Cloud Architecture Offers Security to Cities
Local governments can employ the tool to guard against cyber attacks and protect citizens’ privacy.
Digital structures are needed to protect government information and operations. A group participating in a National Institute of Standards and Technology challenge is offering a secure cloud-based platform that can improve the digital and actual health of a city and protect its information.
For several years, the National Institute of Standards and Technology, known as NIST, has hosted the Global City Teams Challenge (GCTC), a public-private partnership meant to encourage collaboration and standards development. The GCTC includes more than 200 projects directed at advancing the ability of cities to operate safely and effectively in the digital age. NIST is currently drafting related framework standards for cities or local governments to use.
As part of the GCTC efforts, NIST and the Department of Homeland Security Science and Technology Directorate (DHS S&T) have sponsored the GCTC/Smart and Secure Cities and Communities Challenge (SC3) program, in which participating groups examine or develop innovative cybersecurity and privacy tools for smart cities.
One such group under the GCTC Cybersecurity and Privacy Advisory Committee, called the SC3 cloud privacy, Security, and Rights-Inclusive Architecture (cpSRIA) Action Cluster, is developing a secure cloud architecture. The platform would help local governments guard against cyber attacks, protect citizens’ information and safely rely on Internet of Things (IoT) or other advanced technologies in their course of doing daily governmental business.
The secure cloud architecture is privacy, security and rights inclusive, explains Lee McKnight, associate professor, School of Information Studies, Syracuse University. He suggests that the NIST framework standards could potentially include the group’s secure cloud architecture. “Essentially, everybody needs a secure cloud architecture these days, and that’s not something that’s widely understood,” he notes.
The SC3 group consists of officials from local government, civil liberties, Internet governance, law, electric utility, military, academic, computing and cybersecurity sectors. SC3 is working directly with the city of Syracuse, New York, and its Mayor Ben Walsh and Deputy Mayor Sharon Owens, as well as the Los Angeles Unified School District’s East Los Angeles Performing Arts Magnet School principal, Carolyn McKnight. In late February, at its third meeting in Syracuse, the group presented an updated version of the secure cloud architecture to New York state agencies, cloud companies, energy providers, city officials and others.
“We’ve been developing the secure cloud architecture for a little over a year and a half now, building on prior work,” McKnight indicates. “The overall conception was to help not just city governments but also small businesses, community organizations and schools. Every community needs to do more cybersecurity and privacy awareness and have better plans to prevent ransomware and all kinds of cyber vulnerabilities that we know are coming not just from nation states but also from criminal enterprises that are holding city governments, school systems, small businesses and large businesses ransom.”
The architecture applies to cloud-based platforms, including on-premises cloud or hybrid cloud. “We’re not making the cloud simpler per se,” the professor explains. “We’re recognizing it’s going to be more complicated. And when we say cloud, really it could be a hybrid cloud, a federated cloud, or it could be a multicloud environment. In fact, in most organizations you’re dealing with all of those. Every single IoT device is actually a cloud service on the back end, and every analytical application is really a cloud service.”
The key principles of the secure cloud architecture include an assessment of data risk related to critical infrastructure categories and services a city may provide, as well as a color-coding schema that makes it easy to understand how to classify different types of data that a city uses.
“We boil all this down to three categories of data risk: red, yellow or green,” he notes. “Red equals sensitive information, personally identifiable information or information that you really should keep track of. Yellow information has some controls on it and has some privacy rights attached to it, but it can be shared a little more widely. Green is open data, civic data or public data that we are trying to get out to the public anyway.”
The SC3 group wanted to make the application easily understood, McKnight states. “Just like a stop light, or dashboard in some security operations center, it is something that’s translated down that anyone can understand,” the professor observes. “A teacher can understand it; a principal and a city mayor can understand it. And everybody can start having more intelligent conversations about, ‘What data do we need to protect? What do we need to back up?’ or ‘Do we need to make sure there’s a recoverable copy in the cloud that cannot be hacked?’ If you do this secure cloud architecture correctly, then there is no more ransomware because you have locked down the physical devices and the cloud, and everything can still operate even if the legacy devices are locked up. We can make it simple with a secure cloud architecture, building in privacy and rights protections.”
