Cities face an increasing threat from cyber-attacks. In 2016, a quarter of cities in the U.S. faced attempted cyber security attacks every hour. Three years later, governments reported 163 successful ransomware attacks with more than US$1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs, a nearly 150 percent increase in reported attacks from 2018.
Technologies utilised in the creation of smart cities pose both societal benefits and unique cyber security risks. The convergence of Information Technology (IT) systems with Operational Technology (OT) systems provides numerous ‘entry points’ for cyber attackers targeting the city, and the disparate technology platforms and devices used by cities can create hidden vulnerabilities. This is exacerbated by the lack of common standards governing critical and interconnected devices, resulting in the use of devices from multiple vendors with different communication and security protocols.
The value-add of improved government services offered by advanced technology drives the adoption of IoT devices globally. This explosive growth of interconnected devices exponentially increases the exposure to cyber-attack, and the number of such devices in the world is expected to jump from 8.4 billion in 2019 to 20 billion by the end of 2020. As a result, governments face a mounting challenge to increase their cyber-security preparedness and resilience while recognizing that the alternative could result in more than just data loss, financial impact, and reputational damage risks. Instead, the societal costs could include a cascading effect among government systems resulting in total disruption of services from emergency response and transportation to power grids, education, and more.
As well as increasing services to citizens, cities are also dealing with the new operational realities of a highly distributed, work-from-anywhere workforce. Traditional siloed cyber security approaches based on network monitoring are not effective in these highly distributed environments where everything connects with everything. The result of the important technology initiatives being undertaken by cities is that the overall cyber-attack surface continues to grow and government systems are becoming more vulnerable to attack.
Cities offer a multitude of services dependent upon dispersed and varied digital critical infrastructure. These systems, often referred to as OT systems, have traditionally been in isolated networks and contain sensitive, often legacy, hardware and software, controlling infrastructure that can have significant physical implications if disrupted. Increasingly, these areas of critical infrastructure are embracing IoT, cloud, and third-party digital integrations. Due to this combination of factors, such systems are high areas of risk.
As governments grow more sophisticated in their response, we have seen a number of cities appoint a Chief Information Security Officer (CISO) position, or similar. This accountable person, regardless of title, evaluates, directs and monitors the design and deployment of effective information security of smart services, and is accountable for lapses in security impact. Regardless of whether a city has a specific CISO position, having a robust model for cyber security accountability sets the foundations for an improved cyber security position and therefore a more cyber secure city.
The purpose of this policy is to define the key areas for a model of accountability for cyber security which is applicable for all cities worldwide, thereby protecting the informational and operational assets owned by the city and its citizens. These measures provide a structure that cities can follow to prioritize their operational execution of cyber security.
This is an aspirational policy which aims to create clearer lines of accountability within a city context, despite differing examples of city governance structures.
How to use this policy
We have found through research and interviews that CISOs in cities may be held accountable for systems that they do not have direct control over, as these may be procured or managed by departments other than central IT functions. We believe that accountability sits best within one single person’s domain; however, understanding that changing governance structures within cities takes time, we acknowledge that single person accountability might be something to work towards. The policy below is written for single person accountability; however, an interim step may be to have a model of shared accountability in place between a central IT team / CISO’s office and operations departments.
Cities have flexibility to implement this accountability model in different ways, and accountability could sit with multiple senior officers as long as all of the responsibilities are covered and cities can show who ultimately has responsibility for each of these areas. These roles (if more than one) should have a clearly defined level of cooperation/coordination to ensure that all responsibilities are shared between them and regular updates take place, including but not limited to: Key Performance Indicators, an associated schedule of authority amongst domains, and a clear escalation hierarchy.
This policy could be a published internal or external policy document, and/or the basis for one or more job descriptions for those accountable for cyber security in the city.
What is cyber security?
Preservation of confidentiality, integrity and availability of information in the Cyberspace.
Cyberspace is a complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which do not exist in any physical form.
What is cyber-resilience?
