As cities deploy Internet of Things sensors and IP-connected surveillance cameras to help with everything from easing traffic congestion to improving air quality and public safety, they are also increasingly vulnerable to cyberattacks.
To help smooth adoption of smart city technologies while maintaining security, the Smart City and Community Challenge cloud privacy security rights inclusive architecture (SC3-cpSriA) action cluster last month released a blueprint for smart cities.
Specifically, the blueprint outlines how cities can create a secure, hybrid cloud architecture, including multicloud, intercloud and federated cloud (to edge) service designs. It is aimed at supporting “security, confidentiality, access control, least privileges and safeguarding” personally identifiable information across the IoT and beyond.
“You know about the Baltimore ransomware attacks, you know about the Atlanta one, you know about the two Florida cities that just paid off in bitcoin their ransomware attackers,” Lee McKnight, a professor at Syracuse University who oversees the SC3-cpSriA action cluster’s work on secure cloud architecture, tells GCN.
“All that is a result of essentially a combination of legacy systems from cities with limited budgets. The cities can’t afford the IT staff or numbers of a Google or an IBM or Amazon or Microsoft for securing cloud services," he says. "They’re always going to be more vulnerable because of their limited expertise and awareness.”
Secure Cloud Architecture Can Support Smart City Use Cases
The blueprint notes that the idea behind a secure cloud architecture for open public data obviously means ensuring that sensitive personal, corporate and public service data can be understood and handled with safety.
By reading the blueprint, city IT leaders can learn about how to deploy “mechanisms to better coordinate cloud services, including cloud backups for disaster recovery, and reduce costs by use of common templates and models,” the plan notes. That will help extend the deployment of innovative cloud services and “cyberphysical” systems in smart cities.
The secure cloud architecture is designed to automate processes and reduce risks across smart city systems.
“It minimizes the risk and treats all those legacy systems as honeypots,” McKnight tells GCN. “You don’t care if they’re attacked because you’ve got everything backed up to the cloud. Nothing worse than a day’s loss of data can ever happen because we’ve designed this properly.”
The SC3-cpSriA action cluster tested the secure cloud architecture on a network of city-owned LED smart streetlights in Syracuse, N.Y., according to GCN. It is also looking to expand to other use cases, including catch basin monitoring and water metering projects.
According to the blueprint, those working on smart city projects in those three categories “may consider if and how security, privacy, data protection and rights-inclusive cloud architecture guidelines may be followed.” Further, the action cluster says the “ethics for facial recognition, machine learning and artificial intelligence systems and cloud services in future smart cities with privacy, security and rights-inclusive architecture will also be reviewed.”
The blueprint advocates for a three-level data classification model that ranks data risk classification when building a hybrid cloud architecture.
- Red indicates sensitive data including PII; this is the most controlled and restricted.
- Yellow indicates information of medium sensitivity whose access may be controlled, but which by law can be shared more widely; this data still has controls and monitoring.
- Green indicates low-sensitivity data that can be shared openly; this covers smart city civic and open data.
“Based on the data type, officials can determine the legal and regulatory requirements they will draw around their data, what security they require for it, and how data storage and collection could impact residents’ privacy and security,” MeriTalk reports.