Cybersecurity Framework for Smart Societies
Guest User
The digital transformation is reaching every aspect in the society which leads to Society 5.0
The first evolving society, the hunter and gatherer society, developed only thirty thousand years ago. From this point on, the speed of inventing new objects and methods increased (exponentially) with time. Since the industrial revolution, that aggregated speed of inventions and the progress of new technologies became so vital, that only three hundred years after the so-called Third Society, we arrived in Society 4.0, the time of Information Society (M. Aldabbas et al., 2020). This shows in an impressive manner, how the progress gained speed along the way. In the year 2020 Japanese scientists, only half a decade after the Information Society, started to talk about forwarding to Society 5.0 already. That implies, the increase of the digitalized and interconnected networks and thus, the increase of cybersecurity challenges and information security, leading to difficult decisions, facing cybersecurity threats and attacks (Mohammad Aldabbas et al., 2020).
Society 5.0
The main difference between the Information Society and Society 5.0 is, how humankind adapted the gained knowledge of the Information Society to their advantage. The new purpose is not only to provide humankind with services and data but rather to connect societies together and to use disruptive technologies to enhance life quality and safety for themselves and upcoming generations. Thus, humankind automatically tries to cope with the voids resulting from Information Society, through applying the latest technologies (Shiroishi et al., 2018).
Increasing cyberattacks and why cybersecurity is vital
That being said, unfortunately Mr. and Mrs. Swiss lately often read news like: "At first, the municipality denied it. But now it turns out: the hackers stole AHV numbers and a lot more" or "The stolen data also includes credit cards as well as access data for Swiss databases." Digitalization, digital transformation, IoT, AI and more and more networked systems have made it impossible to imagine servers without sensitive data. With the advance of new technologies, such as AI or cloud computing to only name two, the trust in systems, as well as privacy and security aspects in smart societies become relevant; more than ever.
If cybersecurity is not ensured or private data suddenly becomes public, the trust of institutions and private citizens towards the government is at stake. Without trust, smart societies are not able to move forward and thus, adaption and the use of disruptive technologies are at risk, as well as the economic growth coming within (M. Aldabbas et al., 2020).
Cybersecurity on the nexus to a functional Smart Society: What could go wrong
The flow of data is increasing, whether in terms of volume, variety or speed. The numerous benefits that come with the technologies are almost limitless. The only aspect that can slow down or partially prevent this technological change is cybercriminals. Just like our technologies, they move with the times, in some cases even ahead of it. Through hacking attacks, executed through increasingly sophisticated methods, highly sensitive data is being stolen and subsequently returned for ransom. In addition to the financial damage to companies and governments/municipalities, the subsequent loss of trust that individuals develop in a government, also plays a major role. How can legislators keep pace with rapid technological developments? Laws as we know them today (e.g., private law or public law) must be implemented in the same way for the use of data, adaptation and creation of a software code. Furthermore, challenges such as the "dual-use dilemma" or traceability after attacks must be mastered. The framework presented copes exactly these chal-lenges and therefore ensures one of the ways on how to improve the digital maturity.
Where the framework found its origin
On the way to the cybersecurity framework for smart societies, the author challenged existing frameworks and guidelines within the financial sector as well as the IT sector. Within lays the challenge to extract the missing spots in existing frameworks and thus to add value to the advantageous framework already existing. While for instance, the OCTAVE framework is based on guid-ance, governance, and enabling employees with workshops, frameworks like the FAIR model try to overcome security breaches through quantitative models (Cannady et al., 2019). Many of the frameworks elaborate on how security can be enhanced beforehand but only a few describe what must happen after an attack was being carried out. The framework FAIR, a financial model, describes how high the level of accepted losses can be based on the parameters of an institution (Cannady et al., 2019).
