For that reason, many cities and metropolitan areas are embracing the smart city concept: that is, adopting a more efficient management of services, and turning cities into enablers of innovation, economic growth and well-being, but also making them safe, dynamic and inclusive.

Building citizen trust in multi-application digital solutions

Over the past few years, automation in our everyday environments has noticeably increased. Smart devices that are capable of regulating everything from the water in large-scale facilities to the temperature in our homes have started to proliferate and will continue to do so in the future. As the associated sensors and actuators monitor and control significant parts of our everyday lives, they are bound to be considered by cyber attackers as potential targets. To address this challenge, smart cities are being forced to implement the appropriate mechanisms to provide their citizens with a safe and secure environment, assuring them of privacy and data protection by design and full control of how their personal data is processed. To this end, it is important to identify measures, approaches and technical solutions that support responsible smart cities and stakeholders in the entire process of privacy and data protection, from risk assessment to solution elicitation and enforcement.

Digital solutions, supported by locally-generated data, are capable of providing high-quality services both to the public and to businesses. These solutions incorporate smart urban mobility, energy efficiency, sustainable housing, digital public services and civic-led governance. To receive public trust for such systems, data must be used responsibly via digital platforms, and their quality, security and privacy must be ensured.

Smart city attacks can happen at least at two levels, requiring different kinds of tools and approaches:

• Individuals, principally citizens and civil servants, require tools related to social engineering, phishing, data ownership and possibly training.
• Businesses and other organisations, including public authorities and third parties, require tools related to risk assessment, predictive analysis, and mitigation activities, according to the existing legislation on data protection and privacy.

Developing trustworthy federated platforms

The desired transformation process needs all levels of government together with organisations and networks of cities and communities of all sizes, with strong cooperation through multi-level governance and co-creation with citizens. To do this, a first step is needed: the smart city enablers’ adoption. The role of these enablers is to connect consumers and producers, enabling a federated publication of context data, allowing service providers to find and use data from city and third-party sources while preserving data sovereignty.

The variety of services, systems and applications behind most smart city initiatives usually share servers and resources. Thus, the platform needs to tie different protections together and ensure that there are no privacy leaks at any point. Additionally, a security platform should be deployable across the many disparate systems that compose the smart city environment, maintaining the required level of trust. Finally, it should support on-premises, IaaS (infrastructure as a service), SaaS and hybrid cloud environments, to ensure that no device or server remains unconnected.

Addressing the challenges

As part of its roadmapping activity, CyberSec4Europe has identified a series of challenges with associated research goals to the fulfilment of its vision for secure smart cities, some of which it wishes to address over the remainder of the project. Among these are the following:

• Trusted Digital Platform, a digital platform enabling citizen-centric services delivered seamlessly for all citizens, with the caveat that it will only work if citizens perceive it to be trustworthy i.e., it must guarantee the protection of personal data
• Cyber threat intelligence and analysis platform. Information sharing, active defence and automation methods should be integrated into the smart city platform by developing efficient methods to create, disseminate, and consume threat intelligence in a standardised, usable and legal way. To make the solutions effective, automation should be considered, and solutions integrated into business workflow, governance and structure control.
• Cyber response and resilience of the overall framework, governance, and business of smart cities will benefit form a higher security level if response measures and resilience to cyber threats are made an essential part of smart city design in terms of volume, velocity and variety of networked traffic
• Cyber competence and awareness program focussed on improving knowledge about possible risks and hardware/software attacks, as well as techniques such as encryption, anonymity and access control. Both training software engineers about possible security vulnerabilities and current technical solutions and informing end users about the security and privacy risks they could face and the correct security behaviour they should apply.
• Privacy by design solutions are a must when new public services use citizen data, particularly with the requirement to be GDPR compliant, meaning:
  • proactive privacy protection rather than post violation remedial action;
  • privacy as the default setting, privacy embedded into the design;
  • full functionality with full privacy protection through the entire data lifecycle;
  • visibility and transparency as well as respect for user privacy.

In parallel, data minimisation approaches should be considered as a best practice for the adoption of privacy by design.

• End user trusted data management encompasses approaches to gain citizens’ trust in the collection and processing of data that concerns them:
  • Assuring transparency
  • Managing consent and control
  • Implementing auditing and accountability procedures

Beyond the end of the project

It is almost inconceivable to imagine beyond the next two-three years how cities will adapt to the transformatory visions being laid down today, given the speed with which they are evolving today. However, we are confident that the roadmap, together with the accompanying strategies and solutions, provided by CyberSec4Europe will help stimulate the growth and development of digitally robust cities in Europe and beyond in the 21^st century.

For more on the roadmap for smart cities and the other six verticals, please read the CyberSec4Europe report deliverable.

Marco Angelini, Engineering Ingegneria Informatica S.p.A.