The Telecom Regulatory Authority of India, in a white paper on smart cities released on Tuesday, said that it is important to address cybersecurity issues that will arise due to the information exchange that takes place in such urban centres. The paper said that security issues can arise out of a lack of testing of components that go into a smart network, and poor data security of devices, among other things. It also said that the imminent National Cyber Security Strategy 2020 should take these issues into consideration and address them. It also recommended setting up a National Trust Centre, which will be responsible for testing devices in smart networks from a security perspective.

“The present cyber threat landscape poses significant challenges due to rapid technological developments such as Cloud Computing, Artificial Intelligence, Internet of Things, 5G, etc. New challenges include data protection/privacy, law enforcement in evolving cyberspace, access to data stored overseas, misuse of social media platforms, international cooperation on cybercrime and cyber terrorism, and so on. Threats from organized cybercriminal groups, technological cold wars, and increasing state sponsored cyber-attacks have also emerged. Further, existing structures may need to be revamped or revitalized. Thus, a need exists for the formulation of a National Cyber Security Strategy 2020,” TRAI said in the white paper.

Apart from that, TRAI also batted for bringing in standardisation in devices and protocols within a smart city infrastructure. In the white paper, titled ‘Smart Cities in India: Framework for ICT Infrastructure’, TRAI said that in the absence of any regulation or standards, non-standardised proprietary devices and solutions have come up in the market. These solutions have been created in “silos”, pose problems of interoperability, and prevent sharing of data amongst divergent applications, TRAI added. It also said that the current implementation practices of smart cities in India are rather “disjointed”, since most smart city programmes and projects are primarily local initiatives, and are considered just as technology projects.

Key security and privacy issues

Even though the government has put in place measures to check for an ill-intentioned bug or component in systems, they don’t offer a “high level of assurance if there is [an] intentional built-in mechanism meant to compromise security of system”, TRAI said. It noted that it is difficult to completely fool-proof a system, and there is a clear lack of infrastructure to test and certify high volumes. “It becomes even more challenging when majority of Indian companies import this equipment, which is seldom checked or just sample checked,” it added.

“Poorly secured IoT [Internet of Things] devices and services can serve as potential entry points for cyber-attack and expose user data to theft by leaving data streams inadequately protected,” TRAI said. This challenge is amplified by other considerations like the mass-scale deployment of homogeneous IoT devices, the ability of some devices to automatically connect to other devices, and the likelihood of fielding these devices in unsecure environments, it added.

Smart cities also pose a number of challenges to protecting Critical Information Infrastructure (CII), including a lack of visibility and classification of CII, and the lack of a standardised framework to identify and classify critical information infrastructure. There is also little knowledge about factors that can potentially impact critical information infrastructure. Apart from that, an inadequacy of relevant and workable information to help take decisions at the national level has also been seen.

The infrastructure mostly relies on SCADA (Supervisory control and data acquisition) systems, which allow industrial organisations to control industrial processes locally or at remote locations. However, there has been a “perceptible shift” towards running such smart applications on COTS (Commercial off-the-shelf) computing systems, running on an operating system which is either open source or commercial in nature. “Such systems traditionally run in client-server mode. These, in particular, need to be protected. All best practices relevant to a large IT base network will have to be incorporated,” TRAI said.

5G, wireless tech: other gaps and challenges

5G will be a key enabler of smart city projects in India; however, a major requirement for 5G network roll-out is the availability of a strong, reliable backhaul, which is high bandwidth at very fast speeds, but is currently “non-existent” in India. As 5G networks will have to support large volumes of data from emerging applications like IoT and smart cities, the requirement of a strong and reliable backhaul becomes a critical concern. Further, to support the 5G requirements for latency reduction (from 50ms to 1ms) and speed (from 100 Mbps to 20Gbps), fibre deployment in India needs to be increased from the current market of 16-18 million fibre kilometres per year to at least 50 million fibre kilometres per year.