Point out the missing brick in the wall which is the guideline for the future (we cannot live on the history, can we?) so we need to move on with our frameworks too
The framework presented in this article overcomes the mentioned weaknesses through a multilayer build up. Therefore, the framework will cope with voids of cybersecurity and enhance the advantageous parts of existing frameworks. Organizations, firms, and private citizens must prepare themselves against potential cybercrimes. Data collection and professional judgement, therefore, are crucial points (Ekstedt et al., 2014). Companies and governmental institutions change their way of how they operate completely. Exponential growth and disruptive technologies change how Society 4.0 is being set up. New ways of how to operate businesses or how public services are structured have occurred (Čelik, 2019). In Society 5.0 data, computers and innovation-driven devices become more important than they have ever been before. Challenges, such as overcom-ing poverty, global warming, economic disparity, and many other issues, will be improved by implementing the latest innovation and technological knowledge towards problem-solving. Meanwhile, negative aspects like “the use of modern disruptive technologies, at local, regional and global level, constantly generates new forms of abuse within the application of modern digital technologies, in all sectors of human activity and work” (Čelik, 2019, p. 351) come within. To cope all challenged in the scale of society, the framework provides information to all roles within. Through the possible application of the framework to all stakeholders, the framework takes on the challenge to assist all, one citizen, or the society as a whole.
Durability of the cybersecurity framework for smart societies
Technology advances quickly, the framework needs to be ahead of its time. The framework has also thought of this matter, if a smart society is planned, new disruptive technologies can severely shake up the market and its encryption landscape. Concluding, that a framework needs to be state-of-the-art for a period of time. To improve cybersecurity and thus, fulfill the need of the mentioned stakeholders, the framework solely uses collective terms to explain the different di-mensions, aspects and processes how to overcome the mentioned challenges. By using collective terms, the framework is also prepared for upcoming new technologies. Collective terms ensure that the framework will be applicable not only today but, in the future, as well. One example would be using “secure IoT networks” instead of using an actual technology used today to secure IoT networks, such as “Zigbee”. As of today, “Zigbee” might be the best solution to secure smart objects at home, but it is unclear if this specific technology will still be applicable in ten years (Engebretson, 2018).
The creation of the framework from scratch
Version 0.1 was developed through literature research. All advantageous aspects from different frameworks build up the basis for the initial version of the framework. The structure, so learnt the author, would be adjusted several times in the making of the framework. But the gathered infor-mation gave an idea, on what direction the framework will be constituted. Version 0.1 was then the version before the first interview and thus, stated the foundation for the discussion. As the work went along, the framework has experienced lots of changes, be it structure wise or content wise. The author of the framework challenged the work along the way with cybersecurity experts and adapted the framework in an agile way. In today's fast-paced world, nothing can be gained without agility. People in the lead not infrequently encounter headwinds, because iterative approaches are difficult for rigid institutions to accept. For the development of the framework, the agile method brings advantages like saving time, being able to show the progress of development and having a better end-product, due to optimal resource allocation in agile conception. This ultimately led to the version 1.0 – the final product.
As mentioned, the framework is designed for the use of all stakeholders within the scales. It could be applied through a person working in the government who wants to ensure cybersecurity in the future in a governmental institution or it could be applied through a CEO in a firm, as well as at home through a family father or in a shared flat. This being said, the upcoming paragraph therefore explains how the framework is being applied.
The layers
The framework is divided into three layers. The light blue “technology layer” on the bottom, “the facets of cybersecurity” on the left and the blue “scale layer” on the top need to be applied at the same time, to be able to use the framework. The following guidance shows how each of the layers is applied and how they work in the context of other layers. Additionally, the layer “facets of cybersecurity” is divided into two groups. The difference between this layer is explained as well. For better visibility and usability, the author recommends opening the framework in the presented link: Cybersecurity Framework for Smart Societies.
Figure 1 – Cybersecurity Framework for Smart Societies: own presentation
The “scale layer” is designed that when a technology is to be deployed, it may have different threats, risks, vulnerabilities, and associated processes, depending on each scale. The general specifications in the layer scale reach from “citizen” to “household”, “town”, “institutions”, “city” and finally to “society”. Therefore, the cybersecurity threats for a single citizen might differ from the threats for a whole society.
Each specification, from small scale to large scale, has its own specific threats, risks and vulnerabilities.
