, vendors, and partners (e.g., supply chain risk, interdependence and integration risk)
  • Other individual hackers or hacking groups
  • Natural and man-made disasters
  • Disruption of government services to citizens
  • Loss or leakage of citizen personally identifiable information (PII)
  • Financial loss or expense (e.g., lawsuits, regulatory penalties, theft of funds, cost of response and remediation)
  • Facilitation of terrorist event – whether physical, digital, or combined
  • Degradation of trust in government and government services
  • Danger

Many of the vulnerabilities and threats that could affect Smart City environments are similar to the cybersecurity vulnerabilities and threats commonly found in the traditional enterprise information technology (IT) environment. Additionally, it is unarguable that the consequences in the Smart City context are potentially more complex and catastrophic given the cyber-physical aspects of Smart Cities as well as the broad reach and expansiveness of Smart City implementations (e.g., citizens, government, the private sector, cross-jurisdictional elements).

Moreover, it is important to recognize that cybersecurity and privacy risks to Smart City environments is not merely hypothetical or notional. Indeed, there have been several high-profile cybersecurity and privacy events (among countless data breaches and attacks around the globe) that have had real, damaging effects on some cities and communities who are leading the Smart City movement.

The following four tangible examples of Smart City cybersecurity and privacy risk are based on publicly-available information.

Atlanta Ransomware (March 2018)
In March 2018, the City of Atlanta, Georgia, fell victim to a SamSam ransomware attack. Government agencies were locked out of their systems, and applications and services were forced offline - in some cases for months. The attackers were asking for approximately $51,000 in Bitcoin as a ransom payment. Similar attacks were allegedly conducted in ten U.S. states and Canada - including Newark, New Jersey; the Port of San Diego; and the Colorado Department of Transportation.
Vulnerability Likely weak access control measures, which allowed a successful brute force attack (i.e., attackers guessed credentials to access system). In addition, a January 2018 audit of Atlanta’s IT systems identified 1,500-2,000 vulnerabilities in the city’s IT systems, which may have facilitated initial access to or the eventual lateral movement with the city’s infrastructure.
Threat In November 2018, two Iranian nationals were charged with executing the SamSam ransomware attack; they are not considered to be associated with a nation-state actor.
Consequence Hundreds of municipal online applications and services (e.g., court systems, bill payment, law enforcement ticketing) were disabled, and many data records were lost, including police dash camera recordings and legal records. Many of these functions were considered “mission critical.” Nearly 4,000 computers were locked by the ransomware. The financial cost of response, remediation, and recovery has increased from early estimates of $2.7 million to $17 million (including $6 million in contracts for security services and software updates and $1.1 million in new IT equipment).