Other gaps that TRAI identified:

  • Applications not optimised for wireless networks: Many smart city applications are poorly adapted for the constraints posed by wireless networks, TRAI said, as it noted that wireless communication is essential in bridging the digital divide, especially in rural areas. Protocols that manage the services and devices efficiently are essential if the promise of untethered applications is to be fulfilled. Another challenge is how mobile operators can deploy networks that efficiently serve populated areas with connectivity to various M2M devices, as well as rural areas that need both high speed data and M2M services.
  • Lack of standardisation: “True convergence is still eluding the evolved citizens of today’s super industrial society because of lack of harmonized standards” in the ecosystems of smart homes, smart buildings, and smart grids among other things. “The smart nodes of one network cannot talk to smart nodes of the other networks. Multitude of ‘proprietary systems/solutions’, or ‘systems/solutions with very limited interoperability’, are being deployed in each application area for today’s Home Automation, Building Automation, Industrial Automation, or even the Infrastructure Automation needs of the society (sic),” TRAI said. There is no common framework and architecture defined for the various physical infrastructures to be deployed in proposed smart cities, to work in an integrated, harmonised, and optimised manner.
    • Gaps in standards development: There is a lack of holistic efforts and pro-activity on the part of countries and equipment manufacturers to participate in standards development, which provides an open and democratic approach to product development and ensures compliance with regulatory and national testing procedures, TRAI said.
    • “The problem is not the lack of standards but the lack of understanding on relevance and usage of the right standard for Indian ecosystem. Internationally there are too many standards available and very often with duplicities, hence, these are required to be simplified and modelled for Indian Civic Infrastructure and Utilities. Utilities shall incorporate such standards, which are drafted by national organization,” it suggested.
  • Closed solutions: Currently available solutions are “extremely closed” with an ecosystem that is highly locked-in by vendors, where a single vendor owns the vertical application, platform, communication, services, and data. While convergence of technology, unified standards, and interoperability, are necessary to ensure customer-centric systems, open markets are essential for competitive, affordable, and sustainable solutions. “The existing ecosystem allows minimal or no flexibility. This leads to a high risk of a large-scale fragmentation, undermining the country’s ambitious goals,” TRAI said.
  • Inappropriate last mile solutions: Existing last mile technology for wireless sensor networks is undergoing rapid changes to meet radically lower levels of capital and operation costs, and much higher levels of reliability for mass usage in smart cities, TRAI noted. “We may need to contract wisely to encourage experimentation and migration to successful new approaches rather than get locked into a high cost solution such as the Dabhol Power Station,” it added.

TRAI’s recommendations to address security issues

Digital solutions are among the most complex and critical infrastructures of a modern digital society, serving as the backbone for its economic activities and security. It is, therefore, in the interest of the country to secure its operation against cyber-risks and threats, TRAI said, as it recommended having:

  • A concise yet comprehensive ‘National Cyber Security Strategy’ that sets clear, top-down directions to enhance the cyber resilience for the ecosystem
  • A separate ‘National Cyber Security Policy’ based on principles laid down in the ‘Strategy’
  • A crisis management plan for CII sectors at the National Critical Information Infrastructure Protection Centre

Since cloud computing will play a major role in smart cities, TRAI said that it should be mandatory to use data centres located in India to ensure unhindered lawful interception (as and when needed for national security reasons) and to maintain data sovereignty.

Machine to Machine (M2M) devices, a key part of smart networks, generate huge amounts of data, including data which can be personal in nature, TRAI said. One of the points where data security can be compromised is at the device layer itself. Hence, to ensure data protection, the “security by design” principle should be implemented, or, at the very least, “integrity by design”. M2M device manufacturers should also be regulated by rules of product safety, it suggested.

Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorised people, TRAI said. From a user safety standpoint, integrity is critical, and privacy of user data and fraud prevention may require confidentiality and additional mechanisms, it added.

Unique device identifiers, National Trust Centre: Other recommendations

To support the recommended cyber security strategy and policy, TRAI said it is important to set up a National Trust Centre (NTC), which will undertake the security testing and evaluation of devices, systems, networks, applications, software, firmware, and communication stacks, among other things, to make sure that these solutions are completely trustworthy. It said that the National Test Centre is being set up under the aegis of TEC, and will be “empowered by a comprehensive and granular Cyber Security and Trustworthiness Reference Architecture to address all the stakeholders’ concerns in a wholistic manner duly supported by granular Compliance Testing Framework and Test Labs ecosystem for total assurance to the stakeholders”.

