D11.12: Cyber Data Security Management Plans

WP11: T11.6: Cyber security Management

Authors: Georgios Tsoumanis (CERTH); Panagiotis Tsarchopoulos (CERTH); Dimosthenis Ioannidis (CERTH)

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement N° 864400.


Technical references

Project Acronym: POCITYF

Project Title: A POsitive Energy CITY Transformation Framework

Project Coordinator: João Gonçalo Maciel (EDPL)


Project Duration: 60 months (from October 2019 to September 2024)

Deliverable No.: D11.12: Cyber Data Security Management Plans

Dissemination level*: PU

Work Package: WP 11: Project Management

Task: T11.6: Cyber security Management

Lead beneficiary: 38 (CERTH)

Contributing beneficiary/ies: 1 (EDPL)

Due date of deliverable: 31 March 2020

Actual submission date: 30 April 2020

* PU = Public
PP = Restricted to other programme participants (including the Commission Services)
RE = Restricted to a group specified by the consortium (including the Commission Services)
CO = Confidential, only for members of the consortium (including the Commission Services)

In case you want any additional information or you want to consult with the authors of this document, please send your inquiries to:


Version History

| Version | Date | Beneficiary | Author |
| --- | --- | --- | --- |
| 0.8 | 21/4/2020 | CERTH | Georgios Tsoumanis and Panagiotis Tsarchopoulos |
| 1.0 | 29/4/2020 | CERTH | Georgios Tsoumanis and Panagiotis Tsarchopoulos |

Disclaimer

This document reflects only the author's view. Responsibility for the information and views expressed therein lies entirely with the authors. The Innovation and Networks Executive Agency (INEA) and the European Commission are not responsible for any use that may be made of the information it contains.


Executive Summary

Deliverable D11.12 – Cyber Data Security Management Plans – aims to present a framework to ensure that POCITYF will comply with privacy and security of sensitive information. The proposed strategies will facilitate the implementation of a layered data protection framework allowing the project to collect and manipulate large amounts of data. The framework will be continuously monitored and assessed to ensure privacy and security on a constant basis. The deliverable is the outcome of task 11.6 Cyber-security Management, which aims to address the security and privacy part of data management.

D11.12 heavily depends on the available knowledge about POCITYF’s Innovative Elements (IE) in the four Energy Transition Tracks (ETTs). For this reason, the creation of the deliverable follows a sequential process that tracks the knowledge creation process regarding POCITYF’s IEs taking place in WP1, WP6 and WP7.

The current, 1st version of the deliverable introduces the concept of cyber-security and privacy in smart cities. Moreover, it provides an overview of the cyber-security and privacy issues relevant to POCITYF’s 4 ETTs. This version uses the information on POCITYF’s IEs that is already available in the DoA.

The next, 2nd version, which is due in month 24, will identify and document the critical cyber-security and privacy challenges associated with POCITYF’s 4 ETTs. Moreover, it will provide the recommended actions to address the cyber-security and privacy challenges and to mitigate relevant risks.

The 3rd and final version, which is due in month 48, will present the results of the monitoring of the implementation of cyber-security and privacy recommendations. Moreover, it will evaluate the results and provide insights and lessons learnt from the POCITYF project. The primary outcome will be a practical set of key takeaways for protecting cyber-security and privacy in smart city initiatives.


Table of contents

Technical references
Executive Summary
Table of contents
List of Tables
List of Figures
Abbreviations and Acronyms (in alphabetical order)
1 Introduction
  1.1 Objectives and Scope
  1.2 Relation to other activities
  1.3 Structure of the deliverable
2 Methodological approach
  2.1 Deliverable preparation process
  2.2 Explosive Growth on Internet of Things (IoT) in Smart Cities
  2.3 Cyber-security vs. Privacy
  2.4 Privacy concerns
3 Literature review about cyber-security and privacy in Smart Cities
  3.1 Cyber-security in Smart Cities
    3.1.1 Surveys
    3.1.2 Frameworks – Detection schemes
    3.1.3 Secure transactions
    3.1.4 Data transfer, storage, and processing
  3.2 Privacy in Smart Cities
4 EU initiatives and regulations for cyber-security and privacy in Smart Cities
  4.1 Organizations
  4.2 Legislation
    4.2.1 General Data Protection Regulation (GDPR)
  4.3 EU funded projects
5 POCITYF’s approach
  5.1 Critical energy infrastructure
  5.2 Smart buildings
  5.3 Transportation
  5.4 Smart citizens’ data
  5.5 Indirect to POCITYF approaches
6 Conclusions
7 References
8 ANNEX I - Standards related to IoT and Smart Cities


List of Tables

Table 1 Population change in 10 world’s largest cities at the end of 2019
Table 2 Security services and the corresponding threats and attacks
Table 3 Communication Protocols for Smart Buildings
Table 4 Well-known ITS threats, attacks, and countermeasures
Table 5 Standards related to IoT and smart cities

List of Figures

Figure 1 Overall process for the execution of task 11.6
Figure 2 Connected IoT devices worldwide
Figure 3 Security standards and recommendations for cyber-security of smart buildings
Figure 4 Chatfield and Reddick framework
Figure 5 POCITYF’s Energy Transition Tracks
Figure 6 Three high-level security objectives for the Smart Grid [72]
Figure 7 Types of security products categorized by good,
Figure 8 A holistic view of the data lifecycle
Figure 9 (TPM)


Abbreviations and Acronyms (in alphabetical order)

ABE: Attribute-Based Encryption
AVs: Autonomous Vehicles
BEMS/HEMS/CEMS: Building/Home/City Energy
BMS: Building Management System
CA: Central Authority
CNTL: Colluded Non-Technical Loss
CP-ABE: Ciphertext Policy Attribute-Based Encryption
CSIRT: Computer Security Incident Response Team
CUSUM: Cumulative Sum
DC: Direct Current
DHC: District Heating Cooling
DoA: Description of Action
DoS: Denial of Service
DPI: Deep packet inspection
DSM: Demand Side Management
DSO: Distribution System Operator
ECSO: The European Cyber Security Organisation
EEA: European Economic Area
EE-ISAC: European Energy - Information Sharing & Analysis Centre
EFTA: European Free Trade Association
ENISA: European Union Agency for Cyber-security
ETSI: European Telecommunications Standards Institute
ETT: Energy Transition Track
EV: Electric Vehicle
EU: European Union
FC: Fellow City
GA: Grant Agreement
GDPR: General Data Protection Regulation
GPS: Global Positioning System
IE: Innovative Element
IDS: Intrusion Detection System
IoT: Internet of Things
IS: Integrated Solution
ITS: Intelligent Transport Systems
LH: LightHouse
MAS: Multi-Agent Systems
NTL: Non-Technical Loss
NZEB: Near Zero Energy Building
P2P: Peer-to-Peer
PCM: Phase Change Material
PEB: Positive Energy Building
PED: Positive Energy District
PV: PhotoVoltaic
RAAC: Robust and Auditable Access Control
RES: Renewable Energy Source
SE: Software Engineering
SoS: System-of-Systems
SoSSec: Systems-of-Systems Security
SwHE: Somewhat Homomorphic Encryption
V2G: Vehicle to Grid
V2I: Vehicles to Infrastructure
V2V: Vehicle to Vehicle
VANETs: Vehicular ad hoc networks
VSNs: Vehicular Social Networks
VPP: Virtual Power Plant
WP: Work Package
XML: Extensible Markup Language
XMPP: Extensible Messaging and Presence Protocol


1 Introduction

1.1 Objectives and Scope

The current deliverable D11.12 – Cyber Data Security Management Plans – aims to present a framework to ensure that POCITYF will comply with privacy and security of sensitive information. The proposed strategies will facilitate the implementation of a layered data protection framework allowing the project to collect and manipulate large amounts of data. The framework will be continuously monitored and assessed to ensure privacy and security on a constant basis. The deliverable is the outcome of task 11.6 Cyber-security Management, which aims to address the security and privacy part of data management. The task focuses its efforts on data security management and investigates strategies to implement a layered data protection framework. It also aims to ensure the privacy and security of sensitive information, whether for legal or ethical reasons or for issues pertaining to personal privacy.

D11.12 heavily depends on the available knowledge about POCITYF’s Innovative Elements (IE) in the four Energy Transition Tracks (ETTs). For this reason, the creation of the deliverable will follow an iterative process. This process will be in accordance with the knowledge creation process regarding POCITYF’s IEs that takes place in WP1, WP6 and WP7.

The current, 1st version of the deliverable introduces the concept of cyber-security and privacy in smart cities and provides an overview of the cyber-security and privacy issues relevant to POCITYF’s 4 ETTs. This version uses the information on POCITYF’s IEs that is already available in the DoA.

The second version, which is due in month 24, will identify and document the critical cyber-security and privacy challenges associated with POCITYF’s 4 ETTs. Moreover, it will provide the recommended actions to address the cyber-security and privacy challenges and to mitigate relevant risks.

The 3rd and final version, which is due in month 48, will present the results of the monitoring of the implementation of cyber-security and privacy recommendations. Moreover, it will evaluate the results and provide insights and lessons learnt from the POCITYF project. The primary outcome will be a practical set of key takeaways for protecting cyber-security and privacy in smart city initiatives.

The updated versions 2 and 3 of D11.12 will be part of D11.9 Data Management Plan - version 2 and D11.10 Data Management Plan - version 3, which are due in months 24 and 48, respectively.


1.2 Relation to other activities

T11.6, and subsequently its respective deliverable D11.12, relates to many activities of the POCITYF project, in particular to the activities of WP1 - POCITYF Smart City Framework Towards an Integrated Deployment, WP2 - Setting Up, Planning and Execution of Performance Monitoring Activities, WP4 - Citizens Engagement and Open Innovation Activities, WP6 Evora Lighthouse City demonstration activities, WP7 Alkmaar Lighthouse City demonstration activities, WP8 Replication Plans and 2050 Vision by Fellow Cities, and WP9 Clustering and Coordination with Smart City Initiatives and Partnerships.

1.3 Structure of the deliverable

Chapter 2 presents the methodological approach followed for the preparation of the deliverable. Moreover, it introduces the concepts of cyber-security and privacy in smart cities.

Chapter 3 contains a literature review about cyber-security and privacy in Smart Cities, initially categorized in (i) Cyber-security in Smart Cities; and (ii) Privacy in Smart Cities, with a further categorization applied within each respective subsection. The literature review is based on published scientific papers and on the outcomes of research projects related to security and privacy.

Chapter 4 outlines the key initiatives and regulations in the European Union (EU) for cyber-security and privacy in Smart Cities.

Chapter 5 provides an overview of the cyber-security and privacy issues relevant to POCITYF 4 ETTs.

Chapter 6 contains the conclusions.

Chapter 7 contains the references to the scientific articles used in the deliverable.

Chapter 8 contains annexes.


2 Methodological approach

2.1 Deliverable preparation process

The creation of D11.12 will follow a sequential process, as it heavily depends on the available knowledge about POCITYF’s Innovative Elements (IE) in the four Energy Transition Tracks (ETTs). Thus, the first version of the deliverable, submitted in month 6, will introduce the concept of cyber-security and privacy in smart cities and will provide an overview of the cyber-security and privacy issues relevant to POCITYF’s 4 ETTs. This version uses information about the project’s IEs that is already available in the DoA.

The second version, delivered in month 24, will use the information about IEs that will be collected in WP 1, WP 6 and WP 7 deliverables (i.e. City Vision and Master Plan for ETT#1, 2, 3 and 4 Solutions, Updating Evora's Vision and Master Planning, and Updating Alkmaar’s Vision and Master Planning). Based on a more advanced body of knowledge about POCITYF’s solutions, it will identify and document the critical cyber-security and privacy challenges associated with POCITYF’s 4 ETTs. Moreover, the 2nd version of D11.12 will provide the recommended actions to address the cyber-security and privacy challenges and to mitigate relevant risks.

The final version, submitted in month 48, will present the results of the monitoring of the implementation of cyber-security and privacy recommendations. Moreover, it will evaluate the results and provide insights and lessons learnt from the POCITYF project. The primary outcome will be a practical set of key takeaways for protecting cyber-security and privacy in smart city initiatives. Figure 1 presents the overall process for the execution of task 11.6.

Figure 1 Overall process for the execution of task 11.6.


2.2 Explosive Growth on Internet of Things (IoT) in Smart Cities

The Business Insider article of 16-01-2020 titled “How smart city technology & the Internet of Things will change our apartments, grids and communities” [1] notes that, over the past years, people have continued to flock to large cities for several reasons, such as employment opportunities, lifestyle, and more. The same article presents the growth of the 20 largest cities in the USA, showing that most of these cities (i.e., all but one) experienced population growth during 2019. Table 1 [2] gives the 1-year (2019) population change in the ten most inhabited cities in the world, showing that 8 out of 10 of these cities were even larger by the end of 2019.

Table 1 Population change in 10 world’s largest cities at the end of 2019

| Rank | Name | 2020 Population | 2019 Population | Change |
| --- | --- | --- | --- | --- |
| 1 | Tokyo | 37,393,129 | 37,435,191 | -0.11% |
| 2 | Delhi | 30,290,936 | 29,399,141 | 3.03% |
| 3 | Shanghai | 27,058,479 | 26,317,104 | 2.82% |
| 4 | Sao Paulo | 22,043,028 | 21,846,507 | 0.90% |
| 5 | Mexico City | 21,782,378 | 21,671,908 | 0.51% |
| 6 | Dhaka | 21,005,860 | 20,283,552 | 3.56% |
| 7 | Cairo | 20,900,604 | 20,484,965 | 2.03% |
| 8 | Beijing | 20,462,610 | 20,035,455 | 2.13% |
| 9 | Mumbai | 20,411,274 | 20,185,064 | 1.12% |
| 10 | Osaka | 19,165,340 | 19,222,665 | -0.30% |

To keep pace with the surging population, cities need to become more efficient, a goal that in many cases is pursued by turning cities into Smart Cities. Smart Cities exploit Internet of Things (IoT) devices (e.g., connected sensors, lights, meters, etc.) to collect and analyse data and use them to improve infrastructure, public utilities, services, and more. IoT, being the backbone of Smart Cities, mainly refers to the interconnection and exchange of data among IoT devices. Currently, with the explosive growth that IoT technologies have seen [3], an increasing number of practical applications can be found in many different fields, such as security, asset tracking, agriculture, smart metering, smart homes, and smart cities [4]. As for the IoT devices, the total number of installed, connected devices is expected to reach 75.44 billion worldwide by 2025 (Figure 2) [5].

Figure 2 Connected IoT devices worldwide

In this sense, and given the rapid growth of the technology involved in the Smart City concept, it is vital to identify and implement security controls to keep these technologies operating smoothly. Smart City (cyber-)security and privacy must be considered when a city incorporates Smart City technologies and thereby improves its citizens’ living conditions.

2.3 Cyber-security vs. Privacy

The next sections give, among others, a literature review about cyber-security and privacy in Smart Cities. Before that, it is worth mentioning that different works distinguish cyber-security from privacy in different ways. In this deliverable, the authors follow the terms given in [6] for both cyber-security and privacy. More specifically:

- Cyber-security will refer to the measures taken in order to protect a device (e.g., computer, computer system, IoT device, etc.) against unauthorized access. A robust cyber-security policy protects and secures critical and sensitive data and prevents malicious third parties from acquiring or destroying them. The most common forms of cyber-attacks are (i) phishing; (ii) spear-phishing; and (iii) injecting malware code into a computer system.
- Privacy will refer to the type of “information security that deals with the proper handling of data concerning consent, notice, sensitivity, and regulatory concerns” [7]. At its most basic level, data privacy is about consumers’ understanding of their rights regarding how their personal information is collected, stored, used, and shared. The use of personal information must be explained to consumers simply and transparently. In most cases, consumers are asked to give their consent before their personal information is used.

2.4 Privacy concerns

Privacy in any technology is mainly connected to the rights of citizens, which must be guaranteed anywhere and anytime. Privacy breaches in Smart City services can be an issue for users who are not familiar with security issues (especially adolescents and the elderly). As a result, they can be perfect targets for attackers who take advantage of their interaction with many services through their smartphones, tablets, and computers, revealing personal data such as gender, age, and location.

In order for Smart Cities to become “accepted” by public opinion, it is necessary to acknowledge people's concerns about their privacy in the development of smart cities, thus maintaining their support and participation [8]. Regarding the general term of privacy, it is interesting to mention that the theoretical research about it is diverse and contradictory [9]. For example, Yuan Li, in his work “Theories in online information privacy research: A critical review and an integrated framework” [10] back in 2012, identified 15 different theories of privacy in online contexts. Besides, with the advent of social media, privacy research has identified two paradoxes. The first paradox lies in people’s lack of appropriately secure and private behaviour, despite their expressed concerns about their privacy. Interestingly, the most popular password in 2019 was 123456 (footnote 1), and many people use a single password for multiple accounts [11]. This paradox, known as the “privacy paradox” [12], is further enhanced by the fact that individuals share their personal information on numerous social media sites (e.g., Facebook, Twitter, etc.) while not feeling secure about doing so. The second paradox is the “control paradox,” which describes how the feeling of being in control over delivering or registering one's data leads to less concern about how one's data are later used by other parties [13].

Footnote 1: Keck, Catie. “It's Time to Nervously Mock the 50 Worst Passwords of the Year.” Gizmodo, 19 Dec. 2019, gizmodo.com/its-time-to-nervously-mock-the-50-worst-passwords-of-th-1840514905.

To further underline the significance of privacy challenges in smart cities, the following example is quoted from [14]:

“A vehicle’s license plate can be connected to the vehicle owner’s identity. Hence, the trajectory of a vehicle can easily be traced even if all communications between the vehicle and infrastructure are encrypted and each device is authenticated by others. This is against the common notion of privacy, which includes the right of people to lead their lives in a manner that is reasonably secluded from public scrutiny, whether such scrutiny comes from a neighbour’s prying eyes, an investigator’s eavesdropping ears, or a news photographer’s intrusive camera. In a smart city, future vehicles will have various communication capabilities that include Internet access, GPS, an electronic tolling system, and RFID. Connected devices in a vehicle will store lots of personal information and have various communication capabilities. In a smart city, the number of connected devices will be very high. The data collected by IoT will allow data consumers to understand the behaviours of data owners or use the data to derive highly personal information, including daily habits”.


3 Literature review about cyber-security and privacy in Smart Cities

In this section, a literature review is given, initially categorized in (i) Cyber-security in Smart Cities; and (ii) Privacy in Smart Cities, while a further categorization will be applied within each respective subsection. Note that in some papers or projects, both security and privacy are studied. In such cases, information regarding privacy will be given in the security section and vice versa.

3.1 Cyber-security in Smart Cities

Smart city services can extend into many diverse domains, such as environment, transportation, health, tourism, home energy management, safety, security, etc. [15]. In order to better present the past works related to cyber-security in Smart Cities, they are categorized here as follows:

- Surveys (for works published until 2016)
- Frameworks – Detection Schemes
- Secure Transactions
- Data transfer, storage, and processing

3.1.1 Surveys

For works published until 2016, several papers survey many techniques for cyber-security of Smart Cities, while some of them are dedicated to a specific Smart City part.

He and Yan surveyed cyber-physical attacks on smart grids in their work “Cyber-physical attacks and defences in the smart grid: a survey” [16]. In the same year, Yan et al. published “Detection of False Data Attacks in Smart Grid with Supervised Learning” [17], a comparative study on the use of supervised learning classifiers for the detection of direct and stealth false data injection (FDI) attacks in smart grids. Jow et al. surveyed the intrusion detection systems of that period in their review paper “A survey of intrusion detection systems in smart grid” [18]. Standards in smart grid security are surveyed in “Smart grid security--an overview of standards and guidelines” [19] by Ruland et al.

Lu et al. survey the security, trust, and privacy advances in vehicular ad hoc networks (VANETs) in their work “A Survey on Recent Advances in Vehicular Network Security, Trust, and Privacy” [20], stating that in order to share the critical driving information in ITS systems, VANETs are established with two types of communication: (i) vehicle-to-vehicle (V2V), and (ii) vehicles-to-infrastructure (V2I). In the authors’ view, the core security problem in VANETs is how to make the V2V and V2I communication channels secure. Regarding the security of each VANET service, the threats are categorized as shown in Table 2 [20].

Table 2 Security services and the corresponding threats and attacks

| Security Service | Threats & Attacks |
| --- | --- |
| Availability | Denial of Service (DoS) attack; Jamming attack; Malware attack; Broadcast Tampering Attack; Black Hole and Gray Hole Attack; Greedy Behavior Attack; Spamming Attack |
| Confidentiality | Eavesdropping Attack; Traffic Analysis Attack |
| Authenticity | Sybil Attack; Tunneling Attack; GPS Spoofing; Free-Riding Attack |
| Integrity | Message Suppression/Fabrication/Alteration Attack; Masquerading Attack; Replay Attack |
| Non-Repudiation | Repudiation Attack |

Khatoun et al. have recommended the security standards for cyber-security of smart buildings, as shown in Figure 3 [14].


Figure 3 Security standards and recommendations for cyber-security of smart buildings

3.1.2 Frameworks – Detection schemes

Li and Liao, in their 2016 work “An economic alternative to improve cyber-security of e-government and smart cities” [21], extended in their 2018 work “Economic solutions to improve cyber-security of governments and smart cities via vulnerability markets” [22], explored alternative economic solutions, ranging from incentive mechanisms to market-based solutions, to motivate smart city product vendors, governments, and vulnerability researchers and finders to improve the cyber-security of smart cities. First, the authors model the life cycle of smart city vulnerabilities by considering the role of government, smart product vendors, internal vs. external vulnerability finders, and offensive vs. defensive vulnerability buyers, as well as the likelihood of malicious cyber-attacks on smart cities and e-government. The model is analyzed in a four-party game theoretical framework. Then, two alternative economic solutions are proposed based on the modelling analysis of economic incentives. The first solution is a carrot-and-stick-like strategy, in the sense that the government either rewards vendors for security investment by paying for their products or “punishes” them financially for vulnerability exploitation. The second solution encourages vendors and governments to participate in the vulnerability market and compete with malicious attackers to purchase vulnerabilities for defensive purposes.

Chatfield and Reddick, in “A framework for Internet of Things-enabled smart government: A case of IoT cyber-security policies and use cases in U.S. federal government” [23], developed a framework for IoT-enabled smart government performance. This framework, depicted in Figure 4, is applied to conduct case study analyses of digital technology and IoT cyber-security in major application domains at the U.S. federal government level. The results showed that some agencies were strategic and forward-thinking in funding and partnering with sub-national governments in promoting IoT use. On the other hand, as shown in the paper, there remains a critical need for national IoT policies to promote systemic IoT use across the application domains.

Figure 4 Chatfield and Reddick framework

A recently discovered Non-Technical Loss (NTL), called Colluded Non-Technical Loss (CNTL), is studied in “A novel detector to detect colluded non-technical loss frauds in smart grid” [24] by Han and Xiao. As stated there, “existing detection schemes cannot detect CNTL frauds since these methods do not consider the co-existing or collaborating fraudsters, and therefore cannot distinguish one from many fraudsters.” The authors therefore proposed a CNTL fraud detector. The proposed method’s goal is the quick detection of a tampered meter, based on recursive least squares. After identifying the tampered meter, the proposed scheme can detect different fraudsters using mathematical models.

Attia et al., in “An efficient Intrusion Detection System against cyber-physical attacks in the smart grid” [25], proposed an Intrusion Detection System (IDS) architecture to detect lethal attacks, focusing on two smart grid security issues: (i) the integrity issue, where a Cumulative Sum (CUSUM) algorithm is proposed to detect price manipulation attacks even with granular price changes; and (ii) the availability issue, where an efficient method to monitor and detect any misbehaving node is proposed against Denial of Service (DoS) attacks.
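As an added illustration of the CUSUM idea mentioned above (a generic textbook two-sided CUSUM written for this page, not the detector from [25]), the example below shows why accumulating small deviations flags a persistent tariff shift that a per-sample threshold misses. The price series, the parameters k and h, and all function names are constructed assumptions.

```python
"""Two-sided tabular CUSUM over a tariff feed (added illustration, textbook CUSUM)."""
import statistics
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class CusumResult:
    alarm_index: Optional[int]  # first post-baseline sample that raised an alarm
    s_pos: List[float] = field(default_factory=list)  # upward cumulative sums
    s_neg: List[float] = field(default_factory=list)  # downward cumulative sums


def _baseline(prices: Sequence[float], baseline_n: int) -> Tuple[float, float]:
    """Mean and sample standard deviation of the trusted reference window."""
    if baseline_n < 2 or baseline_n > len(prices):
        raise ValueError("baseline window must hold 2..len(prices) samples")
    mu = statistics.fmean(prices[:baseline_n])
    sigma = statistics.stdev(prices[:baseline_n])
    if sigma == 0:
        raise ValueError("baseline has zero variance; cannot standardise")
    return mu, sigma


def cusum_detect(prices: Sequence[float], baseline_n: int,
                 k: float = 0.5, h: float = 5.0) -> CusumResult:
    """Accumulate standardised deviations; k is the slack, h the alarm level.

    Both are expressed in baseline standard deviations (assumed values).
    """
    mu, sigma = _baseline(prices, baseline_n)
    result = CusumResult(alarm_index=None)
    up = down = 0.0
    for i, price in enumerate(prices):
        z = (price - mu) / sigma
        up = max(0.0, up + z - k)       # grows only while prices sit above mu + k*sigma
        down = max(0.0, down - z - k)   # grows only while prices sit below mu - k*sigma
        result.s_pos.append(up)
        result.s_neg.append(down)
        if result.alarm_index is None and i >= baseline_n and (up > h or down > h):
            result.alarm_index = i
    return result


def threshold_detect(prices: Sequence[float], baseline_n: int,
                     z_limit: float = 3.0) -> Optional[int]:
    """Per-sample check for comparison: alarm only if one price is an outlier."""
    mu, sigma = _baseline(prices, baseline_n)
    for i in range(baseline_n, len(prices)):
        if abs(prices[i] - mu) / sigma > z_limit:
            return i
    return None


# Constructed sample data: a 0.20 EUR/kWh tariff with small repeating jitter.
NOISE = [0.000, 0.002, -0.001, 0.001, -0.002, 0.000, 0.001, -0.001]
BASELINE_N = 24      # samples assumed to be untampered
ATTACK_START = 24    # first manipulated sample
SHIFT = 0.0015       # persistent manipulation, about 1.2 baseline sigmas


def make_series(tampered: bool, length: int = 48) -> List[float]:
    """Build the constructed tariff series, optionally with the small shift."""
    return [0.20 + NOISE[i % len(NOISE)]
            + (SHIFT if tampered and i >= ATTACK_START else 0.0)
            for i in range(length)]


if __name__ == "__main__":
    for label, series in (("clean", make_series(False)),
                          ("tampered", make_series(True))):
        print(label,
              "threshold alarm:", threshold_detect(series, BASELINE_N),
              "cusum alarm:", cusum_detect(series, BASELINE_N).alarm_index)
```

Lowering h shortens the detection delay at the cost of more false alarms on noisy feeds; the baseline window must come from a period known to be unmanipulated.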

Nangrani and Bhat, in their paper “Smart grid security assessment using intelligent technique based on novel chaotic performance index” [26], proposed an intelligent monitoring technique for smart grid security assessment that uses an interleaved index. The index combines Lyapunov Exponent based monitoring of uncontrolled growth of power flow with a general index of overload on the grid.

Christos Tsigkanos et al., in their 2018 paper “On the Interplay Between Cyber and Physical Spaces for Adaptive Security” [27], proposed the use of Bigraphical Reactive Systems to model the topology of cyber and physical spaces and their dynamics. They then use these models to perform speculative threat analysis and propose an automatic planning technique to identify an adaptation strategy that enacts security policy at runtime to prevent, circumvent, or mitigate possible violations of security requirements.

Alrimawi et al., in their recent (08/2019) work “On the Automated Management of Security Incidents in Smart Spaces” [28], have developed an incident reporting approach for smart spaces (e.g., smart buildings) that supports sharing and visualization of incident instantiations in different smart buildings. Moreover, they provided filters to prioritize incidents depending on their number of actions or the components of the smart space that they involve.

Hachem et al., in their 2020 paper “Modelling, Analysing and Predicting Security Cascading Attacks in Smart Buildings Systems-of-Systems” [29], investigate whether Software Engineering (SE) can be the basis for modelling and analysing secure System-of-Systems (SoS) solutions against high-impact (cascading) attacks at the architecture stage. The proposed model, called Systems-of-Systems Security (SoSSec), consists of the SoSSecML language for SoS modeling and Multi-Agent Systems (MAS) for security analysis of SoS architectures. Moreover, a case study was conducted on a real smart building, showing that their method can discover cascading attacks that consist of many individual attacks (e.g., Denial of Service).

3.1.3 Secure transactions

Kishimoto et al. have proposed SPaCIS, a protocol for secure payments in smart grids, in “SPaCIS: Secure Payment Protocol for Charging Information over Smart Grid” [30]. SPaCIS provides the consumer with the ability to validate the charging information.

As mentioned in [31], the adoption of Computer Security Incident Response Teams (CSIRTs) is necessary for the proper management of security incidents in Smart Grids. In the same paper, the authors propose an incident classification to assist CSIRT’s implementation for Smart Grids, considering the specific concerns of the different response teams that handle incidents.

Blockchain technology, first introduced for exchanging digital currency, has found security and privacy applications in many other areas, such as IoT [32], smart home [33], and smart city [34]. In “A framework of blockchain-based secure and privacy-preserving E-government system” [35], Elisa et al. propose a blockchain system dedicated to e-government. More specifically, they propose a framework of a decentralized e-government peer-to-peer (P2P) system, based on blockchain technology, that enables communication between e-government and users’ devices. When a new device (either e-government or user-owned) joins the system, the existing peers of the network decide whether to approve or disapprove the registration of the new device. If the registration is approved, one of the pre-existing peers is elected to set up the new network “node” and assign it a “blockchain wallet.” A prototype of the system is presented, followed by a theoretical and qualitative analysis of the security and privacy implications of such a system. In the same spirit, Yang et al. in “Privacy and Security Aspects of E-government in Smart Cities” [36] propose a peer-to-peer system similar to [35], based on blockchain technology. In addition, a useful summary of the technologies and techniques used for secure e-Government systems is presented there, as follows: (i) Blockchain; (ii) Artificial intelligence and machine learning; (iii) Biometric security and surveillance; (iv) Patching security vulnerabilities; (v) Deep packet inspection (DPI); (vi) Enhanced connected device security; and (vii) Mutual authentication.

Mylrea and Gourisetti, in their 2017 work “Blockchain for Smart Grid Resilience: Exchanging Distributed Energy at Speed, Scale and Security” [37], outline how to apply blockchain-based smart contracts to increase the speed, scale and security of exchanges of distributed energy resources. In addition, they propose two existing testbeds to simulate the power grid’s complex system: (i) the PNNL’s B2G testbed; and (ii) the integrated Transactive Campus. The latter provides a unique combination of live telemetry and real-time data to simulate the power grid and improve the state of the art of blockchain security technology to create a more resilient grid. Blockchain in smart grids has also been the subject of the more recent review article by Musleh et al., “Blockchain Applications in Smart Grid - Review and Frameworks” [38]. The authors state that power grids are beginning to utilize blockchain technology very effectively, although the technique is not yet mature enough. They also group the reviewed works into three categories: (i) Energy trading; (ii) Electric Vehicles; and (iii) Microgrid operations.

Li et al., in their work “Consortium Blockchain for Secure Energy Trading in Industrial Internet of Things,” [39] observed the typical energy trading scenarios in the Industrial IoT (IIoT). They established a unified energy blockchain with moderate cost. In addition, to reduce the limitation of transaction confirmation delays, they designed a credit-based payment scheme that supports frequent energy trading by enabling fast payment. Finally, for the credit-based payment scheme, they proposed an optimal pricing strategy using a Stackelberg game [40] for credit-based loans to maximize the utility of the credit bank.

Biswas et al., in “A Scalable Blockchain Framework for Secure Transactions in IoT,” [41] proposed a solution to two problems: the generation of transactions at a rate that current blockchain solutions cannot handle, and the impossibility of implementing Blockchain peers on IoT devices due to resource constraints. The proposed solution uses a local peer network to bridge the gap. It restricts the number of transactions that enter the global Blockchain by implementing a scalable local ledger, without compromising on the peer validation of transactions at a local and global level.

3.1.4 Data transfer, storage, and processing

Storing data in servers through cloud computing has been proposed by many researchers as a feasible solution for e-health. On the other hand, cloud computing involves potential threats to the security and protection of healthcare data [42], such as threats arising from Denial of Service (DoS) attacks, cloud malware injection attacks, man-in-the-middle cryptographic attacks, spoofing, and collusion attacks [43]. As a result, research on security and privacy for e-health focuses mostly on cloud computing security and privacy techniques that fit the e-health perspective. One such technique, along with its variants, is homomorphic encryption [44], in which the encrypted data are modified without being decrypted. One version of this technique, the Somewhat Homomorphic Encryption (SwHE) technique, has been successfully proven in medical and financial applications [45].

Zhu et al., in their work “An Efficient and Privacy-Preserving Biometric Identification Scheme in Cloud Computing” [46], examine the biometric identification scheme [47], revealing its security weakness under a proposed level-3 attack. More specifically, they show that an attacker can recover the secret keys by colluding with the cloud, and thus decrypt the biometric traits of all users. To tackle this problem, the work proposes a new biometric identification scheme that aims to ensure security, based on a new encryption algorithm proposed there and on cloud authentication certification.

Xue et al. presented Robust and Auditable Access Control (RAAC) in “RAAC: Robust and Auditable Access Control with Multiple Attribute Authorities for Public Cloud Storage” [48]. The authors propose secure access control that counters the single-point performance bottleneck problem. To achieve its goals, trust between RAAC and the Central Authority (CA) is necessary for key generation and distribution. On the other hand, a deniable Attribute-Based Encryption (ABE) scheme for cloud storage services is studied by Chi and Lei in “Audit-Free Cloud Storage via Deniable Attribute-Based Encryption” [49]. In this paper, ABE characteristics are used to create a scheme that enhances Waters's ciphertext policy attribute-based encryption (CP-ABE) scheme [50]. In the same sense, Huang et al., in their work “Efficient Anonymous Attribute-Based Encryption with Access Policy Hidden for Cloud Computing,” [51] proposed an anonymous attribute-based encryption scheme for cloud data so as to enhance the privacy protection of ABE schemes. In addition, the latter paper also targets performance in terms of storage, communication, and computational overheads, while satisfying the requirements of constant secret key length and reasonable ciphertext size. ABE is also central to the scheme proposed by Li et al. in their paper “Unified Fine-Grained Access Control for Personal Health Records in Cloud Computing” [52]. First, the scheme generates shared information from the common access sub-policy, which is based on different patients’ access policies. Then, by combining the encryption of PHRs from different patients, it aims to reduce the time consumed by both encryption and decryption.

A disease prediction scheme, called PPDP, is proposed in “PPDP: An efficient and privacy-preserving disease prediction scheme in the cloud-based e-Healthcare system” [53]. In this work, Zhang et al. proposed the PPDP scheme, which employs random vectors and matrices, thus enabling the outsourced EHRs to be handled and trained on the cloud server using the SLP algorithm without leaking sensitive information.

Kim and Kim thoroughly discuss the benefits of adopting a cloud computing approach for Smart Grids security in their review paper “Benefits of cloud computing adoption for smart grid security from a security perspective” [54].

Secure data transmission for ITS in mobile heterogeneous cloud computing systems is the subject of the paper by Gai et al., “SA-EAST: Security-Aware Efficient Data Transmission for ITS in Mobile Heterogeneous Cloud Computing” [55]. The authors propose a mobile heterogeneous cloud implementation that uses dynamic task assignments to achieve high performance and secure wireless transmissions in ITS. The approach is based on mapping cloud resources and can be implemented in other systems for security-aware efficient solutions. A deployment is also presented that can be employed for securing ubiquitous CPS by using mobile heterogeneous cloud computing.

Wu et al., in their paper “Establishing an Intelligent Transportation System With a Network Security Mechanism in an Internet of Vehicle Environment” [56], proposed an integration of ITS in traffic signal control to help emergency vehicles arrive at their destinations more promptly. For tackling traffic incidents, regular vehicles are given the ability to obtain proof of incident from the relevant authorities, learn the Global Positioning System information of nearby vehicles (e.g., position and speed), and use their car camcorder data as evidence. To achieve these goals, the authors propose filtered information transmissions by roadside units with traffic signal control towards the certificate authority.


3.2 Privacy in Smart Cities

As in any information system, in Smart Cities there are three main operations: data transfer, storage, and processing. Privacy concerns can occur during any of these operations, which can affect the user’s behavior [14].

Driven by a Privacy Compliance Assessment derived from the European Union’s General Data Protection Regulation (GDPR), Anisetti et al. in their work “Privacy-aware Big Data Analytics as a Service for Public Health Policies in Smart Cities” proposed a new Big Data-assisted public policy in order to turn the implementation progress into “privacy-by-design.” The proposed approach is based on a Big Data Analytics as a Service approach, which is discussed in the context of a public health policymaking process.

Shen et al., in their 2018 paper “Privacy-Preserving Support Vector Machine Training over Blockchain-Based Encrypted IoT Data in Smart Cities,” [57] proposed a privacy-preserving SVM training scheme over blockchain-based encrypted IoT data. By utilizing blockchain techniques, the authors build a data-sharing platform among multiple data providers, where IoT data is encrypted and then recorded on a distributed ledger. In addition, they construct an SVM training algorithm that only requires two interactions in a single iteration, without the need for a third party.

Lim and Taeihagh, in their 2018 study “Autonomous Vehicles for Smart and Sustainable Cities: An In-Depth Exploration of Privacy and Cyber-security Implications” [58], highlighted the literature supporting the need for Smart Cities to be able to use Autonomous Vehicles (AVs) for their citizens’ transportation. Then, they identified the most significant aspects of privacy and cyber-security in AVs. Regarding privacy in AVs, it is stated there that in many cases (e.g., efficient traffic management, accurate assignment of liability in the event of collisions, etc.), AVs have to store highly sensitive data and transmit them to other vehicles, connected infrastructure, or third-party organizations through external V2V and V2I communication networks. As a result, unrestricted sharing of data may occur, which raises privacy concerns.

Privacy in Vehicular Social Networks (VSNs) (i.e., mobile communication systems formed by the combination of relevant concepts and features from vehicular ad-hoc networks and social networks [59]) is discussed in the paper by Yu et al., “MixGroup: Accumulative Pseudonym Exchanging for Location Privacy Enhancement in Vehicular Social Networks” [60]. To enhance location privacy, the authors proposed the “MixGroup” scheme. The MixGroup scheme integrates the mechanism of group signature and constructs an extended pseudonym-changing region. In this way, and by accumulatively exchanging pseudonyms, vehicles have their pseudonym entropy consecutively increased. As a result, location privacy was substantially enhanced.


Wang et al. in “TCSLP: A trace cost based source location privacy protection scheme in WSNs for smart cities” [61] proposed that privacy can be protected by creating several phantom source nodes. These nodes are placed near the real source node (i.e., the node that transmits packets towards the sink node). This technique limits the ability of an adversary to find the real source node.

Beltran et al., in their 2017 paper “An ARM-Compliant Architecture for User Privacy in Smart Cities: SMARTIE — Quality by Design in the IoT,” proposed the “SMARTIE” architecture. Besides being the architecture’s name, SMARTIE is also the acronym of the EU-funded project under which the architecture was funded and developed, titled “Secure and sMArter ciTIes data management”2. The SMARTIE architecture is based on IoT-ARM for securing and preserving privacy during the dissemination of data in Smart Cities.

Alabdulatif et al. propose a cloud-based model for providing a privacy preserving anomaly detection service for decision-making in Smart Cities in “Privacy-preserving anomaly detection in the cloud for quality assured decision-making in smart cities” [62]. The authors there employ homomorphic encryption in order to preserve data privacy. In addition, for countering computational overheads associated with homomorphic encryption, they utilize MapReduce based distribution of tasks and parallelization.

An interesting aspect of privacy in electricity consumption was studied by Alamaniotis et al. in “Enhancing privacy of electricity consumption in smart cities through the morphing of anticipated demand pattern utilizing self-elasticity and genetic algorithms” [63]. In this paper, a method for enhancing consumer privacy in smart cities is proposed, in which the anticipated demand patterns of multiple consumers are intelligently aggregated as a means to hide individual features. The proposed method makes use of consumers' self-elasticity matrices and a genetic algorithm to create an aggregated pattern that masks individual consumption data.

For privacy in a Vehicle-to-Grid (V2G) network, Han and Xiao in their work “IP2DM: integrated privacy-preserving data management architecture for smart grid V2G networks” [64] studied privacy-preserving data management of V2G networks in smart grids. The goal was to benefit both the customers (because of privacy preservation) and the utility companies. The proposed architecture aims to protect both data aggregation and data publication in V2G networks. To check the architecture’s security, it is analyzed against several typical V2G network attacks, and experiments are conducted on it.

2 CORDIS | European Commission. (2020). Retrieved 9 March 2020, from https://cordis.europa.eu/project/id/609062


4 EU initiatives and regulations for cyber-security and privacy in Smart Cities

4.1 Organizations

In Europe, ERTICO - ITS Europe [65] is an Intelligent Transportation System (ITS) organization that promotes relevant research and defines ITS industry standards. More specifically, ERTICO – ITS is a network of stakeholders in Europe, connecting public authorities, industry, infrastructure operators, users, national ITS associations, and other organizations. In the United States, each state has its own ITS chapter that holds a yearly conference to promote and showcase ITS technologies and ideas. Representatives from each Department of Transportation (state, cities, towns, and counties) within the state attend this conference.

Over the past years, ITS technologies and services have been a focus of many research communities and standardization organizations, such as IEEE, the European Telecommunications Standards Institute (ETSI), the Car2Car Communication Consortium, and the U.S. National Highway Traffic Safety Administration (NHTSA). During Horizon 2020, the most significant EU Research and Innovation programme3, ITS has been the main or one of the main subjects of research in 103 projects in the “Transport & Mobility” domain of application4.

The European Union Agency for Cyber-security (ENISA)5 has been working to make Europe cyber-secure since 2004. The Agency is located in Athens, Greece and has a second office in Heraklion, Greece. The Agency, in cooperation with the Member States and private sector, delivers advice and solutions as well as improvements for their capabilities. This support includes the pan-European Cyber-security Exercises, the development and evaluation of National Cyber-security Strategies, CSIRTs cooperation and capacity building, studies on IoT and smart infrastructures, addressing data protection issues, privacy-enhancing technologies and privacy on emerging technologies, eIDs and trust services, identifying the cyber threat landscape, and others.

3 Kugleta. (2017, March 15). What is Horizon 2020? Retrieved from https://ec.europa.eu/programmes/horizon2020/en/what-horizon-2020

4 CORDIS | European Commission. (2020). Retrieved 8 March 2020, from https://cordis.europa.eu/search/en?q=contenttype%3D%27project%27%20AND%20(programme%2Fcode%3D%27H2020%27)%20AND%20applicationDomain%2Fcode%3D%27trans%27%20AND%20(%27Intelligent%27%20AND%20%27transportation%27%20AND%20%27technologies%27)&p=1&num=10&srt=Relevance:decreasing

5 Enisa.europa.eu. 2020. ENISA. [online] Available at: [Accessed 2 April 2020].

The European Cyber Security Organisation (ECSO)6 is an entirely self-financed non-profit organization under Belgian law, established in June 2016. ECSO represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP). ECSO members include a wide variety of stakeholders such as large companies, SMEs and start-ups, research centers, universities, end-users, operators, clusters and associations, as well as European Member States’ local, regional and national administrations, countries that are part of the European Economic Area (EEA) and the European Free Trade Association (EFTA), and H2020 associated countries.

The European Energy - Information Sharing & Analysis Centre (EE-ISAC)7 is an information-sharing network of trust driven by the industry. Private utilities and solution providers, as well as (semi)public institutions such as academia, governmental and non-profit organizations, will share knowledge and information by monitoring the cyber-security situation within the energy sector.

4.2 Legislation

In 2013, the European Commission (EC) adopted the Directive (2013/40/EU) on attacks on information systems, which aims to prevent large-scale cyber-attacks by requesting EU countries to update their national cybercrime laws and adopt harsher criminal penalties.

In 2016, the EC proposed the first piece of cyber-security legislation, the EU Network and Information Security (NIS) Directive (EU2016/1148). This Directive has three parts: a) the supervision of cyber-security of critical infrastructure in sectors such as energy, health or transport sector by each EU Member State, b) each EU country should have its national cyber-security capabilities, such as a Computer Security Incident Response Team (CSIRT) and c) ensure cross-border cooperation among EU countries.

6 ECSO - European Cyber Security Organisation. 2020. ECSO - European Cyber Security Organisation. [online] Available at: [Accessed 2 April 2020].

7 EE-ISAC - European Energy - Information Sharing & Analysis Centre. 2020. Home - EE-ISAC - European Energy - Information Sharing & Analysis Centre. [online] Available at: [Accessed 2 April 2020].


In 2017, the EC introduced the EU Cyber-security Act, which remodels and expands ENISA’s capabilities and creates an EU-wide certification framework in cyber-security.

In 2019, the EC adopted the recast of the Electricity Regulation (EU) 2019/943, which gives the EC a mandate to create a cybersecurity network code for the electricity sector in order to increase its reliability and protect the grid.

4.2.1 General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 of the European Parliament and the Council, the European Union’s ('EU') new General Data Protection Regulation (GDPR), regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU. It does not apply to the processing of personal data of deceased persons or legal persons. The rules do not apply to data processed by an individual for purely personal reasons or activities carried out in one's home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected8.

The way GDPR can affect smart cities’ development has been discussed lately. The answer to this question can be given by applying the parts of the new regulation that seem to play an important role [66].

In Article 4 of GDPR, the term “personal data” is given: “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In Article 5 of the Regulation, personal data are described as: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, also “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. “Decoding” these parts of the GDPR article, the collection of personal data for the development of Smart Cities has to be precisely pre-defined and follow the legal rules. Moreover, special attention is paid to the way the data are kept, with the duration of keeping them not exceeding the necessary period. On the other hand, anonymous data are supposed to be used (and kept) for statistics and for other reasons, e.g., the production of a traffic model.

8 What does the General Data Protection Regulation (GDPR) govern? (2019, November 27). Retrieved from https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en

In Article 6 of GDPR it is determined that personal data processing is legitimate if certain conditions are met: "processing is necessary for the performance of a task carried out in the public interest". In this sense, when collecting data of public interest, it should be obvious that collecting these data is precisely about the public interest.

The issue of security of personal data processing is stated in Article 32: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” In this part, the regulation enters the information security systems area, previously regulated by the series of standards ISO/IEC 27000 [67].

It is crucial for Smart Cities developers to consider and pre-organize the way they will “use” the personal data of citizens. In addition, the kind of information needed for a Smart City feature to work must be considered in advance. For example, when an application for monitoring the road load per hour is developed, there is obviously no need to acquire the personal data of drivers, only the cars’ presence and movement on the road.

Another interesting point in GDPR is “pseudonymization”. The latter term, defined in Article 4, means “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
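One way to apply the Article 4 definition to the road-load example above, given as an added illustration that is not part of this deliverable: number plates are replaced by keyed HMAC-SHA256 tokens before the data reach the analytics side, and the key is the "additional information" held by a separate custodian. The field names, the sample sightings and the fixed demo key are constructed assumptions.

```python
"""Pseudonymized road-load counting (added illustration, constructed data)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed demo key. In a deployment it would be generated randomly
# (e.g. secrets.token_bytes(32)) and held by a custodian separate from
# whoever stores or analyses the pseudonymized records.
CUSTODIAN_KEY = b"constructed-demo-key-not-for-production"

# Constructed raw sightings as a roadside unit might emit them.
SIGHTINGS = [
    {"plate": "ABC-1234", "segment": "A1", "seen_at": "2020-03-02T08:05:00"},
    {"plate": "abc 1234", "segment": "A1", "seen_at": "2020-03-02T08:40:00"},
    {"plate": "XYZ-9876", "segment": "A1", "seen_at": "2020-03-02T08:15:00"},
    {"plate": "XYZ-9876", "segment": "A1", "seen_at": "2020-03-02T09:02:00"},
    {"plate": "KLM-5555", "segment": "B7", "seen_at": "2020-03-02T08:59:00"},
]


def normalize(plate: str) -> str:
    """Canonical form so formatting differences do not split one vehicle."""
    return "".join(ch for ch in plate if ch.isalnum()).upper()


def unkeyed_token(plate: str) -> str:
    """Plain hash: anyone can recompute it, so no separate secret exists."""
    return hashlib.sha256(normalize(plate).encode()).hexdigest()[:16]


def keyed_token(plate: str, key: bytes) -> str:
    """HMAC token: re-linking to a plate requires the separately held key."""
    digest = hmac.new(key, normalize(plate).encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(sightings, key: bytes):
    """Drop the plate and the minute-level time; keep token, segment, hour."""
    records = []
    for s in sightings:
        hour = datetime.fromisoformat(s["seen_at"]).strftime("%Y-%m-%dT%H")
        records.append({"vehicle": keyed_token(s["plate"], key),
                        "segment": s["segment"], "hour": hour})
    return records


def road_load_per_hour(records):
    """Distinct vehicles per (segment, hour), computed without any plate."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["segment"], r["hour"])].add(r["vehicle"])
    return {slot: len(vehicles) for slot, vehicles in seen.items()}


def relink(token: str, candidate_plates, token_fn):
    """Check whether a token can be tied back to one of the known plates."""
    for plate in candidate_plates:
        if token_fn(plate) == token:
            return plate
    return None


if __name__ == "__main__":
    records = pseudonymize(SIGHTINGS, CUSTODIAN_KEY)
    for slot, count in sorted(road_load_per_hour(records).items()):
        print(slot, count)
    known = ["KLM-5555", "ABC-1234"]
    # An unkeyed hash is re-linkable by anyone holding a list of plates.
    print(relink(unkeyed_token("ABC-1234"), known, unkeyed_token))
    # The keyed token is not, unless the custodian's key is used.
    print(relink(keyed_token("ABC-1234", CUSTODIAN_KEY), known,
                 lambda p: keyed_token(p, b"some other key")))
```

The hourly counts are identical whichever key is used, so the analytics side never needs the key; rotating it periodically also limits how long one vehicle stays linkable across records.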

Taking a step further, in Article 89 one can read the following: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”. As a result of the above, fully anonymous data are treated as personal data, since no natural person can be identified from them.


4.3 EU funded projects

The SPEAR (Secure and PrivatE smArt gRid)9 project is a 36-month research program, co-funded by the Horizon 2020 framework programme of the European Union. It aims at developing an integrated platform of methods, processes, tools, and supporting tools for:

a) Timely detection of evolved security attacks such as APT, Denial of Service (DoS) and Distributed DoS (DDoS) attacks using big data analytics, advanced visual-aided anomaly detection, and embedded smart node trust management.

b) Developing an advanced forensic readiness framework, based on smart honeypot deployment, which will be able to collect attack traces and prepare the necessary legal evidence in court, while at the same time preserving users' private information.

c) Implementing an anonymous smart grid channel for mitigating the lack of trust in exchanging sensitive information about cyber-attack incidents.

d) Performing risk analysis and awareness through cyber hygiene frameworks while empowering EU-wide consensus by collaborating with European and global security organizations, standardization bodies, industry groups and smart grid operators.

e) Exploiting the research outcomes to more CIN domains and creating competitive business models for utilizing the implemented security tools in smart grid operators and actors across Europe.

EnergyShield (Integrated Cybersecurity Solution for the Vulnerability Assessment, Monitoring, and Protection of Critical Energy Infrastructures)10 is a 36-month EU H2020 Research and Innovation program of the European Union, funded by the Horizon 2020 framework program, that began on the 1st of July 2019. The project addresses the needs of the operators in the Electrical Power and Energy System (EPES). It combines the latest technologies for vulnerability assessment, supervision, and protection to draft a defensive toolkit.

PHOENIX (Electrical Power System’s Shield against complex incidents and extensive cyber and privacy attacks)11 is a 36-month EU H2020 Research and Innovation program of the European Union, funded by the Horizon 2020 framework program and began on the 1st of September 2019. PHOENIX aims to offer a cyber-shield armor to European EPES infrastructure enabling cooperative detection of large scale, cyber-human security and privacy incidents and attacks, guarantee the continuity of operations and minimize cascading effects in the infrastructure itself, the environment, the citizens and the end-users at reasonable cost.

9 Spear2020.eu. 2020. Home Page - SPEAR Project. [online] Available at: [Accessed 2 April 2020].

10 Cordis.europa.eu. 2020. CORDIS | European Commission. [online] Available at: [Accessed 2 April 2020].

11 https://cordis.europa.eu/project/id/832989

CONCORDIA (Cybersecurity cOmpeteNce fOr Research anD Innovation)12 is a 36-month EU H2020 Research and Innovation Action project of the European Union, funded by the Horizon 2020 framework program and began on the 1st of January 2019. CONCORDIA addresses the current fragmentation of security competence by networking diverse competencies into a leadership role via a synergistic agglomeration of a pan-European Cyber-security Center. The vision of CONCORDIA is to build a strong community cooperation between all stakeholders, understanding that all stakeholders have their KPIs, bridging among them, and fostering the development of IT products and solutions along the whole supply chain. Technologically, it projects a broad and evolvable data-driven and cognitive E2E Security approach for the ever-complex ever-interconnected compositions of emergent data-driven cloud, IoT, and edge-assisted ICT ecosystems.

SerIoT (Secure and Safe Internet of Things) 13 is a 36-month EU H2020 Research and Innovation Action project of the European Union, funded by the Horizon 2020 framework program and began on the 1st of January 2018. SerIoT aims to provide a useful open & reference framework for real-time monitoring of the traffic exchanged through heterogeneous IoT platforms within the IoT network in order to recognize suspicious patterns, to evaluate them and finally to decide on the detection of a security leak, privacy threat and abnormal event detection while offering parallel mitigation actions that are seamlessly exploited in the background.

SCISSOR (Security In trusted SCADA and smart-grids)14 was a 36-month EU H2020 Research and Innovation Action project of the European Union, funded by the Horizon 2020 framework program and began on the 1st of January 2015. The project aimed to design a new generation SCADA security monitoring framework.

12 CONCORDIA. 2020. Home : CONCORDIA. [online] Available at: [Accessed 2 April 2020].

13 Seriot-project.eu. 2020. Seriot – Secure And Safe Internet Of Things. [online] Available at: [Accessed 20 March 2020].

14 Cordis.europa.eu. 2020. CORDIS | European Commission. [online] Available at: [Accessed 2 April 2020].


WiseGRID (Wide scale demonstration of Integrated Solutions and business models for European smartGRID)15 is a 42-month EU H2020 Innovation Action project of the European Union. It is funded by the Horizon 2020 framework program and began on the 1st of November 2016. WiseGRID integrates, demonstrates, and validates advanced ICT services and systems in the energy distribution grid in order to provide secure, sustainable, and flexible smart grids and give more power to the European energy consumer. The project will combine an enhanced use of storage technologies, a highly increased share of Renewable Energy Sources (RES) and the integration of charging infrastructure to favor the large-scale deployment of electric vehicles. It will place citizens at the center of the transformation of the grid.

P2P-SmarTest (Peer to Peer Smart Energy Distribution Networks)16 was a 36-month EU H2020 Innovation Action project of the European Union, funded by the Horizon 2020 framework program and began on the 1st of January 2015. The project investigated and demonstrated a smarter electricity distribution system integrated with advanced ICT, regional markets, and innovative business models. It employed Peer-to-Peer (P2P) approaches to ensure the integration of demand-side flexibility and the optimum operation of DER and other resources within the network while maintaining second-to-second power balance and the quality and security of the supply.

15 Ece.ntua.gr. 2020. Wisegrid - Wide Scale Demonstration Of Integrated Solutions And Business Models For European Smartgrid. [online] Available at: [Accessed 4 March 2020].

16 Cordis.europa.eu. 2020. CORDIS | European Commission. [online] Available at: [Accessed 10 March 2020].


5 POCITYF’s approach

In this Section, an initial approach is made in investigating the cyber-security and privacy issues in the considered Energy Transition Tracks (see Figure 5). By providing possible threats and taking into consideration the current related knowledge on cyber-security and privacy in Smart Cities, some indications are given on how POCITYF plans to overcome the mentioned threats. Based on the considered Energy Transition Tracks, the categorization regarding cyber-security and privacy in this Section is the following:

a. Critical energy infrastructure
b. Smart buildings
c. Transportation
d. Smart citizens’ data
e. Indirect to POCITYF approaches

Figure 5 POCITYF’s Energy Transition Tracks


5.1 Critical energy infrastructure

When discussing critical energy infrastructure in a Smart City, one mainly refers to the set of infrastructures that support the city’s electricity smart grid, along with oil and gas reserve stocks. Regarding electricity smart grids, this infrastructure mostly consists of computers and sensors and, being the backbone of the ICT-based grid, is responsible for managing electricity in a sustainable, reliable, and economical manner.

According to the European Commission, the smart grid is “an upgraded electricity network to which two-way digital communication between supplier and consumer, intelligent metering and monitoring systems have been added” [68]. The European Union has a high level of energy security, enabled by oil and gas reserve stocks, and one of the most reliable electricity grids in the world [69]. The focus here is on challenges regarding the security of energy supply, notably in the electricity sector.

In POCITYF, the ETT 2 - P2P Energy Management and Storage Solutions for Grid Flexibility - is the main ETT that considers smart grids. More specifically, the Innovative Solutions (IS) proposed there are:

- IS-2.1: Flexible and Sustainable Electricity Grid Networks with Innovative Storage Solutions. This IS’s innovative elements (IE) considered are:
  o 2nd life residential batteries
  o Micro-grid controller platform
  o Control algorithms
  o LV and MV-connected storage systems
  o P2P energy trading platform
  o City Energy Management System
  o Powermatcher (DSM platform)
  o Stationary batteries
  o Virtual Power Plant (VPP)
  o V2G
  o DC grid
  o Fuel cells (hydrogen)
- IS-2.2: Flexible and Sustainable District Heating/Cooling with Innovative Heat Storage Solutions. This IS’s IEs considered are:
  o Freezing storage in store
  o Market-oriented building flexibility services
  o low temperature
  o heat grid
  o geothermal
  o low temperature waste heat
  o ATES (heat/cold storage)
  o HEAT matcher
  o thermal grid controller
  o Heat Island concept

Threats

Regarding smart grids such as the one in POCITYF’s ETT 2, the threats are mainly of three kinds: (i) attacks targeting availability, also called denial-of-service (DoS) attacks, attempt to delay, block or corrupt the communication in the Smart Grid; (ii) attacks targeting integrity aim at deliberately and illegally modifying or disrupting data exchange in the Smart Grid; and (iii) attacks targeting confidentiality intend to acquire unauthorized information from network resources in the Smart Grid. The challenges in POCITYF’s smart grid(s) have to consider all the ISs mentioned. In this sense, security and privacy schemes must be multidisciplinary.

Another threat to be considered is about issues regarding trust in smart grids. Trust can be described as the confidence that, during some specific interval (a) users can access data created by the right device at the expected location at the proper time, communicated using the expected protocol, and (b) the data has not been modified [70].

If some smart grid’s participants are not “trustworthy,” methods of addressing this issue are required.
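One way to turn the trust definition above into a receiver-side check, as an added example that is not part of the deliverable or of any POCITYF component. It assumes each device shares an HMAC key with the receiver; the registry, device name, location string and protocol label are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed registry: what the operator expects of each enrolled device.
REGISTRY = {
    "meter-0042": {
        "key": b"constructed-demo-key",
        "location": "feeder-12/house-7",
        "protocol": "mqtt-tls",
    },
}
MAX_AGE_SECONDS = 300  # the "specific interval" within which a reading is accepted
SIGNED_FIELDS = ("device", "location", "timestamp", "value")


def compute_mac(key, reading):
    """HMAC-SHA256 over a canonical encoding of every signed field."""
    canonical = json.dumps([reading.get(f) for f in SIGNED_FIELDS],
                           separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_reading(key, reading):
    """Device side: attach the MAC to a reading."""
    return dict(reading, mac=compute_mac(key, reading))


def check_trust(reading, received_over, now):
    """Return the trust conditions that fail (an empty list means trusted)."""
    expected = REGISTRY.get(reading.get("device"))
    if expected is None:
        return ["unknown device"]
    failures = []
    # (b) data not modified, and created by the holder of this device's key
    supplied = str(reading.get("mac", "")).encode("utf-8")
    wanted = compute_mac(expected["key"], reading).encode("utf-8")
    if not hmac.compare_digest(wanted, supplied):
        failures.append("data modified or not created by the claimed device")
    # (a) expected location, proper time, expected protocol
    if reading.get("location") != expected["location"]:
        failures.append("unexpected location")
    timestamp = reading.get("timestamp")
    if (not isinstance(timestamp, (int, float))
            or not 0 <= now - timestamp <= MAX_AGE_SECONDS):
        failures.append("outside the accepted time interval")
    if received_over != expected["protocol"]:
        failures.append("unexpected protocol")
    return failures
```

Because location and timestamp are inside the MAC, a reading replayed later or relabelled with another location fails even though its value is untouched.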

In smart grids, developments such as Internet technologies, broadband communication, and non-deterministic communication environments are employed. As a result, many security issues may occur. Interestingly, commonly used devices can become a threat to smart grids. For example, smart meters are desirable targets because vulnerabilities can easily be monetized. Compromising a meter can immediately manipulate the energy costs or energy meter readings [71]. Regarding privacy, energy use information stored at the meter and distributed thereafter acts as an information-rich side channel, exposing customer habits and behaviors.

POCITYF’s approach

The objectives in POCITYF regarding the cyber-security and the main threats given for its smart grids are the following [72] and depicted in Figure 6:

Availability: Ensuring timely and reliable access to and use of information is of the utmost importance in the Smart Grid. This is because a loss of availability is the disruption of access to or use of information, which may further undermine the power delivery.

Integrity: Guarding against improper information modification or destruction is to ensure information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information and can further induce incorrect decisions regarding power management.

Confidentiality: Preserving authorized restrictions on information access and disclosure is mainly to protect personal privacy and proprietary information. This is necessary to prevent unauthorized disclosure of information that is not open to the public and individuals.

Figure 6 Three high-level security objectives for the Smart Grid [72]

5.2 Smart buildings

Smart buildings are a crucial part of a smart city for various purposes: improving residents’ comfort, efficient operation of the building’s systems (i.e., elevators, water pipes, gas pipes), and reduction in energy consumption [73]. In their general case, they consist of: (i) Sensors for monitoring and submitting messages in case of changes; (ii) Actuators that perform physical actions; (iii) Controllers to control units and devices based on programmed rules set by the user; (iv) Central unit that enables programming of units in the system; (v) Interface for users’ communication with the system; (vi) Network which allows for the communication between the units; and (vii) Smart meter that offers a two-way, near or real-time communication between customer and utility company [74].

In POCITYF, the ETT 1 - Innovative Solutions for Positive Energy (CH) Buildings and Districts - is the main ETT that considers smart buildings. More specifically, the Innovative Solutions (IS) proposed in ETT 1 are:

- IS-1.1: Positive Energy (stand-alone) Buildings. This IS’s IEs considered are:
  o PV glass
  o PV canopy
  o PV skylight
  o Tegosolar PV
  o Traditional PV shingle
  o Bidirectional smart inverters
  o Energy router
  o BMS
  o 2nd life residential batteries
  o HEMS/BEMS
  o Positive Computing Data Centre
  o Insulation with circular materials
  o Triple glazing
  o Solar roofs and facades
  o Thermo acoustic heat pumps
  o Hybrid wind/solar generation system (Powernest)
  o Li-ion batteries
  o Cascaded heat pumps
  o Composite façade panels
  o PCM in the floor
- IS-1.2: Positive Energy Districts Retrofitting. This IS’s IEs considered are:
  o Smart Lamp posts with EV charging and 5G functionalities
  o Energy router
  o Smart distribution management system
  o P2P energy trading platform
  o Community Solar Farm (P2P driven: (3)PV plants, (1) public funded ESCO PV)
  o DHC (biomass, waste, geothermal)
  o ATES (heat/cold storage)
  o Li-ion/Li-metal batteries
  o DC lighting with EV charging
  o Solar roads
  o V2G
- IS-1.3: Feeding of PEDs with Waste Streams (heat/materials) promoting Symbiosis and Circular Economy. This IS’s IEs considered are:
  o 2nd life residential batteries
  o Pay-As-You-Throw (PAYT)
  o Reverse collection of waste
  o Circular economy building practices
  o ATES (heat/cold storage)
  o PCM in the floor
  o Waste management tools

Threats

Cyber-attacks on a smart city’s (smart) buildings target the IT infrastructure supporting the buildings’ smart control systems (e.g., light and motion sensors, water heaters and coolers, escalators, gas and smoke detectors, water leak detectors, security, etc.). Note that these control systems interconnect with other systems, thus further adding to the systems potentially under attack. In a smart building, the threat is mostly to the building automation systems (e.g., disruption of video surveillance, electrical distribution, lighting, emergency power, access control, elevators, fire systems, HVAC, climate control, monitoring, etc.). Recent research [75] by cyber-security firm Kaspersky17 mentions that in the first half of 2019, 37.8% of computers controlling smart building automation systems were affected by “malicious cyber-attacks.” The study was conducted on more than 40,000 buildings that use Kaspersky’s cyber-security products. It is interesting to mention that the attacks were not specifically targeted at building automation systems. However, in most cases, the malware was found on computer systems affecting computers that control the smart building systems. Of the 4 in 10 buildings attacked, 11 percent were attacked by spyware attempting to steal account credentials. Further discussing anti-viruses, it is interesting to note that not every device can hold an anti-virus. For example, in the absence of anti-virus, a smart TV can be attacked by using a “Man In The Middle” during a simple authentication procedure that only needs an IP address, a MAC address, and a hostname18.

Table 3 Communication Protocols for Smart Buildings

Communication Protocol | Description
BACnet [76] | Standardized by the American National Standards Institute (ANSI) and the International Standards Organization (ISO) (ISO 16484-5) since 2003 for building automation and control networks. It defines several data link/physical layers.
KNX [77] | Standardized under EN 50090 and ISO/IEC 14543. Open System Interconnection (OSI)-based network communications protocol for intelligent buildings.
Factory Instrumentation Protocol (FIP) [78] | European standard (EN 50170-3) used for the interconnection of devices in automated systems. It defines several application/datalink/physical layers.

17 Global Leader in Cybersecurity for Home & Business. (n.d.). Retrieved from https://www.kaspersky.com/

18 7, O. (n.d.). Smart Buildings At High Risk for Cyber Attacks: Study. Retrieved from https://www.facilitiesnet.com/buildingautomation/tip/Smart-Buildings-At-High-Risk-for-Cyber-Attacks-Study--44839

While various communication protocols have been implemented over the years (see, for example, those depicted in Table 3), most of them do not take any cyber-security measures against cyberattacks or intrusions. Hence, strong security measures must be applied in smart buildings.

Mainstream buildings can be turned into smart ones by using Building Automation Systems (BAS), which can both monitor and control the multiple building systems (such as those mentioned earlier) through a shared network medium. Under BAS, the smart devices making up the smart building (e.g., sensors, actuators, etc.) report and provide physical control through controller devices [15]. On the one hand, connecting all the devices together enables the smart building’s operations to be remotely observed over the Internet. On the other hand, using the Internet along with the interconnection of the devices results in security threats [79].

Since BAS has access to shared networks, the devices it consists of are exposed to threats that originally would be faced by traditional IT networks and protocols. For example, smart buildings can face denial of service threats (e.g., against their access control system) and even a complete takeover of the smart building may be the threat’s goal in some cases [80] [81]. In his work “How to increase the security of smart buildings?” [82], Steffen Wendzel surveys the six unresolved problems regarding smart buildings’ security, which also mark the six steps to be taken towards a more secure system: (i) Internet-based Communications; (ii) Impact of Attacks; (iii) Long-term Software Deployment; (iv) User-Oriented Software Design; (v) Insecure Network Stacks; and (vi) Access to Standards.

POCITYF’s approach

Intel categorizes the types of security products that can be implemented or installed for POCITYF’s smart buildings by “good, better, and best.” 19 This categorization, along with the smart building’s part it targets, is depicted in Figure 7.

19 Cdrdv2.intel.com. 2020. [online] Available at: [Accessed 26 April 2020].

Figure 7 Types of security products categorized by good, better, and best

In terms of specific protocols that can be implemented for POCITYF’s buildings IoT, a review of the security provided by some of the best-known IoT protocols is given below:

MQTT [83]: MQTT is a publish/subscribe messaging protocol developed by IBM. It is an OASIS20 standard as of 2014. It is lightweight, open, simple, and designed to be easily implemented. These characteristics make it ideal for Machine to Machine (M2M) communications and Internet of Things (IoT) contexts that are the backbone of a smart building. In its pub/sub messaging pattern, there are at least three entities: a mediator (usually called a broker), a data publisher, and a data subscriber. The broker is used to queue and transmit messages between data publishers and data subscribers. Regarding security, it provides a username/password system for authentication and relies on Transport Layer Security (TLS) library for data encryption.

20 “Advancing Open Standards for the Information Society.” OASIS, www.oasis-open.org/.

MQTT-SN [84]: Message Queuing Telemetry Transport for Sensor Networks (MQTT-SN) enhances MQTT by adapting it to the peculiarities of a wireless communication environment (e.g., low bandwidth, high link failures, short message length, etc.). MQTT-SN does not require a TCP/IP stack. At the same time, it is optimized for implementation on low-cost, battery-operated devices with limited processing and storage resources. Regarding security issues, it inherits the MQTT approach (username/password, TLS).

HTTP/REST [85]: HTTP is the well-known protocol powering the Internet and allows for sending information back and forth between clients and servers under the request/response method. HTTP uses TCP packets and is enhanced by the Representational State Transfer (REST) model in terms of providing a way to organize interactions between entities. The key characteristic of a RESTful Web service is the explicit use of HTTP methods (GET, PUT, POST, and DELETE) in a way that follows the protocol as defined by RFC 2616. REST is also stateless, exposes directory structure-like URIs and allows the transfer of information using XML and JSON objects. Security of HTTP/REST relies on TLS for data encryption and OAuth for authorization.

CoAP [86]: Constrained Application Protocol (CoAP) is a request/response protocol, similar to HTTP/REST. It is mostly differentiated in using UDP instead of TCP. UDP’s datagrams allow for “running” on top of packet-based technologies (e.g., SMS). Regarding security, TLS encryption is only available over TCP; thus, CoAP makes use of its UDP counterpart Datagram Transport Layer Security (DTLS).

AMQP21: AMQP provides a platform-agnostic method for ensuring information is safely transported between applications, among organizations, within mobile infrastructures, and across the Cloud. AMQP is used in areas as varied as financial front office trading, ocean observation, transportation, smart grid, computer-generated animation, and online gaming. Many operating systems include AMQP implementations, and many application frameworks are AMQP-aware. There are Cloud-hosted offerings of AMQP, and it is embedded in virtualization infrastructure. Regarding security, it supports TLS and the Simple Authentication and Security Layer (SASL).

21 ISO and IEC Approve OASIS AMQP Advanced Message Queuing Protocol. (n.d.). Retrieved April 10, 2020, from https://www.oasis-open.org/news/pr/iso-and-iec-approve-oasis-amqp-advanced-message-queuing-protocol

XMPP [87]: Extensible Messaging and Presence Protocol (XMPP) is an open communications protocol based on the Extensible Markup Language (XML). XMPP enables decentralized instant messaging, presence, multi-party chat, voice, and video calls. While old (established as an IETF standard back in 2004), it is recommended by many researchers for IoT because XMPP supports federation. In other words, devices from different manufacturers and connected to different platforms can communicate with each other using a standard communications protocol. Regarding security, it can use SASL for authentication and TLS for encryption. On the other hand, it lacks end-to-end encryption or quality of service.
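For the MQTT entry in the review above: the username and password travel inside the CONNECT packet itself, so they are only protected when the connection runs over TLS. The following added example (not from the deliverable or any POCITYF component) parses an MQTT 3.1.1 CONNECT packet and reports authentication and transport findings; the client names, credentials and sample packets are constructed.

```python
import struct

# CONNECT flag bits (MQTT 3.1.1, connect flags byte)
FLAG_USERNAME, FLAG_PASSWORD, FLAG_WILL = 0x80, 0x40, 0x04


def _read_remaining_length(buf, pos):
    """Decode the 1-4 byte variable-length size field; return (value, next_pos)."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            raise ValueError("truncated remaining-length field")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("remaining-length field longer than 4 bytes")


def _read_field(buf, pos):
    """Read a 2-byte big-endian length followed by that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (size,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + size
    if end > len(buf):
        raise ValueError("field runs past the end of the packet")
    return buf[pos + 2:end], end


def parse_connect(packet):
    """Extract the authentication-relevant fields of an MQTT 3.1.1 CONNECT."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    length, pos = _read_remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("packet shorter than its declared length")
    name, pos = _read_field(body, 0)
    if name != b"MQTT" or pos + 4 > len(body) or body[pos] != 4:
        raise ValueError("only MQTT 3.1.1 (protocol level 4) is handled")
    flags = body[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    client_id, pos = _read_field(body, pos)
    if flags & FLAG_WILL:  # skip will topic and will message
        _, pos = _read_field(body, pos)
        _, pos = _read_field(body, pos)
    username = password = None
    if flags & FLAG_USERNAME:
        username, pos = _read_field(body, pos)
    if flags & FLAG_PASSWORD:
        password, pos = _read_field(body, pos)
    return {
        "client_id": client_id.decode("utf-8", "replace"),
        "username": None if username is None else username.decode("utf-8", "replace"),
        "password_present": password is not None,  # the value itself is not kept
    }


def audit_connect(packet, transport_is_tls):
    """Return findings for one CONNECT, given whether it arrived over TLS."""
    info = parse_connect(packet)
    findings = []
    if info["username"] is None:
        findings.append("anonymous client: username/password authentication not used")
    elif not info["password_present"]:
        findings.append("username sent without a password")
    if not transport_is_tls:
        if info["username"] is not None:
            findings.append("credentials readable on the wire: connection is not using TLS")
        else:
            findings.append("unencrypted session: connection is not using TLS")
    return findings


def build_connect(client_id, username=None, password=None):
    """Build a CONNECT packet for the constructed samples below."""
    def field(text):
        data = text.encode("utf-8")
        return struct.pack(">H", len(data)) + data
    flags, payload = 0x02, field(client_id)  # 0x02 = clean session
    if username is not None:
        flags |= FLAG_USERNAME
        payload += field(username)
    if password is not None:
        flags |= FLAG_PASSWORD
        payload += field(password)
    body = field("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    size, encoded = len(body), bytearray()
    while True:
        size, byte = divmod(size, 128)
        encoded.append(byte | (0x80 if size else 0))
        if not size:
            return b"\x10" + bytes(encoded) + body


# Constructed sample packets (not captured traffic).
WITH_CREDENTIALS = build_connect("bms-sensor-01", "building-a", "constructed-password")
ANONYMOUS = build_connect("bms-sensor-02")
```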

5.3 Transportation

As mentioned in the Introduction section of the current document, most people live in large cities today; thus, mobility in those cities can cause several problems, due to traffic congestion, increased energy consumption and high pollution. For tackling the effects of the above problems, intelligent transportation systems (ITSs) are employed in smart cities, i.e., advanced applications aiming at providing innovative services relating to different modes of transport and traffic management and enabling users to be better informed and make safer, more coordinated, and 'smarter' use of transport networks. As a result, the ITSs’ services can reduce mobility, optimize trip planning, prevent drivers from exhibiting malicious behaviors, improve safety, reduce CO2 emissions, provide information regarding parking places using smartphones, track cars, etc. Hence, vehicular communication is a critical technology in smart cities.

In POCITYF, the ETT 3 - e-mobility Integration into Smart Grid and City Planning - is the main ETT that considers ITS. More specifically, the ISs proposed in ETT 3 are:

- IS-3.1: Smart V2G EVs Charging. This IS’s IEs considered are:
  o EV charging management platform
  o EV charger prototype with PV integration
  o Bidirectional smart inverters
  o V2G
  o Smart Lamp posts with EV charging and 5G functionalities
  o Intelligent and optimal control algorithms
  o Smart solar charging
  o Virtual Power Plant (VPP)
  o DC lighting with EV charging
- IS-3.2: E-mobility Services for Citizens and Auxiliary EV technologies. This IS’s IEs considered are:
  o EV sharing
  o Hydrogen powered HD vehicles
  o Solar Roads

Threats

As in most ITSs, the main POCITYF’s ITS threats and attacks are related to the following primary security services [88]: availability, identification and authenticity, confidentiality and privacy, integrity and data trust, and non-repudiation and accountability. In Table 4, these services are shown, along with most known “attacks” regarding each one and well-known security solutions regarding them.

Table 4 Well-known ITS threats, attacks, and countermeasures.

ITS Threats | Availability | Identification and Authenticity | Confidentiality and Privacy | Integrity and Data Trust | Non-Repudiation and Accountability

Denial of Man in the Eavesdropping Message Loss of Event Sevice Middle Tampering Traceability Traffic Analysis Jamming Sybil Message Wormhole Information Suppression Broadcast Replay Gathering and Tampering ITS GPS Spoofing alteration Attacks Greedy Masquerading Behaviour Tunneling Black Hole Key/Certification Malware replication Spamming

ITS Bit Digital Encryption of Group Key Trusted Security Commitment Certification & Data and Management Hardware Solutions & Signature Zero Knowledge Positions of Zero Authorized Vehicles Frequency Trusted Knowledge Modifications Hopping Hardware Variable MAC & Only

IP Addresses Authentication Central & non- Validation Repudiation Authority


Digital Time Stamping Signature of Bit Commitment Software & & Signature w. Sensors Positioning System

Digital Signature of Software & Sensors

The involved entities regarding POCITYF’s ITS security can be given as follows [89] [88]:

The drivers: Drivers are the most crucial element of ITS, since they must make vital decisions and can interact with the driving assistance systems to ensure their safety;

The on-board unit (OBU): OBU refers to both the driver and the vehicle in the literature. OBUs can be classified into (i) normal OBUs, which operate in a usual way; and (ii) malicious OBUs, which try to mislead the system;

The roadside unit (RSU): Similarly to OBU, RSUs can be classified into (i) normal RSU terminals; and (ii) malicious RSU terminals, which try to mislead the system;

Third-party entities: Third-party entities can be trusted or semi-trusted, and are responsible for managing the security certificates, as well as the diverse secrets/public key pairs. Examples of such entities include the transportation regulatory agencies and vehicle manufacturers;

The attackers: Attackers try to violate the security of ITS systems by using several techniques, as shown in Table 4.

POCITYF’s approach

For achieving a practical deployment of POCITYF’s ITS system, several security requirements have to be satisfied, thus ensuring the safety of drivers and the V2V and V2G security. More specifically, special attention has to be paid to the following challenges [88]:

Authentication: This is an essential requirement. It refers to (i) user authentication to prevent Sybil attacks and dismiss malicious entities; (ii) source authentication to ensure that legitimate ITS stations generated messages; and (iii) location authentication to ensure the integrity and relevance of the received information;

Data integrity: ITS entities (e.g., OBUs, RSUs, etc.) should be able to verify and validate the integrity of the received messages in order to prevent any unauthorized or malicious modification, manipulation or deletion during transmission;

Privacy and anonymity: The identities of drivers and vehicles should not be easily identifiable from the exchanged messages, and the right of the driver to control the access and use of her/his data should be enforced;

Availability: Exchanged information should be processed and made available in real-time, requiring thus the implementation of low-overhead and lightweight cryptographic algorithms;

Traceability and revocation: ITS authorities should be able to track malicious ITS entities that are misusing the ITS system, in order to revoke them promptly. The trust authority (TA) should be able to trace the vehicle and reveal its identity. Furthermore, in case of a dispute or when a malicious vehicle is detected, the TA must revoke it and add its identity to the revocation list;

Authorization: It is necessary to define the access control and authorization for the different entities. Specific rules should be enforced for accessing or denying specific ITS entities access and/or use of certain functions or data;

Non-repudiation: Each ITS entity should be uniquely associated with its information and actions in order to achieve data authenticity and origination;

Robustness against external attacks: ITS entities should be robust against external attacks, such as availability attacks, and ITS software should be almost free of vulnerabilities (e.g., buffer overflow) and logic flaws;

Data confidentiality: Exchanged messages should be encrypted appropriately and protected in order to prevent the disclosure of sensitive information to malicious nodes or unauthorized parties.

5.4 Smart citizens’ data

A Smart City consists of many different parts, such as smart grid, smart buildings, etc. In this sense, POCITYF considers the 3 presented ETTs, covering the most significant parts of a Smart City. A common characteristic among those parts is their need for storing, using, and (in some cases) sharing the users’ data. For example, payment methods are implemented both in ETT 1 and ETT 2. As a result, citizens’ data security will play an important role in their engagement with the building of a Smart City.

Taking into consideration that the goal of building a Smart City (or turning a city into a Smart City) is to make it a better place to live for its citizens, the latter have to be part of the equation and play a role in building the Smart City. The transition to positive buildings, districts, and communities has to be pursued through a close relationship with citizens. This relationship must encompass a bottom-up approach (from city to solution providers and local authorities), in which co-creation, co-development, and co-implementation processes are involved. The aim is to prevent the disconnection that may arise from the deployment of non-tailored solutions, agnostic to the culture and history of the local citizens. However, involving citizens in data collection may raise several issues concerning privacy, security, misinterpretation, or even abuse.

Large quantities of data are generated from Smart Cities infrastructures, and infusing these data into the physical infrastructure of a city or government may lead to better services to citizens. On the other hand, collecting and processing such data may result in privacy and security issues that should be faced appropriately to create a sustainable approach for smart cities and governments [90].

In order for the Smart Cities “builders” to engage the citizens in the creation process and have a close relationship with them, POCITYF proposes many ideas. Digital transformation in Social Innovation, Gamification platform, Tourist apps, Cultural experiences market (mobile app), Mobile apps on energy consumption, Value based design, and InnoFest concept are some of POCITYF’s proposed ideas.

Next to citizens and networks of citizens, communities involve various other types of stakeholders. Policymakers and local government managers fulfill a crucial role in the energy and circular transition of cities and their residential, commercial, and industrial zones. Regarding POCITYF, they have a unique position, at the beginning of a change process, like in the implementation of Sustainable Development Goals, to bring the transition actors together. Within the Quadruple Helix (industry, government, knowledge institutes, public), relations and actors interact in a region or city and contribute to the necessary change process. The Open Innovation for Policy Makers and Managers is enhanced by two innovative elements, i.e., TIPPING approach and Eco-Acupuncture.

The transition to an interconnected Smart City system can be achieved by enabling the concept of new solutions on top of the data that will be retrieved and centralized at a city-level platform. From the vibrant smart city environment, a set of new tools are needed for laying the ground for the attainment of an economically viable green economy and more effective citizen engagement. In this sense, POCITYF proposes City Urban Platform, Wi-fi data acquisition systems, Data lake intelligence for positive communities, Smart-cloud for innovative Startups, Citizen Information Platform, Data acquisition systems, City Data Hub.

In POCITYF, while citizens’ data utility is categorized among the IEs of each IS (e.g., citizens’ data are used in both IS3.1’s EV charging management platform and IS1.1’s P2P energy trading platform), their participation in building the Smart Cities is considered as a different ETT: ETT 4 - Citizen-Driven Innovation in Co-creating Smart City Solutions.

The ISs proposed in ETT 4 are:

- IS-4.1: Social Innovation Mechanisms towards Citizen Engagement
  o Digital transformation in Social Innovation
  o Gamification platform
  o Tourist apps
  o Cultural experiences market (mobile app)
  o Mobile apps on energy consumption
  o Value based design
  o InnoFest concept
- IS-4.2: Open Innovation for Policy Makers and Managers
  o TIPPING approach
  o Eco-Acupuncture
- IS-4.3: Interoperable, Modular and Interconnected City Ecosystem
  o City Urban Platform
  o Wi-fi data acquisition systems
  o Data lake intelligence for positive communities
  o Smart-cloud for innovative Startups
  o Citizen Information Platform
  o Data acquisition systems
  o City Data Hub

Threats

All the above features will generate an enormous amount of data that has to be acquired, processed, and securely managed. In Figure 4, a holistic view of the data lifecycle is depicted, including data management, data security and privacy, and network and computing technologies in smart cities [91]. For securing the data in Smart Cities platforms with a holistic approach (and not an element-based approach, as in the previous sections of the current document), some works have been proposed over the past few years.

One of the first is providing security and privacy in IoT systems, an essential part of smart city infrastructure and applications. Using sensors and devices with limited computational power and, at the same time, relying on weak cryptography algorithms poses serious threats to data security and integrity. Besides, using sensors to perform basic cryptographic operations limits the length of cryptographic keys, which in turn can jeopardize both the confidentiality and integrity of data [92]. Note that dense deployment of IoT devices always carries the risk of physical security breaches.

POCITYF’s approach

One tool proposed for the above challenges is the Trusted Platform Module (TPM) standard (footnote 22). The TPM (see Figure 9) is a dedicated hardware module for cryptographic processing operations. It is usually deployed as a co-processor and is used for cryptographic random number generation, secure boot, attestation, and data sealing. The TPM saves a hash of the desired state of the platform in a secure area, and each time the system boots, it checks the current state of the system against the desired state hash. If any changes are detected, it prevents the system from booting. The TPM, along with the BIOS, creates a root of trust. Using a TPM can significantly increase a system’s integrity and confidentiality. TPM is a viable solution for devices with hardware that can support such operations.

Network overlays are a viable solution to protect security and privacy in networks with sensors and devices that have limited or no cryptographic capabilities. The overlay network provides security and privacy by isolating the network in question from attackers.
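The boot-time state check and data sealing described above can be modelled in software. This is an added example, not part of the deliverable or of any POCITYF code: it uses the hash-extend rule of TPM platform configuration registers (PCRs), the boot stage names and images are constructed, and no real TPM is involved. It goes slightly beyond the text by replaying the event log to name the stage that changed.

```python
"""Software model of TPM-style measured boot and sealing (constructed example)."""
import hashlib
import hmac

PCR_SIZE = 32  # bytes in a SHA-256 PCR; a PCR starts as all zeros at reset


def extend(pcr: bytes, image: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(image)). A PCR cannot be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(stages):
    """Measure each (name, image) boot stage in order; return (final_pcr, event_log)."""
    pcr = bytes(PCR_SIZE)
    event_log = []
    for name, image in stages:
        event_log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, event_log


def verify_boot(stages, golden_pcr, golden_log):
    """Compare the current state with the desired state.

    Returns (ok, changed), where changed lists stages whose measurement
    differs from the golden event log at the same position.
    """
    pcr, event_log = measure_boot(stages)
    ok = hmac.compare_digest(pcr, golden_pcr)
    changed = [name for (name, digest), (_, good) in zip(event_log, golden_log)
               if digest != good]
    if len(event_log) != len(golden_log):
        changed.append("<stage count differs>")
    return ok, changed


class SealedBlob:
    """Model of data sealing: the secret is released only for the expected PCR value.

    In a real TPM this policy is enforced inside the chip; here it is a plain check.
    """

    def __init__(self, secret: bytes, policy_pcr: bytes):
        self.policy_pcr = policy_pcr
        self._secret = secret

    def unseal(self, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(current_pcr, self.policy_pcr):
            raise PermissionError("PCR mismatch: platform state differs from sealed policy")
        return self._secret


# Constructed sample boot chains for a hypothetical smart-meter gateway.
GOOD_CHAIN = [
    ("bootloader", b"bootloader image v1.0"),
    ("kernel", b"kernel image 5.4"),
    ("sensor-app", b"meter firmware 2.1"),
]
TAMPERED_CHAIN = [
    ("bootloader", b"bootloader image v1.0"),
    ("kernel", b"kernel image 5.4 + unauthorized module"),
    ("sensor-app", b"meter firmware 2.1"),
]


def demo():
    """Run both chains against the golden state and try to unseal a key."""
    golden_pcr, golden_log = measure_boot(GOOD_CHAIN)
    blob = SealedBlob(b"meter-upload-key", golden_pcr)
    results = {
        "good": verify_boot(GOOD_CHAIN, golden_pcr, golden_log),
        "tampered": verify_boot(TAMPERED_CHAIN, golden_pcr, golden_log),
        "unseal_good": blob.unseal(measure_boot(GOOD_CHAIN)[0]),
    }
    try:
        blob.unseal(measure_boot(TAMPERED_CHAIN)[0])
        results["unseal_tampered"] = "released"
    except PermissionError:
        results["unseal_tampered"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because each extend hashes the previous register value, the final PCR depends on both the content and the order of the stages, so a single stored hash covers the whole boot chain.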

22 ISO. 2020. ISO/IEC 11889-1:2009. [online] Available at: [Accessed 16 March 2020].


Figure 8 A holistic view of the data lifecycle

Figure 9 Trusted Platform Module (TPM)

Servers play an important role in Smart Cities, as all data gathered by sensors are placed and retained there, which threatens users’ privacy. In addition, as most activities are performed using ICT, users are unable to hide their presence.

For issues like these, Blockchain [93] can be used, as it also has the potential to address privacy concerns in smart cities. Blockchain is a peer-to-peer distributed open database first used for keeping track of exchanged cryptocurrency (Bitcoins) [94]. The provided distributed database can be used to record transactions securely and anonymously. Because potential attackers have to hack 51% of the network nodes, Blockchain is said to have a non-hackable nature. Blockchain can be used in Smart Cities to establish relations between service providers and users under contract without any involvement of third parties and re-negotiations [91].

Another challenge for Smart Cities data is securing machine learning against vulnerabilities in adversarial environments (the Adversarial Machine Learning field). Intrusion Detection Systems (IDSs) are based on technology that relies on machine learning systems to protect networks from sophisticated attacks. In order for IDSs to perform efficiently, their machine learning algorithms are trained on datasets, called adversarial samples. These samples are past known patterns and attackers’ behaviors. As machine learning algorithms mature, adversarial attacks also become more sophisticated in order to evade detection. Adversaries know that machine learning algorithms require training, so they often devise targeted attacks that aim to poison the training data, which can render the algorithm useless. In addition, some adversaries focus on crafting input data that resembles regular input in order to escape detection.

5.5 Indirect to POCITYF approaches

E-Government

The challenges e-government must overcome lie in privacy, trust, and availability in terms of security [14]. The security of e-governance emphasizes data privacy and business management. At the same time, many European projects have been dedicated to these goals over the past years. For example, in the final report of the European project STOA, “Security of eGovernment Systems” [95], 11 security policies were defined: (i) Develop a policy strategy for improving the security of IT-systems used in Europe; (ii) Stimulate development and use of security checklists (short-term); (iii) Encourage the development and use of highly secure components (mid-term); (iv) Encourage the development and use of highly secure systems (long-term); (v) Create stronger institutional supervision and oversight of security; (vi) Build a ‘Privacy by Design’ knowledge base; (vii) Substantiate the data minimization principle by using anonymization techniques in all European eGovernment systems; (viii) Stimulate technical and legal solutions that avoid or limit privacy risks caused by re-identification of previously anonymized data; (ix) Make Privacy Impact Assessments of eGovernment systems mandatory and public; (x) Use gateways to achieve interoperability of different national eGovernment security tools, but aim at Europe-wide availability and usability of tools; and (xi) Ensure open and transparent evaluations of the trade-offs between privacy, security, usability, interoperability and costs of an eGovernment system.

Healthcare

Smart Cities’ Healthcare section is mainly supported by e-health, a term that dates back to at least 1999 [96]. Through the medical services it offers, e-health (or eHealth) enables patients’ data to be shared among healthcare professionals. In contrast, tele-monitoring of patients’ health is possible through smart devices (e.g., smartphones). In addition, patients can be provided with e-prescriptions, instead of the mainstream handwritten prescriptions. E-health also allows for public dissemination of medical information about a country’s health situation, which results in a better management of “health crises” using information systems to measure, monitor, and make decisions.

In order to enable and improve remote medical monitoring, wireless body area networks (WBANs) [97] have been developed. WBANs are characterized by their easy deployment, the mobile nodes they consist of, and their self-organization.

In terms of security and privacy, many factors have to be taken into account when dealing with healthcare data. Unencrypted transmission of healthcare-related data, e.g., electrocardiograms (ECG), will have a significant impact on privacy. Commonly used methods, such as discrete cosine transform (DCT) [98] [99], wavelet transform [100], and adaptive Fourier decomposition (AFD) algorithms [101] [102], when used for e-health applications depend on the compression efficiency (i.e., the ratio between the original signal and the recovered one), reconstruction quality (the difference between the original signal and the recovered one), and computation complexity [14].


6 Conclusions

Deliverable D11.12 – Cyber Data Security Management Plans – aims to present a framework to ensure that POCITYF will comply with the privacy and security of sensitive information. The proposed strategies will facilitate the implementation of a layered data protection framework allowing the project to collect and manipulate large amounts of data. The framework will be continuously monitored and assessed to ensure privacy and security regularly.

As D11.12 heavily depends on the available knowledge about the POCITYF’s Innovative Elements (IE) in the four Energy Transition Tracks (ETTs), the creation of the deliverable entails a sequential process, following the knowledge creation process regarding POCITYF’s IEs that happen in WP1, WP6, and WP7.

The current, 1st version of the deliverable introduces the concept of cyber-security and privacy in smart cities. Moreover, it provides an overview of the cyber-security and privacy issues relevant to POCITYF’s 4 ETTs. This version uses the information for POCITYF’s IEs that is already available in the DoA.

The 1st version lays the foundations for the identification of the critical cyber-security and privacy challenges associated with POCITYF’s 4 ETTs, which will be included in the 2nd version of the deliverable. This version, which will be available in month 24 (included in D11.9 – Data Management Plan – version 2), will also provide the recommended actions to address the cyber-security and privacy challenges and to mitigate relevant risks.

The implementation of the cyber-security and privacy recommendations will be monitored, and the evaluation of the results will provide insights and lessons learned from the POCITYF project. The primary outcome of the final version of the deliverable in month 48 (included in D11.10 – Data Management Plan – version 3) will be a practical set of the key takeaways for protecting cyber-security and privacy in smart city initiatives.


7 References

[1] A. Meola, “How smart city technology & the Internet of Things will change our apartments, grids and communities,” 1 2020. [Online]. Available: https://www.businessinsider.com/iot-smart-city-technology. [Accessed 3 January 2020].

[2] “World City Populations 2020,” 1 2020. [Online]. Available: http://worldpopulationreview.com/world-cities/. [Accessed 13 January 2020].

[3] K. Mekki, E. Bajic, F. Chaxel and F. Meyer, “A comparative study of LPWAN technologies for large-scale IoT deployment,” ICT express, vol. 5, pp. 1-7, 2019.

[4] R. Ratasuk, N. Mangalvedhe and A. Ghosh, “Overview of LTE enhancements for cellular IoT,” in 2015 IEEE 26th annual international symposium on personal, indoor, and mobile radio communications (PIMRC), 2015.

[5] “Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025,” 1 2020. [Online]. Available: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/. [Accessed 01 February 2020].

[6] “Cybersecurity vs. Data Privacy,” AmTrust Financial, [Online]. Available: https://amtrustfinancial.com/blog/small-business/cybersecurity-vs-data-privacy. [Accessed 05 February 2020].

[7] J. Peters, “Data Privacy Guide: Definitions, Explanations and Legislation,” Varonis, 20 January 2020. [Online]. Available: https://www.varonis.com/blog/data-privacy/. [Accessed 22 January 2020].

[8] A. M. Townsend, Smart cities: Big data, civic hackers, and the quest for a new utopia, WW Norton & Company, 2013.

[9] L. Van Zoonen, “Privacy concerns in smart cities,” Government Information Quarterly, vol. 33, pp. 472-480, 2016.

[10] Y. Li, “Theories in online information privacy research: A critical review and an integrated framework,” Decision support systems, vol. 54, pp. 471-481, 2012.


[11] L. Van Zoonen, What do users want from their future means of identity management? Final report, 2014.

[12] S. B. Barnes, “A privacy paradox: Social networking in the United States,” First Monday, vol. 11, 2006.

[13] L. Brandimarte, A. Acquisti and G. Loewenstein, “Misplaced confidences: Privacy and the control paradox,” Social Psychological and Personality Science, vol. 4, pp. 340-347, 2013.

[14] R. Khatoun and S. Zeadally, “Cybersecurity and privacy solutions in smart cities,” IEEE Communications Magazine, vol. 55, pp. 51-59, 2017.

[15] Z. A. Baig, P. Szewczyk, C. Valli, P. Rabadia, P. Hannay, M. Chernyshev, M. Johnstone, P. Kerai, A. Ibrahim, K. Sansurooah and others, “Future challenges for smart cities: Cyber-security and digital forensics,” Digital Investigation, vol. 22, pp. 3-13, 2017.

[16] H. He and J. Yan, “Cyber-physical attacks and defences in the smart grid: a survey,” IET Cyber-Physical Systems: Theory & Applications, vol. 1, pp. 13-27, 2016.

[17] J. Yan, B. Tang and H. He, “Detection of false data attacks in smart grid with supervised learning,” in 2016 International Joint Conference on Neural Networks (IJCNN), 2016.

[18] J. Jow, Y. Xiao and W. Han, “A survey of intrusion detection systems in smart grid,” International Journal of Sensor Networks, vol. 23, pp. 170-186, 2017.

[19] K. C. Ruland, J. Sassmannshausen, K. Waedt and N. Zivic, “Smart grid security--an overview of standards and guidelines,” e & i Elektrotechnik und Informationstechnik, vol. 134, pp. 19-25, 2017.

[20] Z. Lu, G. Qu and Z. Liu, “A survey on recent advances in vehicular network security, trust, and privacy,” IEEE Transactions on Intelligent Transportation Systems, vol. 20, pp. 760-776, 2018.

[21] Z. Li and Q. Liao, “An economic alternative to improve cybersecurity of e-government and smart cities,” in Proceedings of the 17th international digital government research conference on digital government research, 2016.

[22] Z. Li and Q. Liao, “Economic solutions to improve cybersecurity of governments and smart cities via vulnerability markets,” Government Information Quarterly, vol. 35, pp. 151-160, 2018.

[23] A. T. Chatfield and C. G. Reddick, “A framework for Internet of Things-enabled smart government: A case of IoT cybersecurity policies and use cases in US federal government,” Government Information Quarterly, vol. 36, pp. 346-357, 2019.

[24] W. Han and Y. Xiao, “A novel detector to detect colluded non-technical loss frauds in smart grid,” Computer Networks, vol. 117, pp. 19-31, 2017.

[25] M. Attia, S. M. Senouci, H. Sedjelmaci, E.-H. Aglzim and D. Chrenko, “An efficient Intrusion Detection System against cyber-physical attacks in the smart grid,” Computers & Electrical Engineering, vol. 68, pp. 499-512, 2018.

[26] S. P. Nangrani and S. S. Bhat, “Smart grid security assessment using intelligent technique based on novel chaotic performance index,” Journal of Intelligent & Fuzzy Systems, vol. 34, pp. 1301-1310, 2018.

[27] C. Tsigkanos, L. Pasquale, C. Ghezzi and B. Nuseibeh, “On the Interplay Between Cyber and Physical Spaces for Adaptive Security,” IEEE Transactions on Dependable and Secure Computing, vol. 15, pp. 466-480, 2018.

[28] F. Alrimawi, L. Pasquale and B. Nuseibeh, “On the Automated Management of Security Incidents in Smart Spaces,” IEEE Access, vol. 7, pp. 111513-111527, 2019.

[29] J. E. Hachem, V. Chiprianov, M. A. Babar, T. A. Khalil and P. Aniorte, “Modeling, Analyzing and Predicting Security Cascading Attacks in Smart Buildings Systems-of-Systems,” Journal of Systems and Software, vol. 162, p. 110484, 2020.

[30] H. Kishimoto, N. Yanai and S. Okamura, “Spacis: Secure payment protocol for charging information over smart grid,” Journal of Information Processing, vol. 25, pp. 12-21, 2017.

[31] R. Jesus Martins, L. A. D. Knob, E. G. Silva, J. A. Wickboldt, A. Schaeffer-Filho and L. Z. Granville, “Specialized CSIRT for Incident Response Management in Smart Grids,” Journal of Network and Systems Management, vol. 27, pp. 269-285, 2019.

[32] S. Huh, S. Cho and S. Kim, “Managing IoT devices using blockchain platform,” in 2017 19th international conference on advanced communication technology (ICACT), 2017.


[33] A. Dorri, S. S. Kanhere, R. Jurdak and P. Gauravaram, “Blockchain for IoT security and privacy: The case study of a smart home,” in 2017 IEEE international conference on pervasive computing and communications workshops (PerCom workshops), 2017.

[34] K. Biswas and V. Muthukkumarasamy, “Securing smart cities using blockchain technology,” in 2016 IEEE 18th international conference on high performance computing and communications; IEEE 14th international conference on smart city; IEEE 2nd international conference on data science and systems (HPCC/SmartCity/DSS), 2016.

[35] N. Elisa, L. Yang, F. Chao and Y. Cao, “A framework of blockchain-based secure and privacy-preserving e-government system,” Wireless Networks, pp. 1-11, 2018.

[36] L. Yang, N. Elisa and N. Eliot, “Privacy and security aspects of E-government in smart cities,” in Smart cities cybersecurity and privacy, Elsevier, 2019, pp. 89-102.

[37] M. Mylrea and S. N. G. Gourisetti, “Blockchain for smart grid resilience: Exchanging distributed energy at speed, scale and security,” in 2017 Resilience Week (RWS), 2017.

[38] A. S. Musleh, G. Yao and S. M. Muyeen, “Blockchain applications in smart grid--review and frameworks,” IEEE Access, vol. 7, pp. 86746-86757, 2019.

[39] Z. Li, J. Kang, R. Yu, D. Ye, Q. Deng and Y. Zhang, “Consortium blockchain for secure energy trading in industrial internet of things,” IEEE transactions on industrial informatics, vol. 14, pp. 3690-3700, 2017.

[40] S. Maharjan, Q. Zhu, Y. Zhang, S. Gjessing and T. Basar, “Dependable demand response management in the smart grid: A Stackelberg game approach,” IEEE Transactions on Smart Grid, vol. 4, pp. 120-132, 2013.

[41] S. Biswas, K. Sharif, F. Li, B. Nour and Y. Wang, “A scalable blockchain framework for secure transactions in IoT,” IEEE Internet of Things Journal, vol. 6, pp. 4650-4659, 2018.

[42] N. Dong, H. Jonker and J. Pang, “Challenges in ehealth: From enabling to enforcing privacy,” in International Symposium on Foundations of Health Informatics Engineering and Systems, 2011.

[43] R. Bhagyoday, C. Kamani, D. Bhojani and V. Parmar, “Comprehensive Study of E-Health Security in Cloud Computing,” 2019.

[44] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the forty-first annual ACM symposium on Theory of computing, 2009.

[45] J. H. Cheon and J. Kim, “A hybrid scheme of public-key encryption and somewhat homomorphic encryption,” IEEE transactions on information forensics and security, vol. 10, pp. 1052-1063, 2015.

[46] L. Zhu, C. Zhang, C. Xu, X. Liu and C. Huang, “An efficient and privacy-preserving biometric identification scheme in cloud computing,” IEEE Access, vol. 6, pp. 19025-19033, 2018.

[47] Biometrics: authentication & identification (definition, trends, use cases, laws and latest news) - 2020 review.

[48] K. Xue, Y. Xue, J. Hong, W. Li, H. Yue, D. S. L. Wei and P. Hong, “RAAC: Robust and auditable access control with multiple attribute authorities for public cloud storage,” IEEE Transactions on Information Forensics and Security, vol. 12, pp. 953-967, 2017.

[49] P.-W. Chi and C.-L. Lei, “Audit-free cloud Storage via deniable attribute-based encryption,” IEEE Transactions on Cloud Computing, vol. 6, pp. 414-427, 2015.

[50] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization,” in International Workshop on Public Key Cryptography, 2011.

[51] C. Huang, K. Yan, S. Wei, G. Zhang and D. H. Lee, “Efficient anonymous attribute-based encryption with access policy hidden for cloud computing,” in 2017 International Conference on Progress in Informatics and Computing (PIC), 2017.

[52] W. Li, B. M. Liu, D. Liu, R. P. Liu, P. Wang, S. Luo and W. Ni, “Unified fine-grained access control for personal health records in cloud computing,” IEEE journal of biomedical and health informatics, vol. 23, pp. 1278-1289, 2018.

[53] C. Zhang, L. Zhu, C. Xu and R. Lu, “PPDP: An efficient and privacy-preserving disease prediction scheme in cloud-based e-Healthcare system,” Future Generation Computer Systems, vol. 79, pp. 16-25, 2018.

[54] J. Kim and Y. Kim, “Benefits of cloud computing adoption for smart grid security from security perspective,” The Journal of Supercomputing, vol. 72, pp. 3522-3534, 2016.

[55] K. Gai, L. Qiu, M. Chen, H. Zhao and M. Qiu, “SA-EAST: Security-Aware Efficient Data Transmission for ITS in Mobile Heterogeneous Cloud Computing,” ACM Transactions in Embedded Computing Systems, vol. 16, p. 60, 2017.

[56] H.-T. Wu and G.-J. Horng, “Establishing an intelligent transportation system with a network security mechanism in an Internet of vehicle environment,” IEEE Access, vol. 5, pp. 19239-19247, 2017.

[57] M. Shen, X. Tang, L. Zhu, X. Du and M. Guizani, “Privacy-preserving support vector machine training over blockchain-based encrypted IoT data in smart cities,” IEEE Internet of Things Journal, vol. 6, pp. 7702-7712, 2019.

[58] H. S. M. Lim and A. Taeihagh, “Autonomous vehicles for smart and sustainable cities: An in-depth exploration of privacy and cybersecurity implications,” Energies, vol. 11, p. 1062, 2018.

[59] A. Rahim, X. Kong, F. Xia, Z. Ning, N. Ullah, J. Wang and S. K. Das, “Vehicular social networks: A survey,” Pervasive and Mobile Computing, vol. 43, pp. 96-113, 2018.

[60] R. Yu, J. Kang, X. Huang, S. Xie, Y. Zhang and S. Gjessing, “MixGroup: Accumulative pseudonym exchanging for location privacy enhancement in vehicular social networks,” IEEE Transactions on Dependable and Secure Computing, vol. 13, pp. 93-105, 2015.

[61] H. Wang, G. Han, C. Zhu, S. Chan and W. Zhang, “TCSLP: A trace cost based source location privacy protection scheme in WSNs for smart cities,” Future Generation Computer Systems, 2017.

[62] A. Alabdulatif, I. Khalil, H. Kumarage, A. Y. Zomaya and X. Yi, “Privacy-preserving anomaly detection in the cloud for quality assured decision-making in smart cities,” Journal of Parallel and Distributed Computing, vol. 127, pp. 209-223, 2019.

[63] M. Alamaniotis, N. Bourbakis and L. H. Tsoukalas, “Enhancing privacy of electricity consumption in smart cities through morphing of anticipated demand pattern utilizing self-elasticity and genetic algorithms,” Sustainable Cities and Society, vol. 46, p. 101426, 2019.


[64] W. Han and Y. Xiao, “IP2DM: integrated privacy-preserving data management architecture for smart grid V2G networks,” Wireless Communications and Mobile Computing, vol. 16, pp. 2956-2974, 2016.

[65] ERTICO Team, [Online]. Available: https://ertico.com/. [Accessed 1 March 2020].

[66] G. Vojkovic, “Will the GDPR slow down development of Smart Cities?,” in 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2018.

[67] B. Lewis, “ISO/IEC 27000 – KEY INTERNATIONAL STANDARD FOR INFORMATION SECURITY REVISED,” 1 March 2018. [Online]. Available: https://www.iso.org/news/ref2266.html. [Accessed 2 March 2020].

[68] I. Union, “Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions,” A new skills agenda for europe. Brussels, 2014.

[69] G. Erbach and J. O'Shea, “Cybersecurity of critical energy infrastructure,” 2019.

[70] H. Khurana, M. Hadley, N. Lu and D. A. Frincke, “Smart-grid security issues,” IEEE Security & Privacy, vol. 8, pp. 81-85, 2010.

[71] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,” IEEE Security & Privacy, vol. 7, pp. 75-77, 2009.

[72] W. Wang and Z. Lu, “Cyber security in the smart grid: Survey and challenges,” Computer networks, vol. 57, pp. 1344-1371, 2013.

[73] R. Khatoun and S. Zeadally, “Smart cities: concepts, architectures, research opportunities,” Communications of the ACM, vol. 59, pp. 46-57, 2016.

[74] B. Morvaj, L. Lugaric and S. Krajcar, “Demonstrating smart buildings and smart grid features in a smart energy city,” in Proceedings of the 2011 3rd international youth conference on energetics (IYCE), 2011.

[75] G. Zimmerman, “Smart Buildings At High Risk for Cyber Attacks: Study,” 2019.

[76] “BACnet,” [Online]. Available: http://www.bacnet.org/. [Accessed 3 March 2020].

[77] [Online]. Available: https://www.knx.org/knx-en/for-professionals/index.php. [Accessed 12 February 2010].


[78] F. Hanssen and P. G. Jansen, Real-time communication protocols: an overview, Centre for Telematics and Information Technology, University of Twente, 2003.

[79] M. Peacock and M. N. Johnstone, “An analysis of security issues in building automation systems,” 2014.

[80] A. Antonini, A. Barenghi, G. Pelosi and S. Zonouz, “Security challenges in building automation and SCADA,” in 2014 International Carnahan Conference on Security Technology (ICCST), 2014.

[81] T. Mundt and P. Wickboldt, “Security in building automation systems-a first analysis,” in 2016 International Conference On Cyber Security And Protection Of Digital Services (Cyber Security), 2016.

[82] S. Wendzel, “How to increase the security of smart buildings,” Communications of The ACM, vol. 59, pp. 47-49, 2016.

[83] S. A. Shinde, P. A. Nimkar, S. P. Singh, V. D. Salpe and Y. R. Jadhav, “MQTT-message queuing telemetry transport protocol,” International Journal of Research, vol. 3, pp. 240-244, 2016.

[84] A. Stanford-Clark and H. L. Truong, “Mqtt for sensor networks (mqtt-sn) protocol specification,” International business machines (IBM) Corporation version, vol. 1, p. 2, 2013.

[85] R. Fielding, “Representational state transfer,” Architectural Styles and the Design of Network-based Software Architecture, pp. 76-85, 2000.

[86] Z. Shelby, K. Hartke and C. Bormann, “The constrained application protocol (CoAP),” 2014.

[87] P. Saint-Andre and others, “Extensible messaging and presence protocol (XMPP): Core,” 2004.

[88] E. B. Hamida, H. Noura and W. Znaidi, “Security of cooperative intelligent transport systems: Standards, threats analysis and cryptographic countermeasures,” Electronics, vol. 4, p. 380–423, 2015.

[89] M. N. Mejri, J. Ben-Othman and M. Hamdi, “Survey on VANET security challenges and possible cryptographic solutions,” Vehicular Communications, vol. 1, p. 53–66, 2014.


[90] S. Choenni, M. S. Bargh, C. Roepan and R. F. Meijer, “Privacy and Security in Smart Data Collection by Citizens,” in Public Administration and Information Technology, Springer International Publishing, 2015, p. 349–366.

[91] A. Gharaibeh, M. A. Salahuddin, S. J. Hussini, A. Khreishah, I. Khalil, M. Guizani and A. Al-Fuqaha, “Smart Cities: A Survey on Data Management, Security, and Enabling Technologies,” IEEE Communications Surveys & Tutorials, vol. 19, p. 2456–2501, 2017.

[92] S. Ma, Y. Zheng and O. Wolfson, “Real-time city-scale taxi ridesharing,” IEEE Transactions on Knowledge and Data Engineering, vol. 27, p. 1782–1795, 2014.

[93] M. Swan, Blockchain: Blueprint for a new economy, O'Reilly Media, Inc., 2015.

[94] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2019.

[95] A. Jacobi, L. M. Jensen, L. Kool, G. Munnichs and A. Weber, “Security of eGovernment Systems - Final Report,” STOA, July 2013. [Online]. Available: http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/513510/IPOL-JOIN_ET(2013)513510_EN.. [Accessed 02 February 2020].

[96] V. Della Mea, “What is e-Health (2): The death of telemedicine?,” Journal of medical Internet research, vol. 3, p. e22, 2001.

[97] J. Y. Khan and M. R. Yuce, “Wireless body area network (WBAN) for medical applications,” in New developments in biomedical engineering, InTechOpen, 2010.

[98] N. Ahmed, T. Natarajan and K. R. Rao, “Discrete cosine transform,” IEEE transactions on Computers, vol. 100, pp. 90-93, 1974.

[99] K. R. Rao and P. Yip, Discrete cosine transform: algorithms, advantages, applications, Academic press, 2014.

[100] C. E. Heil and D. F. Walnut, “Continuous and discrete wavelet transforms,” SIAM review, vol. 31, pp. 628-666, 1989.

[101] T. Qian, L. Zhang and Z. Li, “Algorithm of adaptive Fourier decomposition,” IEEE Transactions on Signal Processing, vol. 59, pp. 5899-5906, 2011.

[102] J. Ma, T. Zhang and M. Dong, “A novel ECG data compression method using adaptive fourier decomposition with security guarantee in e-health applications,” IEEE journal of biomedical and health informatics, vol. 19, pp. 986-994, 2014.


[103] M. Vitunskaite, Y. He, T. Brandstetter and H. Janicke, “Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party and security ownership,” Computers & Security, vol. 83, pp. 313-331, 2019.

[104] H. Zhang, Z. Tang and K. Jayakar, “A socio-technical analysis of China's cybersecurity policy: Towards delivering trusted e-government services,” Telecommunications Policy, vol. 42, pp. 409-420, 2018.

[105] T. Braun, B. C. M. Fung, F. Iqbal and B. Shah, “Security and privacy challenges in smart cities,” Sustainable Cities and Society, vol. 39, pp. 499-507, 2018.

[106] R. Kazhamiakin, A. Marconi, A. Martinelli, M. Pistore and G. Valetto, “A gamification framework for the long-term engagement of smart citizens,” in 2016 IEEE International Smart Cities Conference (ISC2), 2016.

[107] J.-P. Hubaux, S. Capkun and J. Luo, “The security and privacy of smart vehicles,” IEEE Security & Privacy, vol. 2, p. 49–55, 2004.


8 ANNEX I - Standards related to IoT and Smart Cities

Standards related to IoT and smart cities [103]

Table 5 Standards related to IoT and smart cities

No. Document ID Title Body

1. ANSI/ASQ E 4 Specifications and guidelines for quality systems for environmental data collection and environmental technology programs ANSI

2. BS EN 14908-5:2009 Open data communication in building automation, controls and building management implementation guideline - Control network protocol - Implementation CEN

3. BS EN 60730-1:1992 Specification for automatic electrical controls for household and similar use - General requirements CEN

4. BS ISO 14813-1:2007 Intelligent transport systems - Reference model architecture(s) for the ITS sector - ITS service domains, service groups and services ISO

5. CR 205-006:1996 en Home and building electronics system (HBES) - Technical report 6: Protocol and data integrity and interfaces NEN

6. CSN ISO/IEC TR 15067-3 Information technology - Home electronic system (HES) application model - Part 3: Model of an energy management system for HES ISO/IEC

7. CWA 14947:2004 en European eConstruction architecture (EeA) CEN

8. CWA 15264-3:2005 User requirements for a European interoperable eID system within a smart card infrastructure CEN

9. DD CEN/TS 13149-6:2005 Public transport - Road vehicle scheduling and control systems - CAN message content CEN

10. DIN SPEC 33440 Ergonomic design of user-interfaces and products for smart grid and electromobility DIN

11. DS/EN 61970-1 Energy management system application program interface (EMS-API) - Part 1: Guidelines and general requirements IEC

12. EIA TSB 4940 Smart device communications - Security aspects EIA

13. ETSI GS OSG 001 V 1.1.1 Open smart grid protocol (OSGP) ETSI

14. ETSI TR 102935 V 2.1.1 Machine-to-Machine communications (M2M) - Applicability of M2M architecture to smart grid networks - Impact of smart grids on M2M platform ETSI

15. GOST R 55060 Automatized control systems of buildings and structures. Terms and definitions GOST R

16. IEC 62290-1 Railway applications - Urban guided transport management and command/control systems Part 1: System principles and fundamental concepts IEC

17. IEEE 1851 IEEE standard for design criteria of integrated sensor-based test applications for household appliances IEEE

18. ISO 15118-1 Road vehicles - Vehicle to grid communication interface - Part 1: General information and use-case definition ISO

19. ISO 16484-5 Building automation and control systems - Part 5: Data communication protocol ISO

20. ISO/PAS 22720 Association for standardization of automation and measuring systems open data services 5.0 ISO

21. ISO/TS 24533 Intelligent transport systems - Electronic information exchange to facilitate the movement of freight and its intermodal transfer - Road transport information exchange methodology ISO

22. ITU-T X.207 Information technology - Open systems interconnection - Application layer structure ITU

23. NEMA SG-AMI 1 Requirements for smart meter upgradeability NEMA

24. NEN 7512:2005 nl Health informatics - Information security in the healthcare sector - Basis for trust for exchange of data NEN

25. NEN-EN-ISO 24534-3:2013 Intelligent transport systems - Automatic vehicle and equipment identification - Electronic registration identification (ERI) for vehicles - Part 3: Vehicle data CEN


26. NPR-CEN/TR 16427:2013 en Intelligent transport systems - Public transport - Traveller information for visually impaired people (TI-VIP) CEN

27. OEVE B/EN 60555-1/1987 Disturbances in supply systems caused by household appliances and similar electrical equipment - Part 1: Definitions OVE

28. PAS 1018 Essential structure for the description of services in the procurement stage DIN

29. PAS 1090 Demands on information systems for collecting, communicating and serving of relevant service information within the technical customer service DIN

30. PAS 555:2013 Cyber security risk - Governance and management - Specification BSI

31. SS-ISO 15784-1:2008 Intelligent transport systems (ITS) - Data exchange involving roadside modules communication - Part 1: General principles and documentation framework of application profiles (ISO 15784-1:2008, IDT) ISO

32. UTE C15-900U ∗UTE C15-900 Coexistence between communication and power networks - Implementation of communication networks UTE

33. VDI 3814 Blatt 7 Building automation and control systems (BACS) - Design of user interfaces VDI

34. VDI 4201 Blatt 1 Performance criteria on automated measuring and electronic data evaluation systems for monitoring emissions - Digital interface - General requirements VDI/DIN

35. BS ISO 20121 Event sustainability management systems - Requirements with guidance for use ISO

36. ASTM E 1121 Standard practice for measuring payback for investments in buildings and building systems ASTM

37. BIP 2207 Building information management - A standard framework and guide to BS 1192 BSI

38. BS 8587:2012 Guide to facility information management BSI

39. BS 8903:2010 Principles and framework for procuring sustainably - Guide BSI


40. CAN/CSA-ISO/TS 14048:03 (R2012) Environmental management - Life cycle assessment - Data documentation format CSA

41. CWA 15666:2007 en Business requirement specification - Cross industry e-Tendering process CEN

42. CWA 15971-1 Discovery of and access to eGovernment resources - Part 1: Introduction and overview CEN

43. CWA 16649:2013 en Managing emerging technology-related risks CEN

44. CWA 50487:2005 en SmartHouse Code of Practice CEN

45. DS/ISO/IEC 18012-2 Information technology - Home electronic system - Guidelines for product interoperability - Part 2: Taxonomy and application interoperability model ISO/IEC

46. ISO 16484-1 Building automation and control systems (BACS) - Part 1: Project specification and implementation ISO

47. ITU-T L.1410 Methodology for the assessment of the environmental impact of information and communication technology goods, networks and services ITU

48. NEN-ISO 29481-2:2012 en Building information models - Information delivery manual - Part 2: Interaction framework ISO

49. NPR-ISO/TR 12859:2009 en Intelligent transport systems - System architecture - Privacy aspects in ITS standards and systems ISO/TR

50. RAL-UZ 170 Basic criteria for award of the environmental label - Energy services provided under guaranteed energy savings contracts RAL Güte

51. SS-ISO/IEC 27005:2013 Information technology - Security techniques - Information security risk management ISO/IEC

52. VDI 3814 Blatt 5 Building automation and control system (BACS) - Advices for system integration VDI

53. VDI 4466 Blatt 1 Automatic parking systems - Basic principles VDI

54. VDI 7000 Early public participation in industrial and infrastructure projects VDI

55. VDI/GEFMA 3814 Blatt 3.1 Building automation and control systems (BACS) - Guidance for technical building management - Planning, operation, and maintenance - Interface to facility management GEFMA

56. BS ISO 37120 Sustainable development and resilience of communities - Indicators for city services and quality of life ISO

57. BS ISO/TR 37150 Smart community infrastructures - Review of existing activities relevant to metrics ISO

58. ABNT NBR 14022 Accessibility in vehicles of urban characteristics for public transport of passengers ABNT

59. BIP 2228:2013 Inclusive urban design - A guide to creating accessible public spaces BSI

60. BS 7000-6:2005 Design management systems - Managing inclusive design - Guide BSI

61. BS 8904:2011 Guidance for community sustainable development BSI

62. CLC/FprTR 50608 Smart grid projects in Europe CENELEC

63. CWA 15245 EU e-Government metadata framework CEN

64. CWA 16030:2009 Code of practice for implementing quality in mobility management in small and medium sized cities CEN

65. CWA 16267:2011 Guidelines for sustainable development of historic and cultural cities - Qualicities CEN

66. DIN SPEC 91280 Ambient assisted living (AAL) - Classification of ambient assistant living services in the home environment and immediate vicinity of the home DIN

67. GOST R 54198 Resources saving - Industrial production - Guidance on the application of the best available technologies for increasing the energy efficiency GOST R

68. PAS 181:2014 Smart city framework - Guide to establishing strategies for smart cities and communities BSI

69. UNI 10951:2001 Systems of information for the maintenance management of buildings - Guidelines UNI

70. Z762-95 (R2011) Design for the environment (DFE) CSA

71. IEEE 1363 series Standards define specifications for public key cryptography IEEE


72. IEEE 1619 series Standards define specifications for encryption in storage media IEEE

73. IEEE P24151-1-4 Standard for Smart Transducer Interface for Sensors, Actuators and Devices - eXtensible Messaging and Presence Protocol (XMPP) - currently being developed, specifically addresses security IEEE

74. IEEE 1451/21450/21451 Series of standards for sensors and actuators IEEE

75. IEEE 2410-2015 IEEE standard for Biometric Open Protocol IEEE

76. IEEE P1912 Standard for Privacy and Security Architecture for Consumer Wireless Devices - currently being developed IEEE

77. IEEE 802.1X-2020 IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control IEEE

78. IEEE 802.1AE-2006 IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security; Security capabilities expanded by IEEE 802.1AEbw-2013. IEEE

79. IEEE 802.1AR-2009 Standard for Local and metropolitan area networks - Secure Device Identity IEEE

80. IEEE 11-2012 series IEEE Standard for Information technology - Telecommunications and information exchange between systems Local and metropolitan area networks - Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications IEEE

81. IEEE 802.15.4-2015 IEEE Standard for Local and metropolitan area networks - Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs) IEEE

82. IEEE 802.21a-2012 IEEE Standard for Local and Metropolitan Area Networks: Media Independent Handover Services - Amendment for Security Extensions to Media Independent Handover Services and Protocol IEEE

83. IEEE 1888 series IEEE Standard for Ubiquitous Green Community Control Network Protocol and its security IEEE


84. IEEE 692-2013 IEEE Standard for Criteria for Security Systems for Nuclear Power Generating Stations IEEE

85. IEEE C37.240-2014 IEEE Standard Cyber-security Requirements for Substation Automation, Protection, and Control Systems IEEE

86. IEEE 1686-2013 IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities IEEE

87. PAS 180 Smart city terminology BSI

88. PAS 182 Data concept model for smart cities BSI

89. PAS 184 Project proposals for delivering smart city BSI

90. PD 8100 Smart city overview document BSI

91. PD8101 Smart city planning guidelines document BSI

92. BS ISO/IEC30182:2017 Smart city concept model BSI

93. PD ISO/TR 37121:2017 Standard on inventory of existing guidelines and approaches on sustainable development and resilience in cities BSI
