Smart City Transport: Security Challenges

One of the major investments in a Smart City would be in an integrated intermodal transport network which connects personal transport vehicles to the public systems of different kinds.

To understand the issues involved, a really smart city transport service means that the city bus service and the private taxi or auto services need to be connected to the railways, metro and air network, so that a person leaving his residence in his vehicle knows exactly how the transport network will get him to the airport in time. This network of transport vehicles needs to be connected to the traffic light system (including the VIP movement system, or privileged access system) to enable smooth vehicular movement. The GPS records of the movement need to be picked up, say with visuals from different CCTV cameras en route, processed in real time, and the decisions transmitted back to the grid. If an ambulance is on the way, it should be recognized and provided privileged access. If an accident happens, there needs to be intelligent rerouting, alerts to the hospital, etc.

The technologists will look at different components that will address these systems. However, the biggest challenge would be in working out the interoperability of different systems. Application level security may be guaranteed to some extent by the vendors of the systems, but the security challenges that may arise from the interconnection of one system to the other would be the responsibility of the network integrator. The decisions of such an integrator would conflict with the decisions of other functionaries as regards vendor choice, application choice etc. and are likely to introduce political and commercial hurdles.

The Smart City management team needs to be suitably empowered to take decisions on purchase of products and services by the City. In a way this is similar to what we say in a corporate scenario, where the CISO should have a say in hardware and software purchase but it does not happen as often as necessary. In the corporate scenario we try to overcome this hurdle with the formation of a high level Information Security Committee. Perhaps the Smart City project should also create a CISO and Information Security community even at the time of initial planning so that security inputs go into every decision right at the architecture level.

If these challenges are properly addressed, then the cost of the smart city projects will be controllable. Otherwise the project will be delayed and there will be cost escalations along with inefficient implementation of the project.

The Smart City projects should therefore be on the lookout for IS professionals of all hues and colours, and it would be a great time for such professionals in terms of job opportunities.

Naavi

Posted in Cyber Law | Leave a comment

Airtel does a Maggi!

Just as Maggi has got into a controversy over the taste-enhancing additives in its noodles, Airtel appears to be encountering a controversy by introducing a “Computer Contaminant” into its customers’ browsers, which is an offence under Section 66 of ITA 2008.

According to this report in ehacking news.com, a programmer has published his findings that when customers browse the internet using an Airtel broadband account, Airtel introduces a JavaScript and an iframe into the browser. The script and iframe point to a specific URL.

On its part, Airtel has released a statement trying to explain its position. The explanation does not appear convincing but appears to suggest that it is trying to develop a tool to provide users information about the data usage during their browsing sessions.

In a way therefore there is an admission that Airtel has introduced what is considered as a “Computer Contaminant” under Section 43 of ITA 2008 which is defined as follows:

“Computer Contaminant” means any set of computer instructions that are designed –
(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer system, or computer network

Introduction of a Computer contaminant without the permission of the owner of a computer is a contravention under Section 43 of ITA 2008 and an offence under Section 66. The company would be liable for financial compensation and probably for at least being tried for a cognizable offence.

While the Company may have a reason to experiment with a tool not meant to harm the users, it has ignored the ITA 2008 compliance requirement which could have been met by providing a proper notice to the users.

Hope it would take the necessary corrective action by sending a proper notice to its customers clarifying its position.

(P.S: Thanks to a published erroneous judgement of the Adjudicator of Karnataka in December 2011, and the continued neglect of the Karnataka High Court and the apathy of the Central Government in not appointing a Chairperson for the Cyber Appellate Tribunal, neither Section 43 nor Section 66 is applicable to Bharti Airtel in the state of Karnataka.)

Naavi


Using the Smart Grid in the Smart City and the Security issues

One of the first innovations that the proposed Smart Cities in India need to build up is an efficient way of distributing electricity so that the net cost of consumption of electricity is reduced. The solution for this without doubt is to build a Smart Grid. A Smart Grid is a mechanism where there is an intelligent sharing of information from the end of the consumer of electricity and using it to modify the electricity supply and usage pattern so that a balance is achieved between production and consumption.

This requirement of matching demand with supply on a real time basis arises since electricity production and consumption vary throughout the day and there are peak requirements and slack period requirements. Since power cannot be easily and economically stored and used at different times, if we need to satisfy consumer demand, we always need to keep production matching the peak requirement and let it go to waste at other times. Otherwise outages would occur when peak load is demanded and the grid cannot supply the same.

If smart management of demand and supply is possible, the consumers can stagger the use of electricity to match the production and supply. Also, different production sources such as solar production, wind production, etc. can be connected to a common grid to which the conventional production sources dump their production. Since the natural source production of electricity may depend on, say, the availability of wind or sun, there will be variation in production of such energy. This needs to be balanced by incentivising consumers to stagger their consumption, by offering discounts on consumption when surplus power is available in the grid as against a premium charged when there is a shortage.