The “facets of cybersecurity layer” is on the left side of the framework and works both, with the “technology layer” (light blue) and the “scale layer” (blue) together. It is divided into two groups. The red, upper part represents all facets of cybersecurity that could harm each scale or represent an area, where the corresponding scale could be vulnerable. These facets are divided into the three main facets of cybersecurity. The threats, the corresponding risks and the vulnerabilities within. Further on, on the left side on the lower half, the green area represents all corresponding processes, that help to achieve cybersecurity maturity. The group is divided into the three main processes, “mitigation-management”, “incident-management” and the “business-continuity-management”. All stated facets help each specification of the scale layer to get a hold on what threats could be a problem, what risk must be considered or where vulnerabilities could occur. All the mentioned specifications are subsequently solved through the implemented (green) processes. The processes either mitigate risks or vulnerabilities or once an actual attack has happened, how to keep the institution up and running. The cybersecurity facets of the framework follow the main processes of the NIST framework. The process of “identify”, “protect”, “detect”, “respond” and “recover” can be applied to each aspect of the layer.
The “technology layer” (light blue) is on the bottom of the framework. It completes the framework and its perks to get a hold on what threats one needs to consider and how security measurements could be applied. To apply the technology layer, the user simply adds the desired technology.
Guidance
The flow of the framework is held simple. Once the user decides what technology needs to be implemented, be it smart technologies or to improve the safety of the already implemented devices in a city, household or any other layer of scale, one will be able to apply the cybersecurity framework presented.
The user will be able to read, what one must take into account while working out a strategy or while implementing a new smart device for instance. Usually, frameworks solely give you food for thought and tell one what to think about, when a project is taken care of. The cybersecurity framework, on the other hand, already gives the user a list and associated guidelines on how to apply them. In the last segment (green) of the framework, the mitigation-management, incident-management, and business-continuity-management show ways on how to conquer any cybersecurity challenge.
Going in: The guidelines
In the following, the guidelines of the framework are elaborated. The boxes in between the layers, containing threats, vulnerabilities, risks and processes to cope with each one of those aspects. Each of the boxes represents a non-exhaustive list of what the user must think of before implementing new technology or what could help to make an already implemented technology safer. In the following, the author explains the terminuses.
Threats/risks and vulnerabilities
Hacking is the one of the most known forms of cyber-attacks. Hacking, used as a collective term, describes all kinds of actions with which cyber criminals try to get access to a server or account of a person or an institution. This can occur through algorithms to find out the passcode or sometimes they find a loophole in the access-management process (Mayer, 2018). Next to the technical aspect on how to get access to someone`s server, cybercriminals can carry out social engineering attacks. The goal of these attacks is to confuse and trap the victims, in order to obtain personal data, financial data, bank transfers or access codes of the attacked person. In this type of attack, the individuals are usually contacted by a real person, the attacker personally. One common way of a social engineering attack is “phishing”. Further, the abuse of the “dual-use dilemma” occurs, when for example, a social media platform strategically collects personal data and then sells them for profit. It is always the question of how much you want to invest in security and if you trust the partner/provider. Thus, some institution that abuses their power, takes advantage of the dual-use-dilemma and the cybersecurity of their customers is at stake. While automating all kinds of processes, institutions and individuals tend to give up the integrity of their data. This process leads to the to the situation, that more and more information about personal data, habits of an individual or behavior is being stored online on a server. Even financial data is being processed. As elaborated the dual-use dilemma therefore states, that the collected data is being used in an unlawful manner and data ends up in cybercriminals hands.
Through the presented information, the attackers might be more successful to carry out an attack. “The data generated by smart metering is critical, as it makes it possible to generate user profiles of individual persons.” (M. Aldabbas et al., 2020, p. 104). This issue must be taken seriously and solved and there must be barriers implemented or mechanisms that prevent data from being misused by institutions, governments, or private citizens.
Blockchain-Hacking: Blockchain is a new technology in general and the majority of people do not quite understand the mechanism behind the technology. Since blockchain technology is sofware-based, the danger of having bugs in the code is real. One might argue that since the use of the technology goes up and the interconnection between the software rises within, more and more bugs will be available for hackers to get ahold trading platforms or of cyber currency wallets of citizens (Summers, 2016).
