The National Security Council (NSC) Secretariat has spelt out cyber security measures for smart cities, suggesting that multiple infrastructures be made to converge into one central platform for ease of management, reports Gautam Debroy of Elets News Network (ENN).
In the backdrop of Government of India’s Smart Cities Mission, the National Security Council has drafted a model framework related to cyber security in smart cities.
With increasing emphasis on eGovernance, entire systems and processes of banking & finance, administration and national security-related issues, among others, would be at risk if adequate security measures to counter the challenges to the cyber space in India are not in place.
Keeping this in mind, the National Security Council Secretariat has said that while it is necessary to converge multiple infrastructures into one central platform for ease of management, it is mandatory that such applications hosted in the Central Data Centre support multi-tenancy with adequate authentication and a role-based access control mechanism for each tenant pertaining to their respective infrastructure.
“The generic architecture of smart city generally consists of four layers – a sensing layer, a communication layer, a data layer and an application layer, and these four layers are overseen by the smart city security system. Architecture of Information Technology systems deployed in smart city need to be open, interoperable and scalable,” the Security Council framework said.
A copy of the Security Council’s model framework says that message exchange between various applications in the smart city should be fully encrypted and authenticated. Any application outside the data centre should talk to the applications hosted in the data centre only through predefined APIs.
According to cyber security expert Mr BN Ramesh, while Information & Communications Technology empowers Indians who are living in rural and inaccessible areas, there is always a possibility of an attack on the privacy as well as the fundamental rights of these groups, and of its being used to spread communal venom and confuse the people through SMS, website uploads and YouTube transmissions.
“The smart city architecture should be capable of managing heterogeneous data, which would be continuously communicated through numerous devices following different protocols. In order to ensure that the flow of data between devices does not run into latency issues, appropriate protocols need to be deployed so as to minimise latency,” the framework said.
The Data Layer should also be capable of communicating with various types of sensors and devices and their management platforms for single and multiple services, irrespective of the software and applications they support.
“Data exchange between various sensors and their management applications must strictly happen through this layer (Data Layer), thus making it one true source of data abstraction, normalisation, correlation and enable further analysis on the same,” the Security Council framework said.
The security framework further said that, from a network security perspective, all information that flows on the network should be encrypted to ensure the safety and privacy of confidential data. The devices at each endpoint of the network should be authenticated. The authentication system used on these endpoint devices should ensure that only authorised users are sending data over the network, and that no rogue data is sent to the control system to generate false alarms or sabotage the systems.
“Wireless broadband plan and architecture for the specific city may be prepared detailing the existing Fiber System and other supporting infrastructure so as appropriately interfacing another or citywide wireless network,” the Security Council framework said.
All sensors deployed as part of IT and IT-based systems in the smart cities, according to the framework, should talk only to the authorised wireless network, and should not hook on to rogue networks.
The wireless layer of the smart city network should be segmented for public and utility networks by using Virtual Private Networks (VPN) or separate networks in the wired core, so that any traffic from internet users is not routed into the sensor networks and vice-versa.
The Security Council framework, which has already been circulated to the selected smart city Commissioners and SPV CEOs, said that all traffic from the sensors in the smart city to the application servers should be encrypted using Secure Socket Layer (SSL) and authenticated prior to sending any information. Data at rest and in transit must be encrypted.
“Authentication of sensors in the smart city should happen at the time of provisioning the sensors, and adding them into the system, and should be based on physical characteristics of the sensors like MAC ID, Device ID, etc.,” the framework said.
It further said that sensors or edge devices deployed in the smart city should not have any physical interface for administration. Monitoring of systems and networks should be undertaken remotely. “The sensors deployed in smart city should be of low power consumption and should work on self-sufficient power sources,” it said.
The framework said that appropriate teams may be set up to monitor cyber incidents and mitigate them.
“All the information on incidents be shared regularly with Indian Computer Emergency Response Team (CERT-In) and National Critical Information Infrastructure Protection Centre (NCIIPC) and take help to mitigate and recover from the incidents,” the Security Council framework said.
All “applications” and “apps” will undergo static and dynamic security testing before deployment and be tested with respect to security on a regular basis, at least once a year.
The document said that all the sensors in the smart city should connect to a completely separate network.
“The data centre should be segmented into multiple zones with each zone having a dedicated functionality e.g. all sensors for one operational domain can connect to the data centre in one zone, and the Internet facing side of the data centre should be in another zone,” the Security Council framework said.
In particular, the Security Council framework has highlighted some systems which should be implemented in the data centre: firewalls, intrusion detection & intrusion prevention systems, web application firewalls, behavioral analysis system for anomaly detection, correlation engine, denial of service prevention device, advanced persistent threat notification mechanism, federated identity and access management system.
“The cyber security is one of the vital issues that we all must deal with while making a smart city,” said CEO-SPV of Jabalpur Smart City Mr GS Nagesh.