Cyber security plays a critical role in mitigating the impact of a cyber disruption by protecting the confidentiality, integrity, and availability (commonly abbreviated to CIA) of data and data-enabled infrastructure. However, security alone is not enough. Cyber resilience goes a step further by ensuring that Information and Communications Technology (ICT) systems continue delivering services in the event of a cyber incident.
What is cyber security and cyber resilience in a smart city context?
For cities, cyber resilience can be understood through their capacity for readiness, response, and reinvention. Efforts to build cyber resilience are critical to both surviving and even thriving in the face of cyberattacks or physical disasters.
The convergence of physical and digital infrastructure, the ensuing interoperability, and interconnectedness between city systems and data is an ongoing effort in many cities. The security goals of a smart city—confidentiality, integrity, availability, safety, and resiliency—should be grounded on both the objectives of traditional IT (to secure data) as well as those of Operational Technologies or OT (to ensure safety and resiliency of systems and processes). These combined security objectives can help cities maintain a more secure and resilient operating environment.
Cyber security accountability in this context may include a single person for both Information Technology (IT) and Operational Technology (OT) or a person for each domain (IT and OT) – each city may decide what is appropriate for the accountable person to have under their remit.
What is responsibility and accountability in a smart city context?
Good governance as it relates to cyber security in a city means that one Senior Officer or group of key senior individuals within a city holds the final responsibility for any cyber security breaches. The accountable person(s) has to evaluate, direct and monitor the design and deployment of effective information security of smart services, and be answerable for responding to and recovering from any cyber incident.
1.1 This policy may be cited as the “Cyber security accountability policy”, and shall come into effect upon publication in the [official city document or internal document].
2.1 [City] is committed to ensuring the cyber security and resilience of all information and physical infrastructure, including but not limited to physical and cloud infrastructure, devices, networks, data, applications and users.
2.2 The objective of this policy is to provide an accountability model for cyber security in order to ensure that one senior officer (or multiple senior officers) has the oversight, accountability, responsibility, authority and resources to make decisions on cyber security and protect [city] from potential harm, including but not limited to brand degradation, operational disruption, financial loss, legal liabilities, and the loss of public trust and confidence as a result of cyber attacks.
3. Critical responsibilities (essential)
3.1 Leadership and accountability
- Cyber security, including smart city cyber security, is owned, governed and delivered at the Senior Leadership level.
- One Senior Officer has accountability and authority to execute cyber security for all Information Technology (IT) and Operational Technology (OT) infrastructure (users, devices, networks, data and applications).
- The Senior Officer is a member of, or reports directly to, the Senior Leadership team.
- The Senior Officer is responsible for reporting on all cyber security related matters in accordance with the city’s defined performance indicators.
- The Senior Officer sets the overall governance framework and policy on cyber security which is reviewed and approved by the Senior Leadership no less than once a year.
- The Senior Officer must work with legal teams to ensure that all policies and directives comply with local, regional, national and applicable international standards and laws.
- The Senior Officer has the ultimate authority to make decisions on the cyber security aspects of all existing IT/OT products, services, procurements and internal application development, including any significant investment in IT/OT products or services procured by the city.
- The Senior Officer is responsible for ensuring that an inventory has been done of existing infrastructure including devices, users, networks, data and applications, and must have an understanding of the inventory and current landscape to be able to ensure the security of existing assets. The Senior Officer must have a level of understanding of the threat landscape of that infrastructure, the dependencies of various systems, user access rights, and who the accountable person is for the inventory (including who owns and manages them).
- For new systems being procured, the Senior Leadership group, or equivalent, has a written Service Level Agreement (SLA). Any technology program, utilizing either internal or external resources, must be registered with the Senior Officer prior to funding approval. If the request falls within usual policies, then the Senior Officer signs off and is accountable. In exceptional cases when a business need is paramount and overrides a security concern (e.g. COVID), procurement processes may fall outside standard procedures. In this circumstance, the Senior Leadership team can sign this off and the departments are held jointly responsible.
- The Senior Officer has the authority to execute digital forensics and the technical execution of privacy regulations (e.g. conducting privacy impact assessments and implementing Privacy by Design principles within business processes and technology solutions).