“Denial-of-service attacks” follow the mechanism, of overturning a system by over-heating it. A high number of server requests are being carried out in a short amount of time. This process lasts as long as the server is able to withstand the attack. Safety measures explained later in the paper help to overcome such attacks or mitigate the downtime of the server. Denial-of-service attacks can be either distributed- or permanent-denial-of-service attacks. The distributed specifi-cation is actually one without any criminal thought behind the system failure. This occurs for instance, when too many people would like to purchase the same item or buy objects in the same online shop at the same time. Often seen while selling tickets for concerts or when companies release a long-waited object (Marmita, 2020).
Mitigation-management, incident-management and business-continuity management
A study shows that 80% of objects in IoT fail to require a password and 70% have open systems or open doors for hackers and cyber-attacks, such as getting knowledge about users’ accounts (Jadhav et al., 2017). Firstly, the latest updates should be uploaded on the systems and devices. With updates, bugs are fixed and overall security is enhanced. When encryption keys are being leaked, patch management comes into play. The leaked master key for instance could then be fixed over an over-the-air-update. On one hand, the devices must be secured through the latest updates on a regular basis, on the other hand, an applicable patch management needs to be available in case that some-thing gets leaked. “As technology evolves, so does cybercrime. The more detailed the approach to patch management, the more you are reducing the risk of a vulnerability being exploited and data breaches being made.” (Keall, 2018, p. 1)
Over-the-air updates are an important way on how to secure the durability of smart objects. Over-the-air updates although come into play while looking at the lifecycle management. When, for example, the source code is leaked and the master key for the implemented technology can easily be hacked, over-the-air updates find a remedy on how to conquer the challenge.
Access control is important when it comes to the mitigation-management. The access management needs to be comprehensible and adaptable. Secondly, employees or citizens, in general, should only have access or permissions to get to data that they are entitled to see or edit. An adequate access management can further be directly used as a technical barrier if one member of a network gets hacked.
Adequate Backup-Management can be a key factor for cybersecurity as well. There are two ways to backup data or information. Either storage of data is secured in a cloud-based solution with an external provider, the so-called online backups, or one can store data offline on hard disks or in own server cabinets. Datacenter, so-called cloud-based backup centers, usually have on-premises guards and other physical safety measures to secure the cabinet server and backup server. Either way, it is crucial to have both, online and offline backup of important data. Georedundancy may have an impact on cloud-based backups, as well as on offline backups. Even with the mentioned safety measures, cloud-based data centers are not one hundred per cent safe from data loss. An adequate back up-management, therefore, consists of both, on- and offline backups. The threats and risks of vandalism or fire breakouts are not to be underestimated. Georedundancy comes into play when an important server and back-up server are located in the same area. Storage of important data should always be saved in several different places with independent safety measures and power sources.
The lifecycle management describes the process of being able to turn on or turn off devices or systems that are being attacked. If for example a smart object gets hacked, cybercriminals could lock it and in exchange for money transfers unlock the device again. In these situations, the owner of the smart object should be able to turn off or override the device before malware is able to spread or perform additional damage in general.
The encryption of systems and devices within is the most important part of all cybersecurity actions. There are mainly two forms of encryption methods. The symmetric and asymmetric encryption. Unfortunately, as of today, it is unclear, if today’s encryption methods used will still be state-of-the-art in a few years’ time. New technologies like quantum computing might be too strong and fast to over-come the safety net proposed by today`s encryption methods. Either way, an encryption method needs to be put in place in any case. The algorithms used, encrypt data and use a special key in the code in order to be able to decrypt the data and its information. The encryption process follows the pattern, of displaying random text in order to make it not understandable to other systems. Only with the mentioned key, other systems are able to read the secret text that lays behind the encrypted text (Oxford, 2017).
Figure 2 - Encryption decoded: Different kinds of encryption methods (Oxford, 2017)
Testing the Framework
To test whether the promise that even a person with little IT knowledge can find their way around the framework and understand it, the criterion was tested as part of a comprehension test with a professor.
