New look at risk analysis in smart city (introducing the SECONOMICS project)
Scott CADZOW, C3L for i‐Tour, i‐SCOPE, SUNSHINE
What is a “Smart City”?
• “A city can be defined as ‘smart’ when investments in human and social capital and traditional (transport) and modern (ICT) communication infrastructure fuel sustainable economic development and a high quality of life, with a wise management of natural resources, through participatory action and engagement” (Caragliu et al. 2009).
Refining the definition
• "participatory action and engagement"
  – Implies give and take
  – Implies multiple stakeholders
• "The city is not a concrete jungle, it is a human zoo" [Desmond Morris, The Human Zoo]
• Cities are multi‐purpose
  – A centre of population, commerce, and culture;
  – a town of significant size and importance
Security problems in (smart) cities
• Research on security concerns (Eurobarometer) suggests that real worries in cities tend to be focussed on personal safety, privacy (loss of and infringement of), financial security, infrastructure availability, terrorism
• Macro problems
  – … the security we discuss in standards bodies tends to be focussed on micro solutions
Security and cities?
• Human and societal security
  – Of infrastructure
  – Of self
• What is the infrastructure of the smart city?
  – Open data? ICT? Transport?
• Who are my adversaries in the city?
The security cycle and complexity
• 1 variable, complexity level 1
• N variables, let’s call it complexity level N!
  – very rapid escalation in complexity as variables increase
[Figure: the security cycle, with stages Identify, Prevent, Respond, Prepare]
Risk and countermeasure
• ETSI’s TVRA approach classifies risk in 3 levels
  – Critical
    • Combination of likelihood and impact suggests the attack will happen and when it does it’ll be catastrophic
    • Always counter
  – Major
    • Attack may happen and its impact will be severe
    • Counter strongly recommended
  – Minor
ETSI’s TVRA
• Fits to well controlled environments
  – Communications channels
  – Finite State Machines (well designed ones)
  – Where the ToE can be isolated
• Doesn’t address motivation
  – Only calculable likelihood given tools, training, access
  – Only calculable impact on visible resources
Real world security
• Concerns motivation. First question asked by victims is often “Why?”
  – If we follow the smart city definition we have to be ready to answer this
• Basic ICT security is undermined by human error and laziness
  – Password selection? User name selection?
• Most people have faith that “it happens to other people”
Real world countermeasures
• Society expects security experts to protect them
  – A “secure” city will protect its citizens
• Society expects that if a problem or disaster happens that somebody will fix it
  – Resilience managed by the state?
Trust, privacy or security?
• A lot of today’s fears are centred on perceived loss of privacy
• Security of transactions not sufficient if all parties are not trusted
  – The PKI definition of trust doesn’t map to real people’s definition
The changing privacy landscape?
• Monetisation of PII
  – PII has always been a valuable commodity
  – PII is now a traded commodity
  – The traders may be the beneficiaries but may have limited liability relationships to the PII owner
• PII is pervasive and large
  – Data sets and behaviours are possibly bigger, certainly more visible than in the past
  – Data doesn’t die – it lingers (hard to kill off or deny)
The tools we use
• TVRA
  – The method defined by ETSI’s TS 102 165‐1
• Adversarial Risk Analysis
  – Methods developed in the SECONOMICS project
• Intelligent gaming
  – This is essential in building risk understanding with motivational factors taken into account.
  – Allows us to cope with the complexity problem that rises as the factorial of the number of variables
The role of ARA
• If I want to protect something how would an attacker break my defence?
  – Colluding attackers (think of a football team where there is only one goalkeeper but several attacking forwards and midfielders – if there was only one player allowed to score goals you’d just prevent the ball ever getting to him (DoS attack))
• Does my defence strategy and operations leak information about the system itself?
The outputs we expect …
• System policies
  – Limiting the human element to a set of controlled behaviours through training and regulation
• Identification and authorisation policies
  – As statements of intent and purpose
• Protection (and Crypto) framework
  – Ensuring that appropriate (cryptographic) capabilities exist to maintain and manage protection operations
The result we want to achieve
• Proof that all data and services acting on data do so in such a way that all data, and all processing, is essential within the privacy and security constraints set for the system
• Ensure that any action by the system or its users whilst connected to the system does not give rise to any increased risk to the user that would not exist if the system did not exist
  – Noting here that the provision of any new system modifies the behaviour of the systems in which it is deployed so the before/after risks may be incalculable or incomparable
Trust as root of privacy?
• Human nature builds trust over time
  – BFFs don’t appear at first sight
• Privacy is contextual
  – We “keep it in the family”, we “keep it in the workplace”, we “leave it on the sportsfield”
• People move between contexts
  – Should trust established in one context move with us?
Where is work being done?