Organizations will still have to perform a data-archiving risk assessment, looking at the different types of data related to critical infrastructure, and how to classify it under the simple red, yellow and green categories. McKnight advises against the tendency to want to protect all data, even open-data platforms. “Some people have objected saying, ‘Oh no, we still need to secure that,’” he states. “No, you don’t have to secure it the same way as personally identifiable information. You don’t have to secure it the same way as industrial control systems that would shut down the city or some public service. Essentially the architecture itself is just saying there’s data; there’s categories of infrastructure in a smart city and a community and to apply the red, yellow, green schema to it.”
As part of its efforts working with the city of Syracuse, the SC3 group is providing advice on the secure cloud architecture being applied in four use cases, so the city can evaluate whether or not to use the architecture and how to best employ data and protect privacy rights, the professor shares. The four scenarios involve: smart streetlights; water metering; catch basins; and facial recognition, machine learning and artificial intelligence.
For the city’s smart streetlight network of 17,000 streetlights, the group is examining streetlight data and applying the secure cloud architecture. In that case, there may not be privacy concerns as to the brightness of the light, for instance, the professor ventures. By comparison, data on citizens’ water usage, another use case, has privacy concerns that need to be addressed. With water meter monitoring, the water utility could tell if there is a water leak in a home, based on abnormal water usage. But in greater detail, water metering data could show when a person runs the faucet or takes a shower, crossing into privacy concerns, the professor explains.
Applying the architecture to catch basin monitoring data could help the city operate those basins. “We get a lot of rain in upstate New York,” McKnight states. “And normally in a pre-smart environment, blockages can occur in the catch basins from debris, and municipal workers have to come around and check it. On the other hand, you could have sensors on the basins that would automatically tell the city of any concerns. That is very helpful. Is there a privacy issue there? Probably not. We’ve applied the architecture, and it is not a violation of anybody’s privacy or security rights, and it is just public, green data.”
For the other use case of facial recognition, artificial intelligence and machine learning, the SC3 group is not trying to solve all the surrounding ethical issues, the professor clarifies. “NIST has analyzed 300 different facial recognition studies and applications and conclusively confirmed what we suspected,” he states. “There is a built-in bias against non-white people, or non-white men specifically, in those systems. Obviously that is something that is very concerning, on how that data is being classified.”
The city wants the group to consider and examine the data implications, the privacy issues and the classification scheme of the secure cloud architecture. “Part of what we’re trying to do is think about what we’re doing in these smart cities, and what new risks are you creating around the data. Where is the data going, and how is it being handled,” McKnight notes.
In addition, stakeholders in the SC3 have helped shape the drafting of the architecture. The local chapter of the American Civil Liberties Union is an active member, working to inform data protection needs based on citizens’ privacy rights with the architecture use. “The American Civil Liberties Union for the region, for example, they are going to be concerned about facial recognition, and what about that data?” he states.
The New York State Energy Research & Development Authority, known as NYSERDA, is advancing innovative energy solutions for the state—including moving off of coal- and natural gas-fired power generation. The organization is looking at energy-related data needs for a distributed energy grid and how the secure cloud architecture could play a role, says NYSERDA’s chief information officer Dave Adkins. In addition, the SC3 group has conducted webinars and briefings and is working with officials from the Cyber & Infrastructure Security Agency, Syracuse’s chief data officer, the Internet Governance Forum, the Community Resilience Center at George Mason University in Virginia and the Fiber Broadband Association.
The Defense Department’s Cyber Security and Information Systems Information Analysis Center (CSIAC) in Utica, New York, led by Joseph Caroli, conducts analyses and provides scientific and technical information. CSIAC, one of three such Defense Department Defense Technical Information Centers in the country, performs cybersecurity systems analyses for smart cities and military bases and provides key input to the SC3 group’s architecture.
Moreover, Syracuse Mayor Ben Walsh’s support targets not just the potential application of the architecture, after careful examination of the results of the four use cases, but also improvement of the health of the city and the upstate New York region, the professor says.
“If you get the right political leadership in that can bring a community together pursuing inclusive growth, that will help change some of these deep pockets of urban poverty that are in Syracuse that have been left behind by the rust belt,” McKnight says. “We’re helping cities, communities and small businesses make progress in this space.”
The professor expects the architecture to be applied in any community, not just an identified smart city. “Every community has IoT devices or machine learning systems or artificial intelligence systems being applied,” he suggests. “And so going forward we expect this to be essential guidelines for every region across the country. If it isn’t done with a secure cloud architecture, we’re just creating a bigger mess, with new vulnerabilities, privacy invasions and new security concerns.”