In order to test whether the Professor was able to understand the framework with minimal guidance, she was sent the framework instructions prior to the test execution. The guidance she received were held on minimal explanation level. No additional information except the chapter “guidance” was provided. The guidance provided, contained an explanation on how to use the framework and how to apply technology to the framework. It did not include an explanation of the guidelines or any other additional information
Results of the test
According to the proband, the generic flow of the framework and its layers were understandable. The scale layer and facets of cybersecurity and the corresponding processes made sense to her. The only uncertainty in the framework mechanism was the “technology and application” layer. She did not understand right away how to apply the corresponding technology. After a short explanation, however, this point also made sense and she understood how the framework worked. The comprehensibility of the different layers and the associated colors make sense. It is very helpful to see those threats, risks and vulnerabilities, facets that could concern cybersecurity maturity are shown in red, while processes to mitigate these risks, threats, and vulnerabilities in green. The use of color, in general, addressed her.
The various guidelines are very technical for her. Among other things, technical definitions, like the "dual-use dilemma" were not understood. After a short explanation by the author, the ambiguity was resolved. This was a sign of how important the individual explanations in the "Guidelines" chapter of the paper are in order to apply the framework correctly.
On the question on how her institution could apply the framework, she said she could imagine introducing the "chatbot" technology to see what threats, risks, and vulnerabilities should be considered when introducing a chatbot and what measures could be integrated to reduce any threats, risks and vulnerabilities.
The chatbot she has in mind would automatically organize speaking appointments with possible clients of hers. Through the chatbot, the client would be directly connected to the professors calendar. Here, of course, the interface to the calendar comes into play again and this must be secured. Through the framework, it became visible that this interface would have to be secured by a password. Furthermore, it must ensure that the chosen provider is a secure one and does not use the acquired data to its advantage. She understood what threats, risks, and vulnerabilities come within while introducing a chatbot. Furthermore, she understood what measures can be applied to mitigate the mentioned threats, risks and vulnerabilities.
Interpretation
Cybersecurity is an exciting but highly complex topic. The complexity of the subject did not allow for an in-depth analysis, which is why the high-level approach was chosen. The various techniques and technologies themselves could be analyzed further at the technical level, and weak points could be worked out and solutions presented. However, the framework wanted to provide food for thought and generic solution approaches for the various stakeholders in a smart society. The goal that even someone without deep IT knowledge can understand the framework and the work, in general, was proven and achieved based on the results of the test.
The framework also provides additional guidance for understanding the individual guidelines and layers within the modular framework. According to the subject of the test, however, the structure is intuitive and understandable even without a detailed description. The further explanations help the user to implement effective measures according to the dangers, vulnerabilities, and risks. It needs to contain what challenges a smart society will face in the future and what measures would provide a solution. It can be concluded that the framework also has practical relevance and would pass a practical test. Due to the strict use of collective terms, the framework is durable and can also be applied with new, still unknown technologies.
Future research possibilities on the matter
The future brings many advantages due to the increasing development of processes and technologies. Due to the rapid technological progress and partly groundbreaking innovations, mankind has been developing rapidly since time immemorial.
However, increasing digitalization and the introduction of IoT networks also contain dangers. In the future, the "dual-use dilemma" will certainly continue to play an important role when it comes to dealing with collected data. It is essential to ensure that no personal data is misused and that the privacy of users is guaranteed since the base of the smart society is data. The whole lifecycle of data includes at least five processes: collection, communications, storage, usage, and destruction (Aldabbas et al., 2020, p. 106). These processes need to be clear and legally backed from data collection until data destruction. Additionally, the process of data processing will play a role. Questions like, who owns the data? To whom may any information be passed on? These questions will become increasingly important and must definitely be regulated by the legislature and politics. Innovations will also have a major challenge in the direction of threats. Unfortunately, not only are the technologies of non-criminal behavior evolving but the malicious ones as well. In the future, traditional encryption methods may no longer be sufficient and device protection will have to be organized in another way. Further, all people in a society must help cybersecurity persist. The best encryption tactics are useless if the people using the systems are careless with passwords. They may be at the origin of an attack and for this reason, are sometimes responsible for the security of the cyber environment of the future.