TRAI also recommended that a National Charter of Trust — along the lines of the Charter of Trust, founded in 2018 by a group of tech companies such as IBM, Dell, and Cisco — be set up. “India needs its own National Charter of Trust,” to develop an ecosystem of trustworthy vendors that cities, utilities, and other critical national infrastructure agencies can trust absolutely, TRAI said.

Having a unique identity for every connected device

Any device in the smart city infrastructure could potentially be replaced with a rogue device that could provide access to the core of any network and infrastructure. To avoid such risks, each and every device that connects to the city or nation’s infrastructure must be securely identifiable through a “Unique Secure Identity”. At the same time, TRAI recommended allocating a unique address to each device connected in any network, which goes beyond the MAC address of network devices, or even the Unique Secure Identity.

Standardisation and Interoperability

It is essential to develop a standardised digital infrastructure with secure, reliable connectivity between government offices to improve the government’s efficiency and citizens’ digital access to services, thus positively impacting citizens’ perception of the government, TRAI said. The standardisation will have to happen at the basic system architecture level rather than at the final product level, as it can help in saving costs of ownership of any infrastructure. This will also enable “true interoperability” between different devices, as well as applications, while maintaining identity and access control. With standardisation, the sharing of data with “ensured security and privacy becomes a practical feasibility”. TRAI recommended:

  • To adopt the standards for “unified digital infrastructure” developed and being developed by standards development organisations (SDO), such as Telecommunications Standards Development Society, India (TSDSI), and the Telecom Engineering Center (TEC).
  • There is a need for consensus among the city administration, consulting companies, service companies, and technology companies on what components are necessary and how cities should approach having a standard and interoperable reference framework.

How standards can help:

  • Improving assessment and funding of smart/sustainable city initiatives with common agreed references and tools for stakeholders
  • Improving and facilitating procurement, especially of tailor-made solutions which are adaptable to different circumstances
  • Standards can contribute to lowering investments costs, facilitating integration with existing infrastructure, and controlling operational costs.

Non-standardised solutions will pose a risk as they will suffer from the following constraints:

  • Proprietary solutions will have proprietary maintenance and vendor lock-in
  • Upgradation and scalability will also be proprietary and hence costly
  • Replicability in other areas will be a challenge
  • Integration of various applications and information sharing will be a challenge
  • In disaster situations, it will be difficult to have integrated relief operations

Interoperability and compliance testing

Organisations and citizens of a city have a need to share data. At an operational level, systems can interoperate, and at a strategic level, information is used to manage the effective use of resources to bring about beneficial change. However, data is often labelled using language and terminology specific to the sector which is collecting the data. Each sector has its own models and terminologies that enable data to be discovered and understood within that sector, but these may form a barrier to interoperating with the terminology of other sectors. Interoperability features should be able to address this issue and achieve seamless interoperability among different ecosystems. It is critical to develop a comprehensive compliance testing scheme to ensure efficient testing of all the products, systems, and solutions for interoperability, TRAI said.

Smart cities: India vs elsewhere

“The perspective of Smart Cities is a little different in the developed nations from the developing nations like India,” TRAI noted. The smart city paradigm is about integration of all the utilities, infrastructure, and citizen services on a single platform and a unified dashboard for efficient, reliable, and resilient operation of the city. “In developed nations, when they started discussing the Smart City paradigm, most of their respective utilities were already smart, with their respective albeit siloed platforms and dashboards. Hence, what they needed was to just build/create another layer of IT Platform and dashboard to get all the data on this common platform and providing a unified, comprehensive, and user-friendly view of the O&M of the whole city. We in India have an opportunity to look at the Smart Infrastructure Design with a fresh perspective that shall be rather more relevant in the coming decades,” TRAI noted.

It added that India is primed for witnessing smart city initiatives because of unique Open Data integration with planning and execution of such projects, and a large and growing base of internet users and connected devices.