This presentation has been delivered by Graeme Parker at the PECB Insights Conference 2017.

1. Standards, Security, and Audit
Smart Cities – The Security Aspects

2. Graeme Parker
Managing Director - Parker Solutions Group
Extensive experience delivering Cyber Security, Business Continuity and Risk
Management solutions in multiple sectors including Government, Financial
Services, City Authorities, Health Services, Electrical and Power to
organizations across the globe.
Graeme provides consulting at the strategic, tactical and operational levels,
conducts and leads audits and leads numerous training events worldwide.
Contact Information
+44(0)1609 760293
graeme@parkersolutionsgroup.co.uk
www.parkersolutionsgroup.co.uk
https://uk.linkedin.com/in/graemeparker
twitter.com/parkerinfosol
https://www.facebook.com/Parker-
Solutions-Group-113377915344272/

3. 3
City, Town, Municipality
Definition
• a large or important town.
• (in the U.S.) an incorporated municipality, usually governed by a
mayor and a board of aldermen or councilmen.
• the inhabitants of a city collectively:
• The entire city is mourning his death.
• (in Canada) a municipality of high rank, usually based on population.
• (in Great Britain) a borough, usually the seat of a bishop, upon
which the dignity of the title has been conferred by the crown.
• the commercial and financial area of London, England.
• a city-state.

4. 4
Urbanization
UN 2015
• 50% of today’s world population live in urban areas (3.5 Billion)
• By 2030 this is predicted to rise to 60%
• 60% then now will be much different to 60% today
• 1 in 8 currently live in one of the worlds 28 “Mega Cities”
• By 2050 it is predicted that 64% of the developing world and 86% of
the developed world will be “urbanized”
• 95% of Urban Growth by 2050 is expected to take place in
developing countries

5. 5
Challenges and Opportunities
Challenges
• Greater demand for natural resources – e.g. water and energy
• Demands on services – Education, healthcare, waste management
etc.
• Increasing pollution and impacts on biodiversity
• Climate change impact – cities take up 2% of Earths land but
account for 80% energy use and 75% carbon emissions (UN 2014)
• Pressure on housing and other resources can contribute to poverty
and crime and other social problems
• Cities are at risk of climate change impacts such as flooding and
weather events.

6. 6
Challenges and Opportunities
Its not all bad..
Cities provide many opportunities including:
• Job and career opportunities
• Flow of ideas and business
• Ability to meet social aspirations of people
• Global connectivity and influence
• Incubators for new ideas, business and innovation
• Centres for education and learning

7. 7
Rising to the Challenge
To meet these challenges cities are aiming to become:
But what does that mean??

8. 8
Smart City
BSI 2014 one of many definitions
‘the effective integration of physical, digital and human systems
in the built environment to deliver sustainable, prosperous and
inclusive future for its citizens’ (BSI, 2014).

9. 9
Smart City Vision
http://in.nec.com/en_IN/blog/smart-cities-
shaping-indias-future.html

10. 10
Smart City Examples
Masdar City – A brand new sustainable City

11. 11
Smart City Examples
Rio – An existing city adopting Smart technologies

12. 12
Smart Cities Core Elements
Element Issues
Citizens Trust, accessibility, ease of use, top
down/bottom up, co-creation
Leadership and Strategy Strategy, effective leadership, inclusive
decision making, stakeholder
engagement, partnerships
Innovation and Enterprise Ecosystems, data economy, finance
business models
Infrastructure, technology, and data Future proofing, resilience, sensors, data,
privacy, security and ethics
Measurement and learning City performance, metrics and indicators,
ideas sharing

13. 13
Open Data
Open Data Institute
Open data is data that anyone can access, use or share. Simple
as that. When big companies or governments release non-
personal data, it enables small businesses, citizens and medical
researchers to develop resources which make crucial
improvements to their communities.

14. 14
Smart City Information and System Assets
City Assets
Assets
Infrastructure Publically Owned
Private sector infrastructure
Citizen owned data
Open data
Private data
Sensors and IoT devices
Industrial Control Systems
Citizen assets
Databases
Applications
Smart Devices

15. 15
Threats – Traditional definition
ISO 27000, clause 2.77
Potential cause of an unwanted incident
which may result in harm to a system or an
organization
But what about the city?
The harm is much wider!!

16. 16
Sources of Threat
Threat Source Examples
1 Organized Crime
Theft of personal data
Ransomware
2 Terrorist Groups
Distributed Denial of Service Attack
Intelligence gathering
3 Disgruntled Citizens
Service disruption
Website de-facement
4 Suppliers
Human error
Design and security flaws
5 Foreign Intelligence or Hostile
State
Eavesdropping and surveillance
Sabotage
6 Commercial Entities
Resale of citizen data
Invasion of privacy
7 Natural Events
Floods
Power Outages

17. 17
Security Programme
A city wide security programme is required
To manage the many different assets and potential risks a city
wide security programme is needed
• All cities differ in terms of stakeholders and their contribution
to security but ultimately security policy should be set by the
city authorities (e.g. sponsors of the city initiatives)
But where do we start? Are there any standards?