3.2 Security of information assets
- The Senior Officer is responsible and accountable for enforcing the relevant policy which ensures minimum standards are adhered to (including for procurement of new ICT deployments) and approving all operational decisions regarding cyber security, including issues concerning the management of the city’s information assets, for all IT/OT infrastructure as defined in Section 1.
3.3 Security of physical assets including sensors and other IoT devices
- The Senior Officer is not directly responsible for the physical security of the IT infrastructure, including but not limited to data collecting devices in public spaces, data centres, offices, mobile workers and remote devices. However, the Senior Officer should work closely with whoever within the city has responsibility for this, including third parties and private sector infrastructure owners, to ensure that security is maintained as per the policy.
3.4 Revision of information security measures
- A responsible officer under the purview of the Senior Officer is required to revise documents concerning information security (including but not limited to information security policy) on an annual basis (or more frequently if determined to be necessary by the city) in consideration of audit results or as international security standards are developed and/or revised.
3.5 Security incident prevention
- The Senior Officer is responsible and accountable for putting into place the governance, processes, policies, systems and technologies that are focused on preventing cyber incidents.
- The Senior Officer is responsible for city-wide awareness and training for city executives, council, employees and contractors in cyber security leading practices. End-user training must be registered / tracked and at minimum should be re-evaluated on an annual basis.
3.6 Incident response
- The cyber security policy shall have a specific plan for incident response, with different responses for operational and communication actions based on the severity of the incident with defined SLAs for responding parties.
- The Senior Officer is responsible for ensuring an adequate Disaster Recovery programme is in place, including applications for recovery, i.e. online / offline backup functionality for all core systems. These backup strategies should be tested at least once per annum for selected systems.
- The Senior Officer is required to review all security incidents and take action required to prevent incidents in the future which utilize the same attack vector.
- The Senior Officer shall immediately report to the Senior Leadership team in written form when any security incident occurs which is considered to be of significance, as defined by the policy.
- Upon confirmation of a cyber security incident, the responsible officer is required to keep a record of the cyber attack and appropriately communicate with supervisory authorities and relevant organizations.
- The Senior Officer will work with Communications/Media Relations and be the key internal and external contact during a major incident.
4. Important responsibilities (additional)
4.1 Information security and risk management training
- A responsible officer, under the purview of the Senior Officer, is required to conduct and keep a record of training on information security and risk management [on an annual basis] (or more frequently if determined to be necessary by the city).
4.2 Security audit
- A responsible officer, under the purview of the Senior Officer, is required to have staff undertake, or to appoint a third party to undertake, periodic audits of the implementation of information security measures, and to work closely with other compliance teams across the city.
4.3 Third party cyber security standards
- A responsible officer, under the purview of the Senior Officer, is required to set policy for risk assessment and vetting of any third parties to whom activities are outsourced.
4.4 Education of citizens around basic hygiene for cyber security
- A responsible officer, under the purview of the Senior Officer, is required to ensure easy reference to online resources, ensuring that the city website has information which citizens can find and utilise.
Yalena Coleman, Applied Data and Technology, Connected Places Catapult
Task Force Members:
Abhik Chaudhuri, Chevening Fellow, Tata Consultancy Services
Daniel Dobrygowski, Platform for Cybersecurity and Digital Trust, World Economic Forum
Eleri Jones, Head of PETRAS National Centre of Excellence for IoT Cybersecurity, UCL
Gökay Bekşen, Principal Advisor, Istanbul Metropolitan Municipality
Greg McCarthy, Chief Information Security Officer, City of Boston
Saj Huq, Director, London Office for Rapid Cybersecurity Advancement
Sandy Tung, Programme Manager, Greater London Authority
Xiaodong Lee, Founder and CEO, Fuxi Institution
Michael Lake, CEO, Leading Cities
Mirel Sehic, Cyber Security Director, Honeywell
Murray Rosenthal, Senior Policy Analyst (Security), City of Toronto
Tadashi Kaji, World Economic Forum Fellow, Hitachi
Thad Eidman, Chief Operating Officer, Acreto Security
Contributors and reviewers:
Kush Sharma, CISO, City of Toronto
Nathan Pawl, CEO, Blacksands