An unresolved issue is the traceability of the errors in an attack or the question of who is at risk. Are insurance companies obliged to pay a financial amount if the person negligently fell for a phishing mail?
It is difficult to find out, firstly, who made the mistake or who was the culprit. One way or another, cybercriminals are usually hard to find, which suggests disputes and different incentives between the victim and the insurance companies. It is imperative that this issue be resolved.
Questions about the framework? Contact Joël Bühler.
Literature
Aldabbas, M., Teufel, B., Teufel, S., & Xie, X. (2020). Future security challenges for smart societies: Overview from technical and societal perspectives. 2020 International Conference on Smart Grid and Clean Energy Technologies (ICSGCE), 103–111. https://doi.org/10.1109/ICSGCE49177.2020.9275630
Aldabbas, Mohammad, Nguyen, M., Teufel, S., & Teufel, B. (2020). Cyber security canvas for SMEs. Information and Cyber Security, 20–33. https://doi.org/10.1007/978-3-030-66039-0_2
Cannady, S., De Roure, D., Huth, M., Mantilla Montalvo, R., Nicolescu, R., R. C. Nurse, J., & Radanliev, P. (2019). Cyber security framework for the Internet-of-Things in industry 4.0. In MPRA Paper (No. 92565; MPRA Paper). University Library of Munich, Germany. https://ideas.repec.org/p/pra/mprapa/92565.html
Čelik, P. (2019). Institutional measures for increasing the cyber security for business in the European Union. Economic Themes, 57(3), 351–364. https://doi.org/10.2478/ethemes-2019-0020
Ekstedt, M., Holm, H., Honeth, N., & Sommestad, T. (2014). Indicators of expert judgement and their significance: An empirical investigation in the area of cyber security. Expert Systems, 31(4), 299–318. https://doi.org/10.1111/exsy.12039
Engebretson, J. (2018). Smart home cyber security: What dealers need to know to keep their customers cyber-secure. SDM: Security Distributing & Marketing, 48(7), 74–78.
Anz, P. (2021, 26. August). Cyberangriff auf Rolle: Sehr sensible Daten im Darknet. inside-IT
https://www.inside-it.ch/de/post/cyberangriff-auf-rolle-sehr-sensible-daten-im-darknet-20210826
Anz, P. (2021, 30. August). Cyberangriff auf Rolle: Es wird noch schlimmer. inside-IT
https://www.inside-it.ch/de/post/cyberangriff-auf-rolle-es-wird-noch-schlimmer-20210830
Anz, P. (2021, 30. August). Auch Neuenburger Kantonalbank von Hackern attackiert. inside-IT
https://www.inside-it.ch/de/post/auch-neuenburger-kantonalbank-von-hackern-attackiert-20210830
Jadhav, V., Kalia, S., Kumar, K. N., Maddulety, K., Rana, P. D., & Seetharaman, A. (2017). Understanding the correlation among factors of cyber system’s security for internet of things (IoT) in smart cities. Journal of Accounting, Business & Management, 24(2), 1–15.
Keall, B. (2018). New cyber-security guidelines for government departments. Network Security, 2018(7), 1–2. https://doi.org/10.1016/S1353-4858(18)30061-8
Marmita, S. T. (2020). Struggle of ASEAN in cyber security. Aziya i Afrika Segodnya, 8, 52–56. https://doi.org/10.31857/S032150750010451-8
Mayer, J. (2018). Government Hacking. Yale Law Journal, 127(3), 570–662.
Oxford, A. (2017). How does encryption work? Independent Banker, 67(11), 75–77.
Shiroishi, Y., Suzuki, N., & Uchiyama, K. (2018). Society 5.0: For human security and well-being. Computer, 51(7), 91–95. https://doi.org/10.1109/MC.2018.3011041
Summers, T. C. (2016). Hacking the blockchain. Modern Trader, 82–82.
