In smart cities, walking in a park is not that simple. For example, Hyde Park in London collected visitors' demographic information like gender, age, and location by their network provider EE for more than a year. Your walk in the park is not private anymore.
To enjoy technological advancement, we are giving away our private information!
Another example of a privacy breach - London city, where smart bins were installed in 2012. The bins were used to collect peoples’ data from their phones which were used for targeted advertisements. The data was collected without people's knowledge, which was exposed by journalists after a year.
Smart city dwellers are exposed to an enormous amount of sensors that are continuously collecting data related to their health, location, habitat, and environment data like pollution, noise, parking slots, etc. This data sometimes exposes the most personal and sensitive information of the citizens.
These sensors and actuators are deployed in a huge amount for collecting information. While these sensing and actuating devices provide valuable data and statistics, unauthorized access to these devices can invade user privacy and safety.
According to McKinsey & Company report ‘Unlocking the potential of the Internet of Things’, IoT applications like smart cities can only reach their full potential with proper policy actions to ensure security and protect citizens’ privacy.
Smart cities create an environment where the citizens are exposed to government and corporate surveillance the minute they step into the streets. The citizens' data is collected, processed, and shared without even their knowledge, let alone taking consent.
Besides, vulnerabilities in databases and online systems demonstrate that smart cities are under serious cyberattacks and hacking possibilities. In December 2015, more than 80,000 people were left in the dark for 3 hours as Ukraines’ power plant was hacked.
Moreover, the phone helpline was also under TDOS, to prevent the users from calling for load shedding complaints. Another research paper demonstrated an attack on street lights, where an infectious worm can quickly spread and bring down all the city street lights within minutes. Interested readers can have a deeper look at the top security challenges and cyber-attacks faced by smart cities.
Access control is the discriminatory restriction of access to any resource for limiting the functions of an entity having legitimate access. Access control has been found to be an effective measure to prevent unauthorized access to resources. It restricts access rights of objects (data, files, and other resources) only to authorized subjects (users).
Several traditional access control models can be used according to application requirements. Traditional Access Control models such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC) focus on the protection of data in a closed environment.
Image Source: CyberHoot
As an exemplary scenario of access control in smart cities is that of smart healthcare, access control prevents the leakage of patient’s confidential and sensitive healthcare records by denying access rights to unauthorized users. Similarly, smart locks and keys have been introduced for smart buildings that store permission to open only an allowed list of locks.
Image Source: iotforall
Most of the traditional access control models provide authorizations through subject attributes and object attributes only. These attributes assigned to subjects and objects are generally static and can be modified only through an administrative role. This static approach is suitable for some traditional access control policies but this approach is no longer appropriate for access controls in today's world of the IoT.
However, these traditional access control models can be extended to incorporate the multi-domain, collaborative and dynamic requirements of IoT-based smart cities. Following are some popular access control models that have been proposed to cater to the needs of security and privacy in smart cities.
1. Intelligent Role-Based Access Control (I-RBAC)
RBAC is very significant and successful in providing access control measures to static computing domains. Yet, it is unable to adapt to the dynamically changing information of users, tasks, semantically meaningful business roles, access policies, and resources.
A novel access control scheme has been proposed by Rubina et al which uses intelligent software agents to achieve access control in smart cities applications. This model uses real-world semantic business roles as occupational roles, provided by Standard Occupational Classification (SOC), USA.
2. Attribute-Based Access Control (ABAC)
Typical access control models like ACL (Access Control List) and RBAC (Role Based Access Control) coarsely provide a discrete list of users/roles that can access an object. Whereas, ABAC brings in the context information and also the attributes of subjects and objects into its access control policies. Incorporating attribute information will also aid in reducing the maintenance load as only attribute values will need to be updated instead of changing all the subject-object relationships. This will improve the dynamicity and granularity of ABAC, which is ideal for the security requirements of smart cities.
3. User-Centric Access Control
This model empowers the users to be directly in charge of their sensitive data. Through policy-based access control and attribute-based encryption mechanisms, user-centric access control allow users to :
To this aim, Beltran et al have proposed an IoT integrated security ‘SMARTIE’ platform that provides authentication and access control to smart cities.
4. LIGHT est
LIGHT est is an access control infrastructure for IoT-enabled smart cities, which provides on-device authentication. Access control policies are written in a machine-readable format, in this case, Trust Policy Language, which empowers the devices to reject an access request from unauthorized entities on their own. Trust policies can be formulated based on context information like location, time IP addresses, etc.
5. CapBAC (Capability-Based Access Control)
Capability-Based Access Control provides the most fine-grained access by using access tokens. The access tokens are granted to the subjects only in a specific context (e-g, token usage within a predefined time). The token is valid to perform one action, once the action is performed the access token expires. Nakamura et al propose a decentralized CapBAC scheme for smart cities using Ethereum smart contract technology to manage and store capability tokens.
As the acceptability and popularity of smart cities are increasing, there is an increased digital security concern.
Fortunately, legislation like the IoT Cybersecurity Improvement Act in the U.S is being introduced to address cyber threats and potential market failure that will be useful in enabling secure smart cities.