• In SDOs
  – 3GPP, oneM2M, SmartM2M, HF, ITS …
  – All looking at sectors of the smart city opportunity
• In the Internet “App” and “Service” space
  – Routing apps, city apps, government apps …
• In EU Research
  – SECONOMICS et al
General Description
What
- Assess information and physical security threats
- Explore the challenges of pan-European coordination on the area
- Develop optimal mitigation policies based on the prior activities
Where - Critical infrastructures within a technological and socioeconomic context
Who - European Commission, European universities, and business
Whom - Decision-makers responsible for citizen’s security
Why - Assist decision-makers in identifying and reacting to future and emerging threats
When - From January 2012 to January 2015
How
- Synthesis of social and security sciences
- Utilization of recent advances in modelling technology
- Case studies
Outcome
- A general framework for security resource allocation relevant for critical infrastructures
- A computational toolkit that facilitates such a process to policy makers
- Showcases (best practice) of the framework and toolkit in relevant case studies
Work Packages: Case Studies
Group of Work Packages: Case Studies
- Identify security issues
- Assess the stakeholders
- Establish requirements
- Validate models and tools of Technical WPs.
Work Package Name and Partner:
• WP1 – Air Traffic Management. Partner: Deep Blue (Italy), Anadolu University (Turkey)
• WP2 – Critical National Infrastructure. Partner: National Grid (UK)
• WP3 – Urban Public Transport. Partner: ATOS (Spain), Transports Metropolitans de Barcelona (Spain)
Work Packages: Technical/R&D
Group of Work Packages: Technical/R&D
- Develop technical results (characterization of threats and rigorous socioeconomic methodologies), based on the Case Studies and tested on them.
Work Package Name and Partner:
• WP4 – Security and Society. Partner: Academy of Sciences of the Czech Republic
  • Identify public perception and attitudes toward risk and security
  • Estimate the public demand for security, and its value for them
• WP5 – Security Risk Models. Partner: Universidad Rey Juan Carlos (Spain)
  • Develop a method for modelling risk scenarios with adversaries and uncertainty (ARA and Game Theory)
• WP6 – Economics and Systems Models. Partner: University of Aberdeen (UK)
  • Integrate models of system architecture with macroeconomic models of policy maker preferences
  • Evaluate economic incentives that might mitigate or drive security issues
Work Packages: Integration and Project Management
Group of Work Packages: Integration
- Integration of the technical results.
Work Package and Partner:
• WP7 – Cross Mission Consolidation. Partner: Secure-NOK AS (Norway)
  • Gather user requirements from the Case Studies, and consolidate the results across them
  • Consolidate and generalize the technical results and compose them into a framework
• WP8 – Tool Support. Partner: Fraunhofer (Germany)
  • Provide a toolkit for policy decision making for optimal security resource allocation, through integrating the tools of the Technical WPs, tested in Case Studies and generalized in WP7
Group of Work Packages: Project Management
• WP9 – Outreach and Community Building. Partner: ATOS (Spain)
• WP10 – Project Management. Partner: Universita degli Studi di Trento (Italy)
SECONOMICS Value: Expanding the Scope in Security
Expanding the Security Scope allows an evolution:
Specific Security Scope
• Assume a simplification of the context
• Provide a partial solution that may not be effective in a wider security vision
Contextualized Security Scope
• Assess the [complex] context
• Provide a solution tailored to a wider security vision
SECONOMICS Value: Expanding the Scope in Security
Moreover, security activities have been expanding their scope continuously:
[Figure: stages of expanding security scope, listed from narrowest to widest]
• Protective Security: Isolated security activities (IT, Safety, Environment, …)
• Organizational Security Management, Risk Management, Incident Management, …: Less isolation (IT and Information, HSE, etc.)
• Security Governance, ERM, …: Security within the context of Organizational Resilience
• Societal Security Governance, Security as a public good: Organizations have an active part in Societal Security
SECONOMICS Value: Expanding the Scope in Security
SECONOMICS framework and toolkit will provide valuable guidance for critical infrastructure security through:
• Considering societal and security governance issues related to:
  • Social perceptions and attitudes toward risk and security
  • Role of motivation and its impact on risk and security
  • Influence of public policies on the social perception and risk motivation
• Improving the following processes:
  • Risk assessment from an economical point of view
  • Balancing security with policy, economics and other relevant social constraints
  • Quantifying positive and negative indirect cost of risk and security
Summary
• ETSI’s TVRA has allowed us to get good results
  – For our target telecommunications environment
  – For well defined ToE and adversary models
  – Fits well to existing Common Criteria model
• With some extensions it will continue to evolve
  – For new targets with loose ToE boundaries
  – Taking Design for Assurance to the next level
Acknowledgements
• SUNSHINE
  – This project is partially funded under the ICT Policy Support Programme (ICT PSP) as part of the Competitiveness and Innovation Framework Programme by the European Community (http://ec.europa.eu/ict_psp).
• i‐Tour
  – The research leading to these results has received funding from the European Commission’s Seventh Framework Programme (FP7/2007‐2013) under the Grant Agreement number 234239. The authors are solely responsible for it and that it does not represent the opinion of the Commission and that the Commission is not responsible for any use that might be made of information contained therein.
• i‐SCOPE
  – The project has received funding from the European Community, and it has been co‐funded by the CIP‐ICT Policy Support Programme as part of the Competitiveness and innovation Framework Programme by the European Community (http://ec.europa.eu/ict_psp), contract number 297284. The author is solely responsible for it and that it does not represent the opinion of the Community and that the Community is not responsible for any use that might be made of information contained therein
Questions