Also, if the consumers are able to produce electricity on their own by, say, owning solar panels on their rooftops or a single wind turbine in the farm etc., they can supply electricity to the grid during peak hours and earn premium income while consuming electricity for their own use in the off-peak hours when the prices can be at a discount. In a way the consumers will consume electricity when it is cheap on the grid and produce electricity and push it to the grid when it is expensive on the grid. This makes a consumer become a new category of user who may be called a “Prosumer” who both produces and consumes.

These fancy ideas of a smart grid are very much within the realms of possibility even now if the electric grid architecture can be planned properly ab initio. The architecture will require supply of electricity and exchange of data over the same power line. In other words, every electric line will carry both electricity and data, which will be resolved at each end through appropriate modems. Even broadband on power lines will be possible under the same system.

The above smart grid applications can be built and are expected to be built in the smart cities. In cities like Amaravati where the electricity lines are to be drawn from scratch, perhaps it would be easier to use the appropriate hardware to build the dual purpose electricity distribution system which can carry power and data over the same lines.

While Electrical Engineers will work on the technology required for the purpose of carrying data over power lines and software professionals build applications to process the data and use them to modify distribution etc., the cyber security professionals will be concerned about the risk of data being accessed and modified without authorization. In fact, the experience of Stuxnet is too recent to be forgotten. All Smart Grids will fall into the category of critical infrastructure and will be juicy targets for Cyber terrorists and as targets during a Cyber War.

Security will therefore be a major concern for Smart Grid developers and hence this is one of the first challenges to be tackled by the Smart City Cyber Security managers.

Note that use of smart grids will immediately require a modification of electricity laws as well as redefining of many cyber crime related laws, and there could be obstructions from short-sighted politicians who do not understand security issues. Modification of Cyber Laws is therefore a part of the cyber security plan for smart grids or smart cities.

In designing a Cyber Security system for a smart grid, all the five aspects of data security, namely Availability, Integrity, Confidentiality, Authentication and Non Repudiation, will be applicable. There will be threats and vulnerabilities to be recognized and risks to be estimated. Controls need to be built to mitigate the risks with a very low tolerance level and with redundancy built in some form to tackle the inevitable security breaches.

Building security into a smart grid system after it is established would be complicated, inefficient and sometimes impossible. Hence planners of the Smart Cities need to integrate cyber security plans when building the smart grid network itself.

It is difficult to conceive of the cyber security system for a smart grid without knowing exactly the architecture. But NIST has worked on the requirements and come up with a suggested architecture for interoperability as well as guidelines for information security applicable for smart grids, and perhaps it needs to be adopted for our requirements with whatever minor changes need to be made.

If these requirements are not studied now and addressed, the specifications for the hardware would be imperfect leading to delay in projects, escalation of project costs and also compromise of security for which we may have to pay a huge price some time in future.

I therefore request the CM of AP in charge of Amaravati project, Mr Chandrababu Naidu, and also the Union Power minister Mr Piyush Goyal not to neglect the cyber security requirements of smart grids when they plan for the smart cities, and more particularly for Amaravati where work has to commence from a zero base.

Naavi

 


Let’s develop a model Cyber Security Framework for a Smart City

AP Chief Minister Mr Chandrababu Naidu laid the foundation stone for the new Capital City of Andhra Pradesh to be known as Amaravati. The City is to be developed as a “Smart City”. Knowing the cyber savvy nature of Mr Chandrababu Naidu and the opportunity to build the capital city with zero-based planning, it is possible that Amaravati can come up as an ideal smart city, which is the dream of Mr Narendra Modi.

While we watch the developments as they unfold, we once again reiterate that the success of the concept of “Smart City” is closely associated with the Cyber Security plans that are implemented when the smart city is built brick by brick. As if to remind everyone about the vulnerabilities associated with the dependence on “Information” in Governance, the US Government has announced its apprehensions of a major hacking of its federal information systems by China. (Read the article in Independent here).

A Smart City by its very concept is highly susceptible to information security vulnerabilities since its critical resources such as Electricity Supply, Water Supply, Road Transport, Health system etc. will be vulnerable to terrorist attacks and cyber warfare. We are not sure if managers of other smart cities are capable of understanding these risks and taking appropriate security measures, but feel that Mr Chandrababu Naidu is one who can understand the risks and take such steps which would form a guideline to other smart cities in India.

We therefore congratulate Mr Naidu on laying of the foundation stone for Amaravati, and at the same time urge him to lay the foundation stone for an appropriate “Smart City Cyber Security Framework” which is technologically sound.

We reiterate that the technologically sound cyber security framework should also be supported by a “Smart City Cyber Law Framework” which takes into account the issues surrounding Big Data and Internet of Things. Additionally, people involved must be adequately trained and motivated to implement information security as a backbone to the city’s law and order eco system.

