
CSIAC

Cyber Security and Information Systems Information Analysis Center


Smart Cities, Smart Bases and Secure Cloud Architecture for Resiliency by Design

Posted: 10/26/2020

Introduction

A smart city's critical infrastructure, economy, and governance are designed to sustainably improve the well-being of residents. (United States Government Accountability Office [GAO], 2019) Critical infrastructures such as energy, electricity grids, communications networks, transportation and water systems are digitally enhanced to provide smart services to city residents while ensuring security issues are well monitored and effectively addressed (GAO, 2019).

Smart Cities => Smart Bases

The smart city concept is readily applicable for military installations, and their neighboring communities, as military bases and cities may share residents, physical infrastructures, employment opportunities and the provision of a broad range of services. (Sharma & Raglin, 2019; CSIAC, 2020) This article illustrates how the smart city concept and especially regional secure cloud architectures can be applied in the military environment, and in mixed civilian – military contexts as well. (McKnight, 2020) For example, integrating a federated secure cloud architecture can lessen the risks of ransomware and other malicious cyber threats, and brings other benefits by increasing visibility for the base commander into all digital and cyberphysical systems operating on the base. (AFCEA, 2020; Lee, Bohn & Michel, NIST-SP 500-XXX, 2019)  Of course, critical differences exist between cities and military bases. Military installations exist to train and house soldiers for peaceful and combat operations at home and in foreign countries. Bases also provide operational and logistical support for these missions. Because of their mission, military bases require a heightened level of cybersecurity; classified systems are beyond the scope of this article.

Cyberphysical 5G+ Security Risk Management for Smart Bases

Cyber threats are significant and all-encompassing threats to US national security. They target all American institutions, including federal, state, and local government, military, financial, healthcare, and educational institutions, and critical infrastructures. These threats are unrelenting.

A risk management approach to smart city/smart base cybersecurity and privacy can assist military installations and their associated decision-makers and technology implementers as they consider, develop, implement, and/or operate Smart City capabilities and solutions. (McKnight 2020, NIST SCCF 2021) This approach engages stakeholders and begins the conversation around cybersecurity and privacy risk management. It verifies, supplements, and refines existing cybersecurity and privacy risk management processes. This approach can also identify key cybersecurity and privacy considerations that may be specific to smart base environments and solutions.

Smart Data Risk Classification Scheme

A smart data risk classification scheme can be applied to cities, counties, regions, states, nations, and bases. It helps officials, service providers, the public and other stakeholders recognize their shared responsibilities for smart city data security, privacy, ethics, and other rights (McKnight et al., 2019a).

  • Red Data: sensitive data including personally identifiable information – most controlled and restricted
  • Yellow Data: medium sensitivity information with possibly controlled access but by law can be shared more widely, although still with controls and monitoring
  • Green Data: low sensitivity data which can be shared openly – smart city civic and public data

An objective of a secure cloud architecture is to ensure that sensitive personal, corporate, and public service data are comprehensible and handled with safety. All users will be able to use the same simple cloud data classification language after reviewing these guidelines, allowing a unified approach to secure community cloud infrastructure. (McKnight 2019b, Underwood 2020)

Privacy and security challenges for smart cities, communities and bases are multi-faceted and complex. The lack of an overarching smart city cloud and privacy security architecture that articulates high-level principles and practices which are plain and unambiguous to implement has contributed to the problem. The secure cloud architecture we present has a high likelihood of reducing the range of cyber-vulnerabilities that smart cities and their residents, and the public, community, and commercial firms confront. (McKnight, 2019a) A smart city architecture increases privacy, security, and rights-inclusive standards awareness by utilizing a simple cloud architecture that protects data and upholds privacy practices across sectors. Additionally, this framework lessens city operating costs and creates greater regional data transparency, which in turn increases service and product innovation. Implementation of the architecture can potentially contribute to a growth in commercial activities. (Kanowitz, 2019) Common cloud architecture guidelines ensure that smart community privacy, security, and data rights are considered by design. (Goldstein, 2019) The economic benefits from emerging personal data revenue streams, new products, jobs, economic growth, and exports can contribute to growth of regional tax bases and positively serve energy, health, safety, and environmental objectives which include improvements in safety and quality of life and widespread community acceptance, which will be replicated across the United States and adapted in other nations.

The vulnerabilities and threats experienced in many smart city environments are like those commonly found in the traditional enterprise information technology environment (Wong, 2019). As dependence on systems increases, there is a corresponding increase in the number of threats (Johnson et al., 2011). An overarching smart city cloud architecture is needed to provide guidelines on privacy and security, independent of industry or use case. (McKnight, 2019b) This framework aims to direct municipalities and other smart city implementation partners towards a secure and privacy-considerate smart city deployment. Risk is often calculated as a formula of Vulnerability (V) times Threat (T) times Consequence (C) (R = V x T x C) (Wong, 2019). Vulnerabilities are the weaknesses in a system; on their own, vulnerabilities are not a risk. A risk exists only when a threat that could misuse the vulnerability and a (negative) consequence are combined. Vulnerabilities can be eliminated by installing updates (e.g., patches) and altering configuration settings (Fagan et al., 2020).

Once risks are identified, it is important to assign a likelihood, impact, and overall rating to each risk. The overall rating is determined based on the likelihood and impact rating.

Green Data that can be shared freely (i.e., Open Data Lake, Civic Data Repository, Open Data Observatories, etc.)

Yellow Data that can be shared with selected parties

  • Certain types of PII and other controlled information that may or may not be shared beyond an application with permission.
  • Some of this data could be shared with the permission of the individual from which the data was collected in return for compensation.

Red Data that cannot be shared

  • Controlled proprietary information.
  • No automated sharing of data if not by a vetted and approved smart contract; sharing of data requires explicit approval.

Table 1. Three level Data Risk Classification Scheme (Source: McKnight 2019a)

The large amount of data and infrastructure has resulted in systems continually becoming more complex, and requiring clear and consistent security, in addition to privacy requirements and policies. Smart cities run largely on cloud services for efficiency and affordability reasons. (Kanowitz, 2019) Architecture guidelines and security policies help protect citizens’ rights and ignite growth of smart city open data lakes, therefore encouraging civic engagement and data privacy security/rights-inclusive innovation, entrepreneurship, and economic development. Policy design and implementation are critical within the cloud architecture framework presented here to improve outcomes.
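
An added example, not part of the original report: one way the three levels in Table 1 could be enforced as a default-deny check before data leaves an application. The field names, the recipient names, and the reading of the Red rule (a vetted smart contract and explicit approval are both required) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    GREEN = "green"    # low sensitivity: open civic and public data
    YELLOW = "yellow"  # medium sensitivity: selected parties only
    RED = "red"        # most controlled and restricted


@dataclass(frozen=True)
class ShareRequest:
    # All field names are hypothetical; they mirror the conditions in Table 1.
    label: str                         # classification tag stored with the record
    recipient: str
    contains_pii: bool = False
    subject_consented: bool = False    # permission of the individual the data came from
    via_vetted_contract: bool = False  # request arrives through a vetted, approved smart contract
    explicit_approval: bool = False    # a data owner approved this specific share


def decide(req, selected_parties):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    try:
        level = DataClass(req.label.strip().lower())
    except (ValueError, AttributeError):
        # Untagged or mistyped records fail closed instead of defaulting to open.
        return False, "unknown or missing classification: denied"
    if level is DataClass.GREEN:
        return True, "green: open data"
    if level is DataClass.YELLOW:
        if req.recipient not in selected_parties:
            return False, "yellow: recipient is not a selected party"
        if req.contains_pii and not req.subject_consented:
            return False, "yellow: PII without the individual's permission"
        return True, "yellow: selected party"
    # RED: both conditions from Table 1 must hold.
    if not req.via_vetted_contract:
        return False, "red: no vetted and approved smart contract"
    if not req.explicit_approval:
        return False, "red: explicit approval missing"
    return True, "red: approved contract with explicit approval"


def review(requests, selected_parties):
    """Evaluate a batch and return (recipient, label, allowed, reason) rows for an audit log."""
    return [(r.recipient, r.label, *decide(r, selected_parties)) for r in requests]


# Constructed sample data: recipients and requests are invented for this example.
SELECTED = {"county-health-dept", "base-public-works"}
SAMPLE = [
    ShareRequest("Green", "open-data-portal"),
    ShareRequest("yellow", "county-health-dept", contains_pii=True),
    ShareRequest("yellow", "county-health-dept", contains_pii=True, subject_consented=True),
    ShareRequest("yellow", "analytics-vendor.example"),
    ShareRequest("red", "base-public-works", via_vetted_contract=True),
    ShareRequest("red", "base-public-works", via_vetted_contract=True, explicit_approval=True),
    ShareRequest("", "open-data-portal"),  # record that was never classified
]

if __name__ == "__main__":
    for row in review(SAMPLE, SELECTED):
        print(row)
```

The unclassified record in the last sample row is denied, which is the behaviour that keeps a missing tag from being treated as Green.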

Each smart city deployment should create and distribute its own policies and procedures about all aspects of the smart city. Components that should be addressed in a dedicated policy/standards document include Data Security/Data Integrity, Information Security & Assurance, Identity and Access Management, Information Security Governance, Change Management and Business Continuity/Disaster Recovery.

The failure to proactively manage cybersecurity and privacy risks can be a detriment to smart city initiatives and can negatively impact the very systems intended to improve city services and citizens’ livelihoods (McKnight, 2020). Implementation of this architecture can help to focus and prioritize resources on sensitive data in need of protection more efficiently. It also enables and encourages wide access to open government data so that researchers, students, non-profits, start-ups, and technology companies supporting the city and the public can participate and conduct their own analyses on civic data. Additionally, creating jobs while building more effective constituent services are among the objectives of many smart city projects. These guidelines suggest that jobs created are more likely to be sustainable and scalable if designed to work with NIST standards and best practice recommendations.  (NIST SCCF, 2021)

Likelihood \ Impact | Insignificant | Minor | Moderate | Major | Critical
Almost Certain | Medium | Medium | High | Extreme | Extreme
Likely | Medium | Medium | High | High | Extreme
Possible | Low | Medium | Medium | High | High
Unlikely | Low | Low | Medium | Medium | High
Rare | Low | Low | Low | Medium | High

Table 2. Risk Matrix (Likelihood x Impact)

Smart Base SARS2 Early Warning Wastewater Surveillance Platform

The SARS2 Early Warning Wastewater Surveillance Platform is a use case of implementation of the cloud privacy security rights-inclusive architecture during a global disaster. Goals of the Platform are to estimate SARS-CoV-2 transmission trends in real time, provide instant feedback on social distancing and reopening phases, predict hospitalizations from COVID-19 and provide confidence in the absence of transmission for areas with zero cases.

Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2), part of the coronavirus group, is the virus that causes COVID-19 (National Institutes of Health, 2020). Disease is a nationally and globally destabilizing factor because it damages economic, social, political, and other infrastructures, and contributes to increased conflict within and between countries. Impacts of COVID-19 include socio-economic and political disruption, impeded economic development, diversion of resources and a significant threat to national and international security.

Pandemic illness presents a particular challenge to the military’s mission readiness and preparedness. During World War I, pandemic influenza and other infectious diseases caused more fatalities than combat and led to an estimated 8.7 million lost duty days among enlisted soldiers (Byerly, 2010). The impact of epidemic infectious disease on military readiness cannot be overstated, as infectious disease epidemics have frequently altered the course of military campaigns (Roy et al., 2018). With increasing numbers of novel infectious diseases emerging across the globe (Jones et al., 2008; Jappah & Smith, 2015), early warning of these threats, in the military context, is vitally important.

Wastewater monitoring can provide an early warning platform for SARS-CoV-2 infections, and for other diseases. First developed in the 1990s to track poliovirus circulation (Asghar et al., 2014; Brouwer et al., 2018), wastewater monitoring provides a non-invasive and cost-effective method of assessing pathogens circulating within a population. For patients with COVID-19, SARS-CoV-2 RNA is shed in human feces and other bodily fluids (Chen et al., 2020; Wang et al., 2020; Xu et al., 2020), and can be detected in wastewater (Medema et al., 2020; Green et al., 2020; Wu et al., 2020; Nemudryi et al., 2020). Importantly, increases in the levels of SARS-CoV-2 ribonucleic acid (RNA) in the wastewater provide 1 to 2 weeks’ warning relative to increases in the number of COVID-19 cases in a health system (Wurtzer et al., 2020; Peccia et al., 2020). The SARS2 Early Warning Wastewater Surveillance Platform can be applied to military installations and their surrounding communities.

Next steps towards COVID-19 resilient smart bases include agreement on public-facing data, and matching case data with sewer sheds. These steps are necessary to inform interpretation of RNA in wastewater and to improve feedback loops. Public health surveillance authorization is necessary for ethics and approval by Institutional Review Boards. Military installations can partner with area firms and universities to accelerate adoption and innovation of this Platform.

(Source: Re-printed with permission: Larsen/Syracuse University 2019)

Conclusion: Lessons for Smart Cities and Bases

Smart cities and bases should always be vigilant, as both cyberphysical risks and opportunities are ubiquitous. Designing smart cities and bases is a growing challenge, in the face of growing cybersecurity threats. Distributed interests throughout smart cities/communities and bases make progress and coordination difficult, and ad-hoc and hard-to-define architectures and networks continue to challenge cybersecurity. Attackers hold inherent advantages: they choose the time and place, and illicit actors are incentivized to strengthen the crime industry and grow its revenue. The pattern is the same, although the tools – early DDoS, macro viruses, emerging APT, escalating DDoS, Botnets, Ransomware, etc. – are different. Yet, a smart city framework that is not smart by design remains a poor alternative.

Smart base innovators can leverage ISPs/MSPs and set up win/win conditions. They can utilize partnership red teams. Financial and cyberphysical risk analyses are also critical. Innovators must check all enterprise software and user apps to safeguard against software and systems risks. This includes insistence on documentation, cyber-physical risk management and continuous improvement. The entire workforce should be trained, and a focus should be placed on growing local expertise. And finally, think Red Yellow Green Data!!!

While smart city initiatives offer unprecedented opportunities to enhance the well-being of millions of community residents, their implementation may not necessarily result in benefits for all citizens. As such, these initiatives should be deliberately designed, implemented, and monitored to improve the well-being of all citizens (OECD, 2020). This framework requires smart governance and multi-sectoral cooperation that aligns with “local and national strategic priorities and that embraces efficiency, effectiveness and sustainability dimensions” (OECD, 2020).

With adaptation of the secure cloud framework, the military can continue to make progress in becoming a smart military. This adaptation adds value as the US military works to achieve its operational mission of a smart military. This framework can help in enhancing military operations and meeting emerging challenges of the 21st century.

Author

Dr. Lee McKnight
Dr. Lee W. McKnight is an Associate Professor at Syracuse University’s iSchool (The School of Information Studies). He is actively involved with the National Institute of Standards and Technology (NIST). Professor McKnight is a member of the NIST GCTC Cybersecurity and Privacy Advisory Committee (CPAC), co-leads the Secure Cloud Architecture Action Cluster, and is a member of the NIST COVID19 Task Force. Via these various activities, Lee is making contributions to the NIST Office of Cyberphysical Systems Smart City and Community Framework series standards. Dr. McKnight is also the Faculty Advisor to the Worldwide Innovation Technology and Entrepreneurship Club (WiTec) and an Affiliate of the Institute for Security Policy and Law (ISPL). Lee lectures annually at MIT on innovation. He is co-inventor of the Internet Backpack as well as edgeware for creating secure ad hoc overlay cloud to edge (cyberphysical) applications, services, and things. Dr. McKnight received his Ph.D. in 1989 from MIT, his M.A. from the School of Advanced International Studies, Johns Hopkins University (Bologna and Washington, DC) in 1981 and his B.A., magna cum laude, from Tufts University in 1978.

Technology Areas: Cybersecurity, Software Intensive Systems Engineering Tags: Cloud Architecture, COVID-19, Cyber Resiliency, Smart Bases, Smart Cities
