Cybersecurity Risk of IoT on Smart Cities (ISBN 3030885232, 9783030885236)

This book covers the topics on cyber security in IoT systems used in different verticals such as agriculture, health, ho


English, 95 pages, year 2021


Table of contents :
Preface
Acknowledgments
Contents
1 Cybersecurity Risks of IoT on Smart Cities
1.1 Cyber Risk in IoT Systems in the Context of Smart Cities
1.1.1 Challenges of the Cities: Sustainability
1.1.2 Smart Cities for the Construction of Sustainable and Resilient Cities
1.1.3 Smart Cities Under Attacks
Smart Traffic
Smart Grids
Smart Home
Smart Health
1.1.4 IoT Systems, Components, Operation, and Security Issues
IoT Infrastructure and Models
IoT Device to IoT Device
IoT Device to Fog/Cloud
IoT Device to Gateway
IoT Device to Third Parties
IoT Technologies and Protocols
IoT Physical Devices and Operating Systems
IoT Vulnerabilities
1.2 Summary
References
2 Uncertainty and Its Role in IoT Risk Management
2.1 Evaluating the Security in IoT Systems
2.2 Define the IoT Attack Surface
2.2.1 Sensing Layer Attack Surface
Physical Device Security, Hardware and Firmware Vulnerabilities
2.2.2 Communication Layer Attack Surface
2.2.3 Data Layer Attack Surface
2.2.4 Application Layer Attack Surface
2.3 Evaluation of Security Risk on IoT Attack Surface
2.4 Uncertainty in the Evaluation of Cyber Risks in IoT
2.5 Management of Uncertainty
2.6 Summary
References
3 Risk Methodologies for IoT on Smart Cities
3.1 The Challenges of Cyber Risk Management on IoT Systems
3.2 The Cyber Risk Management Process
3.3 Cyber Risk Management of IoT Systems on Smart Cities
3.3.1 Establish the Context on Smart Cities
3.3.2 Risk Identification on Smart City
3.3.3 Risk Analysis on Smart City
3.3.4 Risk Evaluation on Smart City
Fundamental Principles of Risk Evaluation
3.4 Use of IT Risk Methodologies and Its Possible Limitations on Smart City
3.5 Summary
References
4 Decision-Making Based on Risk Assessment on Smart Cities
4.1 Modeling Smart City for Decision-Making
4.1.1 Digital Twin
4.2 Modeling the Prediction of Cyber Risk
4.3 Bayesian Network for Risk Analysis
4.3.1 Experiment
4.4 Summary
References


Roberto O. Andrade, Luis Tello-Oquendo, Iván Ortiz

Cybersecurity Risk of IoT on Smart Cities

Roberto O. Andrade, Instituto Geofísico de la Escuela Polit, Quito, Ecuador
Luis Tello-Oquendo, Universidad Nacional de Chimborazo, Riobamba, Ecuador
Iván Ortiz, Facultad de Ingeniería y Ciencias Aplicadas, Universidad de Las Américas, Quito, Ecuador

ISBN 978-3-030-88523-6 ISBN 978-3-030-88524-3 (eBook) https://doi.org/10.1007/978-3-030-88524-3 © The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Roberto: To María, Alejandro, and Sebastián for their patience and understanding during this process. Luis: To my family, for their everlasting love, support, and encouragement.

Preface

Over the years, cities have undergone continuous change due to social, technological, economic, and environmental factors. To mention a few examples, factors such as migration and urban mobility, health and life expectancy, environmental pollution, and waste management have pushed cities to consider the appropriate use of their renewable and non-renewable resources for current and future generations. This approach, aligned with the sustainable development goals set out in the 2030 Agenda, has encouraged cities to propose new urban planning and management models. Some urban management models consider the incorporation of technology for generating data-driven decisions. However, incorporating technology into city management models is not a new concept; it has evolved from the so-called digital cities to smart cities. In recent years, the strengthening of technologies such as big data, cloud, artificial intelligence, and the Internet of Things (IoT) has been the fundamental support for urban planning and management projects under the smart city concept. The incorporation of IoT has allowed the sensorization of the city's physical components, bringing values such as temperature, CO2 levels, traffic density, and occupation of public spaces, among others, into the digital world. Through big data and artificial intelligence techniques, the thousands or millions of data points generated by IoT devices in the city can be analyzed to determine behavioral patterns or outliers of the different elements of the city, and even to make predictions that allow positive actions for the city to be executed. The whole process of data collection, processing, and analysis through big data and artificial intelligence requires the support of fog and cloud computing technologies for its implementation and operation.

This whole environment of digitization and hyperconnectivity, created without proper management or control, can also have negative impacts. From the perspective of the digital world, cyber-attacks on cities have occurred over the years, affecting organizations providing electricity, gasoline, health, and other services and causing economic losses and social effects. This context has led international organizations such as the World Economic Forum to consider cyber-attacks as one of the top 10 threats that could have a global economic impact. This scenario does not necessarily imply that the technologies that support the development of smart cities are insecure. The problem arises from the inherent characteristics of these technologies that attackers can exploit. Artificial intelligence algorithms can be hacked and modified to change their operation, or the data feeding the analysis process can be manipulated to alter the result. In the case of IoT, characteristics such as the heterogeneity of technologies, a possible lack of security by design, hardware limitations that prevent implementing security mechanisms, and deployment in exposed locations such as streets represent opportunities for attackers and challenges for security specialists. This book aims to address the aspects of IoT that directly or indirectly generate security issues in smart cities. To address this context, an approach based on cyber risk analysis in smart cities from an IoT perspective has been considered. ISO 31000 proposes a set of steps for risk management: establishing the context; identifying assets, vulnerabilities, and threats; categorizing and prioritizing assets; assessing risk; and establishing countermeasures. In order to execute the risk analysis steps proposed by ISO 31000 from the IoT perspective, this book first describes the importance of technology in the development of smart cities. It then presents a snapshot of IoT architectures, communication models, and vulnerabilities that allows modeling the attack surface for the risk assessment process. It addresses the possible limitations that the risk analysis methodologies traditionally used for information systems may have with respect to IoT systems, due to their dynamic characteristics and the uncertain environments that result from the different technologies used in IoT and from the attack vectors and actions that attackers can perform in this environment, and it discusses how authors have adapted these methodologies to the IoT environment. Finally, a proposal for risk modeling based on a Bayesian network approach is presented.

Quito, Ecuador
Roberto O. Andrade

Riobamba, Ecuador
Luis Tello-Oquendo

Quito, Ecuador
Iván Ortiz

August 2021

Acknowledgments

We want to acknowledge S. G. Yoo for the support and comments on the drafts. We also express our appreciation to Susan Evans and Kritheka Elango for their support while developing this manuscript. Finally, our thanks go to Springer for the opportunity to publish our research to enhance the security of IoT systems in the domain of smart cities.



Chapter 1

Cybersecurity Risks of IoT on Smart Cities

1.1 Cyber Risk in IoT Systems in the Context of Smart Cities

The inclusion of technological solutions in modern cities opens the possibility of new attacks that can significantly affect the continuity of city services. From a security perspective, the impact of these attacks must be reduced through technical and non-technical controls [1]. Since improving cybersecurity has an associated cost, security experts must prioritize the risks with the most significant potential impact, so that resources are spent where security measures perform best. At the same time, a smart city faces uncertainty about cyber-attacks: when, how, and where they could occur, which attack vectors would be used, and what level of impact or loss they could cause. To bring this uncertainty under control, a security strategy is needed that analyzes and manages the potential cybersecurity risks [2]. Nowadays, IoT is becoming a critical element of smart city implementations. However, the inherent characteristics of IoT ecosystems, such as heterogeneity and a lack of security by design, introduce new challenges from the cybersecurity perspective.

1.1.1 Challenges of the Cities: Sustainability

Cities worldwide face challenges related to pollution, economic growth, employment, and gender equality, among others, which are embodied in the 17 Sustainable Development Goals (SDGs) proposed by the United Nations in 2015 (see Fig. 1.1). In addition to the SDGs, cities face other challenges, among which we highlight the following.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. R. O. Andrade et al., Cybersecurity Risk of IoT on Smart Cities, https://doi.org/10.1007/978-3-030-88524-3_1

Fig. 1.1 The United Nations' sustainable development goals

Urban Migration. The population migrates from rural to urban areas, which increases the population in some regions and, with it, the consumption of resources in urban areas. For instance, since the year 2000, the number of inhabitants of Spain's urban areas grew from 30,937,864 to about 38.04 million, whereas the rural population decreased from 9,630,000 to 9,034,000 [3]. This migration from rural to urban areas is a continuous process in human evolution caused by industrialization, economic growth, and the centralization of social and economic well-being.

Urban Growth. The Global Migration Data Portal mentions that, by the year 2030, urban areas will concentrate 60% of the population due to:
• Natural population growth
• Migration of people from rural to urban areas
• Extension of urban boundaries
• Creation of new urban centers

This migration has allowed some cities to become megacities: metropolitan areas with a population of over 10 million people [4]. National Geographic's website mentions that, according to the United Nations, there are 28 megacities around the world, among them Tokyo with 37 million inhabitants, Shanghai with 27 million, São Paulo with 22 million, and Mexico City with 22 million [5].

Urban Mobility. The increase in population density in urban areas increases the demand for moving people from one point of the city to another. The management of public and private transportation and the establishment of alternative routes are essential for reducing traffic and pollution in cities. According to the American Public Transportation Association (APTA), 9.9 billion trips were taken on public transportation in 2019, which represents 34 million boardings each weekday. APTA also mentions that every USD invested in transportation generates five USD of economic return and that an investment of one billion USD can create 50,000 jobs, which means that public transportation generates important economic opportunities for cities. On the other hand, the COVID-19 pandemic drove changes in mobility patterns during 2020. For instance, in San Diego the share of trips made by private car increased by 10%, whereas the use of public transportation was reduced by 55%. In New York City, the use of private cars increased by 24% and the usage of public transportation fell by 53%. This change of patterns is similar in other cities in the United States [6].

Life Expectancy and Aging. According to data provided by the World Bank, life expectancy in the USA increased from 76 years in 2000 to 79 years in 2019. The upward trend was interrupted in 2020 by COVID-19 [7], but it is expected to resume after the pandemic. The increase is not limited to the USA: life expectancy in Canada is 82, in Germany 81, and in Spain 83 years. Overall, life expectancy is 81 years in the European Union, 76 in Latin America, 79 in North America, 78 in Asia, and 74 in Africa. This leads to a growing older adult population (age over 70 years) [8]. In the USA, the number of people over 85 years old is projected to increase by 33%, which represents 98 million individuals by 2060, while Europe projects an increase of 29%, which represents 160 million individuals by 2060 [10]. According to the United Nations, there were 703 million people aged 65 years or over worldwide in 2019, and the number of older people is projected to double to 1.5 billion by 2050. According to census data from some states of the USA, most people over 65 years old live in urban areas [11].
For instance, New York has 85.8%, Washington 78.5%, and Nevada 91.8%. The degenerative process of aging creates the need for different medical programs. Statistics indicate that, on average, 68% of older adults have at least two chronic diseases and need home-based care [9]. However, the number of physicians is very limited compared with the number of such patients worldwide. For instance, there are 2.6 physicians per 1000 people in the USA, 3.8 per 1000 in Spain, and 4 per 1000 in Denmark, while in Ecuador there are two physicians per 1000 people. In some cases, transportation for moving older adults to health care centers is also limited. This context pushes cities to develop health care programs and transportation options for this population and, as part of the solution to these limitations, has prompted the development of a technology called Assisted Living Environments.

Environmental Pollution and Waste Management. Industrial processes, the growing number of automobiles, and a consumption-based lifestyle have contributed to environmental contamination and to an increase in waste generation. According to the United States Environmental Protection Agency (EPA), transportation and industry contribute 14% and 21% of U.S. gas emissions, respectively [12]. Another example of pollution is Lake Titicaca, on the border between Bolivia and Peru, a lake with an extension of 1000 km that has been polluted by a large amount of waste from urban and industrial discharges. Social transformation and urban growth in Bolivia have raised the level of pollution, which represents a risk for human and animal populations [13]. The World Health Organization (WHO) has set a guideline limit for average outdoor ambient air pollution of 10 micrograms (thousandths of a gram) of PM2.5 per cubic meter of air (10 µg/m³). However, in Mexico the average concentrations during 2020 were about 27.1 µg/m³ in Toluca, 26.1 in Tijuana, 24.6 in Puebla, and 25.5 in Guadalajara, making these the cities with the highest particulate concentrations in the country. Interestingly, during the COVID-19 lockdown between January 2021 and March 2021, a significant decrease of 19% was observed in comparison with the previous 5 years [14].

Pandemic and Natural Disaster Management. The COVID-19 pandemic had its initial outbreak in December 2019 and presented challenges for cities due to the confinement of people in their homes and, therefore, the need for new online services in public and private organizations. The digital transformation caused by COVID-19 in work and educational contexts generated greater consumption of technological services such as online and virtual platforms. Additionally, controlling the pandemic through data-driven decision-making processes drives the use of data analytics, big data, and artificial intelligence. For instance, the education sector is accelerating its digital transformation due to the pandemic. 1.2 billion children around the world were affected by school closures [15], which generated the need for online classes; for example, in the Italian region of Emilia-Romagna, 83.9% of the students took classes online, and in Lombardy and Veneto 77.8% and 71.8% of the students, respectively, received classes online [16].
However, in these circumstances, 27% of Italian families did not have suitable technology, and 30% of parents did not have time to support their children's educational activities. According to UNICEF, one in three families in Italy has not been able to support online educational activities [17]. In both contexts, cities need to strengthen their Information and Communication Technology (ICT) infrastructure to serve current users and expand coverage to new users. Another effect of the COVID-19 pandemic was on online food delivery; in this case, the impact was positive. The online food delivery segment has grown considerably and is projected to have an annual growth of 6.36% from 2021 to 2024, with an expected revenue of USD 151,526 million in 2021 [18].

1.1.2 Smart Cities for the Construction of Sustainable and Resilient Cities

Faced with the aforementioned challenges, modern cities must manage their renewable and non-renewable resources in a sustainable, equitable, and environmentally friendly manner. This model of city management was discussed during the Habitat III conference held in Quito in 2016, to establish appropriate policies to take advantage of urbanization across physical space, bridging urban, peri-urban, and rural areas [19]. The New Urban Agenda adopted at Habitat III, aligned with the 2030 Agenda, defined guidelines and milestones to make cities more sustainable and resilient. Under this precept, cities have incorporated planning tools based on the inclusion of ICT in their management models. Currently, cities such as New York or Milano incorporate data-driven decision-making through open data portals that publish information on traffic, crime, health centers, and more. The portal of New York City is https://opendata.cityofnewyork.us/, while Milano's is https://dati.comune.milano.it/. The greater the amount of available data, the greater the effectiveness of the decision-making process. Different technologies have allowed cities to be managed in a smarter manner; for example, digital twin technology proposes building a replica of the city in which its elements can be manipulated to analyze possible scenarios. The digital twin also makes it possible to interact remotely with real physical elements. To generate this digitization, a sensorization process is needed to gather the physical values of the different elements of the city (e.g., services, infrastructure, and citizens). In this context, the growth of the Internet of Things (IoT) has contributed significantly to the generation and digitalization of data. Through IoT, it is possible to obtain parameters such as the alkalinity or fertility of the soil in an agricultural plantation, the water quality in a shrimp pond, or the level of environmental pollution. According to Forbes, by 2050 there will be a total of two billion connected devices. The large amounts of data generated by IoT create the need for platforms to process and store such data, e.g., cloud and big data platforms.
The computational analysis of city data has driven the computational model called urban computing and has given rise to a city management model called "Smart City." Some authors have defined the concept of a smart city as follows:
• Definition 1. Smart cities are equipped with sensors and communications infrastructure that can provide a large amount of data. In addition, citizens can use their smartphones to share information with the city and with other users [20].
• Definition 2. Smart cities: the automation strategy based on mass deployment of IoT devices to collect big data and obtain information about the behavior of the city to improve its services [21].
• Definition 3. Smart cities could be considered as a model that abstracts the physical and behavioral aspects of the different elements of the city (citizens, services, and physical infrastructure) into the digital environment through the interoperability of technological subsystems made up of sensors, actuators, and processing capabilities. This allows identifying patterns in the city's social, environmental, and economic aspects so that the city's actors can make real-time decisions to maintain the city's sustainability and resilience [22].

Fig. 1.2 Smart city model architecture

For the operation of the smart city model, an architecture that includes the vertical domains and pillars of the city is often established, as shown in Fig. 1.2. The vertical domains include agriculture, healthcare, energy, environment, waste management, industry, and transportation, among others [23], and the pillars are:
• Governance: the ability to administer policies in the vertical domains of the city. Vertical domains included in this pillar are: e-government, emergency response, public safety, public service, and transparent government.
• Society: the ability to support the well-being of citizens. Vertical domains included in this pillar are: entertainment, healthcare, public transport, smart traffic, and tourism.
• Economy: the ability to make possible the generation of jobs, economic growth, and entrepreneurship. Vertical domains included in this pillar are: advertisement, agriculture, enterprise management, logistics, transactions, entrepreneurship, and education.
• Environment: the ability to be sustainable in the consumption of resources for present and future generations. Vertical domains included in this pillar are: housing, public space, renewable energy, pollution control, smart grid, waste management, and water management.

Based on the architecture proposed in Fig. 1.2, the smart city is supported by an architecture and information model for managing the collection, processing, and analysis of the data generated by the city's information technology (IT) and operational technology (OT) systems. The smart city is also supported by a networking and information security infrastructure that assures the availability, confidentiality, and integrity of the information of the city and its citizens. Additionally, the information flow is supported by components such as sensors, storage, and connectivity technologies that are established in the sensing, communication, data, and application layers.

Table 1.1 Description of smart city applications on vertical domains of the city

Air quality: senses and monitors the air quality for reducing the carbon footprint
Energy efficiency: conserving energy
Natural disaster monitoring: warning before a disaster
Security and surveillance: tracking crime, vandalism, loitering
Smart home: for example, smart meters optimize electricity and gas consumption
Transportation: information exchange among buses, taxis, trains, and underground railways; vehicle to vehicle (V2V) communication
Water quality: different sensors deployed in the water supply system to manage the quality of the water

The development of smart city applications focuses on meeting the requirements of each vertical domain's city services, as described in Table 1.1. Additionally, application development takes as input the results generated by the planning and management of urban growth, city infrastructure, livelihood outcomes, and the peri-urban transformation of the city. The smart city architecture must be based on standards and regulations for adequate planning and management, such as ISO 37120 for smart city indicators, IEEE P2413 for IoT architecture, ISO/IEC 14513 for low power consumption, and IEEE 1547 for smart grid critical infrastructure, among others.

1.1.3 Smart Cities Under Attacks While the technological components in cities create a set of possibilities for improving city planning, they also open the possibility of new security attacks. As an example, it is possible to mention the ransomware attack that suffered the major U.S. pipeline system; the computer system of the Colonial Pipeline that transports gasoline and other fuels from Texas to the Northeast and supplies about 45% of the fuel to the East Coast was hacked. Through the attack the hackers took more than 100 GB of data from the cloud, then encrypted the data, and stopped operations for 1 week. Another case was in the computer system of the city of Baltimore; it had a ransomware attack that demanded $13 million of dollars on bitcoins in 2019. City chose not to pay the ransom and then spend $18 million to repair the damage. Figure 1.3 presents the taxonomy of cyber-attacks on smart cities that was developed based on ITU’s four domains, i.e., society, economy, economic, and environment. However, there is a need to consider two additional domains: technology and security [24].


1 Cybersecurity Risks of IoT on Smart Cities

Fig. 1.3 Taxonomy of cyber-attacks on the smart city. Adapted from [24]

Recent attacks indicate a much more dangerous trend for the smart city environment, one of the most important being DDoS attacks carried out using IoT devices. For example, in October 2016, companies such as the New York Times, Twitter, eBay, Netflix, PayPal, and Spotify had serious difficulties providing their services or were inaccessible. The reason was a massive DDoS attack executed against the DNS provider Dyn. The attackers mainly used IoT elements (e.g., IP surveillance cameras, digital video recorders, and home routers). This is only one example of the different attacks that could be carried out against the services of smart cities. In the following, the different services implemented in smart cities and the attacks that could be generated against these services are explained.

Smart Traffic

Smart traffic is based on sensors, road detectors, cameras, and other roadside units (RSU) to obtain patterns of the traffic flow in real time, such as traffic congestion, vehicle speed, road accidents, and traffic density. The data obtained from the sensors is delivered to a traffic controller, which uses it to make decisions about the traffic flow according to the deployed control strategy. Smart traffic is implemented on legacy traffic infrastructure that was built without concern for cybersecurity; therefore, the intelligent traffic management system could be vulnerable to attacks. Attackers can exploit vulnerabilities in these systems using, for example, tampering attacks (i.e., providing controllers with false detection information) or by disrupting control and communications (i.e., denial of service attacks) to cause phantom traffic jams or degrade the quality of the transportation service.

1.1 Cyber Risk in IoT Systems in the Context of Smart Cities


Smart traffic depends on data generated by sensors that could have little security protection, so they must be accompanied by monitoring strategies for attack detection. Anomaly detectors can identify malicious activity. It is also important to consider that attacks could be deployed at various levels of the smart traffic infrastructure, and countermeasures should be designed for each level; for instance, smart traffic uses machine learning models for route prediction or vehicle prioritization, and an attacker could inject fake data into the machine learning model or retrieve side-channel information.
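The monitoring strategy just described can be made concrete with a small tamper detector that runs on the controller side before detector data is used. The following is an added example written for this edition, not code from the book or from any traffic-control product; the road bounds, sensor ids and readings are constructed, and the threshold values are assumptions a deployment would calibrate from its own traffic history.

```python
"""Tamper detection for traffic-sensor readings (added example, not from the book).

Three cheap checks a traffic controller can run on detector data before using it:
physical plausibility of each reading, agreement among co-located sensors, and
rate-of-change between consecutive reports from one sensor. All thresholds,
sensor ids and readings below are constructed for illustration.
"""
from statistics import median

# Assumed physical bounds for an urban arterial road (constructed values).
MAX_SPEED_KMH = 130.0          # nothing on a city road legitimately exceeds this
MAX_DENSITY_VEH_PER_KM = 180   # jam density; higher is physically impossible
MAX_SPEED_JUMP_KMH = 40.0      # a lane average cannot change more than this per cycle
MAX_PEER_DEVIATION_KMH = 25.0  # tolerated disagreement with co-located sensors


def plausibility_alerts(reading):
    """Reasons a single reading is physically implausible (empty list if none)."""
    alerts = []
    speed, density = reading["speed_kmh"], reading["density"]
    if not 0 <= speed <= MAX_SPEED_KMH:
        alerts.append("speed out of physical range")
    if not 0 <= density <= MAX_DENSITY_VEH_PER_KM:
        alerts.append("density out of physical range")
    # Jam-level density together with free-flow speed contradicts traffic-flow theory.
    if density > 120 and speed > 80:
        alerts.append("jam density reported with free-flow speed")
    return alerts


def consensus_alerts(readings):
    """Sensor ids whose speed deviates too far from the median of their peers."""
    med = median(r["speed_kmh"] for r in readings)
    return [r["sensor"] for r in readings
            if abs(r["speed_kmh"] - med) > MAX_PEER_DEVIATION_KMH]


def rate_alerts(history):
    """Pairs of cycle numbers between which one sensor's speed jumped implausibly."""
    return [(prev["t"], cur["t"]) for prev, cur in zip(history, history[1:])
            if abs(cur["speed_kmh"] - prev["speed_kmh"]) > MAX_SPEED_JUMP_KMH]


def analyze_cycle(readings):
    """Map sensor id -> list of alert reasons for one reporting cycle."""
    suspects = {}
    for r in readings:
        for reason in plausibility_alerts(r):
            suspects.setdefault(r["sensor"], []).append(reason)
    for sid in consensus_alerts(readings):
        suspects.setdefault(sid, []).append("disagrees with co-located sensors")
    return suspects


# Constructed cycle: four detectors on one segment; S4 reports a phantom jam.
SAMPLE_CYCLE = [
    {"sensor": "S1", "speed_kmh": 52.0, "density": 35},
    {"sensor": "S2", "speed_kmh": 49.0, "density": 38},
    {"sensor": "S3", "speed_kmh": 55.0, "density": 33},
    {"sensor": "S4", "speed_kmh": 4.0, "density": 175},
]

# Constructed history for S4: a sudden collapse from free flow to a crawl.
SAMPLE_HISTORY_S4 = [
    {"t": 0, "speed_kmh": 50.0}, {"t": 1, "speed_kmh": 48.0}, {"t": 2, "speed_kmh": 4.0},
]

if __name__ == "__main__":
    print(analyze_cycle(SAMPLE_CYCLE))       # {'S4': ['disagrees with co-located sensors']}
    print(rate_alerts(SAMPLE_HISTORY_S4))    # [(1, 2)]
```

Note that S4's phantom-jam reading passes the plausibility check on its own (a speed of 4 km/h at a density of 175 veh/km is exactly what a real jam looks like); only the agreement check against redundant, co-located detectors exposes it, which is why sensor redundancy matters more than per-reading validation against this kind of tampering.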

Smart Grids

Smart grids emerged as a response to the need to modernize the electricity grid, articulating control and monitoring processes with green technologies, also known as non-polluting or ecological technologies. Smart grids integrate computing and digital communication technologies and services into the electrical system infrastructure. Therefore, smart grids go beyond smart home and business energy meters and deliver bi-directional energy flows and bi-directional communication and control capabilities with new functionalities. As an example, smart grids can provide a platform to maximize reliability, availability, efficiency, and economic performance, and the highest security against attacks and natural power outages. Despite the benefits of smart grids, these interconnected networks generate new vulnerabilities, leading to varied attacks with devastating physical effects and considerable economic losses. The number of risks also increases significantly. For instance, new nodes in the power grid create new entry points that attackers could exploit. In addition, new threats to computer systems appear day by day due to the rapid increase in sophisticated hacking tools, which increases the level of danger to the different telecommunication links of smart grids. Although the direct physical destruction of generators, substations, and power lines may be the most obvious strategy for causing blackouts, other activities such as attacks on sensors, communication devices, and control systems could also disrupt the electrical system, causing power outages and, in some cases, physical damage to critical components of the system.

Smart Home

Some relatively new technologies, such as the smart home, have been targeted by attackers since they incorporate a significant level of vulnerability. It is important to take into account that, in most cases, users of this technology do not have in-depth technical knowledge for using it properly, let alone for configuring and using it securely. Smart homes potentially provide additional “comfort” and “safety” to their users, as well as greater ecological sustainability. For example, a smart air conditioning system can use a wide variety of home sensors and web-based data sources to make smarter operational decisions than simple manual or fixed-time control schemes. This system can predict the expected occupancy of the house by tracking location data to ensure that the air conditioner reaches the desired comfort level when the house is occupied and saves energy when it is not. Additionally, smart homes can help with daily tasks such as cleaning, cooking, shopping, and laundry. However, probably none of these benefits would be used if the smart home system were not secure or reliable. In this sense, many of the devices incorporated in smart homes have important security-related limitations that could result in vulnerabilities. For example, one of these limitations is their low computing power; there are many devices on the market that use small microcontrollers, which limits their ability to implement complex security algorithms. Another limitation is that many devices ship with vulnerable software components and do not include software update capabilities. Additionally, the networks and protocols used by smart home technologies are complex and users do not understand them; therefore, they cannot adequately manage the whole system, raising the likelihood of security vulnerabilities.

Smart Health

Nowadays, smart health solutions based on IoT are being implemented successfully in different kinds of services. However, they can have serious problems if proper security mechanisms are not implemented. If the necessary measures are not taken to protect the devices from attacks, a smart health solution can have devastating consequences for patients. For example, it is known that an insulin overdose for a diabetic patient occurs when the blood glucose levels are below 70 mg/dL; in this case, if the patient is given insulin through an IoT device that is under attack, it could cause hypoglycemia with symptoms such as fainting, weakness, seizures, and respiratory problems, among others. The attackers can be economically motivated opportunists and/or highly organized criminal syndicates and Advanced Persistent Threat (APT) groups. Each of them could target health and life science organizations to steal sensitive data or valuable pharmaceutical/biomedical intellectual property. Vulnerable medical devices and applications increase the risk to healthcare organizations, particularly healthcare providers. In most cases, the risk is attributed to older medical devices and applications that often run on outdated and unsupported operating systems.

The techniques used to attack smart city infrastructures are similar to those used against traditional technology systems, but the relevant difference is the level of impact. Cyber-attacks that affect any information assurance component of a smart city can have an enormous impact on the city’s economic, social, or environmental domains. Additionally, the impact can directly or indirectly affect citizens. Therefore, smart cities should cover the following essential components of information assurance (IA), as is done in public and private organizations:


• Confidentiality: Keeping sensitive information secure
• Integrity: Ensuring that information is not altered
• Authentication: Ensuring that information is accessed only by authorized individuals or systems
• Non-repudiation: Ensuring that the source of information is known
• Availability: Ensuring that the information is available

There are many cyber-attacks that can affect the smart city sub-domains. Cyber-attacks use different attack vectors, and their goals differ depending on the kind of attack. In the following, some examples of cyber-attacks on smart city domains are presented:

• Man-in-the-middle: Attacks performed by hackers who intercept, interrupt, or modify the communications between two devices. For example, the attacker can disconnect the air conditioning system simply by sending false information about the temperature to the device.
• Theft of data and identities: Connected devices that collect personal data but do not have good security mechanisms are susceptible to leaking sensitive information. The stolen information could be used by the attacker to carry out fraudulent transactions, identity theft, and more.
• Device hijacking: The attacker takes control of a device without modifying its functionality and uses it as a vehicle to infect other connected devices with malware. In this way, for example, by infecting a smart lock, the attacker could change the access PIN and open the door.
• Distributed Denial of Service (DDoS): This attack tries to overload devices to paralyze the normal service to its legitimate users.
• Permanent Denial of Service (PDoS): This is the “strong” variant of DDoS, since its purpose is to cause physical damage to the target devices so that they must be repaired or replaced. An example is attacking a thermostat to provide false data, causing irreparable damage to other devices through extreme overheating.
• Ransomware: Software whose purpose is to compromise the availability of information and systems. In most cases, a payment is required from the affected party to recover the data, since the operation of the affected organization can be completely compromised, depending on the severity of the infection. Ransomware is a threat not only to traditional computer systems but also to smart cities. For example, researchers have demonstrated the attack capacity of ransomware on IoT devices such as thermostats. Attacks against availability, such as denial of service or ransomware against critical infrastructures, could paralyze city services such as traffic control, power supply, or toxic waste control.
• Phishing: An attack that impersonates services and websites, deceiving the user in order to, among other purposes, steal confidential information or inject malicious software. An example is the phishing attack executed against Anthem (a health insurance company), which allowed the theft of 79 million people’s data. Most of these attacks aim to steal credit card information and personal data, and there is a tendency to direct this type of attack toward cloud systems, whose use is increasing constantly. In the same way, the theft of Office 365 credentials has been the target of recent phishing campaigns. Phishing could now also be an important threat for smart cities, since the theft of credentials could allow an attacker to control important devices and systems and steal sensitive information from critical infrastructures.

The aforementioned attacks could happen in the sensing, communication, data storage, or application layers of the smart city model, which are characterized by the use of important technologies such as the Internet of Things (IoT) and cloud computing platforms. In recent years, the growth of the cloud computing market has allowed the emergence of different public providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Due to the size of these companies and their experience in the technology sector, they have introduced different security features into their services (see Table 1.2). However, the IoT area is still a growing market managed mostly by small- and medium-size companies, which means they cannot invest a considerable budget in developing security mechanisms. Moreover, since IoT solutions have a faster development time than cloud solutions, the gap in security becomes larger.
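The man-in-the-middle case above (false temperature information sent to a device) and the reuse of captured traffic by a hijacked device are exactly what message authentication with freshness is meant to stop. The following is an added example, not code from the book or from any vendor: each thermostat report carries an HMAC-SHA256 tag and a monotonically increasing counter under a key shared with the home controller at provisioning time. The device id, key and readings are constructed, and the message layout (`body`/`tag` JSON) is an assumption of this example rather than any standard format.

```python
"""Authenticated, replay-protected device messages (added example, not from the book).

A thermostat signs each report with HMAC-SHA256 over (device id, counter,
payload) using a key shared with the home controller at provisioning time.
The controller rejects tags it cannot verify (tampering, forged senders) and
counters it has already seen (replay). Device id, key and readings are constructed.
"""
import hashlib
import hmac
import json


def sign_message(key, device_id, counter, payload):
    """Serialize canonically and attach an HMAC tag; returns the wire message."""
    body = json.dumps({"dev": device_id, "ctr": counter, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ControllerVerifier:
    """Receiver side: per-device keys plus the highest counter accepted so far."""

    def __init__(self, device_keys):
        self.device_keys = dict(device_keys)
        self.last_counter = {}

    def verify(self, msg):
        """Return (payload, 'ok') or (None, reason); nothing is trusted before the tag check."""
        body = msg.get("body")
        if not isinstance(body, str):
            return None, "malformed"
        try:
            parsed = json.loads(body)
            dev, ctr, data = parsed["dev"], int(parsed["ctr"]), parsed["data"]
        except (KeyError, TypeError, ValueError):
            return None, "malformed"
        key = self.device_keys.get(dev)
        if key is None:
            return None, "unknown device"
        expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return None, "bad tag"
        if ctr <= self.last_counter.get(dev, -1):
            return None, "replay"
        self.last_counter[dev] = ctr
        return data, "ok"


DEVICE_ID = "thermostat-livingroom"                       # constructed
KEY = bytes.fromhex("00112233445566778899aabbccddeeff"    # constructed 256-bit key
                    "ffeeddccbbaa99887766554433221100")


def run_scenario():
    """Genuine report, tampered copy, replay of the genuine one, next genuine report."""
    verifier = ControllerVerifier({DEVICE_ID: KEY})
    verdicts = []
    report1 = sign_message(KEY, DEVICE_ID, 1, {"temp_c": 21.5})
    verdicts.append(verifier.verify(report1)[1])
    # An on-path attacker rewrites the temperature but cannot recompute the tag.
    tampered = {"body": report1["body"].replace("21.5", "45.0"), "tag": report1["tag"]}
    verdicts.append(verifier.verify(tampered)[1])
    # The original, valid message sent again is rejected by the counter check.
    verdicts.append(verifier.verify(report1)[1])
    report2 = sign_message(KEY, DEVICE_ID, 2, {"temp_c": 21.7})
    verdicts.append(verifier.verify(report2)[1])
    return verdicts


if __name__ == "__main__":
    print(run_scenario())   # ['ok', 'bad tag', 'replay', 'ok']
```

The counter must survive device reboots (stored in non-volatile memory on both sides), otherwise a restart would make genuine reports look like replays; the per-device key is the asset the text warns attackers target on the device itself, so on constrained hardware it belongs in a secure element or at least outside the firmware image.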

Table 1.2 Security techniques that cloud providers offer [22]

Technique | AWS | Google Cloud | Azure
Logging trail | CloudTrail | Cloud Audit Logs | Azure Search
Multi-factor authentication | Amazon Identity and Access Management (IAM) | Cloud Identity Platform | Azure Multi-Factor Authentication
Encryption key management | AWS Key Management Service (KMS) | Customer-supplied encryption keys, Cloud KMS | Azure Key Vault
Single sign-on | Yes | Yes | Yes

Functionality | AWS | Google Cloud | Azure
Logging trail | Yes | Yes | Yes
Multi-factor authentication | Yes | Yes | Yes
Sensitive data protection (DLP) | Yes | Yes | Yes
End-to-end encryption (data in motion) | Yes | Yes | Yes
Encryption of data at rest | Yes | Yes | Yes
Encryption keys | Yes | Yes | Yes
Data masking | Yes | Yes | Yes


Fig. 1.4 A common IoT operation model

1.1.4 IoT Systems, Components, Operation, and Security Issues

Lately, the sensing capabilities of IoT devices have been leveraged to generate data used in decision-making processes in smart cities [25]. However, the inherent characteristics of IoT ecosystems, such as heterogeneity and a lack of security by design, introduce new challenges for cybersecurity management. To understand the security issues of IoT, it is necessary to know how an IoT solution operates. Overall, how a common IoT solution in a smart city works is represented in Fig. 1.4: IoT devices collect data about physical parameters of city elements such as temperature, humidity, and CO2 level. Then, the IoT devices use a gateway to send the gathered data to the cloud infrastructure for processing. Later, the processed data is delivered to the city actors through different types of information systems such as mobile apps. Additionally, there can be scenarios where the IoT data is sent directly from the gateway to the users’ apps.

IoT Infrastructure and Models

Fig. 1.5 Typical IoT infrastructure

Fig. 1.6 IoT communication models

The main goal of IoT solutions is to get data from different sources, process it, and use the processed information to reach preset objectives. To accomplish this goal, the infrastructure illustrated in Fig. 1.5 is typically used. This typical IoT infrastructure is built from five modules: sensor data acquisition, data aggregation, data transmission, data storage and event processing, and analysis/visualization. The first layer, sensing/data acquisition, associates different IoT devices for monitoring different parameters of the city. Then, the data gathered by the IoT devices is aggregated through a gateway that connects to the core network to transmit the data from the IoT devices to a server or cloud platform for processing. Finally, the processed data is presented to the city stakeholders (managers, providers, citizens) for use through a computer or mobile application. In this IoT infrastructure, different types of IoT device communication models could be used:

IoT Device to IoT Device: Devices exchange information directly with each other to execute an action. An example could be an intelligent switch that controls a light (see Fig. 1.6).


Fig. 1.7 IoT communication models

IoT Device to Fog/Cloud IoT devices communicate with a fog/cloud platform to send the gathered data for its analysis and processing. Additionally, through fog/cloud platforms, IoT devices could exchange information between them. This communication model uses protocols such as HTTP, TLS, MQTT, COAP, DTLS, and XMPP (see Fig. 1.7).

IoT Device to Gateway IoT devices communicate with a gateway or hub to connect to a server, fog/cloud platform, or other IoT devices. In this communication model, protocols like Bluetooth, WiFi (802.11), LP-WPAN (802.15.4) can be used (see Fig. 1.8).

IoT Device to Third Parties Devices exchange data with Third Party Fog/Cloud platforms (see Fig. 1.9).

IoT Technologies and Protocols

The connection of IoT devices with sensors, gateways, servers, or fog/cloud platforms can be done with different wireless communication technologies: NFC and RFID with a range of up to 1 m; short-range technologies such as Bluetooth, Zigbee, and WiFi between 1 and 100 m; or medium- and long-range wireless technologies above 1 km such as LoRa, Sigfox, and NB-IoT. Also, IoT devices can use wired communication technologies such as Ethernet and MoCA. IoT solutions use different protocols at different layers for their operation, depending on the technology used. At the upper layers, protocols such as HTTP, MQTT, MQTT-SN, REST, XMPP, XMPP-IoT, TLS/SSL, DTLS, and CoAP can be used to establish communication between IoT devices, servers, and users’ apps, while at the lower layers, communication technologies such as 6LoWPAN, LTE, CDMA, GPRS, LoRa, Sigfox, Z-Wave, and WiFi can be used. Additionally, in the sensing/device layer, technologies such as Bluetooth, NFC, WirelessHART, and Zigbee can be used for communication between sensors and IoT devices. More details of the aforementioned technologies and protocols used in IoT systems are illustrated in Fig. 1.10, Table 1.3, Fig. 1.11, and Table 1.4.

Fig. 1.8 IoT communication models

Fig. 1.9 IoT communication models

Fig. 1.10 Power and range of some technologies used in IoT systems
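CoAP, one of the upper-layer protocols listed above, runs over UDP, so a device has to assume that any host can send it a datagram and that the datagram may be malformed or hostile; a strict parser is therefore the first device-side defence. The following is an added example, not code from the book or from any CoAP library: an encoder and a parser for the RFC 7252 wire format (4-byte header, token, delta-encoded options, 0xFF payload marker) that rejects the cases the RFC treats as format errors instead of reading past the buffer. The option constants are the standard numbers; the sample messages are constructed.

```python
"""CoAP (RFC 7252) message encoder and strict parser (added example, not from the book).

CoAP rides on UDP, so a device must assume any datagram can be malformed or
hostile. The parser below rejects the cases the RFC calls format errors
(short header, reserved token length, reserved option nibble 15, truncated
option values, a payload marker with no payload) instead of reading past
the buffer. Sample messages are constructed.
"""
import struct

TYPE_CON, TYPE_NON, TYPE_ACK, TYPE_RST = 0, 1, 2, 3
CODE_EMPTY, CODE_GET, CODE_POST, CODE_PUT, CODE_DELETE = 0, 1, 2, 3, 4
OPT_URI_HOST, OPT_URI_PATH, OPT_CONTENT_FORMAT, OPT_URI_QUERY = 3, 11, 12, 15
PAYLOAD_MARKER = 0xFF


def _encode_field(value):
    """Option delta/length nibble plus its extension bytes (RFC 7252 section 3.1)."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def encode(msg_type, code, message_id, token=b"", options=(), payload=b""):
    """Build a CoAP message. options is an iterable of (number, value bytes)."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token length must be 0..8")
    out = bytearray([(1 << 6) | (msg_type << 4) | len(token), code])
    out += struct.pack("!H", message_id) + token
    last = 0
    # Options are delta-encoded, so sort by number; the sort is stable, which
    # keeps repeated options such as Uri-Path segments in their given order.
    for number, value in sorted(options, key=lambda o: o[0]):
        delta_nib, delta_ext = _encode_field(number - last)
        len_nib, len_ext = _encode_field(len(value))
        out.append((delta_nib << 4) | len_nib)
        out += delta_ext + len_ext + value
        last = number
    if payload:
        out.append(PAYLOAD_MARKER)
        out += payload
    return bytes(out)


def _decode_field(nibble, data, pos):
    """Inverse of _encode_field; returns (value, new position)."""
    if nibble == 15:
        raise ValueError("reserved option nibble 15")
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(data):
            raise ValueError("truncated option extension")
        return data[pos] + 13, pos + 1
    if pos + 2 > len(data):
        raise ValueError("truncated option extension")
    return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2


def parse(data):
    """Parse a CoAP message into a dict; raises ValueError on format errors."""
    if len(data) < 4:
        raise ValueError("shorter than the 4-byte fixed header")
    first, code = data[0], data[1]
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1:
        raise ValueError("unknown CoAP version")
    if tkl > 8:
        raise ValueError("token lengths 9..15 are reserved")
    message_id = struct.unpack_from("!H", data, 2)[0]
    pos = 4
    if pos + tkl > len(data):
        raise ValueError("truncated token")
    token, pos = data[pos:pos + tkl], pos + tkl
    options, number = [], 0
    while pos < len(data) and data[pos] != PAYLOAD_MARKER:
        header, pos = data[pos], pos + 1
        delta, pos = _decode_field(header >> 4, data, pos)
        length, pos = _decode_field(header & 0xF, data, pos)
        if pos + length > len(data):
            raise ValueError("option value runs past end of message")
        number += delta
        options.append((number, data[pos:pos + length]))
        pos += length
    payload = b""
    if pos < len(data):            # loop stopped on a payload marker
        if pos + 1 == len(data):
            raise ValueError("payload marker followed by no payload")
        payload = data[pos + 1:]
    return {"type": msg_type, "code": code, "message_id": message_id,
            "token": token, "options": options, "payload": payload}


def is_malformed(data):
    """True if the datagram should be dropped rather than dispatched."""
    try:
        parse(data)
        return False
    except ValueError:
        return True


# Constructed request: CON GET /sensors/temp with a 2-byte token.
SAMPLE_GET = encode(TYPE_CON, CODE_GET, 0x1234, token=b"\xab\xcd",
                    options=[(OPT_URI_PATH, b"sensors"), (OPT_URI_PATH, b"temp")])
```

Every length the parser trusts (token length, option extension, option value, payload) is bounds-checked against the datagram before it is used as a slice index; on a constrained device written in C the same checks are what stand between a crafted datagram and an out-of-bounds read, which is the kind of firmware vulnerability the sensing-layer discussion in Chap. 2 is about.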

IoT Physical Devices and Operating Systems

IoT devices are often built on hardware with constraints in physical size. This limitation is related to the use of IoT devices in different domains. For instance, thousands of sensors could be used to monitor soil moisture and humidity on a big farm, so if the IoT devices are large, it is more difficult to place them on the farm’s physical elements such as plants or reservoirs. Furthermore, this physical size constraint limits the hardware resources (memory, processing, storage) and the power source. Therefore, specific operating systems, called real-time operating systems (RTOS), have been developed for IoT devices, customized for this size and for real-time processing. Some RTOSs are Green Hills IntegrityOS, TinyOS, Contiki, Mantis, FreeRTOS, BrilloOS, and Ubuntu Core. More details of operating systems for IoT are shown in Table 1.5. IoT devices could be targeted to steal account passwords, cryptographic keys, and configuration settings stored on the device. In addition, the hardware resource limitations of IoT devices could limit the inclusion of security mechanisms. However, an RTOS needs to provide security features such as security kernels, high-assurance process isolation, information flow control, and/or tightly integrated cryptography.


Table 1.3 Some communication technologies used in IoT systems

Technology | Range | Power consumption | Data rate | Topology
BLE | 100 m | 10–50 mW | 1 Mbps | Mesh, Star
WiFi | 70–100 m | 80 mW | 802.11ax 2.4 Gbps; 802.11ac wave 2 1.73 Gbps; 802.11n 450 Mbps | Mesh, Star
Zigbee | 300 m outdoor with line of sight, 75–100 m indoor | 10 mW | 20 kbps, 40 kbps, 100 kbps, 250 kbps | Mesh, Star
LoRa | 5 km (urban), 20 km (rural) | 20 mW | 27 kbps | Mesh, Star
Sigfox | 10 km (urban), 40 km (rural) | 0.21–0.24 mW | 100 bps | Mesh, Star
NB-IoT | 1 km (urban), 10 km (rural) | 0.21–0.24 mW | 200 kbps | Mesh, Star

Fig. 1.11 Protocols and technologies used in IoT systems organized by layers

IoT Vulnerabilities

Security challenges in IoT systems arise from vulnerabilities in any of the layers of the IoT architecture. Additionally, each IoT node (device, gateway, server) depends on other IoT nodes; therefore, the vulnerabilities of one IoT node could allow an attack to be amplified through a cascading effect. From a security perspective, the inclusion of IoT systems expands the attack surface of the city due to the number of IoT nodes installed, the interconnection with multiple networks, and the several vulnerabilities in each IoT layer. The attack surface is based on four elements:

• Channel: includes protocols, transmission channels (communication media), and input/output ports
• Attack: includes all types of attacks against critical assets
• Data: includes the data in its different stages: at rest and in transit; stored or being processed
• Method: includes the methods and techniques used to carry out attacks

Table 1.4 Some protocols and technologies used in IoT systems

Layer | Protocol | Description
Application | MQTT | Publish/subscribe model connecting clients with a broker server. The broker determines which clients should receive the messages generated in a specific topic. MQTT-SN is an optimized version for WSN. It is built over TCP
Application | CoAP | Request/response communication that operates with a set of messages (GET, POST, PUT, and DELETE) and Uniform Resource Identifiers (URIs). It is built over UDP
Application | XMPP | Extensible Messaging and Presence Protocol (XMPP) uses publish/subscribe and request/response models, and it is based on Jabber Instant Messaging (IM). Supports the transmission of XML messages over TCP transport. XMPP-IoT is an IoT-adapted version of XMPP
Application | REST | REST (REpresentational State Transfer) is an architectural style for developing web services that can also be used for IoT services
Communication | Cellular | LTE operates in a frequency band of 600 MHz to 5.25 GHz, with a channel bandwidth of 20 MHz, a data rate of 1 Gbps, and a latency of 15 ms. 5G uses frequency bands of 600 MHz to 80 GHz, channel bandwidth of 100 MHz below 6 GHz and 400 MHz above 6 GHz, data rates of 20 Gbps, and a round-trip latency of 1 ms
Communication | WiFi | Standardized as IEEE 802.11. Data rates of 600 Mbps in IEEE 802.11n and 7 Gbps in IEEE 802.11ac. IoT operates in the 2.4 and 5 GHz bands
Communication | LPWAN | LoRa data rates of 50 bps to 300 kbps. LoRa uses a star-of-stars topology, where gateways relay messages between end devices and a central server. LoRa has three types of devices (Classes A, B, and C). Sigfox uses an unlicensed band with 100 Hz bandwidth and is constrained to 140 messages per day with a 12-byte payload. NB-IoT uses a bandwidth of 200 kHz and a data rate of 250 kbps. The three technologies support a battery life of 10 years
Sensing | Bluetooth | IEEE standard 802.15.1. Data packets are sent in channels of 1 MHz bandwidth between 2.402 and 2.480 GHz. Bluetooth Low Energy (BLE) is customized for IoT. BLE defines 40 usable channels, 3 advertisement channels and 37 data channels. The maximum number of devices in any given Bluetooth mesh network is 32,767
Sensing | NFC/RFID | Based on 802.15.4 Low-Rate Wireless Personal Area Networks (LR-WPAN). Includes IPv6 with UDP header compression
Sensing | Zigbee | Zigbee operates in the unlicensed band at 2.4 GHz and optionally at 868 or 915 MHz. It uses 16 channels of 2 MHz bandwidth, and it can connect up to 255 devices. Data rates range from 20 to 250 kbps

Table 1.5 Operating systems’ development for IoT systems

Operating system | Private/open source | Features
Zephyr | Open | Based on the Apache License. Supports boards such as AVR, MSP430, ESP8266, ESP32
Apache Mynewt | Open | Preemptive multithreading; multitasking
Windows IoT | Proprietary | User-friendly UI. Could be used on Raspberry Pi architecture. Runs on both ARM and x86/x64 devices
Amazon FreeRTOS | Proprietary | Easy to connect to AWS IoT and AWS Greengrass. Supports multiple threads and shared memory. Does not need smart gateways. Could use MQTT to communicate with the Greengrass core
TinyOS | Open | Uses nesC programming. Low power consumption
Contiki | Open | Useful to build complex wireless systems such as 6LoWPAN, RPL, CoAP
VxWorks | Proprietary | Multicore support for AMP and SMP
Nucleus RTOS | Proprietary | Developed by Siemens. Multicore support for xAMP and SMP. Support for UI graphics
UbuntuCore | Open | Full disk encryption. Supports protocols such as RPL, UDP, and CoAP

1.2 Summary

The management and planning of cities to respond to the effects of urban mobility, population growth, health and quality of life, pollution and waste management, among others, through the use of methods and mechanisms that are environmentally friendly and sustainable in the use of resources, have driven the adoption by cities around the world of a new management model called “Smart City.” Smart city models are supported by the use of technologies and data-driven decision-making. Technologies such as IoT, big data, cloud, and machine learning have enabled the development of applications in the domains of health, energy, transportation, homes, and e-government, supporting plans and actions in the pillars of the city such as economy, government, and sociocultural development. However, the hyper-connectivity and heterogeneity resulting from technological solutions can open the door to cyber-attacks that pose a risk to the city’s daily operations. Understanding this security issue in smart cities and identifying its possible causes (threats, vulnerabilities) will establish adequate security mechanisms (safeguards) to protect the city’s critical assets. In this context, applying a risk management methodology can be vital for city managers to minimize and control the impact of cyber-attacks.

References

1. R. Román-Castro, J. López and S. Gritzalis, “Evolution and Trends in IoT Security,” in Computer, vol. 51, no. 7, pp. 16–25, July 2018, https://doi.org/10.1109/MC.2018.3011051.
2. Li J., Ou X., Rajagopalan R. (2010) Uncertainty and Risk Management in Cyber Situational Awareness. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA.
3. Alvarez-Palau, E.J.; Martí-Henneberg, J.; Solanas-Jiménez, J. Urban Growth and Long-Term Transformations in Spanish Cities Since the Mid-Nineteenth Century: A Methodology to Determine Changes in Urban Density. Sustainability 2019, 11, 6948. https://doi.org/10.3390/su11246948
4. Urbanization and migration. (2021). Retrieved 2 June 2021, from https://migrationdataportal.org/themes/urbanisation-et-migration
5. Society, N. (2021). The Age of Megacities. Retrieved 2 June 2021, from https://www.nationalgeographic.org/interactive/age-megacities/
6. Fewer people are using public transportation in the US. Here’s why that’s trouble in the long run. (2021). Retrieved 2 June 2021, from https://news.northeastern.edu/2020/08/13/fewer-people-are-using-public-transportation-in-the-us-heres-why-thats-trouble-in-the-long-run/
7. Andrasfay, T., and Goldman, N. (2021). Reductions in 2020 US life expectancy due to COVID-19 and the disproportionate impact on the Black and Latino populations. Proceedings of the National Academy of Sciences, 118(5), e2014746118. https://doi.org/10.1073/pnas.2014746118
8. Life expectancy at birth, total (years) - United States | Data. (2021). Retrieved 2 June 2021, from https://data.worldbank.org/indicator/SP.DYN.LE00.IN?locations=US
9. Cristea, M.; Noja, G.G.; Stefea, P.; Sala, A.L. The Impact of Population Aging and Public Health Support on EU Labor Markets. Int. J. Environ. Res. Public Health 2020, 17, 1439. https://doi.org/10.3390/ijerph17041439
10. PRB. The U.S. Population Is Growing Older, and the Gender Gap in Life Expectancy Is Narrowing | PRB. (n.d.). Retrieved June 2, 2021, from https://www.prb.org/resources/u-s-population-is-growing-older/
11. United States Census Bureau. Older Population in Rural America. (n.d.). Retrieved June 2, 2021, from https://www.census.gov/library/stories/2019/10/older-population-in-rural-america.html
12. Carbon Pollution from Transportation | Transportation, Air Pollution, and Climate Change | US EPA. (n.d.). Retrieved June 2, 2021, from https://www.epa.gov/transportation-air-pollution-and-climate-change/carbon-pollution-transportation
13. Archundia, D., Duwig, C., Spadini, L., Uzu, G., Guédron, S., Morel, M. C., Cortez, R., Ramos Ramos, O., Chincheros, J., and Martins, J. M. F. (2017). How Uncontrolled Urban Expansion Increases the Contamination of the Titicaca Lake Basin (El Alto, La Paz, Bolivia). Water, Air, and Soil Pollution, 228(1), 1–17. https://doi.org/10.1007/s11270-016-3217-0
14. Statista. Most polluted cities in Mexico 2020 | Statista. (n.d.). Retrieved June 2, 2021, from https://www.statista.com/statistics/1029122/mexico-air-pollution-city/
15. World Economic Forum | WEF. The rise of online learning during the COVID-19 pandemic. (n.d.). Retrieved June 2, 2021, from https://www.weforum.org/agenda/2020/04/coronavirus-education-global-covid19-online-digital-learning
16. Statista. Italy: online school classes due to coronavirus 2020 | Statista. (n.d.). Retrieved June 2, 2021, from https://www.statista.com/statistics/1106536/online-school-classes-due-to-coronavirus-in-italy/
17. UNICEF and Università Cattolica. 1 in 3 Italian families unable to support children’s remote learning during the lockdown. (n.d.). Retrieved June 2, 2021, from https://www.unicef-irc.org/article/2109-1-in-3-italian-families-unable-to-support-childrens-remote-learning-during-the-lockdown-unicef-and-università-cattolica.html
18. Statista. Online Food Delivery - Worldwide | Statista Market Forecast. (n.d.). Retrieved June 2, 2021, from https://www.statista.com/outlook/dmo/eservices/online-food-delivery/worldwide
19. Habitat III. (n.d.). Retrieved June 2, 2021, from https://habitat3.org/
20. F. Casino, E. Batista, C. Patsakis and A. Solanas, “Context-aware recommender for smart health,” 2015 IEEE First International Smart Cities Conference (ISC2), 2015, pp. 1–2, https://doi.org/10.1109/ISC2.2015.7366176
21. O. B. Mora, R. Rivera, V. M. Larios, J. R. Beltrán-Ramírez, R. Maciel and A. Ochoa, “A Use Case in Cybersecurity based in Blockchain to deal with the security and privacy of citizens and Smart Cities Cyberinfrastructures,” 2018 IEEE International Smart Cities Conference (ISC2), 2018, pp. 1–4, https://doi.org/10.1109/ISC2.2018.8656694.
22. R. O. Andrade, S. G. Yoo, L. Tello-Oquendo and I. Ortiz-Garcés, “A Comprehensive Study of the IoT Cybersecurity in Smart Cities,” in IEEE Access, vol. 8, pp. 228922–228941, 2020, https://doi.org/10.1109/ACCESS.2020.3046442
23. Sánchez-Corcuera, R., Nuñez-Marcos, A., Sesma-Solance, J., Bilbao-Jayo, A., Mulero, R., Zulaika, U., Azkune, G., and Almeida, A. (2019). Smart cities survey: Technologies, application domains and challenges for the cities of the future. International Journal of Distributed Sensor Networks. https://doi.org/10.1177/1550147719853984
24. B. Hamid, N. Jhanjhi, M. Humayun, A. Khan and A. Alsayat, “Cyber Security Issues and Challenges for Smart Cities: A survey,” 2019 13th International Conference on Mathematics, Actuarial Science, Computer Science and Statistics (MACS), 2019, pp. 1–7, https://doi.org/10.1109/MACS48846.2019.9024768.
25. Nassar A.S., Montasser A.H., Abdelbaki N. (2018) A Survey on Smart Cities’ IoT. In: Hassanien A., Shaalan K., Gaber T., Tolba M. (eds) Proceedings of the International Conference on Advanced Intelligent Systems and Informatics 2017. AISI 2017. Advances in Intelligent Systems and Computing, vol 639. Springer, Cham. https://doi.org/10.1007/978-3-319-64861-3_80

Chapter 2

Uncertainty and Its Role in IoT Risk Management

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. R. O. Andrade et al., Cybersecurity Risk of IoT on Smart Cities, https://doi.org/10.1007/978-3-030-88524-3_2

2.1 Evaluating the Security in IoT Systems

The inclusion of technological solutions in modern cities opens the possibility of new attacks that can significantly affect the continuity of cities’ service operations. Therefore, from a cybersecurity perspective, there is a need to reduce the impact of these attacks through technical and non-technical controls [1]. However, improving cybersecurity has an investment cost; for that reason, security experts must prioritize the risks that affect the group of assets that could have the most significant impact. Furthermore, a smart city faces uncertainty about security attacks: when, how, and where they occur, which attack vectors are used, and the level of impact or severity of the loss. To try to control this uncertainty, one security strategy is to analyze and manage the potential cyber risks [2].

Two security maturity models could be used to evaluate the security maturity of cities, namely C2M2 and NIST. Because the NIST model has the subcategories “Business Environment” and “Governance,” it allows the maturity model to be associated with the organizational strategy, whereas in C2M2 this association is made indirectly through the “Situational awareness” domain. Furthermore, NIST requires the development of a risk assessment, while C2M2 does not consider it. However, the C2M2 model can be used complementarily as a first step to apply the NIST framework. A relevant aspect of NIST is that its runtime is higher compared to C2M2. The following are some features of these two models.

The Cyber Security Capability Maturity Model (C2M2) measures the maturity of the cybersecurity capabilities of systems. This model considers the following ten domains:

• Situational awareness
• Risk management
• Asset, change, and configuration management
• Identity and access management
• Threat and vulnerability management
• Information sharing and communications
• Event and incident response
• Continuity of operations
• Supply chain and external dependencies management
• Workforce management and cybersecurity program management

The NIST Cybersecurity Framework consists of five categories:

1. Identify
• Asset management
• Business environment
• Governance
• Risk assessment
• Risk management strategy
• Supply chain risk management

2. Protect
• Identity management
• Authentication and access control
• Awareness and training
• Data security
• Information protection processes and procedures
• Maintenance
• Protective technology

3. Detect
• Anomalies and events
• Security continuous monitoring
• Detection processes

4. Respond
• Response planning
• Communications
• Analysis
• Mitigation
• Improvements

5. Recover
• Recovery planning
• Improvements
• Communications

Each model has its strengths, and their combination could be used to assess the security level of a smart city. For example, to evaluate the security of an IoT ecosystem in the smart city domain, we propose a maturity model based on four processes that could be covered by applying NIST and C2M2 activities (see Fig. 2.1).

Fig. 2.1 Security model for IoT includes the four macro activities of NIST and C2M2

The first step in evaluating the security of the IoT ecosystem in the smart city is to establish the “Cybersecurity Situation Awareness.” This step is necessary to identify the city’s critical assets. These assets could include critical infrastructure, city services, and urban infrastructures. The process of evaluating the city’s critical assets could be complex, considering the number of assets in the city and the high impact that some of them could have on the normal development of the city’s activities. Therefore, in this step, it is necessary to formalize an exemplary categorization process. For example, it could be based on the number of affected citizens, type of service (e.g., essential services such as water or energy provision), social impact (e.g., level of impact on older adults), or operational impact (e.g., traffic lights). An alternative for identifying critical assets could be to determine those that contribute to achieving specific cybersecurity measurements. Table 2.1 shows a set of common security and performance metrics for Cybersecurity Situation Awareness (CSA), developed based on the analysis of three components: network vulnerability assessment, attack risk evaluation, and mission impact analysis [2]. The second step is the establishment of the attack surface. The attack surface can be defined as the identification of the entry and exit points, channels, protocols, and accesses that are associated with the operability of the object [1]. The attack surface allows identifying the points that could be most vulnerable to a successful attack and those that could have a more significant impact.
In IoT, establishing an attack surface could be more complex due to factors such as the large number of IoT devices connected daily and the interoperability with different systems such as the cloud, transaction systems, and communication networks. To evaluate the IoT system, there are several architecture models proposed by international and academic organizations. We propose to use the International Telecommunication Union (ITU) model in its Y.2060 recommendation for that evaluation [2]. The attack surface can be established based on the components associated with the four layers of the model proposed by ITU.

Table 2.1 Security metrics for CSA [3]

Security metric (nomenclature)
Asset capacity (AC)
Average length of attack paths (ALA)
Compromised host percentage (CHP)
Exploit probability (EP)
Impact factor (IF)
Number of attack paths (NAP)
Network preparedness (NP)
Network resilience (NR)
Operational capacity (OC)
Resource redundancy (RR)
Service availability (SA)
Shortest attack path (SAP)
Severity score (SS)
Vulnerable host percentage (VHP)

The third step is to prioritize the assets that could have a higher risk or impact when attacked. In this step, qualitative or quantitative risk analysis methodologies could be used. However, the context of IoT presents some challenges for risk analysis methodologies, so it is crucial to analyze which one is more adaptable to the dynamism of the IoT ecosystem. In general, a security risk is expressed in terms of threats, vulnerabilities, and impact:

• Risk = Vulnerability x Threat x Asset Value x Probability of Occurrence [3]

The elements of a risk assessment [4], in a general view, are the following:

• Calculation of asset value: estimate which assets may require more resources for their security based on their criticality.
• Calculation of potential loss: estimate the confidentiality, integrity, availability, productivity, and liability breaches.
• Measurement of security spending: measure the enterprise-wide security spending.
• Attack risk analysis: define a risk model as follows: manifest risk (the ratio of malicious events to total events), inherent risk (the likelihood that system configurations will contribute to a compromise), and contributory risk (a measure of process errors or mistakes made during operations).


2.2 Define the IoT Attack Surface

Features of IoT systems such as heterogeneity and a lack of security by design introduce new challenges from a cybersecurity perspective [5]. For example, modeling attack surfaces in the city could be a challenge due to the number of IoT nodes installed, the interconnection with multiple networks, and the possibility of several vulnerabilities on each layer of the information model of the smart city architecture [6]. To better understand attack surfaces in IoT systems, the following subsections describe each layer’s security features.

2.2.1 Sensing Layer Attack Surface

Physical Device Security, Hardware and Firmware Vulnerabilities

Physical security focuses on physical access to IoT components (devices, fog/cloud platform, or app). The goal of an attacker is to gain access and take control of power, memory, and processing capabilities. Once inside the IoT component, the attacker could obtain sensitive key material, passwords, configuration data, and other sensitive parameters. Attackers take advantage of the places where IoT devices are located and use JTAG or UART to gain access, or steal the SD cards if the devices lack tamper control mechanisms (tamper-proof enclosure, automatic wiping of memory). For example, an attacker could tamper with an eMMC flash chip and, through a standard SD card reader, retrieve the firmware, operating system, and software used by the IoT device, and then through the UART pins access a command prompt with the capability to execute commands [7]. JTAG and UART are the hardware access points for the debugging process. Through debug access, an attacker could read the contents of memory and registers and follow the instruction flow. Debug interfaces are helpful during the development and testing stages, but they should be disabled in the production stage to prevent attackers from gaining access to a root shell. However, the attacker could also solder onto the transmission (TX) and reception (RX) pins of JTAG and UART to gain access. So, IoT devices located outdoors must use tamper-resistant enclosures. Firmware-related vulnerabilities for IoT devices are similar to those of computers or networking devices. With access to firmware, an attacker can look for vulnerabilities and introduce new security holes. This can be achieved by downloading the firmware, modifying it, and re-uploading it to the device with a backdoor or other new vulnerabilities [8]. Sensors on IoT devices could also be attacked. In general, attackers focus on injecting false patterns into sensors to alter the information used by decision-makers or by automated processes. Some attacks on sensors are the following:


• Information leakage; sensors could be exploited to get sensitive data. Techniques such as eavesdropping or keystroke inference could be used.
• Malicious information, patterns, and commands; an attacker could use malicious information to change the behavior of IoT systems. Through attacks on sensors, the attacker could also create extra communication channels.
• Fake sensor data injection; an attacker introduces fake sensors to inject false data, modifying the IoT behavior or the information provided to decision-makers.
• RFID/NFC attacks; attackers access physical spaces through the drawbacks of RFID/NFC systems. Some techniques are RFID/NFC spoofing, RFID/NFC cloning, and RFID/NFC unauthorized access.

2.2.2 Communication Layer Attack Surface

The communication layer of the IoT is responsible for transporting data between devices, gateways, fog, cloud, and applications. Therefore, security defenses need to be considered for all elements of the IoT system’s attack surface. Elements of the IoT attack surface on the communication layer could include vulnerabilities in the following:

• The sensor network
• The IoT gateway
• The enterprise IT network

TCP/IP is one of the most used communication protocol stacks in IoT systems. However, the TCP/UDP protocols are vulnerable to port scanning. Threat actors conduct port scans of target devices to discover which services are available. Port scanners can supply very detailed information about the services running on the network, and these services can then be vulnerable to exploitation by threat actors. Therefore, network services such as Telnet and other undesirable applications should not run on IoT devices. Attackers could also use obscure port numbers. So, any IoT node must be evaluated to identify the communication protocols enabled on it by default and which listening ports are open [9]. Poor handshake methods could let an attacker obtain control data. During the handshake process, IoT devices could share sequence numbers or passwords; the latter could be used by an attacker to gain access to organizational systems. The use of incorrect versions of SSL in broker-based messaging protocols could make the communication insecure; an attacker could carry out man-in-the-middle (MITM) and TLS renegotiation attacks [10] (Table 2.2).


Table 2.2 Cyber attacks on the communication layer

Technique | Description
Sinkhole | Compromised node tries to attract network traffic by advertising a fake routing update [11]
Wormhole | Attacker records packets at one location in the network, then tunnels them to another location [12]
Blackhole | Attacker becomes parent over an active area to attract packets [13]
Flooding | Malicious node in IoT consumes network resources such as bandwidth and node processing capability [14]
Increased rank | The malicious node increases its rank value to force its neighbors to choose another parent [15]
Decreased rank | The malicious node decreases its rank value to attract neighboring nodes to choose it as a preferred parent [15]
Version attack | Malicious node can change the version number in control messages and force the network to rebuild over and over again [16]
Sniffing | The attack can successfully transmit the captured packets of the victim device to the attacker [17]

2.2.3 Data Layer Attack Surface

Data in motion can be intercepted, damaged, or altered. In addition, applications could have access to data storage areas of mobile devices, even when they do not need it. Therefore, data storage must be secured, and applications must be tested to ensure there is no data leakage. Data processing occurs at the gateway, fog, or cloud components; weak (short-key) cryptography could expose sensitive data. Data is shown in dashboards for better understanding. Data presentation must be done in a secure environment that prevents unauthorized users from accessing the information. However, attackers could use shilling attacks to introduce “shilling profiles” that alter ratings in order to affect recommendations in decision support systems or recommender systems [18].

2.2.4 Application Layer Attack Surface

Mobile Applications

Compromised mobile applications give threat actors access to and control of mobile devices. Insecure authentication of app sessions does not provide a process to identify users when necessary. Session management and authentication can be incorrectly implemented; this allows the attacker to discover keys and passwords or masquerade as other users. Not everyone follows the password policy. Attackers try to crack passwords to gain access to the target system. The biggest problem with passwords is the user, because users choose passwords that are easy to remember and easy to crack. Mobile apps use features built into the platforms such as TouchID, Keychain, and Android intents, but these options could also be attacked [19]. If these security controls are misused or misconfigured, access to the IoT device and other apps could be compromised.

Web Applications

Attackers can execute commands in an interpreter to access data without authorization; an injection attack often targets the SQL or NoSQL queries performed by an application. Application programming interfaces (APIs) and web applications could expose sensitive data. A threat actor may use this data to perform identity theft and commit fraud. OWASP defines the top ten attacks on web applications [22]:

• Injection
• Broken authentication
• Sensitive data exposure
• XML external entities (XXE)
• Broken access control
• Security misconfigurations
• Cross-site scripting (XSS)
• Insecure deserialization
• Using components with known vulnerabilities
• Insufficient logging and monitoring

2.3 Evaluation of Security Risk on IoT Attack Surface

Sensorization of smart cities is based on IoT systems due to their easy deployment and adaptability to different technologies such as RFID and NFC and networks such as Zigbee, WiFi, Bluetooth, and LoRa. However, IoT could have some security issues due to drawbacks of IoT solutions such as:

• Limited hardware capacity
• Reduced security at the time of IoT solution design
• Interconnection with a heterogeneity of technologies
• Implementation on different types of devices (Arduino and Raspberry)
• Difficulty in firmware update processes

Establishing security strategies to ensure the continuity of city operations and citizens’ privacy in a context where there are multiple types of attacks and attackers, various protocols, networks, and devices could be a complex challenge. For this reason, one of the first steps to establish a current security situation awareness should be to develop a risk analysis. However, IoT environments tend to present dynamic features in their topology, data flow, or traffic patterns. The components, relationships between nodes, and processes continuously change to support new business requirements or services in the city (see Fig. 2.2). For example, new IoT devices could be added in the different verticals of the city, or IoT devices could incorporate new functionalities by modifying their software; this will generate a different behavior of the IoT device, possibly opening new network ports or establishing connections with new networks, services, and critical city infrastructures.

Fig. 2.2 Cause of the dynamic of IoT systems

From the perspective of technology, the sources of change that generate dynamics in IoT systems can be summarized in the following key points:

• Scalability; new connected devices, new networks, and new services are built to support the requirements of different city stakeholders (citizens, organizations, and enterprises). Additionally, there is a massive growth of data generated by IoT devices.
• Speed; transmission speeds between IoT devices have increased. The use of 5G and 6G technologies has been considered to support IoT environments.
• Inter-connectivity; the number of IoT devices connected to the network could reach a billion by 2030. IoT devices can be connected to different networks such as WiFi, Bluetooth, Sigfox, and NB-IoT.
• Diversity of devices; IoT connected devices are of different types, among which we can mention smart TVs, refrigerators, smart lights, and sensors, among others.


From a security perspective, the dynamics of IoT systems generate the following aspects:

• Complexity; hyper-connected environments with multiple nodes geographically distributed at the city level extend the attack surface, which generates a higher probability of cyber-attack risk. Additionally, hyper-connectivity can increase the likelihood of cascading effects, where an attack on a single node can expand its impact to other nodes in the IoT environment. Due to the many devices and interconnections, it can be complex to maintain complete control at the time of a cyber-attack.
• Software flaws; the need to deliver a new product that meets the needs of the city in a timely manner, or, from the perspective of companies, to release a new product before the competition, can cause the product to lack an adequate level of security. While software quality testing has been widely used in software application development, it is still a developing area in the IoT solution environment.
• Propagation of threats through the attack surface; hyper-connectivity allows a threat to propagate through the different elements that make up the attack surface of IoT environments. Additionally, due to the size of the attack surface, a threat can take different paths or infect multiple devices in the IoT environment.
• Timing of attacks; attackers exploit IoT vulnerabilities to reach critical infrastructure. This can allow an attacker to take advantage of a specific moment to perform multiple attacks that generate more significant disruption or chaos, for example, an attack on critical infrastructure associated with healthcare during a health pandemic.
• Opacity; IoT systems work in conjunction with machine learning algorithms. Algorithms could be manipulated without the manipulation being detected by humans; explainable machine learning is one response to this opacity.
• New attack vectors; these focus on insecure technologies, unauthorized access, and outsourcing risks.
• Growth in harm; cyber-attacks have grown in their level of social, economic, or environmental impact. The World Economic Forum has ranked cyber-attacks among the top ten threats to the global economy. This context has prompted the consideration of security attacks as a source of systemic risk, which has been widely researched in the banking environment.
• Cascade harms; the inter-connectivity between IoT devices could allow an attack on a single device to be repeated against another attached device.

The security issues generated by IoT dynamics create uncertainty in the security management process due to:

• The identification of vulnerabilities in dynamic and large-scale environments.
• Malware can take any of the n paths of the IoT environment for its propagation.
• The attack can exploit any of the n vulnerabilities.
• Any set of n nodes in the IoT environment can be part of cascading effects.


There are a number of methodologies for modeling the attack surface and assessing the impact of threats. Tables 2.3 and 2.4 show the attack surface modeling for a smart traffic scenario using STRIDE and the threat impact assessment using DREAD. STRIDE identifies the presence of the following threats in the system: spoofing identity, tampering with data, repudiation threats, information disclosure, denial of service, and elevation of privilege, while DREAD prioritizes the severity of the risk presented by each threat classified using STRIDE, based on the scores for damage, reproducibility, exploitability, affected users, and discoverability of the threat in the system.

Table 2.3 Modeling threats in attack surface using STRIDE

Threat | Device layer | Communication layer | Application layer
Spoofing | False sensors can be added to the network | False access point intercepts and decodes traffic | Fake mobile apps could steal data
Tampering | Sensors can be manipulated to produce false data | Fake device can join network and submit false data | Unsecured messaging protocols (MQTT) could allow false data to be submitted into the system
Repudiation | Time stamping tampered on sensors | Time stamping tampered on gateways | Logging not configured in mobile apps
Information disclosure | Firmware can be decompiled and files inspected for credentials | Gateway could be compromised for sniffing | Fake apps could steal information
Denial of service | Power source of sensors can be disconnected | Replay attack consumes network resources | Repeated brute force attacks intentionally lock out legitimate users
Escalation of privilege | Theft of passwords through access to firmware | Weak password on gateways allows access to network information and control | Weak or default passwords on stolen phone can enable unauthorized users to access and control the system

Table 2.4 Modeling impact of threat in attack surface using DREAD

Threat to attack surface | D | R | E | A | D | Total
Physical device—firmware can be decompiled and file system and files inspected for credentials | 2 | 3 | 2 | 2 | 2 | 11
Physical device—data can be faked by bogus devices or injected by man-in-the-middle attacks | 2 | 3 | 2 | 1 | 2 | 10
Communications—ICMP DoS ping attack from outside IP network | 2 | 3 | 1 | 3 | 2 | 11
Communications—a lack of message or payload authentication enables false data to be sent on the network | 3 | 3 | 2 | 2 | 2 | 12
Application—unchanged default passwords enable making IoT devices into bots that work in DDoS attacks | 2 | 3 | 3 | 3 | 2 | 13
Application—weak or default passwords can enable unauthorized users to access a lost or stolen phone and control the system | 2 | 3 | 2 | 2 | 2 | 11

The effects of the dynamics of IoT have some degree of uncertainty. For instance, there is uncertainty about which of the n paths may be selected for malware propagation, which nodes might be affected by the cascading effect, or the techniques used for developing the attack.

2.4 Uncertainty in the Evaluation of Cyber Risks in IoT

In the context of IoT, there is a set of uncertain values, and the probability of an attack on an IoT device depends on factors such as:

• The attacker decides not to attack the IoT device after attacking all IoT gateways.
• The attack fails due to the type of exploit or technique used by the attacker.
• The capability to define the true path; an attacker could constantly change the attack vector path.
• CTPs could be defined from vague judgments.
• Infeasibility of asking a human expert for each CTP parameter when modeling the attack.

To understand the role of uncertainty in the evaluation of cyber risk on IoT systems, three scenarios of uncertainty are analyzed: in the attack structure, in the attack’s effectiveness, and in the action of the attacker.

Uncertainty in Attack Structure

Figure 2.3 represents a generic IoT architecture built from an IoT server (A), an IoT cloud (B), two IoT gateways (C1, C2), and an IoT device (D). A possible representation of the attack surface of the generic IoT infrastructure is illustrated in Fig. 2.4. The possible conditional probability tables (CTP) indicate that if all of D’s parents are true, D’s probability is 0.8. In other words, if the two IoT gateways are being attacked, the probability of an attack on the IoT device is 80%. The value of 0.8 was established based on the criterion that achieving a 100% successful attack depends on the type of attack and the technique used. Thus, the value of 0.8 could be established by expert judgment, but it also depends on the vulnerabilities of the IoT devices and the level of access the attacker has obtained on the IoT gateways. Based on the assumption that the attacker decides to attack IoT device D1, the attacker could first decide to attack IoT gateway C1 and then execute the attack on D1 from C1. Nevertheless, the attacker could also decide to attack IoT gateway C2 and then execute the attack on D1. In a similar scenario, the attacker could access IoT device D2 and then execute the attack from D2 to D1. The attack surface defines the possible entry and exit points for developing the attack; it also considers the channels and protocols used for communication that could be used during a cyber-attack.
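The attack-structure scenario above can be evaluated as a small Bayesian attack graph. The following Python is an added example, not the book’s code: node names follow the chapter, P(D1 | C1, C2) = 0.8 is the value the text gives, and the edges and every other prior and CPT entry are assumed placeholders. It also scores each root-to-D1 path (the uncertainty about which path the attacker takes) and shows how a control on one gateway changes the device’s risk.

```python
"""Bayesian attack graph for the IoT scenario of Figs. 2.3 and 2.4.

Added example, not code from the book. Node names follow the chapter
(server A, cloud B, gateways C1/C2, devices D1/D2); P(D1 | C1, C2) = 0.8 is the
value the text gives, while the edges and every other probability are assumed
placeholders chosen for illustration.
"""
from itertools import product

# A network is {node: (parents, cpt)} where cpt maps a tuple of parent truth
# values to P(node compromised | parents); root nodes use the empty tuple.
IOT_ATTACK_GRAPH = {
    "A":  ((), {(): 0.6}),   # internet-facing IoT server (assumed prior)
    "B":  ((), {(): 0.3}),   # IoT cloud (assumed prior)
    "C1": (("A", "B"), {(True, True): 0.7, (True, False): 0.6,
                        (False, True): 0.4, (False, False): 0.0}),
    "C2": (("A", "B"), {(True, True): 0.7, (True, False): 0.6,
                        (False, True): 0.4, (False, False): 0.0}),
    "D2": (("C2",), {(True,): 0.6, (False,): 0.0}),
    # Target device: 0.8 once both gateways are under attack, as stated in the
    # text; a single gateway, or only the D2 -> D1 path, gives the attacker less.
    "D1": (("C1", "C2", "D2"), {
        (True, True, True): 0.8, (True, True, False): 0.8,
        (True, False, True): 0.7, (True, False, False): 0.5,
        (False, True, True): 0.7, (False, True, False): 0.5,
        (False, False, True): 0.4, (False, False, False): 0.0}),
}


def joint_probability(bn, assignment):
    """Probability of one complete truth assignment of all nodes."""
    p = 1.0
    for node, (parents, cpt) in bn.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def probability(bn, query, evidence=None):
    """P(all query nodes compromised | evidence), by exact enumeration of the
    joint distribution (2^n terms, fine for an attack graph this size)."""
    evidence = evidence or {}
    nodes = list(bn)
    p_query = p_evidence = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[n] != v for n, v in evidence.items()):
            continue
        p = joint_probability(bn, assignment)
        p_evidence += p
        if all(assignment[n] for n in query):
            p_query += p
    return p_query / p_evidence if p_evidence else 0.0


def attack_paths(bn, target):
    """Every root-to-target path, scored by the probability that all of its
    nodes are compromised: the uncertainty about the attacker's path, ranked."""
    found = []

    def walk(node, path):
        parents = bn[node][0]
        if not parents:
            found.append((tuple(reversed(path)), probability(bn, path)))
        for parent in parents:
            walk(parent, path + [parent])

    walk(target, [target])
    return sorted(found, key=lambda item: item[1], reverse=True)


def with_control(bn, node, factor):
    """Copy of the network in which a control on `node` (a firmware fix, a
    disabled debug port) scales its compromise probabilities by `factor`."""
    parents, cpt = bn[node]
    return {**bn, node: (parents, {k: v * factor for k, v in cpt.items()})}


if __name__ == "__main__":
    g = IOT_ATTACK_GRAPH
    print(f"P(D1 attacked)             = {probability(g, ['D1']):.3f}")
    print(f"P(D1 | C1 and C2 attacked) = "
          f"{probability(g, ['D1'], {'C1': True, 'C2': True}):.3f}")
    for path, p in attack_paths(g, "D1"):
        print(f"  {p:.3f}  {' -> '.join(path)}")
    hardened = with_control(g, "C1", 0.25)
    print(f"P(D1 attacked) after hardening C1 = {probability(hardened, ['D1']):.3f}")
```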


Fig. 2.3 Generic architecture of IoT systems

Fig. 2.4 Attack paths in IoT generic scenario

The path of attack selected by the attacker could be based on the one that has the most of the components with vulnerabilities easily exploitable. However, the attacker could decide to use the more secure path and take advantage of zero-day attacks. So, there is uncertainty about the path used by an attacker. Uncertainty in Attack’s Effectiveness After the attacker selects the path for the attack, the second step is to exploit the vulnerabilities and then execute the actions to get the attack goal. For instance, the

36

2 Uncertainty and Its Role in IoT Risk Management

following attack process for DDoS attack is described in a summarized way, and nodes represent each step of the attack to show the probability of attack and the grade of dependency among steps of attack: • Node 1: The attacker scans for open ports • Node 2: Attacker sends bad packet to MTTQ subscriber. • Node 3: Attacker disrupts IoT service. Enabling node one and node 2 allows the enablement of node 3. The probability of attack could not be 100% because the tool or technique used for a DDoS attack could not be effective for the type of vulnerability present in the IoT system. In this context, to reduce the attack’s effectiveness, the action will be developing security strategies in two axes: • (i) Block the actions developed for the tool or technique. The problem is that there are a lot of techniques and tools. For instance, MITRE defines 185 techniques and 367 sub-techniques used in cyber-attacks [20]. Some of the techniques according to MITRE are described in Table 2.5. However, the attacker could use a mix of these techniques. • (ii) Reduce the number of vulnerabilities in the components of IoT systems to block the probability of attack. However, vulnerabilities are not static, new vulnerabilities could be created for new updates, or also, the inclusion of new IoT devices could come with new vulnerabilities. Therefore, to evaluate the vulnerabilities’ impact, metrics related to vulnerabilities are often defined; they are based on the relation between the vulnerability and the attack probability. In the context of the IoT layer, the attack complexity could be dependable on the level of security of each IoT layer, as depicted in Fig. 2.5. For example, there are many attacks on the application layer components, such as XSS or SQL injection attacks. However, IoT devices could add more gaps in security. For instance, IoT devices could be located outside, and the constraint of resources limits security mechanisms’ capabilities to physical or communication attacks. 
The predisposition of IoT devices to be a victim of attacks often depends on the vulnerabilities. For instance, exploitability CVSS metrics are based on indicators: access complexity, attack vector user interaction, privileges required, and scope. Access complexity is the metric that indicates the conditions beyond the attacker’s control to exploit the vulnerability, and the attack vector is the metric associated with the level of access required for an attacker to exploit the vulnerability. Establishing a value to the vulnerability allows defining a strategy of cyber-defense focus on controlling the flaws points, intending to reduce the weakness in the attack surface. An overview of the rest of the metrics of CVSS is presented in Fig. 2.6. Other vulnerabilities databases are the following: • • • •

NVD, The National Vulnerability Database CNVD, China National Vulnerability Database JVNDB, Japanese Vulnerability Database SVD, Software Vulnerability Disclosure

2.4 Uncertainty in the Evaluation of Cyber Risks in IoT

37

Table 2.5 Techniques used in cyber-attacks according to MITRE [20] Techniques Reconnaissance Resource development

Initial access Execution Persistence

Privilege escalation Defense evasion Credential access Discovery Lateral movement Collection

Command and control Exfiltration Impact

Mobile

Description Techniques for actively or passively gathering information Techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting Techniques that use various entry vectors to gain their initial foothold within a network Techniques that result in adversary-controlled code running on a local or remote system Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access Techniques that adversaries use to gain higher-level permissions on a system or network Techniques that adversaries use to avoid detection throughout their compromise Techniques to gain access to accounts when passwords are unknown or when password hashes are obtained Techniques an adversary may use to gain knowledge about the system and internal network Techniques that adversaries use to enter and control remote systems on a network Techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives Techniques that adversaries may use to communicate with systems under their control within a victim network Techniques to collected data, adversaries often package it to avoid detection while removing it Techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes Techniques to intercept or manipulate network traffic to and from the mobile device

• ICS-CERT-CN, Industrial Control Systems Cyber Emergency Response Team
• US-CERT, US-CERT Vulnerability Database

However, as with risk analysis methodologies, vulnerability metrics are mainly built for traditional IT systems and were not designed for IoT systems. There are now academic proposals to adapt these metrics to the evaluation of vulnerabilities in IoT systems.

Uncertainty in Attacker Action

Once the attacker reaches an attack goal, a new uncertainty arises about the attacker's next action: the attacker could attack a new IoT device, install a backdoor, or stop the attack. In this context, the scenarios described in Fig. 2.7 could appear. In these scenarios the attacker could produce a cascading effect, in which an attack on one IoT system propagates to several others (Fig. 2.7a); could affect several IoT systems through a common cause (Fig. 2.7b); or could launch independent attacks on IoT systems that may or may not be related to each other (Fig. 2.7c).

Fig. 2.5 Attack complexity depending on the IoT layer

Fig. 2.6 Types of vulnerability metrics according to CVSS

2.5 Management of Uncertainty

To summarize, two types of uncertainty are important to consider in security risk assessment (see Fig. 2.8):
• Epistemic uncertainty is associated with a lack of information due to subjectivity, vagueness, measurement errors, or ignorance about changes.
• Random (aleatory) or dynamic uncertainty is associated with natural variability or randomness. It concerns quantities whose probabilities can in principle be estimated, and it varies in both the spatial and the temporal dimension.

Fig. 2.7 Cascading effects. (a) Cascading. (b) Common cause. (c) Independent

Different types of uncertainty may require different approaches to identify and manage them. The management of uncertainty is a topic of interest in several research areas, and there is no easy way to manage it. According to [2], an administrator cannot completely monitor every computer in an organization; extrapolated to the smart city context, the problem of monitoring every sensor, IoT device, or smart device is even more pronounced (see Fig. 2.9), and monitoring every resource in the city could be expensive in terms of the tools and staff needed. According to [2], a combination of two approaches can be used to manage uncertainty:
1. The logical approach is based on deterministic logic in modeling: if the precondition of an attack is true, the post-condition is true. The problems with this approach are establishing the pre- and post-conditions and the inability to make a deterministic judgment about unknown (zero-day) vulnerabilities.
2. The statistical approach follows a statistical pattern to detect outliers (anomalous behaviors); however, the attacker can also find various ways to evade such detection.

Fig. 2.8 Types of uncertainties in evaluation of cybersecurity risks

Fig. 2.9 Management of uncertainty in evaluation of cybersecurity risks

Epistemic and aleatory uncertainty can be modeled mathematically. Epistemic uncertainty can be modeled with a parametric approach.


For instance, the modeling of epistemic uncertainty could consider the following aspects:
• Probabilistic events, either the occurrence of an event or the data values associated with it. These can be modeled with statistical models.
• Probabilistic impacts, the effect caused by a materialized risk. These can be modeled with Bayesian Network (BN) models.
• Period of exposure, the number of events observed during a period of time. This can be modeled with Poisson distributions.

The problem of uncertainty in IoT environments is that the scenario is non-deterministic and the probabilities of attack may not always be known. The dynamic IoT environment does not always allow historical data to be collected, and attacks can have a cascading effect, i.e., an attack on one node can propagate to other nodes. The cascade effect propagates the security incident and produces further disruptions. Initially there is no precision about which nodes could be attacked, and there is also a lack of information about which nodes could be affected by the cascade (epistemic uncertainty). The first step is to analyze the vulnerabilities of the different elements and define the probability that each vulnerability is exploited (static uncertainty). The next step is to define the possible attacks or threats that could affect the IoT systems. In organizations, intrusion detection systems (IDS) are used to identify anomalous patterns that could be signals of attacks; threats and attacks therefore present dynamic, temporal, and random behavior (dynamic uncertainty). When assessing the degree of dependency between nodes, the experts' subjectivity introduces a further uncertainty; to reduce this subjectivity, risk analysts can use the Fuzzy Delphi Method.
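The following Python code is an added example, not from the book, that makes two of the aspects above concrete on a constructed IoT dependency graph: the period of exposure as a Poisson count of attack events, and the probabilistic impact of a cascade as the probability that each node ends up compromised. It computes the cascade probabilities exactly by enumerating the joint outcomes and compares them with the noisy-OR shortcut that assumes parents are compromised independently; the two differ precisely in the common-cause case of Fig. 2.7b. The node names, probabilities, and impact values are assumptions chosen for illustration.

```python
"""Added example (not from the book): Poisson exposure and exact vs. noisy-OR cascade probabilities
on a constructed IoT dependency graph."""
import math
from itertools import product


def p_at_least_one_event(rate_per_day, days):
    """Period of exposure: events arrive as a Poisson process, so P(N >= 1) = 1 - exp(-lambda)."""
    return 1.0 - math.exp(-rate_per_day * days)


def _propagate(initial, active_edges):
    """Deterministic cascade along the active edges until no new node is reached (handles cycles)."""
    compromised = set(initial)
    changed = True
    while changed:
        changed = False
        for u, v in active_edges:
            if u in compromised and v not in compromised:
                compromised.add(v)
                changed = True
    return compromised


def cascade_exact(nodes, base, edges):
    """P(node compromised) by exact enumeration.
    base[n]: probability that n is exploited directly (e.g. estimated from its own vulnerability score).
    edges[(u, v)]: probability that a compromise of u propagates to v.
    Direct exploits and propagations are independent Bernoulli events; enumerating all
    2**(len(nodes)+len(edges)) outcomes is exact even when nodes share an ancestor (common cause)."""
    edge_list = list(edges)
    prob = {n: 0.0 for n in nodes}
    for direct in product((0, 1), repeat=len(nodes)):
        p_direct = 1.0
        for n, d in zip(nodes, direct):
            p_direct *= base[n] if d else 1.0 - base[n]
        if p_direct == 0.0:
            continue
        for active in product((0, 1), repeat=len(edge_list)):
            p = p_direct
            for e, a in zip(edge_list, active):
                p *= edges[e] if a else 1.0 - edges[e]
            if p == 0.0:
                continue
            hit = _propagate([n for n, d in zip(nodes, direct) if d],
                             [e for e, a in zip(edge_list, active) if a])
            for n in hit:
                prob[n] += p
    return prob


def cascade_noisy_or(nodes, base, edges):
    """Common shortcut: P(v) = 1 - (1 - base[v]) * prod(1 - P(u) * p_uv) over parents u,
    treating the parents' compromise states as independent. `nodes` must be in topological order."""
    prob = {}
    for v in nodes:
        q = 1.0 - base[v]
        for (u, w), p_uw in edges.items():
            if w == v:
                q *= 1.0 - prob[u] * p_uw
        prob[v] = 1.0 - q
    return prob


def expected_impact(prob, impact):
    """Expected loss given a per-node impact value (e.g. hours of service lost)."""
    return sum(prob[n] * impact[n] for n in prob)


# Constructed graph: one sensor feeds two gateways (common cause), both of which reach the platform.
NODES = ["sensor", "gateway-a", "gateway-b", "platform"]
BASE = {"sensor": 0.5, "gateway-a": 0.0, "gateway-b": 0.0, "platform": 0.0}
EDGES = {("sensor", "gateway-a"): 1.0, ("sensor", "gateway-b"): 1.0,
         ("gateway-a", "platform"): 0.5, ("gateway-b", "platform"): 0.5}
IMPACT = {"sensor": 1, "gateway-a": 10, "gateway-b": 10, "platform": 100}

if __name__ == "__main__":
    exact = cascade_exact(NODES, BASE, EDGES)
    approx = cascade_noisy_or(NODES, BASE, EDGES)
    print("exact    ", {k: round(v, 4) for k, v in exact.items()})
    print("noisy-OR ", {k: round(v, 4) for k, v in approx.items()})
    print("expected impact (exact):", expected_impact(exact, IMPACT))
    print("P(>=1 attack in 30 days at 0.1/day):", round(p_at_least_one_event(0.1, 30), 4))
```

In the constructed graph the noisy-OR estimate for the platform is 0.4375 while the exact value is 0.375, because both gateways are compromised only through the same sensor and the shortcut counts that shared cause twice. Exact enumeration is exponential, so for larger graphs a Bayesian network inference engine or Monte Carlo sampling replaces the loop, but the modeling choice (what counts as a direct exploit versus a propagation) stays the same.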

2.6 Summary

One of the steps in establishing a risk management plan is identifying the attack surface. In the context of IoT, this attack surface is built from the entry and exit points, protocols, and channels of each device and technology in each layer (sensing, communication, data, and application) of the IoT system. This generates a challenge from a security perspective due to the heterogeneity of technologies, protocols, and devices used in IoT systems. Additionally, complex, large environments that may have security gaps generate a level of uncertainty about the attack vector, the elements of the cyber-attack chain, and the possible actions of the attacker. Cyber risk analysis should therefore consider these uncertainty values within its evaluation process. The management of uncertainty can be based on logical or statistical approaches. However, in the context of IoT, with its multiple connections and dynamics (e.g., new devices are introduced every day), it is not feasible to rely on a simple deterministic rule such as "if node A is attacked, the next attack will be on node B". Using these approaches in conjunction with techniques for the analysis of cascading effects could therefore be an alternative for evaluating uncertainty values.

References

1. Manadhata, P. K., & Wing, J. M. (2011). A Formal Model for a System's Attack Surface. In Moving Target Defense. Springer.
2. ITU-T. (2012). A vision of Internet of Things. Retrieved from https://www.itu.int/rec/T-REC-Y.2060-201206-I/es
3. Cheng, Y., Deng, J., Li, J., DeLoach, S. A., Singhal, A., & Ou, X. (2014). Metrics of Security. In Cyber Defense and Situational Awareness. Springer.
4. Lindstrom, P. (2005). Security: Measuring Up. Retrieved from http://searchsecurity.techtarget.com/tip/Security-Measuring-Up
5. Anwar, R. W., Zainal, A., Abdullah, T., & Iqbal, S. (2020). Security Threats and Challenges to IoT and its Applications: A Review. 2020 Fifth International Conference on Fog and Mobile Edge Computing (FMEC). https://doi.org/10.1109/fmec49853.2020.9144832
6. Latif, S., & Zafar, N. A. (2017). A survey of security and privacy issues in IoT for smart cities. 2017 Fifth International Conference on Aerospace Science & Engineering (ICASE). https://doi.org/10.1109/icase.2017.8374288
7. Vishwakarma, G., & Lee, W. (2018). Exploiting JTAG and Its Mitigation in IOT: A Survey. Future Internet, 10(12), 121. https://doi.org/10.3390/fi10120121
8. Xie, W., Jiang, Y., Tang, Y., Ding, N., & Gao, Y. (2017). Vulnerability Detection in IoT Firmware: A Survey. 2017 IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS). https://doi.org/10.1109/icpads.2017.00104
9. Echeverría, A., Cevallos, C., Ortiz-Garces, I., & Andrade, R. O. (2021). Cybersecurity Model Based on Hardening for Secure Internet of Things Implementation. Applied Sciences, 11(7), 3260. https://doi.org/10.3390/app11073260
10. Liu, A., Alqazzaz, A., Ming, H., & Dharmalingam, B. (2021). IoTVerif: Automatic Verification of SSL/TLS Certificate for IoT Applications. IEEE Access, 9, 27038–27050. https://doi.org/10.1109/ACCESS.2019.2961918
11. Cervantes, C., Poplade, D., Nogueira, M., & Santos, A. (2015). Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things. 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 606–611. https://doi.org/10.1109/INM.2015.7140344
12. Hu, Y.-C., Perrig, A., & Johnson, D. B. (2006). Wormhole attacks in wireless networks. IEEE Journal on Selected Areas in Communications, 24(2), 370–380. https://doi.org/10.1109/JSAC.2005.861394
13. Ali, S., Khan, M. A., Ahmad, J., Malik, A. W., & ur Rehman, A. (2018). Detection and prevention of Black Hole Attacks in IOT & WSN. 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 217–226. https://doi.org/10.1109/FMEC.2018.8364068
14. Gajbhiye, A., Sen, D., Bhatt, A., & Soni, G. (2020). DPLPLN: Detection and Prevention from Flooding Attack in IoT. 2020 International Conference on Smart Electronics and Communication (ICOSEC), pp. 704–709. https://doi.org/10.1109/ICOSEC49089.2020.9215381
15. Boudouaia, M. A., Ali-Pacha, A., Abouaissa, A., & Lorenz, P. (2020). Security Against Rank Attack in RPL Protocol. IEEE Network, 34(4), 133–139. https://doi.org/10.1109/mnet.011.1900651
16. Aris, A., & Oktug, S. F. (2020). Analysis of the RPL Version Number Attack with Multiple Attackers. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). https://doi.org/10.1109/cybersa49311.2020.9139695
17. Wara, M. S., & Yu, Q. (2020). New Replay Attacks on ZigBee Devices for Internet-of-Things (IoT) Applications. 2020 IEEE International Conference on Embedded Software and Systems (ICESS), pp. 1–6. https://doi.org/10.1109/ICESS49830.2020.9301593
18. Kaur, P., & Goel, S. (2016). Shilling attack models in recommender system. 2016 International Conference on Inventive Computation Technologies (ICICT), pp. 1–5. https://doi.org/10.1109/INVENTIVE.2016.7824865
19. Taneja, A., Tayal, A., Malhotra, A., Sankaran, A., Vatsa, M., & Singh, R. (2016). Fingerphoto spoofing in mobile devices: A preliminary study. pp. 1–7. https://doi.org/10.1109/BTAS.2016.7791201
20. MITRE. (2021). The MITRE ATT&CK Framework. [Online; accessed 22 August 2021].

Chapter 3

Risk Methodologies for IoT on Smart Cities

3.1 The Challenges of Cyber Risk Management on IoT Systems

Smart cities take advantage of different technologies, such as data analysis, to understand the needs of citizens in real time. City officials can promote their strategies for improving the quality of life based on data-driven decisions. Smart parking, smart lighting, and smart waste management are some strategies adopted in smart cities [2]. In the last decade, city officials have embraced smart city strategies to develop more resilient and sustainable cities [3]. One of the essential components for the development of smart cities is the technological infrastructure [4]. Emerging technologies such as IoT, Big Data, and Cloud Computing are growing fast, and they are improving the decision-making processes performed by city officials (see Fig. 3.1). These technologies support the generation of data for real-time decision-making through the gathering of urban data such as traffic signals, pollution levels, or levels of traffic congestion [5]. The incorporation of IoT is a key aspect in the development of smart cities because it allows the establishment of a sensing layer in different urban elements, abstracting their physical reality into the digital world. IoT projections are favorable for the coming years; e.g., Forbes estimates that the Industrial Internet of Things (IIoT) could add 14.2 trillion dollars to the global economy by 2030 [6].

Figure 3.2 shows some challenges to security management, among which we mention those considered most relevant [22]:

A. Heterogeneity of IoT Solutions. IoT solutions are designed using different communication technologies such as LoRa, Sigfox, NB-IoT, Zigbee, and Wi-Fi, and different devices such as Arduinos or Raspberry Pis.
B. Limitation of Computational Resources. Several IoT devices do not have large memory and processing capacity. Therefore, such devices cannot include robust security algorithms; battery capacity is also a limitation, since more robust security algorithms require more energy.
C. Geographical Expansion of the Attack Surface. IoT solutions can reach several kilometers of coverage, especially those designed to operate at city level using LPWAN (Low-Power Wide-Area Network) technologies. From the security point of view, this situation increases the probability that an attack can be carried out from remote sites.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. R. O. Andrade et al., Cybersecurity Risk of IoT on Smart Cities, https://doi.org/10.1007/978-3-030-88524-3_3

Fig. 3.1 Emerging technologies used in smart city

Fig. 3.2 IoT layer model and their features in cybersecurity


D. Lack of Security in the Design. IoT solutions are frequently developed in a short period. These developments are performed by optimizing time, and sometimes security processes or validation tests are not included in the development timeline. Another important aspect is that IoT is a new and versatile technology; therefore, some developers do not apply adequate security mechanisms to IoT solutions. Finally, several IoT solutions are developed by non-technical people, causing security issues.
E. Lack of Standardization. IoT is a relatively new technology; therefore, its standardization is still in progress. Standards and recommendations about IoT are not yet specific. There is a lack of standards for IoT forensics, IoT risk analysis, and high-quality IoT development [1].

IoT produces a significant improvement in the services provided to citizens, but it can collaterally generate security issues, i.e., more connected cities could become more vulnerable. IoT can considerably expand the number of possible attacks [7]. Security attacks do not only affect information systems; they could affect the resilience of the city, especially if they target critical infrastructures. The main difference between a security attack on an information system and one on a city is its level of impact, e.g., an attack on a critical infrastructure could leave all citizens without electricity for hours. From this perspective, several international organizations, such as [8] in America and [9] in Europe, have considered cybersecurity a critical element of smart cities. Smart cities need to develop the capacity to assess the level of impact of cyber risk; for this reason, it is necessary to identify the critical assets and the risks that could affect the continuous operation of the different services of the smart city (see Fig. 3.3).

Fig. 3.3 Attack surface and their implication on smart city cyber risk


Cyber risk in smart cities can be considered any disruption to information systems and technologies that may result in financial losses, damage to the city's reputation, or unavailability of electronic government services. It can be caused by unintentional or accidental actions, but it can also be associated with espionage, extortion, terrorism, and embarrassment. The impact of cyber risk on the city can be significant because of the services provided, the direct and indirect incidence on the economic, environmental, and social aspects of the city, and the number of users affected, which in the case of megacities could reach millions of citizens. This context drives cities to implement strategies to control cyber risk, identify potential threats, detect security breaches, and evaluate the impact of security attacks in the context of IoT.

3.2 The Cyber Risk Management Process

Establishing security strategies to ensure the continuity of city operations and citizens' privacy, in a context where there are multiple types of attacks and attackers and various protocols, networks, and devices, is a complex challenge. For this reason, developing a risk management process allows establishing the current security situation of the city. In general, the risk management process establishes a set of decisions (accept, mitigate, transfer, and ignore) that can be selected to manage the cyber risk:
• Accept: the risk has an acceptable level according to the risk appetite of the organization.
• Mitigate: the existing or potential risk is reduced or eliminated.
• Transfer: the risk is transferred to a third party.
• Ignore: the risk is simply ignored. This is the most dangerous decision.

To make the decision about how to manage a risk, it is necessary to evaluate the level of risk. Risk assessment is therefore the critical activity in risk management that assesses the risks related to organizational assets and operations. It includes three sub-processes [10]:
• Risk identification: possible risks are identified.
• Risk estimation: the risk is quantified.
• Risk prioritization: the risk strategy is designed based on the prioritization of risks.

For the development of these three sub-processes, we can use a risk analysis methodology, which allows the assessment of the level of risk. A classification of risk analysis methodologies is proposed by Alberts et al. [11]:


1. Tactical Risk Analysis. Tactical risk analysis is based on the decomposition of the components that constitute a system in order to evaluate potential failures. The steps are carried out with the stakeholders, which could be considered a limitation because of subjectivity; therefore, tactical risk analysis presents only a partial view of the risk. The steps include:
• Decompose the system into its components.
• Prioritize and categorize the criticality of each component.
• Evaluate the risk of each component.
A limitation of this type of analysis is that only the critical components are evaluated, and non-linear relationships are not considered. Another limitation is that confidence in a component does not guarantee the performance of the entire system.

2. Systematic Risk Analysis. Systematic risk analysis evaluates the aggregate effect of the components on fulfilling a specific mission. It presents a complete view of the system and the influence of environmental factors, and it considers the non-linearity of causal factors. The steps include:
• Set the objectives that must be achieved.
• Identify the systematic factors ("drivers") that have a strong influence on the outcome. Driver states can be set as "success" and "failure."
• Analyze the drivers to establish an overall risk. The drivers are associated with the key objectives of the mission so that analysts can enable effective decision-making.

Another classification of risk analysis methodologies is by qualitative or quantitative approach.

3. Qualitative Risk Analysis. Qualitative risk analysis identifies critical levels of risk, categorizing them as high, medium, and low, to decide the best security defense strategy. For this goal, qualitative risk analysis is based on the development of a risk assessment matrix through the use of the following techniques:
• Interviewing,
• Delphi technique,
• Brainstorming,
• Strength, weakness, opportunity, and threat analysis (SWOT analysis),
• Risk rating scales,
• Analysis of historical data (time series or correlations).
Qualitative risk analysis tends to be more subjective; for this reason, it is important to manage the possible sources of bias.


Fig. 3.4 Risk metrics based on smart city axes

4. Quantitative Risk Analysis. Quantitative risk analysis establishes the weight of the risk of a security attack, generally assessed against a monetary value. A highlight of quantitative risk analysis is that it produces values that can be an input for budget analysis. However, if there are no historical values, the accuracy of the results may be reduced. Some of the drawbacks of quantitative analysis are:
• A large amount of work is needed to collect information from the different assets.
• Developing the quantitative analysis may require, in some cases, 5 to 6 months because of the data gathering process. In real scenarios where the assets, attacks, and threats can vary every day, especially in IoT environments, such a long time can delay the information needed for decision-making.
• Some asset data can be difficult to obtain, which reduces the accuracy of the risk analysis.

Qualitative and quantitative risk analysis methods have their strengths and weaknesses, which are summarized in Fig. 3.4. The risk analysis process therefore evaluates the different components or elements (assets, vulnerabilities, threats) that contribute to the level of security risk, and it must be carried out through a rigorous and validated monitoring process. From an epistemological perspective, the risk analysis process is the validation of knowledge about risks, such as their origin and the internal and external factors that affect their value. Risk analysis has been widely studied in different fields such as finance, crisis and disaster management, and cybersecurity, emphasized by the growth of computer systems since the late 1960s. Researchers from the technological, natural, behavioral, and social sciences joined to create a new interdisciplinary research area related to risk analysis [19]. Risk analysis aims to establish knowledge about possible risks, allowing managers, regulators, and third parties to make decisions about the impact of security on economic, social, and environmental domains. However, security risk methodologies could have limitations on IoT systems due to the accelerated growth of IoT devices and their location in non-traditional places. Furthermore, the incorporation of IoT devices changes the attack surface due to the new vulnerabilities introduced by each device; this context increases the probability of cybersecurity attacks [20].

3.3 Cyber Risk Management of IoT Systems on Smart Cities

To understand in more detail the development of risk analysis in the IoT context inside the smart city domains, we base our approach on the ISO 31000 standard, which provides a generic risk management framework with a set of principles and processes to evaluate cyber risk (see Fig. 3.5). The following subsections describe our proposal for applying ISO 31000 to the smart city context. The main reason to consider ISO 31000 for this proposal is that it balances the uncertainties of the environment against the achievement of objectives [12]. ISO 31000 defines the following processes [13]:

Fig. 3.5 Components of risk management process. Risk identification, assessment, and control


• Establish the context: define the organization's objectives and the scope of risk management, and establish the risk indicators used to evaluate the risk.
• Risk identification: the method to identify the types of risk based on assets, hazards, threats, vulnerabilities, and nodes of failure.
• Risk analysis: the method to estimate the risk factors and the severity, probability, and detection of attacks on assets.
• Risk evaluation: the method to set a risk score.
• Risk treatment: the recommendations to reduce risk, increase the detection of threats, reduce the occurrence of risk, and delimit the effort of security strategies.

3.3.1 Establish the Context on Smart Cities

Smart cities are aligned with the goals of Agenda 2030 and the Sustainable Development Goals (SDG). Smart cities try to follow the principles of sustainability to assure resources for current and future generations in different vertical domains such as Healthcare, Education, Agriculture, Home, and Energy, among others. Additionally, cities are also trying to become resilient spaces able to continue their operations despite social, natural, and economic events. Therefore, the objective of assessing cyber risks in smart cities could be associated with strategies that support city goals. The ITU-T FG-SSC considers six domains for building smart cities: Information and communication technology, Environmental sustainability, Productivity, Quality of life, Equity and social inclusion, and Physical infrastructure, whereas the proposal of KPIs for smart cities formulated by Hara et al. [14] defines three macro pillars: economy, society, and environment. The second FG-SSC domain could be associated with the environmental pillar, the third with the economic pillar, and the fourth and fifth with the social pillar. In contrast, the first and last domains provide the operational and tactical infrastructure for accomplishing the smart city's goals. So, we can add a fourth pillar, "Technology," to the proposal by Hara et al. [14]. Based on this smart city proposal (see Fig. 3.6), the context for risk management, i.e., the scope and the definition of risk indicators for the smart city, needs to consider all domains and pillars of the city.

3.3.2 Risk Identification on Smart City

A smart city is built on social, economic, and environmental pillars. In this context, different types of risk can be identified in cities:


Fig. 3.6 Pillars and domains of the smart city

• Political Risk is focused on electoral uncertainty, social unrest, corruption, and political instability [15].
• Financial Risk is related to funding problems, economic growth or decline, interest rates, and unemployment [16].
• Social Risk is related to citizen participation. It includes exclusion or resistance to proposed services, population growth rate, and cultural norms and expectations [16].
• Environmental Risk is related to environmental conditions such as the local climate, as well as unanticipated natural hazards and global warming [16].
• Technical Risk is associated with technology selection, availability, and implementation, and with new technologies [16].
• Strategic Risk has a large-scale approach and requires the development of a strategic plan for its management. The authorities or committee should focus on the development of policies and delegations that allow risk management [17].
• Operational Risk is associated with daily activities. It is related to the people or processes in charge of the provision of services [17].
• Multi-hazard Risk is associated with the risk of disease, disaster, fire, and accidents. It takes into consideration that multiple threats could appear at the same time [12].
• Systemic Risk: the World Economic Forum (WEF) defines systemic cyber risk as "the risk that a cyber event (attack(s) or other adverse event(s)) at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss, such that services are impacted not only in the originating component but consequences also cascade into related (logically and/or geographically) ecosystem components, resulting in significant adverse effects to public health or safety, economic security or national security." [18]

3.3.3 Risk Analysis on Smart City

Cyber-attacks have been considered a significant threat to countries' economies, which is why the World Economic Forum has ranked cyber-attacks as one of the top 10 threats worldwide [15]. The World Economic Forum has pushed the need to understand and prepare nations to deal with the systemic risk generated by cyber-attacks. The existing dependence on critical infrastructure and the linking of IT and OT through IoT have created a greater exposure to cyber-attacks that could disrupt city operations. This disruption can have a social, environmental, or economic impact. Additionally, the hyper-connectivity of smart cities can make a city more susceptible to systemic risk events. Systemic risk is related to the breakdown of a complete system. For example, this type of risk has been widely used in the financial sector to consider the possible losses from an attack on a widely interconnected system such as the financial system. Similarly, a smart city exposes a concentration of risk through the complex interconnections that could amplify the effects of attacks. As a result, a smart city has a large attack surface, and a single point of failure may be sufficient to carry out a large-scale attack. In this context, the following questions arise:
• What is the impact of a DDoS on the city, and can it develop into a systemic risk?
• Can we evaluate the domino or cascade effect of an attack on the smart city?
• What is the effect of contagious malware through cyber-physical exposures due to IoT in smart cities?
• Can an attack on a small IoT node affect the global economy?

Security attacks can affect the overall trust in the city and the continuity of critical services such as health, transportation, or financial services. The hyper-connectivity of IoT systems in smart cities presents some aspects that must be considered when assessing security risk, among which we highlight:
• Creation of single points of failure and an amplification factor,
• Dependency on third-party software and hardware,
• Interdependence between data and operational processes,
• Cross-vertical attacks, and
• Random and epistemic uncertainty.
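As an added example that is not part of the book, the following Python code makes the first and fourth bullets measurable: it computes the cascade reach (blast radius) of each component in a constructed smart-city dependency graph, derives an amplification factor from it, and lists the components whose single failure cuts across more than one vertical. The graph, the service-to-vertical mapping, and the AND semantics (every dependency is required, no redundancy) are assumptions of the example, not data from the book.

```python
"""Added example (not from the book): cascade reach, amplification factor and cross-vertical single
points of failure on a constructed smart-city dependency graph."""
from collections import deque

# Constructed graph: DEPENDS_ON[x] is the set of components x needs to stay in service.
# All dependencies are required (AND semantics); redundant alternatives are not modeled.
DEPENDS_ON = {
    "traffic-signals":    {"city-lte", "traffic-controller"},
    "traffic-controller": {"city-lte", "iot-platform"},
    "smart-meters":       {"lpwan-gateway"},
    "ehealth-telemetry":  {"lpwan-gateway", "iot-platform"},
    "lpwan-gateway":      {"iot-platform"},
    "iot-platform":       {"cloud-identity", "mqtt-broker"},
    "mqtt-broker":        {"cloud-identity"},
    "city-lte":           set(),
    "cloud-identity":     set(),
}

# Citizen-facing services and the vertical each belongs to (constructed).
SERVICE_VERTICAL = {
    "traffic-signals": "mobility",
    "smart-meters": "energy",
    "ehealth-telemetry": "health",
}


def dependents(graph):
    """Reverse the graph: which components depend on each component."""
    rev = {n: set() for n in graph}
    for n, deps in graph.items():
        for d in deps:
            rev.setdefault(d, set()).add(n)
    return rev


def blast_radius(graph, failed):
    """Components disrupted, transitively, when `failed` goes down (the cascade effect)."""
    rev = dependents(graph)
    hit, queue = set(), deque([failed])
    while queue:
        n = queue.popleft()
        for d in rev.get(n, ()):
            if d not in hit:
                hit.add(d)
                queue.append(d)
    return hit


def amplification(graph):
    """Amplification factor: how many other components a single failure takes down."""
    return {n: len(blast_radius(graph, n)) for n in graph}


def cross_vertical_spofs(graph, service_vertical):
    """Components whose single failure disrupts services in more than one vertical.
    Returns {component: set of verticals affected}."""
    result = {}
    for n in graph:
        verticals = {service_vertical[s] for s in blast_radius(graph, n) if s in service_vertical}
        if len(verticals) > 1:
            result[n] = verticals
    return result


if __name__ == "__main__":
    for comp, k in sorted(amplification(DEPENDS_ON).items(), key=lambda kv: -kv[1]):
        print(f"{comp:20s} amplification={k}")
    for comp, verts in cross_vertical_spofs(DEPENDS_ON, SERVICE_VERTICAL).items():
        print(f"cross-vertical SPOF: {comp} -> {sorted(verts)}")
```

In the constructed graph the shared identity service and the IoT platform have the largest amplification and touch all three verticals, while a radio network serving only one vertical does not, which is the kind of result that answers the cascade question above. Once redundant (OR) dependencies are added, plain reachability overstates the blast radius and a minimal-cut-set analysis is needed instead.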

Risk analysis can be developed with either of two approaches: tactical and systematic.


• Tactical risk analysis focuses on decomposing the multiple components and evaluating the failures in each one to determine the risks; in a smart city context, with millions of connected devices and several vertical domains, this approach may require a considerable amount of staff, time, and investment.
• Systematic risk analysis focuses on analyzing the risk factors of the components that may affect the achievement of goals or missions; it does not require an extensive decomposition process. Instead, it contributes to revealing a complete scenario of the possible impact of attacks on the city's operation. Systematic analysis is a goal-based approach, which allows results to be defined at the strategic level, and this may be more beneficial for city officials. Systematic risk analysis establishes the risk values against security attacks based on the goals essential for the city's operation in its macro domains, i.e., economic, environmental, and social aspects. Understanding the level of impact on each part would allow better security strategies to be established.

3.3.4 Risk Evaluation on Smart City

City officials could apply qualitative and quantitative methodologies to establish the risk score. However, both methods are based on fundamental principles for evaluating the level of risk. In this subsection, we highlight some of these principles.

Fundamental Principles of Risk Evaluation

Assets are any resources that are critical or valuable to continue the operations of the city. Assets could be people, data, buildings, systems, Cyber-Physical Systems (CPS), among others.

Likelihood or probability is the potential that a hazard will materialize and harm any of the city's components. Likelihood is often used in qualitative analysis; it takes a value of high, medium, or low. Probability is used in quantitative analyses; it has a numerical value between 0 and 1, where 1 represents the certainty that an event will happen. In some cases it is possible to predict the probability or likelihood of the occurrence of security events, while in other cases that is not possible due to the lack of information or new types of attacks (techniques, exploits, attack paths).

Vulnerabilities are gaps, weaknesses, or security loopholes in any component of the city that can be exploited by a threat.

Impact is the degree or value of the negative effect caused by the materialization of the hazard. Organizations establish the risk level to evaluate the impact. The risk level is determined from the elements that could have a negative impact on the organization in the presence of threats, but it could exclude the critical elements that are aimed at organizational objectives. Another important aspect in evaluating the impact is the effect of multiple risks: the risk assessment needs to consider the combination of threats and risks and the multiple consequences to different components of the city.

Table 3.1 Hierarchical values of risk score

Risk score   Likelihood
Very Low     The event occurs 1 each 100 times
Low          The event occurs 1 each 10 times
Medium       The event occurs 1 each 5 times
High         The event occurs more than 5 times
Very High    The event occurs more than 10 times

Table 3.2 Risk score based on time

Severity score   Time
Very Low         1 day
Low              1 week
Medium           2 weeks
High             1 month
Very High        >1 month

Qualitative risk analysis is generally faster, but some authors consider it less accurate. The methodology is based on the evaluation of factors such as asset value, threat frequency, impact, and safeguards, but the likelihood values are expressed as hierarchical values such as high, medium, or low. Some authors define a range of values to establish these hierarchical values based on the likelihood of occurrence, similar to Table 3.1. This could be a drawback of qualitative analysis because the scale depends on the risk analysts. Moreover, having subjective characteristics may make it more difficult to defend the results obtained, so one strategy is to include expert judgment. On the other hand, the flexibility to select the value range allows customization for each scenario. Qualitative risk analysis methodology thus has a personal character. However, qualitative analysis is instrumental when it is complex to obtain the data needed to estimate the value of an asset, since that requires establishing different factors such as the number of users, the value of the loss as a function of the unavailable time, or the relevance of the service provided by the asset. In addition, qualitative risk analysis uses the severity of impact for estimating risk scores. These values have a subjective character and could be customized to each scenario; for instance, in Table 3.2 we evaluated the severity based on the time to recovery. The values of qualitative risk analysis are often not expressed in monetary terms, so they cannot easily be used for cost-benefit analysis. The most relevant qualitative risk analysis formulas are the following:

$$\text{Risk} = \text{Severity of Impact} \times \text{Likelihood} \qquad (3.1)$$

$$\text{Risk} = \text{Threat} \times \text{Vulnerability} \qquad (3.2)$$


Table 3.3 Risk values for quantitative risk analysis

Risk value: Description
• Exposure factor (EF): Percentage of the asset's value lost because of the threat.
• Annual occurrence rate of the event (ARO): Corresponds to the annual occurrence rate of the security event.
• Annual Loss Expectancy (ALE): Establishes the expected loss based on the possible occurrence of an event within a period of 1 year. ALE is obtained by multiplying the SLE value by the ARO value.
• Single Loss Expectancy (SLE): The expected loss value for the occurrence of a single security event. SLE is calculated from the asset value and the exposure factor (EF), which represents the loss in value of an asset in case of a security event.
• Safeguard Value: The value of a countermeasure to reduce the risk. Safeguards can be procedural or technical (logical and physical). Implementing safeguards makes it possible to reduce the value of the exposure factor (EF), which reduces the SLE and ARO values. In some scenarios the cost of implementing the safeguard could be high, so there may be a decision not to implement the safeguard and to accept the possible risk.

Quantitative risk analysis is considered more accurate and objective because of its use of mathematical operations. It is considered more objective because it is less susceptible to subjective measures and judgment, but it requires more time to prepare the inputs for the mathematical operations. Quantitative risk analysis methodologies assign a numerical value to the probability of occurrence of an event. The value of a single asset must consider all direct and indirect values related to the asset. The values used in quantitative risk methodologies are described in Table 3.3. A set of mathematical formulas or computational processes is used to establish the numerical value in quantitative analysis; some of them follow:

$$\text{ALE} = \text{SLE} \times \text{ARO} \qquad (3.3)$$

$$\text{SLE} = \text{Asset Value} \times \text{EF} \qquad (3.4)$$

$$\text{Safeguard Value} = \text{ALE}_{\text{Before}} - \text{ALE}_{\text{After}} - \text{Annual Cost of Countermeasure} \qquad (3.5)$$
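To make the qualitative scales (Tables 3.1 and 3.2, Eq. 3.1) and the quantitative model (Table 3.3, Eqs. 3.3 to 3.5) concrete, the following Python script is an added example and not code from the book. The asset value, exposure factors, and candidate safeguards are constructed figures for a hypothetical traffic-signal platform, and the ordinal 1 to 5 scoring of the hierarchical values, as well as the reading of Table 3.1 as occurrences per observation period, are assumptions.

```python
"""Qualitative and quantitative risk evaluation helpers (added example).
The hierarchical scales follow Tables 3.1 and 3.2; the monetary model follows
Table 3.3 and Eqs. 3.3-3.5.  All sample figures below are constructed."""
from dataclasses import dataclass
from typing import List

# Assumption: the five hierarchical values are scored ordinally 1..5 so that
# Eq. 3.1 (Risk = Severity of Impact x Likelihood) can be evaluated numerically.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


def likelihood_level(occurrences_per_period: float) -> str:
    """Table 3.1 read as the expected number of occurrences per observation period
    (assumption: the table gives its thresholds without a unit).  Values between
    1/5 and 5 are not covered by the table and are treated as High here."""
    if occurrences_per_period <= 1 / 100:
        return "Very Low"
    if occurrences_per_period <= 1 / 10:
        return "Low"
    if occurrences_per_period <= 1 / 5:
        return "Medium"
    if occurrences_per_period <= 10:
        return "High"
    return "Very High"


def severity_level(days_to_recover: float) -> str:
    """Table 3.2: severity of impact from the time needed to recover the service."""
    if days_to_recover <= 1:
        return "Very Low"
    if days_to_recover <= 7:
        return "Low"
    if days_to_recover <= 14:
        return "Medium"
    if days_to_recover <= 30:
        return "High"
    return "Very High"


def qualitative_risk(days_to_recover: float, occurrences_per_period: float) -> int:
    """Eq. 3.1 on the ordinal scale: returns a score between 1 and 25."""
    severity = LEVELS.index(severity_level(days_to_recover)) + 1
    likelihood = LEVELS.index(likelihood_level(occurrences_per_period)) + 1
    return severity * likelihood


@dataclass
class Asset:
    name: str
    value: float           # direct plus indirect value, in monetary units


@dataclass
class Threat:
    name: str
    ef: float              # exposure factor: fraction of the asset value lost per event
    aro: float             # annual rate of occurrence


@dataclass
class Safeguard:
    name: str
    annual_cost: float     # yearly cost of the countermeasure
    ef_after: float        # exposure factor once the safeguard is in place
    aro_after: float       # annual rate of occurrence once the safeguard is in place


def sle(asset: Asset, threat: Threat) -> float:
    """Eq. 3.4: Single Loss Expectancy = Asset Value x EF."""
    return asset.value * threat.ef


def ale(asset: Asset, threat: Threat) -> float:
    """Eq. 3.3: Annual Loss Expectancy = SLE x ARO."""
    return sle(asset, threat) * threat.aro


def safeguard_value(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Eq. 3.5: ALE before - ALE after - annual cost of the countermeasure."""
    residual = Threat(threat.name, sg.ef_after, sg.aro_after)
    return ale(asset, threat) - ale(asset, residual) - sg.annual_cost


def worthwhile_safeguards(asset: Asset, threat: Threat,
                          candidates: List[Safeguard]) -> List[str]:
    """Names of the candidates with a positive safeguard value, best first.
    A non-positive value is the 'accept the risk' case described in Table 3.3."""
    scored = [(safeguard_value(asset, threat, s), s.name) for s in candidates]
    return [name for value, name in sorted(scored, reverse=True) if value > 0]


# Constructed scenario: a city's traffic-signal control platform facing a
# volumetric DDoS that keeps the service degraded for about ten days.
TRAFFIC_PLATFORM = Asset("traffic-signal control platform", 2_000_000.0)
DDOS = Threat("DDoS on signal controllers", ef=0.05, aro=2.0)
CANDIDATES = [
    Safeguard("upstream rate limiting and network segmentation", 30_000.0,
              ef_after=0.05, aro_after=0.5),
    Safeguard("fully redundant control site", 250_000.0,
              ef_after=0.01, aro_after=2.0),
]

if __name__ == "__main__":
    print("qualitative score:", qualitative_risk(10, DDOS.aro))
    print("SLE:", sle(TRAFFIC_PLATFORM, DDOS), "ALE:", ale(TRAFFIC_PLATFORM, DDOS))
    for sg in CANDIDATES:
        print(f"{sg.name}: safeguard value {safeguard_value(TRAFFIC_PLATFORM, DDOS, sg):,.0f}")
    print("worth implementing:", worthwhile_safeguards(TRAFFIC_PLATFORM, DDOS, CANDIDATES))
```

The redundant site reduces the loss per event but not its frequency, so its safeguard value is negative and the model recommends accepting that residual risk rather than paying for it.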


3 Risk Methodologies for IoT on Smart Cities

3.4 Use of IT Risk Methodologies and Its Possible Limitations on Smart City

The risk analysis process evaluates different components or elements (assets, vulnerabilities, threats) that contribute to the level of security risk and must be carried out through a rigorous and validated monitoring process. From an epistemological perspective, risk analysis processes are a validation of knowledge about risks, such as their origin and the internal and external factors that affect their value. Risk analysis has been widely studied in different fields such as finance, crisis and disaster management, and cybersecurity, with growing emphasis since the growth of computer systems in the late 1960s. Researchers from the technological, natural, behavioral, and social sciences joined to create a new interdisciplinary research area related to risk analysis [19]. This risk analysis aims to establish the knowledge about possible risks that allows managers, regulators, and third parties to make decisions about the impact of security on economic, social, and environmental domains. However, security risk methodologies could have limitations on IoT systems due to the accelerated growth of IoT devices and their location in non-traditional places. Furthermore, the incorporation of IoT devices changes the attack surface due to the new vulnerabilities introduced by each device; this context increases the probability of cybersecurity attacks [20]. Waiting for long periods to do a security risk assessment is not recommended; however, the inventory of IoT devices can be a lengthy task. Several risk assessment methodologies are available for information systems, but they are in early development in the IoT area. For instance, [20] mentions that current risk assessment methods fail in IoT systems due to the following aspects:

• Short assessment periods: Traditional risk methodologies are generally not designed to be carried out in short periods. However, since the IoT ecosystem changes continuously because of the incorporation of new devices daily, it is necessary to assess risks in a short period.
• Limited knowledge of IoT systems: Most risk assessments are focused on traditional systems and do not consider IoT aspects.
• Connections to other systems: IoT devices connect to other systems or technologies like cloud computing, big data, and traditional systems. This situation expands the attack surface of IoT ecosystems.
• Failure to consider the asset as an attack platform: IoT devices can be used to carry out attacks; if the devices lack minimum security aspects, they could expand the possibility of new attacks.

The smart city is built on social, economic, and environmental pillars and supports the development of programs in the domains of health, transportation, education, agriculture, and other verticals. Risk analysis in the smart city must focus on and consider each of these elements. So, it is important to establish risk indicators that set the smart city's direction. Two types of essential indicators for a proper risk management process are the KPI (key performance indicator) and the KRI (key risk indicator). KPIs focus on the accomplishment of strategic goals; an example of KPIs for a smart city is described in Table 3.4. KRIs, also known as risk metrics, indicate the level or trend of a risk. This metric can indicate the deviation or possible deviation from the strategic objective.

Table 3.4 Key Performance Indicators for a smart city

Dimension     Sub-dimension
Environment   Natural resource
              Energy
Society       Safety
              Health
              Comfort
              Satisfaction
Economy       Economy

Additionally, it is essential to select the correct number of metrics; too many can take time away from critical activities, and an excess of information can cause relevant information not to be visible on time. On the other hand, the decision-making process can be carried out without considering critical information if there is too little information. The metric should cover details such as the name of the metric, the objective of the metric, entry criteria, involved tasks, the formula to calculate the metric value, the target value for the metric, verification and validation, and exit criteria [21]. The smart city should consider aspects such as the resilience of its components to continue with its operations despite adverse events, or the effect on the privacy of information of a sensitive or personal nature, which may generate atypical operation of city services. Operability, resilience, and privacy are supported by physical and technological infrastructures (CPS), so the risk assessment must consider both infrastructures. Several norms, frameworks, and methodologies have been developed for risk analysis; the most relevant are summarized in Table 3.5. In addition, some authors propose the use of a combination of methodologies for evaluating risk, similar to the proposal in Fig. 3.7. The selection of each methodology could be based on the smart city domain that is going to be evaluated. For instance, FAIR, RiskLens, or Cyber-Var can analyze the economic domain, while OCTAVE, CMMI, or NIST could be more appropriate for the technological component.

Table 3.5 Frameworks and standards for risk analysis

Name             Type               Scope
NIST SP 800-37   Semi-quantitative  Security Controls
FAIR             Quantitative       Financial
TARA             Qualitative        Project
CMMI             Quantitative       Maturity models
OCTAVE           Qualitative        Impact
CVSS             Qualitative        Base metrics
RISKlens         Quantitative       BetaPERT
CyberVar         Quantitative       VaR

Fig. 3.7 Smart City risk security framework

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a qualitative analysis method developed by the Software Engineering Institute of Carnegie Mellon University. OCTAVE provides guidelines and checklists for the development of the risk assessment process. OCTAVE is based on three phases: (1) asset-based threat profiles, (2) infrastructure vulnerability identification, and (3) security plan and strategy development. The level of security is aligned with individual assets, and it is established through judgment-based attributes such as prioritization. Judgments are made through a mapping of security-related attributes to more business-focused use cases. OCTAVE has worksheets available to support the process of risk analysis. The relation between threats and vulnerabilities could be weak because OCTAVE does not analyze vulnerabilities in depth, so there is no accuracy as to whether a threat could take advantage of a given vulnerability. Risk analysis can be complemented with CVSS3 or other vulnerability scores. Regarding the treatment of assets, OCTAVE has a catalog of assets (hardware, software, among others), but it handles information assets in a general way; this could affect the evaluation of the impact on privacy. In relation to IoT, there is no specific catalog of assets. A drawback of OCTAVE is that it does not produce a cost-benefit result [22].

NIST SP 800-30, Guide for Conducting Risk Assessments, proposes working with technical controls in the design, implementation, and operational stages on the basis of


impact analysis. For this process, NIST SP 800-30 can be supplemented with NIST Special Publication 800-213, "IoT Device Cybersecurity Guidance for the Federal Government," which focuses on the device cybersecurity capabilities and supporting non-technical capabilities that may be needed from or around IoT devices, and with NISTIR 8259A, NISTIR 8259B, and NISTIR 8259C to build controls that meet security and privacy needs. Another complementary NIST document for risk management is NISTIR 8228, "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks." NISTIR 8228 explored three high-level considerations for IoT security and privacy risks and provided three risk mitigation goals:

• Goal 1: Protect device security.
• Goal 2: Protect data security.
• Goal 3: Protect individuals' privacy.

NIST SP 800-30 proposes six tasks for conducting a risk assessment:

1. Identify threat sources
2. Identify threat events
3. Identify vulnerabilities and predisposing conditions
4. Determine likelihood
5. Determine impact
6. Determine risk

NIST analyzes the dependency of assets in a moderate way, in contrast with OCTAVE, which uses Bayesian probability to evaluate the dependency. NIST allows threat modeling to be established based on network topology [23].

COBIT (Control Objectives for Information and Related Technologies) is a comprehensive set of best practices and "enablers" that support the requirements for risk management focused on business goals. From an IT governance perspective, to support IoT projects the enablers should be adapted to IoT. Some examples of IoT enablers are the following [24]:

• IoT services are built on top of strong standards and protocols
• Recognizing people as playing an important role in IoT acceptance
• Assignment of roles, responsibilities, and tasks in IoT

COSO (Committee of Sponsoring Organizations of the Treadway Commission) is very broad and does not provide guidance at the level of risk event type or category. In COSO, a risk is any event that could impede or promote business objectives (market, credit, etc.). The five components of COSO are: control environment, risk assessment, control activities, information and communication, and monitoring activities.

FAIR (Factor Analysis of Information Risk) proposes a quantification method to evaluate the potential losses based on the estimates of Loss Event Frequency (LEF), Threat Event Frequency (TEF), derived Vulnerability (Vuln), Resistance Strength (RS), and Loss Magnitude (LM). FAIR does not allow


the opportunity for customization, but it could be complemented with other risk methodologies [25].

MAGERIT is based on the analysis of assets, dependencies, threats, and safeguards. MAGERIT has complete documentation of the risk analysis process, and it includes a free tool called PILAR. MAGERIT is based on qualitative and quantitative methods. A drawback of MAGERIT is that it does not consider a deep analysis of vulnerabilities. The following formulas are used in MAGERIT [26]:

$$\text{Impact} = \text{Asset Value} \times \text{Asset Degradation} \qquad (3.6)$$

$$\text{Residual Impact} = \text{Impact} \times (1 - \text{Effectiveness}) \qquad (3.7)$$

$$\text{Residual Risk} = \text{Residual Impact} \times \text{Frequency} \qquad (3.8)$$
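The three MAGERIT formulas worked through in Python, as an added example that is neither MAGERIT documentation nor PILAR code: the assets, threats, and figures are constructed, and the rule that a supporting asset accumulates the value of the assets that depend on it is a simplified reading of MAGERIT's dependency analysis, stated here as an assumption.

```python
"""MAGERIT-style impact and residual risk (Eqs. 3.6-3.8) over a small, constructed
set of smart city assets with dependencies.  Added example, not MAGERIT/PILAR code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MageritAsset:
    name: str
    category: str                     # [B], [IS], [E], [SS], [L] or [P]
    value: float                      # the asset's own value, in monetary units
    depends_on: List[str] = field(default_factory=list)   # supporting assets


@dataclass
class ThreatOnAsset:
    asset: str
    threat: str
    degradation: float                # fraction of the asset value lost per event (0..1)
    frequency: float                  # expected occurrences per year
    effectiveness: float = 0.0        # effectiveness of the safeguards in place (0..1)


def accumulated_values(assets: List[MageritAsset]) -> Dict[str, float]:
    """Assumption (simplified MAGERIT dependency rule): a supporting asset is worth at
    least as much as the most valuable asset that depends on it, because degrading the
    support degrades everything built on top of it.  The dependency graph is assumed
    acyclic; results are memoised so shared supports are evaluated once."""
    memo: Dict[str, float] = {}
    by_name = {a.name: a for a in assets}

    def value_of(name: str) -> float:
        if name not in memo:
            dependents = [a.name for a in assets if name in a.depends_on]
            memo[name] = max([by_name[name].value] + [value_of(d) for d in dependents])
        return memo[name]

    return {a.name: value_of(a.name) for a in assets}


def impact(asset_value: float, t: ThreatOnAsset) -> float:
    """Eq. 3.6: Impact = Asset Value x Asset Degradation."""
    return asset_value * t.degradation


def residual_impact(asset_value: float, t: ThreatOnAsset) -> float:
    """Eq. 3.7: Residual Impact = Impact x (1 - Effectiveness)."""
    return impact(asset_value, t) * (1.0 - t.effectiveness)


def residual_risk(asset_value: float, t: ThreatOnAsset) -> float:
    """Eq. 3.8: Residual Risk = Residual Impact x Frequency."""
    return residual_impact(asset_value, t) * t.frequency


def rank_residual_risk(assets: List[MageritAsset],
                       threats: List[ThreatOnAsset]) -> List[Tuple[str, str, float]]:
    """(asset, threat, residual risk) triples, highest residual risk first, using the
    accumulated asset values so that a cheap router carrying a critical application
    is not underrated."""
    values = accumulated_values(assets)
    rows = [(t.asset, t.threat, residual_risk(values[t.asset], t)) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenario: a traffic-light management application [B] runs over an
# edge router [E] whose own replacement value is modest.
ASSETS = [
    MageritAsset("traffic-light management app", "[B]", 500_000.0, ["edge router"]),
    MageritAsset("edge router", "[E]", 20_000.0),
    MageritAsset("field technicians", "[P]", 50_000.0),
]
THREATS = [
    ThreatOnAsset("traffic-light management app", "application-level denial of service",
                  degradation=0.3, frequency=2.0, effectiveness=0.7),
    ThreatOnAsset("edge router", "unauthorised firmware modification",
                  degradation=0.8, frequency=0.25, effectiveness=0.5),
]

if __name__ == "__main__":
    for asset, threat, risk in rank_residual_risk(ASSETS, THREATS):
        print(f"{asset:32s} {threat:40s} residual risk {risk:,.0f}")
```

With the dependency rule the router inherits the application's value, so its residual risk is computed on 500,000 rather than on its own 20,000.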

The asset identification in MAGERIT considers the following categories of assets:

• Business layer [B]: Includes assets that support business goals such as web, application and database servers, BI dashboards, among others.
• Internal services [IS]: Includes assets that support internal operations such as telephony, internet, among others.
• Equipment [E]: Includes assets that support the business layer and internal services such as computers, routers, servers, among others.
• Outsourced services [SS]: Includes assets related to outsourced services such as Internet, energy, among others.
• Locations [L]: Describes the location of offices, data centers, among others, that allow the operation of the organization.
• Personnel [P]: Describes the administrative, technical, and management staff that allow the operation of the organization.

ISO 31000, Risk Management, is a generic guide and is not specific to any industry or sector. It proposes a standardized model for risk management (principles, framework, and process) and language (vocabulary, definitions). ISO 31000 is structured into eleven principles, five components, and seven processes. The eleven principles of ISO 31000 are the following:

1. Risk management establishes and sustains value.
2. Risk management is an integral part of all organizational processes.
3. Risk management is part of decision-making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates continual improvement of the organization.

The five components of ISO 31000 are the following:

1. Mandate,
2. Plan,
3. Implementation,
4. Checks, and
5. Improvement.

Finally, the seven processes of ISO 31000 are the following:

1. Communication and consultation,
2. Context,
3. Risk assessment (identification, analysis, and evaluation),
4. Treatment, and
5. Monitoring.

Risk management, according to ISO 31000, comprises preventive, corrective, and mitigating actions. Because ISO 31000 is a generic guide, it can easily be used in IoT systems. For example, ISO 31000 could be used in conjunction with ISO/IEC DIS 27400, "Cybersecurity—IoT security and privacy—Guidelines," which provides guidelines on risks, principles, and controls for the security and privacy of Internet of Things (IoT) solutions. Most of the risk assessment methodologies described are available for information systems, but not all of them have been adapted to consider IoT features. According to [1], the current risk assessment methods fail in IoT ecosystems due to the following aspects:

• Short periods of assessment: Risk methodologies are generally not designed to be carried out in short periods of time. However, since the IoT ecosystem changes continuously because of the incorporation of new devices on a daily basis, it is necessary to assess risks in a short period of time.
• Limited knowledge of IoT systems: Most risk assessments are focused on traditional systems and do not consider IoT aspects.
• Connections to other systems: IoT devices connect to other systems or technologies such as cloud computing, big data, and traditional systems. This situation expands the attack surface of IoT ecosystems.
• Failure to consider the asset as an attack platform: IoT devices can be used to carry out attacks; if the devices lack minimum security aspects, they could expand the possibility of new attacks.

Additionally, Radanliev et al. [27] mention that one of the limitations of the current risk analysis methodologies is that they do not consider recovery aspects. However, contingency and recovery plans have a high impact on economic aspects, so recovery should be considered as a factor in risk analysis. A comparative analysis


between the application of risk methodologies to evaluate traditional IT systems versus IoT systems is presented in Fig. 3.8. Although traditional and IoT systems have similar characteristics in terms of the protocols or technologies used, they present relevant differences when considering a risk analysis methodology. For example, some of the differences described in Fig. 3.8 are the following:

• Time: Traditional IT systems have more static and deterministic behaviors than IoT systems. Risk assessment processes are often carried out over periods of 6 months or a year. This period is due to the economic and human resources necessary to execute the risk analysis processes (identification, categorization, prioritization, and analysis). However, IoT systems have dynamic and nondeterministic characteristics since new devices are included every day. These devices do not always comply with a standard but depend on the developers of the solution.
• Dynamic aspects: Traditional IT systems adopt new solutions according to organizational needs. However, IoT systems have a greater dynamism because new solutions are developed for different verticals of the city every day. This makes the city a complex and dynamic system.
• Patterns: Traditional IT systems tend to have more familiar patterns in the flow of information and the interaction between components. On the other hand, in IoT systems the dynamism and the new relationships created by newly included devices mean that a permanently defined pattern cannot be established.

In this context, although the risk analysis methodologies widely used to evaluate traditional IT systems can be applied to IoT systems, it is necessary to consider the particularities related to time, dynamics, and patterns of IoT systems to obtain better effectiveness and accuracy in the risk analysis.

Fig. 3.8 Risk methodologies on traditional IT systems versus IoT systems


3.5 Summary

According to ISO 31000, risk can be understood as the positive or negative effect of uncertainty on achieving the organizational objectives. There can be different types of risk, such as:

• Hazard or pure risks.
• Control or uncertainty risks.
• Opportunity or speculative risks.

Risk management enables organizations to support compliance, assurance, decisions, and the efficiency of their operations. Risk management in the smart city should have a direct relationship with decision-making processes for strategic purposes and the effective delivery of the city's projects and programs. Therefore, sound risk management must be clear about the outcomes and benefits expected from its execution. Risk management involves a set of processes such as risk identification, risk assessment, and risk control. Generally, organizations define the risk classification system that suits them depending on the nature of the organization and its activities. Risk assessment is based on determining the likelihood and magnitude of the risk using a risk map, sometimes referred to as a risk matrix. Risk control focuses on a continuous process of assessing the risk levels and making decisions such as acceptance, mitigation, or transfer of the risk. Risk analysis involves many resources and much time, and its development can be costly for the city. In particular, the dynamics introduced by IoT could increase the cost because they force the risk analysis to be performed in shorter periods and over a vast number of devices. Therefore, the smart city's risk analysis model should consider the components of the city such as the economy, the environment, social aspects, technology, and cyber-physical systems. A combination of risk methodologies may therefore be necessary to perform this process.

References

1. Nurse, J., Creese, S., and De Roure, D. "Security Risk Assessment in Internet of Things Systems," IT Professional, vol. 19, no. 5, pp. 20–26, 2017.
2. Connecting cities and communities with the Sustainable Development Goals. (n.d.). Retrieved from https://www.itu.int/en/publications/Documents/tsb/2017-U4SSC-DeliverableConnecting-Cities/index.html
3. Collection Methodology for Key Performance Indicators for Smart Sustainable Cities. (n.d.). Retrieved from https://www.itu.int/en/publications/Documents/tsb/2017-U4SSC-CollectionMethodology/index.html
4. Al-Hader, M., Rodzi, A., Sharif, A. R., and Ahmad, N. (2009). Smart City Components Architecture. 2009 International Conference on Computational Intelligence, Modelling and Simulation. https://doi.org/10.1109/cssim.2009.34
5. Hughes, M. (2019, September 27). Council Post: What Does The Next Generation Of Smart Cities Look Like? Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/09/27/what-does-the-next-generation-of-smart-cities-look-like/
6. Columbus, L. (2018, June 6). 10 Charts That Will Challenge Your Perspective Of IoT's Growth. Retrieved from https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-willchallenge-your-perspective-of-iots-growth/
7. Tola, K. (2020, March 3). Council Post: A Cyber View Of Smart Cities. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2020/03/03/a-cyber-view-of-smart-cities/
8. Internet of Things (IoT). (2020, February 3). Retrieved from https://www.nist.gov/topics/internet-things-iot
9. Internet of Things (IoT). (2019, January 31). Retrieved from https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot
10. Guide for Conducting Risk Assessments, SP 800-30 Revision 1, NIST, 2012.
11. Alberts, C., Allen, J., and Stoddard, R. (2012). Risk-Based Measurement and Analysis: Application to Software Security. Carnegie Mellon University.
12. Ziegler, S., Rolim, J., and Nikoletsea, S., "Internet of Things, Crowdsourcing and Systemic Risk Management for Smart Cities and Nations: Initial insight from IoT Lab European Research project," 2016 30th International Conference on Advanced Information Networking and Applications Workshops (WAINA), 2016, pp. 611–616, https://doi.org/10.1109/WAINA.2016.177
13. ISO 31000 - Risk management. (2020, March 12). Retrieved from https://www.iso.org/iso31000-risk-management.html
14. Hara, M., Nagao, T., Hannoe, S., and Nakamura, J. New Key Performance Indicators for a Smart Sustainable City. Sustainability 2016, 8, 206.
15. Giambona, E., Graham, J. R., and Harvey, C. R. The management of political risk. J Int Bus Stud 48, 523–533 (2017). https://doi.org/10.1057/s41267-016-0058-4
16. Gupta, K., Zhang, W., and Hall, R. P. (2021). Risk priorities and their co-occurrences in smart city project implementation: Evidence from India's Smart Cities Mission (SCM). Environment and Planning B: Urban Analytics and City Science, 48(4), 880–894. https://doi.org/10.1177/2399808320907607
17. Ullah, F., Qayyum, S., Thaheem, M. J., Al-Turjman, F., and Sepasgozar, S. (2021). Risk management in sustainable smart cities governance: A TOE framework. Technological Forecasting and Social Change, 167, 120743. https://doi.org/10.1016/j.techfore.2021.120743
18. Carias, J. F., Borges, M. R. S., Labaka, L., Arrizabalaga, S., and Hernantes, J., "Systematic Approach to Cyber Resilience Operationalization in SMEs," IEEE Access, vol. 8, pp. 174200–174221, 2020, https://doi.org/10.1109/ACCESS.2020.3026063
19. Otway, H. and von Winterfeldt, D. (1992). Expert Judgment in Risk Analysis and Management: Process, Context, and Pitfalls. Risk Analysis, 12: 83–93. https://doi.org/10.1111/j.1539-6924.1992.tb01310.x
20. Radanliev, P., De Roure, D. C., Maple, C., Nurse, J. R., Nicolescu, R., and Ani, U. Cyber Risk in IoT Systems. Preprints 2019, 2019030104. https://doi.org/10.20944/preprints201903.0104.v1
21. ISACA. Steps in a risk management. Retrieved from https://www.isaca.org/resources/newsand-trends/isaca-now-blog/2018/key-steps-in-a-risk-management-metrics-program
22. Suroso, J., Januanto, A., and Retnowardhani, A., "Risk Management of Debtor Information System At Bank XYZ Using OCTAVE Allegro Method," 2019 International Conference on Electrical Engineering and Informatics (ICEEI), 2019, pp. 261–265, https://doi.org/10.1109/ICEEI47359.2019.8988890
23. Setiawan, H., Putra, F. A., and Pradana, A. R., "Design of information security risk management using ISO/IEC 27005 and NIST SP 800-30 revision 1: A case study at communication data applications of XYZ institute," 2017 International Conference on Information Technology Systems and Innovation (ICITSI), 2017, pp. 251–256, https://doi.org/10.1109/ICITSI.2017.8267952
24. Henriques, D., Pereira, R., Scalabrin Bianchi, I., Almeida, R., and Mira da Silva, M. (2020). How IT Governance can assist IoT project implementation. 8, 25–45. https://doi.org/10.12821/ijispm080302
25. Traoré, M., and Yamamoto, S., "Healthcare Cloud Ecosystem Risk Analysis and Modeling: A FAIR Approach—A Case Study of Arterys TM on AWS," 2018 7th International Congress on Advanced Applied Informatics (IIAI-AAI), 2018, pp. 841–844, https://doi.org/10.1109/IIAIAAI.2018.00171
26. Fernandez, A., and Garcia, D. F. (2016). Complex vs. simple asset modeling approaches for information security risk assessment: Evaluation with MAGERIT methodology. 2016 Sixth International Conference on Innovative Computing Technology (INTECH). https://doi.org/10.1109/intech.2016.7845064
27. Radanliev, P., De Roure, D. C., Nurse, J. R. C., Mantilla Montalvo, R., Cannady, S., Santos, O., Maddox, L., Burnap, P., and Maple, C. (2020). Future developments in standardisation of cyber risk in the Internet of Things (IoT). SN Applied Sciences, 2(2). https://doi.org/10.1007/s42452019-1931-0

Chapter 4

Decision-Making Based on Risk Assessment on Smart Cities

4.1 Modeling Smart City for Decision-Making

A smart city brings innovation and connects government, industry, and citizens through data with a wealth of information. In contrast, cybersecurity has raised concerns about data privacy and threats to smart city systems. An analysis of the various definitions of smart cities found that technology is a constant element. For instance, the Institute of Electrical and Electronics Engineers (IEEE) envisions a smart city that brings together technology, government, and society to enable smart features in the economy, mobility, environment, people, living, and governance. TechTarget describes a smart city as a municipality that uses information and communication technologies to share information with the public, boost operational efficiency, and enhance the quality of government services and citizen welfare. Sivrikaya mentions that the smart city presents the following challenges [1]:

• Functionality: All information needed by smart city services has to be accessible.
• Heterogeneous environment: The domain of a smart city consists of several subdomains. The data model needs to respond to a requester from a different domain.
• Dynamic environment: The environment is permanently changing; this means that the data model used has to be dynamic.
• Huge number of devices: There are thousands of devices or services in a city-scale environment.

4.1.1 Digital Twin

Cities are complex systems that connect economic, environmental, and social dynamic elements. According to Dembski et al. [2], complex systems include innovative and technological concepts, such as car-sharing and autonomous driving, decentralized smart energy grids, smart homes, or the digitization of administration tasks. A digital twin is associated with producing a parallel virtual version of the smart city that replicates the integration of humans, infrastructure systems, and technology. According to Mohammadi and Taylor [3], the connectivity and analytical capabilities enabled by IoT are the base for the cognitive development of smart city digital twins. IoT allows the convergence of the physical and virtual worlds; by applying machine learning algorithms to the data provided by IoT solutions, the digital twin tries to model behaviors in order to detect anomalies and predict failures. Batty mentions that numerous studies define a digital twin as a “cyber-physical integration” that can mirror real-world things with the same fidelity. On the other hand, the digital twin is considered the forefront of the Industry 4.0 revolution because it allows real-time decisions. Moreover, the potential for digital twins within a smart city is associated with rapid developments in connectivity through IoT. As a result, the digital twin has been included in Gartner’s top ten strategic technology trends since 2017 [4]. According to the Smart Cities World community, digital twins connect spatial modeling of the urban built environment, modeling of electrical and mechanical systems based on deep-learning-informed training or mathematical descriptions, and real-time sensor data derived from IoT platform solutions [5]. Among the advantages of modeling are cost savings, enhanced services for citizens, operational efficiencies, preventive maintenance, raised safety and security, and the inherent feasibility of automated generative design. Digital twins can be employed for decision support, operator training, process control and monitoring, predictive maintenance, product development, real-time analytics, and behavior simulation [6].

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. R. O. Andrade et al., Cybersecurity Risk of IoT on Smart Cities, https://doi.org/10.1007/978-3-030-88524-3_4
Some sectors that have considered the use of digital twins are healthcare, maintenance, and urban sustainability. Three main components constitute a digital twin (see Fig. 4.1):

• Physical environment, which includes physical objects like human resources, cars, or buildings.
• Virtual environment, which includes the virtualization model of the system or physical object.
• Connections of data between the physical and virtual environments.

Fig. 4.1 Digital twin components

Data is collected from sensors on physical objects, and then the data is processed using cognitive computational techniques; next, the virtualization model is built based on the behaviors or patterns detected in the data. The main objective of a digital twin is to establish a decision context. There are four areas for decision-making in a digital twin [7]:

1. Knowledge representation: classifying and cataloging unstructured data using cognitive computing techniques.
2. Intelligent decisions: artificial intelligence (AI) can add context to these internal and external data sources and monitor processes.
3. Autonomous execution: AI identifies values and thresholds for specific decision points based on past data for automated decision-making.
4. Enhanced assistance: multiple channels can allow users to interact with intelligent knowledge bases and derive value from the automated processes.

The Industrial Internet of Things (IIoT) utilizes digital twins for implementation in the manufacturing industry. IoT systems can be controlled and optimized throughout their data lifecycle:

• Data from the manufacturing systems
• Data from Internet/users
• Data from manufacturing

A digital twin generates a virtual environment that can replicate an infinite number of scenarios. The simulated data is propagated and perpetuated through continuously embedded AI algorithms to establish the best decisions for specific scenarios [8]. With the introduction of AI, autonomous systems could learn from observation and experience and build surrogate models of their environment to predict events and optimize decisions, for instance, using reinforcement learning (see Fig. 4.2). Additionally, digital twins contain much information; however, they will be incomplete and imperfect. On the other hand, current risk models could be computationally heavy to run in real time during operation, or they do not capture the dynamics of risk for operational decisions due to a lack of the necessary level of detail. Establishing a dynamic risk model that can manage the lack of information and uncertainties under this context is essential. Boje et al. [8] mention that a digital twin implementation could represent a fully semantic digital twin, leveraging acquired knowledge with the use of AI-enabled agents. On the other hand, Tundis modeled Bayesian network mapping rules from SysML/UML platform-independent models to risk analysis platform-dependent models. Information systems could be modeled using UML diagrams [9].

Fig. 4.2 Artificial intelligence applied to digital twin

This subsection defines one approach to modeling a smart city and determining its nodes and relationships. Dembski et al. [2] mention that cities are complex systems connected to economic, environmental, and social conditions and their changes. Additionally, they are also characterized by the perceptions and interests of citizens and stakeholders. Tremendous efforts have been made to build city information models for encoding city objects and relations and supporting decision-making. A knowledge base with vocabularies and ontologies is required to manage the information diversity and overload [10]. Austin et al. [11] mention that a digital twin is a cyber representation of a physical system in real time, through monitoring and synchronization of data with events. According to Austin, the implementation of smart city digital twins is complicated by the many physical, cyber, social, and natural domains and the difficulty of defining semantics and rules for their interaction. When faced with the challenge of representing a complex socio-technological system, the use of OWL models is a critical step to ensure correct alignment among multiple domains such as actors, sensors, management workflows, web resources, and BIM model data, among others. Petrova-Antonova et al. [10] propose that digital city modeling follows the concept of a digital twin for providing data-driven decision-making. According to the proposal of Petrova-Antonova, the city consists of ENTITIES and performs different FUNCTIONs, summarized as follows:

1. An ENTITY could be an OBJECT or an ACTOR.
2. ENTITIES have a STATE.
3. ACTORs have GOALs.
4. A GOAL can be quantified using INDICATORs.
5. An ACTOR can perform ACTIONs.
6. FUNCTIONs are used by a GROUP of ACTORs.
7. FUNCTIONs can be grouped into SERVICEs.
8. SERVICEs can be supported by a PROCESS.
9. ENTITIES participate in a PROCESS.
10. A PROCESS consists of EVENTs.
11. ACTIONs can change the STATE of an ENTITY and impact it.

Some OBJECT instances are a car, a SCADA system, or a traffic light; an ACTOR is a driver or an analyst; and FUNCTIONs are water and energy supply, waste collection, and traffic control. The EVENTs are recorded according to the Vocabulary for Event Recording and Incident Sharing (VERIS).

4.2 Modeling the Prediction of Cyber Risk

The development of rigorous methods to evaluate cyber risk could minimize the effects of cyber-attacks and support the management of uncertainties, improving the smart city’s cybersecurity posture and ensuring its long-term resilience. Wu et al. [12] mention that vulnerabilities are severe security threats that an attacker can misuse to obtain unapproved access to the system. Additionally, an attacker can strike additional hosts due to the inter-dependency among vulnerabilities. Moreover, Wu indicates that the attack success is the likelihood that (1) the vulnerabilities are successfully exploited and (2) the vulnerability susceptibility depends on factors such as complexity, exploitability, and remediation level (see Eq. (4.1)):

$$P_i = \frac{Ac_i \times Av_i \times PR_i / RE_i}{\sum_{i=1}^{m} \left( Ac_i \times Av_i \times PR_i / RE_i \right)} \qquad (4.1)$$

where
• Ac denotes attack complexity;
• Av denotes the attack vector; it reveals the context in which vulnerability exploitation is probable;
• PR denotes the required privileges; it defines the level of privileges an attacker must hold;
• RE denotes the remediation level.

The main objective of the attacker is to damage the control systems [13]; therefore, the attacker must follow these actions:
1. Infiltrate the field network.
2. Invalidate system functions.
3. Provoke incidents.

The big issue with this kind of cyber-attack in the smart city context is its capability to generate a systemic risk event.


According to Renn et al. [14], the four major components for dealing with systemic risk are complexity, uncertainty, ambiguity, and ripple effects beyond the source of risk. The systemic crisis context considers two main phases: (1) the quiet phase and (2) the crisis phase. The inclusion of cognitive sciences (fuzzy engineering, Bayesian networks, convolutional networks) in cybersecurity could be considered in order to evaluate and predict attacks, threats, and risks in a more adaptive and dynamic way [15]. One model widely used to represent cause–effect relationships is the Bayesian network.

4.3 Bayesian Network for Risk Analysis

Tundis et al. [9] mention that a growing interest in system risk analysis is the capability of showing the interdependence of the system under analysis with other systems and their interactions. Moreover, Tundis indicates that each entity of a system subject to systemic risk is itself a complex and heterogeneous network. Any network shock could be propagated in a non-uniform way, and its speed depends on both exogenous and endogenous amplification factors. According to Tundis, modeling systemic risk is complicated because it needs to represent risk in both its dynamic and static characteristics. Tundis proposes developing a systemic risk analysis using Bayesian networks (BNs) based on goal diagrams. According to Tundis, the BN can describe the probabilistic relationships between faults/causes and failures/consequences. A probability function is used to associate each node with a particular set of values. Bayesian networks (BNs) are also known as acyclic graph models or belief networks. A BN is a probabilistic model that connects a set of random variables and their dependency relationships. These models use Bayesian inference, estimating the posterior probability of the unknown variables based on the known variables. BNs are a powerful form of machine learning that helps decrease these models’ false-positive rates. The BN could establish models of attack knowledge and employ them to predict upcoming attacks and determine the risk [16, 17]. Likewise, a BN can be used to evaluate the connectivity risk of protected core networking [18]. A risk assessment approach for telecommunication networks utilizing a BN is introduced in [19] to examine the impact of attacks on the workflow. Zhang et al. [20] introduced a dynamic risk assessment using a Fuzzy Probability Bayesian Network (FPBN) approach.

Information Risk Factor Analysis (FAIR) is one of the most traditional models for the quantitative assessment of cybersecurity risks; Wang et al. [21] proposed a more flexible alternative approach (FAIR-BN), which implements the FAIR model using BNs. Zhu et al. [22] proposed a BN to analyze the spread of an attack over time and the consequences of the cyber-attack on the industrial production process. Both proposals focused on evaluating dynamic cybersecurity risk quantitatively. The BN is emphasized as a risk management tool for the financial sector due to its significant contributions to the definition of probabilistic conditions of inference, with comprehensive management of variables, which can be used to enhance the efficiency of cyber-attack detection systems.

Definition. Let G = (V, E) be a directed acyclic graph, where V is a set of nodes and E is a set of edges. Then let X = (X_i)_{i ∈ V}, where the random variable X_i is represented by the node i ∈ V. The joint probability assigned to the nodes can be expressed as

$$p(x) = \prod_{i \in V} p\left(x_i \mid x_{pa(i)}\right), \qquad (4.2)$$

where pa(i) denotes the parents of node i. Moreover, for any set of random variables, their joint probability can be obtained by the chain rule

$$p(x_1, \ldots, x_K) = p(x_K \mid x_1, \ldots, x_{K-1}) \cdots p(x_2 \mid x_1)\, p(x_1). \qquad (4.3)$$
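As an added example (not the book's code), the following Python evaluates Eq. (4.2) for a small BN over this chapter's node names, the technology nodes IoT, BD, Cloud, and AI feeding the Smart Traffic node ST of Table 4.6, and answers queries by enumeration, including with partial evidence; the edges among the technology nodes and every CPT number are constructed assumptions.

```python
"""Discrete Bayesian network evaluated with the factorization of Eq. (4.2).

The node names follow this chapter's smart-city model: four technology-domain
nodes (IoT, BD, Cloud, AI) and one city-service node, Smart Traffic (ST).
Every node is Boolean: False = no attack (state 1), True = attack (state 2).
All probabilities below are CONSTRUCTED for illustration, not the book's data.
Added example; this is not the book's or any project's code.
"""
from itertools import product

# Topological order: every node appears after its parents.
NODES = ["IoT", "BD", "Cloud", "AI", "ST"]
PARENTS = {
    "IoT": [],
    "BD": ["IoT"],
    "Cloud": ["IoT"],
    "AI": ["BD", "Cloud"],
    "ST": ["IoT", "BD", "Cloud", "AI"],
}


def _st_attack_prob(iot, bd, cloud, ai):
    """Constructed noisy-OR table for P(ST = attack | parents): each compromised
    parent independently has a chance of disrupting traffic control, plus a
    small background rate when no parent is compromised."""
    p_no_attack = 1.0 - 0.05                       # background leak 0.05
    for compromised, strength in ((iot, 0.70), (bd, 0.35),
                                  (cloud, 0.40), (ai, 0.50)):
        if compromised:
            p_no_attack *= 1.0 - strength
    return 1.0 - p_no_attack


# CPT[node][parent_values] = P(node = True | parent_values).  Constructed.
CPT = {
    "IoT": {(): 0.30},
    "BD": {(False,): 0.10, (True,): 0.55},
    "Cloud": {(False,): 0.15, (True,): 0.60},
    "AI": {(False, False): 0.05, (False, True): 0.40,
           (True, False): 0.45, (True, True): 0.80},
    "ST": {vals: _st_attack_prob(*vals)
           for vals in product([False, True], repeat=4)},
}


def local_prob(node, value, assignment):
    """p(x_i | x_pa(i)): one factor of Eq. (4.2), read from the node's CPT."""
    key = tuple(assignment[p] for p in PARENTS[node])
    p_true = CPT[node][key]
    return p_true if value else 1.0 - p_true


def joint(assignment):
    """Eq. (4.2): the joint probability is the product of the local factors."""
    p = 1.0
    for node in NODES:
        p *= local_prob(node, assignment[node], assignment)
    return p


def total_probability():
    """Sanity check: the joint over all 2^5 assignments must sum to 1."""
    return sum(joint(dict(zip(NODES, vals)))
               for vals in product([False, True], repeat=len(NODES)))


def posterior(query, evidence):
    """P(query = True | evidence) by enumeration.  Nodes absent from `evidence`
    are summed out, so partial observations (missing data) are handled; as the
    chapter notes, BN reasoning does not require complete information."""
    hidden = [n for n in NODES if n != query and n not in evidence]
    num = den = 0.0
    for q in (False, True):
        for vals in product([False, True], repeat=len(hidden)):
            a = dict(evidence)
            a[query] = q
            a.update(zip(hidden, vals))
            p = joint(a)
            den += p
            if q:
                num += p
    return num / den


if __name__ == "__main__":
    print("sum of joint:", round(total_probability(), 6))
    print("P(ST attacked | nothing observed):", round(posterior("ST", {}), 3))
    print("P(ST attacked | IoT and AI attacked):",
          round(posterior("ST", {"IoT": True, "AI": True}), 3))
    # Diagnostic direction: which parent is most likely compromised given ST?
    for parent in PARENTS["ST"]:
        print(f"P({parent} attacked | ST attacked) =",
              round(posterior(parent, {"ST": True}), 3))
```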

Dynamic Bayesian networks (DBNs) are a temporal extension of BNs that allows dynamic processes to be modeled. According to Onisko et al. [23], missing data is the most challenging issue in developing a dynamic model. Nevertheless, there are several ways to handle this difficulty, such as using an additional state to represent missing values. Onisko mentions that reasoning algorithms for BNs do not require complete information. Moreover, the posterior probability distribution over a variable under analysis can be derived given any subset of possible observations. Sequential or temporal information appears in many areas of engineering and science. On the one hand, analyzing the data to predict future data may be of interest. On the other hand, analysis of the complete data sequence may also be necessary to identify patterns. This analysis can be carried out using Dynamic Bayesian Networks, a particular type of Bayesian Network specifically designed to model time series. Ayele et al. [3] mention that DBNs are simply BNs for modeling temporal dependencies and/or time series structures. Simple BNs do not consider changes in time, and they cannot handle time-variant operating environments. DBNs are more innovative tools for handling time-dependent risk scenarios. The following steps are proposed to build DBNs:

1. Transform the indicator factors into a Markov chain process.
2. Define the discrete nodes’ states.
3. Designate a marginal probability table (MPT) for discrete root nodes and a conditional probability table (CPT) for the other discrete nodes.
4. Calculate the discretized conditional probability distributions (CPDs) of each continuous node.
5. Select a prior probability distribution for the defined system.
6. Construct the likelihood function, considering the system failure rate data.
7. Learn the DBN.
8. Compute the probabilistic inference (i.e., the posterior distribution).


Some relevant aspects related to building DBNs that are mentioned by Ayele are the following:

1. A continuous variable (node) can take on a value between any other two values. Commonly, two approaches are used for managing continuous variables: static and dynamic discretization. The former needs to split the total range of the continuous variable into a finite number of intervals, while the latter provides fine-grained discretization in the regions that contribute notably to the structure of the density functions.
2. The representation of a real-world problem by a DBN structure often needs the introduction of several nodes, and in such cases, conditional probabilities cannot be determined precisely for all nodes. This process is based on expectation–maximization.

According to Frigault et al. [15], a model based on DBNs could be used to incorporate temporal factors; this graphical model is used for probabilistic inferences in dynamic domains and permits users to monitor and update the system as time progresses and even predict other system behaviors [24]. Besides, they explain that in a standard DBN model the system is represented as a sequence of BNs. Each BN represents a time interval of the DBN corresponding to a given instant of time. Furthermore, the DBN will have arcs between specific vertices of consecutive time slices. Therefore, the Markovian property can be assumed to be satisfied in a DBN model, and the vertices can be classified as either observable or unobservable. The values of observable vertices are known beforehand during the analysis process, whereas those of unobservable vertices are not available but can be inferred. A DBN is an extension of BNs in which random variables evolve over time [25]. Figure 4.3 illustrates an example of a DBN with two variables, x_t and y_t, where the instant of time is denoted by t. DBNs can contain two kinds of variables: observations, represented by a square, and hidden variables or state variables, represented by a circle.

Fig. 4.3 HMM model DBNs [25]

In DBNs, the system’s state depends only on the previous instant and the current observations (Markovian property). The DBN in Fig. 4.3 models a Hidden Markov Model (HMM), which is the simplest type of DBN: it contains a single discrete state variable and a single observation. However, DBNs are a more generic model. They may contain more variables, and the state variables may not be directly dependent on the observation. Given the topology of Fig. 4.3, the factorization of the DBN at time T is

$$P(X, Y) = \prod_{t=1}^{T} p(x_t \mid x_{t-1}) \prod_{t=0}^{T} p(y_t \mid x_t)\, p(x_0).$$

Therefore, to specify a DBN, you need to define:
• Transition probability p(x_t | x_{t−1})
• Probability of observation p(y_t | x_t)
• Initial state probability p(x_0)

The inference problem in DBNs consists of calculating p(X^T | Y^T), where Y^T = {y_0, y_1, …, y_T} denotes a finite set of observations and X^T the set of corresponding hidden variables. Let α_t(x_t) be the joint probability of all observations and states up to time t:

$$\alpha_t(x_t) = p(y_t \mid x_t) \sum_{x_{t-1}} p(x_t \mid x_{t-1})\, \alpha_{t-1}(x_{t-1}),$$

with the initial condition α_0(x_0) = p(x_0). To calculate the most probable value of the hidden variable in the next instant, given the observations, Bayes’ theorem needs to be applied:

$$p\left(x_{t+1} \mid Y^t\right) = \frac{\sum_{x_t} p(x_{t+1} \mid x_t)\, \alpha_t(x_t)}{p(y_t)}.$$

4.3.1 Experiment

Based on economic, environmental, and social aspects, the smart city could consider aspects such as the resilience of its components, so as to be able to continue its operations despite adverse events, or the effect on the privacy of information of a sensitive or personal nature, which may generate atypical operation of city services (see Fig. 4.4). Operability, resilience, and privacy are supported by physical and technological infrastructures (CPS), so the risk assessment must consider these two infrastructures. Therefore, the metric should allow a specific value to be evaluated; in the case of the smart city regarding cybersecurity, we propose, based on the qualitative analysis in this study, three axes (see Fig. 4.5):

Fig. 4.4 Cyber risk metrics on smart city domain

Fig. 4.5 Risk metrics based on smart city axes

• Continuity of operations: the normality of operations to provide the services of the smart city.
• Resilience: the capability of the smart city to respond to adverse events. Cyber-resilience is the capability to respond to cyber incidents, breaches, and DDoS attacks.
• Privacy: protecting sensitive information about the city and its citizens.

According to MITRE, some strategies for the design of cyber-resilience focus on [26]:
• Focus on common critical assets.
• Support agility and architect for adaptability.
• Reduce attack surfaces.
• Assume compromised resources.
• Expect adversaries to evolve.

Based on these criteria, it is possible to establish risk metrics for the IoT environment in the smart city context. For example, a possible metric for the “Reduce attack surfaces” criterion could be the number of entry and exit points identified in the attack surface of the smart city.

To evaluate the security of the smart city, we propose a quantitative assessment based on the weights assigned to each of the three domains considered for the preparation of the KPIs of the smart city, i.e., economy, environment, and society. We have also considered the technology and physical infrastructure domains as factors for the evaluation. Therefore, we propose the security of the smart city as

$$W_{SC} = f_1 \cdot W_E + f_2 \cdot W_F + f_3 \cdot W_S + f_4 \cdot W_T + f_5 \cdot W_P,$$

where W_SC is the security weight of the smart city, W_E is the weight assigned to the environmental aspect, W_F is the weight assigned to the economic aspect, W_S is the weight assigned to the social aspect, W_T is the weight assigned to the technological aspect, and W_P is the weight assigned to the physical infrastructure domain. Additionally, the calculation of W_SC includes the level of contribution of each weight, defined as f_1, f_2, f_3, f_4, and f_5; these values were introduced because one city could consider the economic impact more relevant than the social one, while another could consider the environmental component more important than the other aspects. The city officials estimate the level of contribution of the f factors. The contribution of the experts can produce fuzzy (imprecise) information and, in some cases, may lack complete information, so we face uncertainty of the epistemic type [27]. In this respect, it is essential to avoid subjectivity [28]. If there is incomplete information, the use of the fuzzy Delphi technique could be considered [29]. For modeling a smart city, we follow the structure in [30]. A risk index is introduced to identify the vulnerability of the distribution system under study to cyber-attack, and this index is calculated as

$$RI = V \cdot C,$$

where V denotes the probability of the vulnerability used to initiate a successful attack and C indicates the outcomes produced by the attack.

Given that a dynamic network is used, according to Wang et al. [31], we need to consider the matrix of Table 4.1 to build the DBN of Fig. 4.6 that models the components of a smart city.

Table 4.1 Probability of cyber-attacks on smart city (rows: state at time t; columns: state at time t + 1)

(t) time     Very high   High   Middle   Low   Very low
Very high    0.4         0.2    0.2      0.1   0.1
High         0.2         0.4    0.2      0.1   0.1
Middle       0.1         0.2    0.4      0.1   0.1
Low          0.1         0.1    0.2      0.4   0.2
Very low     0.1         0.1    0.2      0.2   0.4
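As an added example (not the book's code) that ties the forward recursion of Section 4.3 to Table 4.1, the following Python uses the table as the transition matrix p(x_t | x_{t-1}) of an HMM-type DBN, filters a constructed sequence of alert levels, and predicts the next state; the alert levels and the emission table p(y_t | x_t) are assumptions, since the chapter gives no observation model.

```python
"""Forward (alpha) filtering for the HMM-type DBN of Section 4.3, with the
transition matrix of Table 4.1 used as p(x_t | x_{t-1}).

Hidden state x_t: attack-likelihood level of a smart-city node (the five
states of Table 4.1).  Observation y_t: an alert level from monitoring.  The
book gives no observation model, so the alert levels and the emission table
p(y_t | x_t) below are CONSTRUCTED.  Added example, not the book's code.
"""

STATES = ["Very high", "High", "Middle", "Low", "Very low"]

# Table 4.1 as printed: row = state at t, column = state at t + 1.
TABLE_4_1 = [
    [0.4, 0.2, 0.2, 0.1, 0.1],   # Very high
    [0.2, 0.4, 0.2, 0.1, 0.1],   # High
    [0.1, 0.2, 0.4, 0.1, 0.1],   # Middle (as printed this row sums to 0.9)
    [0.1, 0.1, 0.2, 0.4, 0.2],   # Low
    [0.1, 0.1, 0.2, 0.2, 0.4],   # Very low
]


def row_normalize(matrix):
    """Turn every row into a proper distribution.  Without this the 'Middle'
    row of Table 4.1 would leak 10% of the probability mass at every step."""
    return [[v / sum(row) for v in row] for row in matrix]


TRANSITION = row_normalize(TABLE_4_1)

ALERTS = ["none", "some", "many"]
# Constructed p(y_t | x_t): the higher the attack likelihood, the more alerts.
EMISSION = {
    "Very high": [0.05, 0.25, 0.70],
    "High":      [0.15, 0.45, 0.40],
    "Middle":    [0.30, 0.50, 0.20],
    "Low":       [0.60, 0.30, 0.10],
    "Very low":  [0.80, 0.15, 0.05],
}


def forward(observations, prior=None):
    """Return p(x_t | y_0..y_t) for each t, computed with the recursion
    alpha_t(x_t) = p(y_t|x_t) * sum_{x_{t-1}} p(x_t|x_{t-1}) alpha_{t-1}(x_{t-1}).
    alpha_0 starts from p(x_0) as in the chapter; each alpha_t is rescaled by
    its sum (= p(y_t | y_0..y_{t-1})) so it stays a distribution and does not
    underflow on long sequences."""
    n = len(STATES)
    alpha = list(prior) if prior is not None else [1.0 / n] * n  # p(x_0)
    filtered = []
    for t, y in enumerate(observations):
        k = ALERTS.index(y)
        if t > 0:   # predict: propagate through p(x_t | x_{t-1})
            alpha = [sum(TRANSITION[i][j] * alpha[i] for i in range(n))
                     for j in range(n)]
        # update: weight by the likelihood of the observed alert level
        alpha = [EMISSION[STATES[j]][k] * alpha[j] for j in range(n)]
        z = sum(alpha)
        alpha = [a / z for a in alpha]
        filtered.append(alpha)
    return filtered


def predict_next(filtered_t):
    """One-step prediction p(x_{t+1} | Y^t) = sum_{x_t} p(x_{t+1}|x_t) alpha_t(x_t)."""
    n = len(STATES)
    return [sum(TRANSITION[i][j] * filtered_t[i] for i in range(n))
            for j in range(n)]


def most_likely(dist):
    """Name of the state with the highest probability."""
    return STATES[max(range(len(dist)), key=dist.__getitem__)]


if __name__ == "__main__":
    # Constructed alert sequence: a quiet period, then escalating alerts.
    alerts = ["none", "none", "some", "many", "many"]
    for t, (y, dist) in enumerate(zip(alerts, forward(alerts))):
        print(f"t={t} y={y:<4} -> {most_likely(dist):<9}",
              [round(p, 3) for p in dist])
    print("predicted level at t+1:", most_likely(predict_next(forward(alerts)[-1])))
```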

Fig. 4.6 BN of the smart city

The Bayesian network helps to visualize the state and connections of the nodes at all times, as shown in Fig. 4.6. For each time, the network is the same, but the temporal node will have different probabilities depending on the time (see Fig. 4.7). The following results have been obtained for each temporal node. These results indicate the probability with which the node referring to one of the aspects of the city (SO, ECO, ENV) presents an attack or not, knowing the information of all its parent nodes. The tables’ results were obtained from simulations. Table 4.2 shows the possible combinations of the parent nodes and the corresponding probabilities of the node that refers to the city’s social aspect, for all the times considered. The resulting probabilities indicate that it is very likely that this aspect will be violated if attacks are carried out on the parent nodes, because most of the probabilities of state 2 are greater than 50%. On the other hand, Table 4.3 shows the possible combinations of the parent nodes and the corresponding probabilities of the ECO node, which refers to the city’s economic aspect, for all the times considered. The resulting probabilities indicate that the behavior is maintained over time; that is, if the node has been violated at time t = 1, in subsequent times the probability that it will be violated again is similar to the probability presented at time t = 1, and likewise if the node is not violated. Finally, Table 4.4 shows the possible combinations of the parent nodes and the corresponding probabilities of the ENV node, which refers to the city’s environmental aspect, for all the times considered. This scenario changes, since if an attack co-occurs, the same thing will not necessarily happen later. From all the possible scenarios, it can be seen that the resulting information suggests that the node has a tendency to be attacked.

Fig. 4.7 DBN model of smart city

Now consider another example that includes the leaf nodes (temporal nodes); we have the scenario P(ECO(t = 1), ENV(t = 3), SO(t = 4) | IoT, Cloud). Table 4.5 shows the probabilities of the possible events at time t = 4 in the social field, knowing what happened in the environmental field at t = 3 and in the economic one at t = 1 and considering the parent nodes IoT and Cloud: it is improbable that the city has presented an attack, since the probabilities presented are very low in state 1 (no attack) and state 2 (attack). This result shows that if the economic and environmental domains are safe, the social domain also shows a high security level. On the other hand, if we calculate, for instance, P(ECO(t = 1), SO(t = 2) | BD, Cloud, AI, IoT), the model gives the result that if all the parent nodes are violated, there has been a failure in the economic aspect at time 1 and also a failure in the social aspect at time 2. In this sense, there is a relationship between the affectation of the economic and social domains and the affectation of the technological domain.

To observe a more specific scenario, we evaluate the probability that a Smart Traffic node (ST) of the city is attacked (state 2) or not attacked (state 1) based on the information about all its parent nodes, which are IoT, BD, AI, and Cloud. Table 4.6 shows the possible scenarios that can happen in the Smart Traffic node depending on whether the parent nodes are attacked or not. It is logical that if the attacker decides not to take any action, the probability that there is no attack on the ST node should be greater than 0.5, which is the case. In the opposite case, if the attacker manages to damage all the parent nodes’ systems, the probability of an attack on the ST node is high. Another interesting result of this table is that if the attacker decides to damage only the IoT and AI systems, the probability of an attack on the ST node is 82%. Thus, of all the possible combinations, it can be seen that the IoT nodes must mainly have been compromised for the ST node to present an attack. The modeling of the dynamic Bayesian network is interactive, allowing knowledge of the network with which one is working. The model can be improved if a priori information given by experts is considered. Since the nodes are of Boolean type, state 1 represents no attack on the node, and state 2 represents the existence of an attack. The current network can be improved by considering more states in the temporal nodes, as indicated by Wang et al. [31]. Based on the results of the simulations, the intention is to show the relevance of the security of IoT systems against attacks. For example, an attack on an IoT node could compromise a node of a traffic system or an entire city system. The effects are not only of an economic nature but can also have a social and environmental impact.

Table 4.2 Table of probability attacks in node SO

BD     AI     Cloud  IoT    SO(t+1)State1  SO(t+1)State2  SO(t+2)State1  SO(t+2)State2  SO(t+3)State1  SO(t+3)State2  SO(t+2)State1  SO(t+2)State2  SO(t+3)State1  SO(t+3)State2
False  False  False  False  0.417          0.583          0.455          0.545          0.667          0.333          0.417          0.583          0.636          0.364
False  False  False  True   0.5386         0.462          0.458          0.542          0.655          0.345          0.25           0.75           0.533          0.467
False  False  True   False  0.429          0.571          0.538          0.462          0.465          0.535          0.406          0.584          0.635          0.375
False  False  True   True   0.545          0.455          0.388          0.612          0.521          0.479          0.362          0.638          0.417          0.583
False  True   False  False  0.314          0.686          0.535          0.465          0.375          0.625          0.542          0.458          0.453          0.547
False  True   False  True   0.488          0.512          0.458          0.542          0.345          0.655          0.346          0.654          0.448          0.552
False  True   True   False  0.469          0.531          0.519          0.481          0.409          0.591          0.469          0.531          0.487          0.513
False  True   True   True   0.512          0.488          0.544          0.456          0.537          0.463          0.465          0.535          0.532          0.468
True   False  False  False  0.75           0.25           0.333          0.667          0.5            0.5            0.5            0.5            0.464          0.556
True   False  False  True   0.4            0.6            0.583          0.417          0.444          0.556          0.25           0.75           0.7            0.3
True   False  True   False  0.25           0.75           0.44           0.56           0.333          0.667          0.533          0.467          0.471          0.529
True   False  True   True   0.5759         0.425          0.452          0.548          0.364          0.636          0.31           0.69           0.485          0.515
True   True   False  False  0.261          0.739          0.304          0.696          0.227          0.773          0.429          0.571          0.5            0.5
True   True   False  True   0.605          0.395          0.613          0.397          0.567          0.433          0.579          0.421          0.519          0.481
True   True   True   False  0.424          0.576          0.467          0.533          0.383          0.617          0.362          0.638          0.516          0.484
True   True   True   True   0.475          0.525          0.538          0.462          0.39           0.61           0.341          0.659          0.348          0.652

Table 4.3 Table of probability attacks in node ECO

BD     AI     Cloud  IoT    SO(t+1)State1  SO(t+1)State2
False  False  False  False  0.8            0.2
False  False  False  True   0.515          0.485
False  False  True   False  0.375          0.625
False  False  True   True   0.389          0.611
False  True   False  False  0.486          0.514
False  True   False  True   0.495          0.505
False  True   True   False  0.463          0.537
False  True   True   True   0.441          0.559
True   False  False  False  0.625          0.375
True   False  False  True   0.353          0.647
True   False  True   False  0.19           0.81
True   False  True   True   0.435          0.565
True   True   False  False  0.353          0.647
True   True   False  True   0.6            0.4
True   True   True   False  0.327          0.673
True   True   True   True   0.317          0.683

Table 4.4 Table of probability attacks in node ENV

BD     AI     Cloud  IoT    SO(t+1)State1  SO(t+1)State2  SO(t+2)State1  SO(t+2)State2  SO(t+3)State1  SO(t+3)State2
False  False  False  False  0.471          0.529          0.533          0.467          0.6676         0.333
False  False  False  True   0.611          0.389          0.063          0.031          0.8            0.2
False  False  True   False  0.659          0.341          0.661          0.333          0.633          0.367
False  False  True   True   0.389          0.611          0.362          0.638          0.417          0.583
False  True   False  False  0.486          0.514          0.542          0.458          0.453          0.547
False  True   False  True   0.495          0.505          0.346          0.654          0.448          0.552
False  True   True   False  0.463          0.537          0.469          0.531          0.487          0.513
False  True   True   True   0.441          0.559          0.465          0.535          0.532          0.468
True   False  False  False  0.625          0.375          0.5            0.5            0.464          0.556
True   False  False  True   0.353          0.647          0.25           0.75           0.7            0.3
True   False  True   False  0.19           0.81           0.533          0.467          0.471          0.529
True   False  True   True   0.435          0.565          0.31           0.69           0.485          0.515
True   True   False  False  0.353          0.647          0.429          0.571          0.5            0.5
True   True   False  True   0.6            0.4            0.579          0.421          0.519          0.481
True   True   True   False  0.327          0.673          0.362          0.638          0.516          0.484
True   True   True   True   0.317          0.683          0.341          0.659          0.348          0.652

Table 4.5 Table of P(ECO(t = 1), ENV(t = 3), SO(t = 4) | IoT, Cloud)

BD     AI     Cloud  IoT    ECOFalse  ECOTrue  ENVFalse  ENVTrue  SO-False  SO-True
False  False  False  False  0.571     0.429    0.6       0.4      0.615     0.385
False  False  False  True   0.606     0.394    0.645     0.355    0.385     0.615
False  False  True   False  0.612     0.388    0.675     0.325    0.604     0.396
False  False  True   True   0.382     0.618    0.452     0.548    0.404     0.596
False  True   False  False  0.459     0.541    0.581     0.419    0.444     0.556
False  True   False  True   0.461     0.539    0.675     0.325    0.415     0.585
False  True   True   False  0.528     0.472    0.45      0.55     0.409     0.591
False  True   True   True   0.489     0.511    0.596     0.404    0.534     0.466
True   False  False  False  0.714     0.286    0.5       0.5      0.5       0.5
True   False  False  True   0.529     0.471    1         0        0.313     0.688
True   False  True   False  0.565     0.435    0.222     0.778    0.591     0.409
True   False  True   True   0.419     0.581    0.5       0.5      0.405     0.595
True   True   False  False  0.462     0.538    0.478     0.522    0.357     0.643
True   True   False  True   0.367     0.633    0.714     0.286    0.522     0.478
True   True   True   False  0.508     0.492    0.396     0.604    0.453     0.547
True   True   True   True   0.32      0.68     0.416     0.584    0.48      0.52

Table 4.6 Table of P(ST | IoT, BD, Cloud, AI)

BD     AI     Cloud  IoT    ST-False  ST-True
False  False  False  False  0.70      0.30
False  False  False  True   0.44      0.56
False  False  True   False  0.85      0.15
False  False  True   True   0.05      0.95
False  True   False  False  0.36      0.63
False  True   False  True   0.70      0.30
False  True   True   False  0.38      0.62
False  True   True   True   0.89      0.11
True   False  False  False  0.28      0.72
True   False  False  True   0.32      0.68
True   False  True   False  0.54      0.46
True   False  True   True   0.31      0.69
True   True   False  False  0.98      0.02
True   True   False  True   0.14      0.86
True   True   True   False  0.47      0.53
True   True   True   True   0.04      0.96


4.4 Summary

Cities are complex systems that connect economic, environmental, and social dynamic elements. The different infrastructures and services in the smart city's domains may present vulnerabilities and expose the smart city to cyber-attacks that compromise the confidentiality, integrity, and availability of the smart city. Digital twins can be applied to develop decision support, real-time analytics, and behavior simulation in a smart city context, which could support the modeling needed to detect cyber-attacks. Ecosystems, organizations, and information systems enhance their cybersecurity posture by reducing vulnerabilities; however, attackers exploit the vulnerabilities that remain to perform cyber-attacks. Security should be considered a key factor in the IoT environment, since a variety of devices communicate using multiple technologies. When heterogeneous devices interact, the security vulnerabilities of each device accumulate, and new security vulnerabilities may arise. IoT is a crucial element of the evolution of a smart city. In the upcoming years, billions of devices will be deployed and interconnected through IoT, as forecast by international consulting firms. However, it is worth noting that IoT is vulnerable to cybersecurity attacks; this would threaten the safety of smart cities. The combination of risk-based layered security with machine learning or data mining techniques could enhance the evaluation and measurement of the security level of IoT solutions adopted in smart cities.

References

1. Sivrikaya, F., Ben-Sassi, N., Dang, X.-T., Gorur, O. C., and Kuster, C. (2019). Internet of Smart City Objects: A Distributed Framework for Service Discovery and Composition. IEEE Access, 1–1. https://doi.org/10.1109/access.2019.2893340
2. Dembski, F., Wössner, U., Letzgus, M., Ruddat, M., and Yamu, C. (2020). Urban Digital Twins for Smart Cities and Citizens: The Case Study of Herrenberg, Germany. Sustainability, 12(6), 2307. https://doi.org/10.3390/su12062307
3. Mohammadi, N., and Taylor, J. E. (2017). Smart city digital twins. 2017 IEEE Symposium Series on Computational Intelligence (SSCI). https://doi.org/10.1109/ssci.2017.8285439
4. Gartner (2020). Top 10 Strategic Technology Trends for 2017: Digital Twins. [online] Available at: [Accessed 23 September 2020].
5. Smart Cities World (2020). The Rise of Digital Twins in Smart Cities. [online] Available at: [Accessed 21 September 2020].
6. Fuller, A., Fan, Z., Day, C., and Barlow, C. (2020). Digital Twin: Enabling Technologies, Challenges and Open Research. IEEE Access, 1–1. https://doi.org/10.1109/access.2020.2998358
7. Cronrath, C., Aderiani, A. R., and Lennartson, B. (2019). Enhancing Digital Twins through Reinforcement Learning. 2019 IEEE 15th International Conference on Automation Science and Engineering (CASE). https://doi.org/10.1109/coase.2019.8842888
8. Boje, C., Guerriero, A., Kubicki, S., and Rezgui, Y. (2020). Towards a semantic construction digital twin: Directions for future research. Automation in Construction, 114, 103179. https://doi.org/10.1016/j.autcon.2020.103179
9. Tundis, A., Garro, A., Gallo, T., Saccà, D., Citrigno, S., Graziano, S., and Mühlhauser, M. (2017). Systemic Risk Modeling and Evaluation through Simulation and Bayesian Networks. 1–10. https://doi.org/10.1145/3098954.3098993
10. Petrova-Antonova, D., and Ilieva, S. (2021). Digital twin modeling of smart cities. In Human Interaction, Emerging Technologies and Future Applications III, T. Ahram, R. Taiar, K. Langlois, and A. Choplin, Eds. Cham: Springer International Publishing, pp. 384–390.
11. Austin, M., Delgoshaei, P., Coelho, M., and Heidarinejad, M. (2020). Architecting Smart City Digital Twins: Combined Semantic Model and Machine Learning Approach. Journal of Management in Engineering, 36(4), 04020026. https://doi.org/10.1061/(asce)me.1943-5479.0000774
12. Wu, W., Kang, R., and Li, Z. (2015). Risk assessment method for cybersecurity of cyber-physical systems based on inter-dependency of vulnerabilities. 2015 IEEE International Conference on Industrial Engineering and Engineering Management (IEEM). https://doi.org/10.1109/ieem.2015.7385921
13. Zhang, Q., Zhou, C., Xiong, N., Qin, Y., Li, X., and Huang, S. (2016). Multimodel-Based Incident Prediction and Risk Assessment in Dynamic Cybersecurity Protection for Industrial Control Systems. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 46(10), 1429–1444. https://doi.org/10.1109/TSMC.2015.2503399
14. Renn, O. (2020). New challenges for risk analysis: systemic risks. Journal of Risk Research, 1–7. https://doi.org/10.1080/13669877.2020.1779787
15. Frigault, M., Wang, L., Singhal, A., and Jajodia, S. (2008). Measuring network security using dynamic Bayesian network. 23–30. https://doi.org/10.1145/1456362.1456368
16. Poolsappasit, N., Dewri, R., and Ray, I. (2012). Dynamic security risk management using Bayesian attack graphs. IEEE Transactions on Dependable and Secure Computing, 9(1), 61–74.
17. Xie, P., Li, J. H., Ou, X., Liu, P., and Levy, R. (2010). Using Bayesian networks for cyber security analysis. In Proc. IEEE/IFIP Int. Conf. on Dependable Systems and Networks (DSN), Chicago, IL, USA, pp. 211–220.
18. Wrona, K., and Hallingstad, G. (2010). Real-time automated risk assessment in protected core networking. Telecommunication Systems, 45(2–3), 205–214.
19. Szpyrka, M., Jasiul, B., Wrona, K., and Dziedzic, F. (2013). Telecommunication networks risk assessment with Bayesian networks. In Computer Information Systems and Industrial Management (LNCS 8104). Berlin, Germany: Springer, pp. 277–288.
20. Zhang, Q., Zhou, C., Tian, Y., Xiong, N., Qin, Y., and Hu, B. (2018). A Fuzzy Probability Bayesian Network Approach for Dynamic Cybersecurity Risk Assessment in Industrial Control Systems. IEEE Transactions on Industrial Informatics, 14, 2497–2506.
21. Wang, J., Neil, M., and Fenton, N. (2020). A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model. Computers and Security, 89.
22. Zhu, Q., Qin, Y., Zhou, C., and Gao, W. (2018). Extended multilevel flow model-based dynamic risk assessment for cybersecurity protection in industrial production systems. International Journal of Distributed Sensor Networks, 14.
23. Onisko, A., Druzdzel, M., and Austin, R. (2009). Application of Dynamic Bayesian Networks to Cervical Cancer Screening.
24. Mihajlovic, V., and Petkovic, M. (2001). Dynamic Bayesian Networks: A State of the Art. University of Twente.
25. Cabañas, R. (2011). Reconocimiento de gestos mediante Redes Bayesianas Dinámicas.
26. MITRE (2018). Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring. September 2018. Retrieved from https://www.mitre.org/publications/technical-papers/cyber-resiliency-metrics-measures-of-effectiveness-and-scoring
27. Sun, M., Zheng, Z., and Gang, L. (2018). Uncertainty Analysis of the Estimated Risk in Formal Safety Assessment. Sustainability, 10(2), 1–16.
28. Elahi, G., Yu, E., and Zannone, N. (2011). Security Risk Management by Qualitative Vulnerability Analysis. 2011 Third International Workshop on Security Measurements and Metrics. https://doi.org/10.1109/metrisec.2011.12
29. Dubois, D. (2010). The Role of Epistemic Uncertainty in Risk Analysis. Scalable Uncertainty Management, pp. 11–15.
30. Dai, Q., Shi, L., and Ni, Y. (2018). Risk Assessment for Cyber Attacks in Feeder Automation System. 2018 IEEE Power & Energy Society General Meeting (PESGM), Portland, OR, pp. 1–5. https://doi.org/10.1109/PESGM.2018.8586312
31. Wang, J., Fan, K., Mo, W., and Xu, D. (2016). A Method for Information Security Risk Assessment Based on the Dynamic Bayesian Network. 2016 International Conference on Networking and Network Applications (NaNA), Hakodate, pp. 279–283. https://doi.org/10.1109/NaNA.2016.50