Naavi.org will try to present the major information security issues to be tackled by a Smart City one by one. I request all security professionals to consider contributing to this knowledge base in the form of articles on various issues involved in securing the Smart City cyber systems. The articles and comments can be sent to naavi@vsnl.com with a brief profile of the author, for publication in Naavi.org. Students of Technical and Legal institutions are also welcome to contribute.

Naavi


Impersonation of “Naavi” sighted

P.S:
Since the publication of this post and an email sent to the founders of Naavi.co., a response as quoted below has been received from Mr Bates, promoter of Naavi.co.
Naavi has been the promoter of www.lookalikes.in which promotes the concept of “Let’s learn to Co-exist”. We therefore are not against somebody using a similar name as long as the differentiation is acknowledged and the activity is not likely to cause any damage.
On our part, we are publishing this disclaimer to remove any unintended displeasure caused to the promoters of naavi.co and consider this potential dispute as sorted out amicably.
Readers may observe that we have preferred to publish this disclaimer rather than remove the post altogether, since this form of recording the counter view is better than complete removal to remove misconceptions, if any, created by the original post.
 
We will add the disclaimer also in the lookalikes.in notification for naavi.org.
 
Naavi
9th June, 2015

 Quote:
Hi Vijayashankar,
Thanks for your email, and we’re very sorry about the confusion regarding the name Naavi.
 
Our business primarily operates in Australia and we own the trademark for the name ‘Naavi’ in Australia. Because your trademark is localised to India it does not apply to us.
 
We ask you to take the post off your website that suggests we are impersonating your name.
 
Please let us know if you have any other concerns.
 
Thanks,
Michael & Blake
Naavi Founders
Unquote:

It has come to the notice of Naavi.org that two individuals in Australia have registered a domain name “Naavi.co” and are attempting to promote a blog and other educational products in the name of Naavi.

A preliminary notice has been sent to the promoters for necessary corrective action, failing which necessary action through legal means would be initiated.

In the meantime we would like to inform all the visitors of Naavi.org that we do not have any relation with Naavi.co or any of its declared promoters, Naavi Pty.co or the individuals Mr Blake Seufert and Michael Bates who declare themselves as the Co-Founders of Naavi.co.

Naavi


Cyber Security Task Force: NASSCOM-DSCI initiative, will it have a holistic view?

It is reported that NASSCOM and DSCI have set up a Cyber Security Task Force with representatives from industry and academia to identify key priorities and build a detailed action plan. The task force is expected to study the Indian Cyber Security eco system to identify the issues and challenges. The Chairman of NASSCOM states that the efforts will be to “bring together the stakeholders from across the board”.

(Refer report here)

The initiative is welcome.

However, it has been noticed earlier that the approach of NASSCOM, led by technology specialists, often fails to address Cyber Security from the holistic perspective. The end result of most such initiatives led by business leaders is to identify and pursue business opportunities that arise out of such initiatives, and any benefits that the society may achieve become incidental. The interest of the end consumers is not always kept in mind by such initiatives.

One example which we can quote here for those who have great faith in such industry-led committees is the attempt made by some Bankers who were part of the G Gopalakrishna Working Group (GGWG) of RBI, which was meant to address the Information Security requirements in E Banking, to influence the committee into taking decisions which were anti-consumer and in violation of the law of the land. It was only through the efforts of a vigilante Naavi.org and an understanding Chairperson that the effort was thwarted.

It is therefore anticipated that even this NASSCOM-DSCI Cyber Security Task Force runs the risk of such motivated manipulations, which need to be guarded against.

It is necessary for the task force to recognize that “Cyber Security is not achieved only by a set of technology tools such as an Anti Virus package, Firewall or an IDS system but includes the Cyber Law environment and the management of the behaviour of human resources”. In other words, it is necessary to recognize that Cyber Security is a three dimensional exercise involving technology, law and behavioural science.

I am confident that the task force will do adequate work as regards the technical aspects of security. However, I am more or less certain that the task force will fail to have a holistic view of the Cyber Security eco system that includes laws that affect technology and behavioural aspects of ICT users.

To be a comprehensive approach, the task force report should incorporate the Cyber Law requirements to support issues such as Cyber Warfare, Cyber Terrorism, Organized international Cyber Crime syndicates, Privacy Issues, Anonymity and Pseudonymity, Addiction of Internet users to Social media, Effects of Video Gaming, Pornography, the issues of Social Engineering and the ubiquitous presence of Mobiles.

The attempt of technologists would be to drive technology use without fully covering up the risks. When the technology person himself looks at the security, there is an inherent conflict of interest and the final outcome always leans towards what increases the revenue and profitability. The risks which make consumers lose money are never the focus of such task forces.

I would like to draw the attention of the Chairpersons of NASSCOM and DSCI to the above apprehension and take appropriate steps.

Naavi