18. 18
Smart City Standards
BSI
PAS 180:2014 – Smart Cities – Vocabulary
PAS 181:2014 – Smart city framework – Guide to establishing
strategies for smart cities and communities
PAS 182:2014 – Smart city concept model – Guide for establishing a
model for data interoperability
Hypercat – A standard for secure and interoperable IoT for Cities – PAS
212:2016 – Automatic resource discovery for the Internet of Things –
Specification
ITU – FGSSC – Sustainable Cities Focus Groups

19. 19
Security Standards
Standard Purpose
ISO/IEC 27001 Specifies the requirements for an Information
Security Management System
ISO/IEC 27002 Specifies a code of practice and security controls
to manager risks
NIST SP 800-82 Specifies a security programme and control for
SCADA and Industrial Control Systems
OWASP Describes web application security controls
PCI-DSS Details requirements for the security of
cardholder data
ISO/IEC 29100 Specifies the requirements for a Privacy
Framework
Government Standards and
Guides
Designed to address local risks and protect
government assets
ISO/IEC 27035 Designed for Incident Response
But where is the IOT Security Standards???

20. 20
Highlights of the Smart City Security Programme
• Clearly Defined Roles and Responsibilities
• Clear Asset Ownership
• Security by Design
• Privacy Impact Assessments
• Vendor Management and Partnership
• Engagement with Authorities
• Citizen Education and Engagement
• Security Incident Response Processes

21. 21
Roles and Responsbilities
• Roles and Asset Ownership need to be clear
• This could be within a city authority, vendor, or other
organisation but must be clear to all involved

22. 22
Highlights of the Smart City Security Programme
Security by Design
• Security by design means:
• Ensuring security professionals are engaged from the initiation of an
idea
• Defining an approach to Security Architecture
• Ensuring relevant security standards are consulted and minimum
standards are defined
• Challenging vendors and suppliers to meet standards
• Making security criteria part of quality criteria
• Ensuring security is tested at logical points with clear acceptance
criteria
• Considering an Accreditation Strategy
• Agile is not a reason to ignore all of the above

23. 23
Highlights of the Smart City Security Programme
Privacy by Design
• If we consider Security by Design then we need to also consider Citizens
Privacy
• Privacy Impact Assessments should be integral to the launch of all new
Citizen services or to changes in Citizen Services
Privacy impact assessments (PIAs) are a tool that you can use to identify and
reduce the privacy risks of your projects. A PIA can reduce the risks of harm to
individuals through the misuse of their personal information. It can also help
you to design more efficient and effective processes for handling personal
data.
- UK Information Commissioner

24. 24
Highlights of the Smart City Security Programme
Vendor Management
For most smart cities vendors will be appointed or even play an
integral role through public/private partnerships or joint
ventures.
• Ensuring that vendors at all levels address security issues is
vital.
• An error in the chain can have significant impacts
• A clear vendor management process will be central to the
programme.

25. 25
Engagement with Authorities
National, Regional and International Standards
City Authorities should stay ahead of developments and can play
a key role in shaping future standards, laws and regulations.
This could be at an International Level – E.g. ISO standards.
Sector level – E.g. influencing standards on IoT security amongst
vendors
Multinational Level – E.g. influencing policy or guidance at EU or
OECD level

26. 26
Citizen Engagement and Education
Smart Citizens
Engaging Citizens is key to seizing the opportunities of Smart
Cities. It can also ensure understand their rights and how they
can protect themselves and other stakeholders
Citizens can be:
• Consumers
• Producer
• Prosumer
• Co-creators

27. 27
Citizen Engagement and Education
Smart Citizens
How to engage and educate?
• Community Platforms such as Smart Citizen
• Projects aimed at all age groups and sectors of society
• Project Engagement – Waag Society
• Hackathons
• Soliciting feedback/surveys
• Information Security Awareness Campaigns
• Engagement events

28. 28
IncidentsDisaster
Management Incidents and Events
High Risk occurrence
and low impact
Low Risk occurrence and
high impact
 Managed by the incident management
process
 Managed by the business continuity and
emergency management processes
Management of Residual Risk

29. 29
Key Messages
• Smart City Security is a multi stakeholder activity
• It takes leadership and engagement
• It is vital not just to protect information but to protect citizens
and everything that a citizens depend upon
• It is a mutli disciplinary activity with security touching every
part of smart city planning, development, maintenance and
operations
• Industry needs to work on IoT Security Standards so we can
be confident in the devices deployed in Smart Cities

30. 30
Key Messages
A Truly Smart City
http://in.nec.com/en_IN/blog/smart-cities-
shaping-indias-future.html

31. THANK YOU
?
123 456 789
name.surname@domain.com
www.domain.com
linkedin.com/name.surname
twitter.com/name.surname
fb.com/name.surname