A smart city's critical infrastructure, economy, and governance are designed to sustainably improve the well-being of residents (United States Government Accountability Office [GAO], 2019). Critical infrastructures such as energy, electricity grids, communications networks, transportation and water systems are digitally enhanced to provide smart services to city residents while ensuring security issues are well monitored and effectively addressed (GAO, 2019).
Smart Cities => Smart Bases
The smart city concept is readily applicable to military installations and their neighboring communities, as military bases and cities may share residents, physical infrastructures, employment opportunities and the provision of a broad range of services (Sharma & Raglin, 2019; CSIAC, 2020). This article illustrates how the smart city concept, and especially regional secure cloud architectures, can be applied in the military environment and in mixed civilian – military contexts as well (McKnight, 2020). For example, integrating a federated secure cloud architecture can lessen the risks of ransomware and other malicious cyber threats, and brings other benefits by increasing visibility for the base commander into all digital and cyberphysical systems operating on the base (AFCEA, 2020; Lee, Bohn & Michel, NIST-SP 500-XXX, 2019). Of course, critical differences exist between cities and military bases. Military installations exist to train and house soldiers for peaceful and combat operations at home and in foreign countries. Bases also provide operational and logistical support for these missions. Because of their mission, military bases require a heightened level of cybersecurity; classified systems are beyond the scope of this article.
Cyberphysical 5G+ Security Risk Management for Smart Bases
Cyber threats are significant and all-encompassing threats to US national security. They target all American institutions, including federal, state, and local government, military, financial, healthcare, and educational institutions, and critical infrastructures. These threats are unrelenting.
A risk management approach to smart city/smart base cybersecurity and privacy can assist military installations and their associated decision-makers and technology implementers as they consider, develop, implement, and/or operate Smart City capabilities and solutions (McKnight 2020, NIST SCCF 2021). This approach engages stakeholders and begins the conversation around cybersecurity and privacy risk management. It verifies, supplements, and refines existing cybersecurity and privacy risk management processes. This approach can also identify key cybersecurity and privacy considerations that may be specific to smart base environments and solutions.
Smart Data Risk Classification Scheme
A smart data risk classification scheme can be applied to cities, counties, regions, states, nations, and bases. It helps officials, service providers, the public, and other stakeholders recognize their shared responsibilities for smart city data security, privacy, ethics, and other rights (McKnight et al., 2019a).
- Red Data: sensitive data including personally identifiable information – most controlled and restricted
- Yellow Data: medium sensitivity information with possibly controlled access but by law can be shared more widely, although still with controls and monitoring
- Green Data: low sensitivity data which can be shared openly – smart city civic and public data
An objective of a secure cloud architecture is to ensure that sensitive personal, corporate, and public service data are comprehensible and handled safely. All users will be able to use the same simple cloud data classification language after reviewing these guidelines, allowing a unified approach to secure community cloud infrastructure (McKnight 2019b, Underwood 2020).
Privacy and security challenges for smart cities, communities and bases are multi-faceted and complex. The lack of an overarching smart city cloud and privacy security architecture that articulates high-level principles and practices which are plain and unambiguous to implement has contributed to the problem. The secure cloud architecture we present has a high likelihood of reducing the range of cyber-vulnerabilities that smart cities and their residents, and the public, community, and commercial firms confront (McKnight, 2019a). A smart city architecture increases privacy, security, and rights-inclusive standards awareness by utilizing a simple cloud architecture that protects data and upholds privacy practices across sectors. Additionally, this framework lessens city operating costs and creates greater regional data transparency, which in turn increases service and product innovation. Implementation of the architecture can potentially contribute to a growth in commercial activities (Kanowitz, 2019). Common cloud architecture guidelines ensure that smart community privacy, security, and data rights are considered by design (Goldstein, 2019). The economic benefits from emerging personal data revenue streams, new products, jobs, economic growth, and exports can contribute to growth of regional tax bases and positively serve energy, health, safety, and environmental objectives. These objectives include improvements in safety and quality of lives and widespread community acceptance, which will be replicated across the United States and adapted in other nations.
The vulnerabilities and threats experienced in many smart city environments are like those commonly found in the traditional enterprise information technology environment (Wong, 2019). As dependence on systems increases, there is a corresponding increase in the number of threats (Johnson et al., 2011). An overarching smart city cloud architecture is needed to provide guidelines on privacy and security, independent of industry or use case (McKnight, 2019b). This framework aims to direct municipalities and other smart city implementation partners towards a secure and privacy-considerate smart city deployment. Risk is often calculated as the product of Vulnerability (V), Threat (T), and Consequence (C): R = V x T x C (Wong, 2019). Vulnerabilities are the weaknesses in a system; on their own, vulnerabilities are not a risk. A risk exists only when a threat that could misuse the vulnerability and a (negative) consequence are combined. Vulnerabilities can be eliminated by installing updates (e.g., patches) and altering configuration settings (Fagan et al., 2020).
Once risks are identified, it is important to assign a likelihood, impact, and overall rating to each risk. The overall rating is determined based on the likelihood and impact rating.
| Classification | Sharing rule |
|---|---|
| Green | Data that can be shared freely (e.g., Open Data Lake, Civic Data Repository, Open Data Observatories) |
| Yellow | Data that can be shared with selected parties |
| Red | Data that cannot be shared |
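
The three sharing rules above, written as a release gate (an added example, not code from the article or from any NIST publication). The dataset names, column names, parties, the rule that the most restrictive column label sets the dataset label, and the default of treating unclassified columns as Red are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Labels ordered from least to most restrictive.
RANK = {"green": 0, "yellow": 1, "red": 2}

@dataclass
class Dataset:
    name: str
    columns: dict  # column name -> "green" | "yellow" | "red" | None (never classified)
    approved_parties: set = field(default_factory=set)  # consulted for Yellow only

def dataset_label(ds):
    """Most restrictive column label wins (assumption); unknown labels count as Red."""
    labels = [lab if lab in RANK else "red" for lab in ds.columns.values()]
    return max(labels, key=RANK.__getitem__, default="red")

def decide_release(ds, requester, audit_log):
    """Apply the Green/Yellow/Red sharing rule; record every non-Green decision."""
    label = dataset_label(ds)
    if label == "green":
        return True                       # open civic data: no gate
    if label == "yellow":
        allowed = requester in ds.approved_parties
    else:
        allowed = False                   # Red is never shared
    audit_log.append({"dataset": ds.name, "requester": requester,
                      "label": label, "allowed": allowed})
    return allowed

# Constructed sample datasets (hypothetical names and columns).
WASTEWATER_OPEN = Dataset("sewershed_rna_weekly",
                          {"sewershed_id": "green", "rna_copies_per_l": "green"})
METER_READINGS = Dataset("utility_meter_readings",
                         {"meter_id": "yellow", "kwh": "green"},
                         approved_parties={"county_energy_office"})
CASE_MATCH = Dataset("case_to_sewershed",
                     {"sewershed_id": "green", "patient_address": "red"})
UNREVIEWED = Dataset("new_sensor_feed", {"reading": "green", "device_owner": None})

if __name__ == "__main__":
    log = []
    for ds, who in [(WASTEWATER_OPEN, "public"), (METER_READINGS, "county_energy_office"),
                    (METER_READINGS, "ad_broker"), (CASE_MATCH, "county_energy_office"),
                    (UNREVIEWED, "public")]:
        print(ds.name, who, dataset_label(ds), decide_release(ds, who, log))
    print(len(log), "audited decisions")
```

A single Red or unclassified column makes the whole dataset Red, so a new feed stays closed until someone has labelled every column.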
Each smart city deployment should create and distribute its own policies and procedures about all aspects of the smart city. Components that should be addressed in a dedicated policy/standards document include Data Security/Data Integrity, Information Security & Assurance, Identity and Access Management, Information Security Governance, Change Management and Business Continuity/Disaster Recovery.
The failure to proactively manage cybersecurity and privacy risks can be a detriment to smart city initiatives and can negatively impact the very systems intended to improve city services and citizens’ livelihoods (McKnight, 2020). Implementation of this architecture can help to focus and prioritize resources on sensitive data in need of protection more efficiently. It also enables and encourages wide access to open government data so that researchers, students, non-profits, start-ups, and technology companies supporting the city and the public can participate and conduct their own analyses on civic data. Additionally, creating jobs while building more effective constituent services are among the objectives of many smart city projects. These guidelines suggest that jobs created are more likely to be sustainable and scalable if designed to work with NIST standards and best practice recommendations (NIST SCCF, 2021).
Smart Base SARS2 Early Warning Wastewater Surveillance Platform
The SARS2 Early Warning Wastewater Surveillance Platform is a use case of implementation of the cloud privacy security rights-inclusive architecture during a global disaster. Goals of the Platform are to estimate SARS-CoV-2 transmission trends in real time, provide instant feedback on social distancing and reopening phases, predict hospitalizations from COVID-19, and provide confidence in the absence of transmission for areas with zero cases.
Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2), part of the coronavirus group, is the virus that causes COVID-19 (National Institutes of Health, 2020). Disease is a nationally and globally destabilizing factor because it damages economic, social, political, and other infrastructures, and contributes to increased conflict within and between countries. Impacts of COVID-19 include socio-economic and political disruption, impeded economic development, diversion of resources and a significant threat to national and international security.
Pandemic illness presents a particular challenge to the military’s mission readiness and preparedness. During World War I, pandemic influenza and other infectious diseases caused more fatalities than combat and led to an estimated 8.7 million lost duty days among enlisted soldiers (Byerly, 2010). The impact of epidemic infectious disease on military readiness cannot be overstated, as infectious disease epidemics have frequently altered the course of military campaigns (Roy et al., 2018). With increasing numbers of novel infectious diseases emerging across the globe (Jones et al., 2008; Jappah & Smith, 2015), early warning of these threats, in the military context, is vitally important.
Wastewater monitoring can provide an early warning platform for SARS-CoV-2 infections, and for other diseases. First developed in the 1990s to track poliovirus circulation (Asghar et al., 2014; Brouwer et al., 2018), wastewater monitoring provides a non-invasive and cost-effective method of assessing pathogens circulating within a population. For patients with COVID-19, SARS-CoV-2 RNA is shed in human feces and other bodily fluids (Chen et al., 2020; Wang et al., 2020; Xu et al., 2020), and can be detected in wastewater (Medema et al., 2020; Green et al., 2020; Wu et al., 2020; Nemudryi et al., 2020). Importantly, increases in the levels of SARS-CoV-2 ribonucleic acid (RNA) in the wastewater provide 1 to 2 weeks’ warning relative to increases in the number of COVID-19 cases in a health system (Wurtzer et al., 2020; Peccia et al., 2020). The SARS2 Early Warning Wastewater Surveillance Platform can be applied to military installations and their surrounding communities.
Next steps towards COVID-19 resilient smart bases include agreement on public-facing data, and matching case data with sewer sheds. These steps are necessary to inform interpretation of RNA in wastewater and to improve feedback loops. Public health surveillance authorization is necessary for ethics and approval by Institutional Review Boards. Military installations can partner with area firms and universities to accelerate adoption and innovation of this Platform.
Conclusion: Lessons for Smart Cities and Bases
Smart cities and bases should always be vigilant, as both cyberphysical risks and opportunities are ubiquitous. Designing smart cities and bases is a growing challenge in the face of growing cybersecurity threats. Distributed interests throughout smart cities/communities and bases make progress and coordination difficult, and ad-hoc and hard-to-define architectures and networks continue to challenge cybersecurity. Attackers' inherent advantages include the choice of time and place, and illicit actors are incentivized to strengthen the crime industry and grow revenue. The pattern is the same, although the tools – early DDoS, macro viruses, emerging APT, escalating DDoS, Botnets, Ransomware, etc. – are different. Yet, a smart city framework that is not smart by design remains a poor alternative.
Smart base innovators can leverage ISPs/MSPs and set up win/win conditions. They can utilize partnership red teams. Financial and cyberphysical risk analyses are also critical. Innovators must check all enterprise software and user apps to safeguard against software and systems risks. This includes insistence on documentation, cyber-physical risk management and continuous improvement. The entire workforce should be trained, and a focus should be placed on growing local expertise. And finally, think Red Yellow Green Data!!!
While smart city initiatives offer unprecedented opportunities to enhance the well-being of millions of community residents, their implementation may not necessarily result in benefits for all citizens. As such, these initiatives should be deliberately designed, implemented, and monitored to improve the population well-being of all citizens (OECD, 2020). This framework requires smart governance and multi-sectoral cooperation that aligns with “local and national strategic priorities and that embraces efficiency, effectiveness and sustainability dimensions” (OECD, 2020).
With adaptation of the secure cloud framework, the military can continue to make progress in becoming a smart military. This adaptation adds value as the US military works to achieve its operational mission of a smart military. This framework can help in enhancing military operations and meeting emerging challenges of the 21st century.