About This Section
This section is distinct from prior recommendations in the Connected Nashville document in that it is highly technical in nature. The goal is to present a set of minimum requirements and standards that help us to select technology in the best interest of our citizens based on global industry best practices. The terms and concepts used here do not reflect the language that most citizens use in day-to-day conversation. The information contained in this document will inform policy development, software development and service contracts that protect your privacy, promote cost-effective systems and guarantee that any data collected remains secure.
Integration and Interoperability
Interoperability and integration are critical to facilitate interfacing, prevent failure dynamics and ensure system flexibility and scalability. Interoperable platforms require machine-readable data with open API access, covering bulk, non-real-time, and real-time data, to serve different purposes and functions. Heterogeneity in both message (data) layers and behavior (control) layers is one of the biggest emerging challenges for governance enterprises given the driving need for integrated systems to provide useful and timely services to employees, residents and visitors. To address integration and interoperability, solutions must meet the following minimum requirements:
- Operational within Metro’s defined technical environment.
- Standardized or interoperable format and syntax for the data and content, such as HTML or JSON.
- Inclusive of Interface Definition Language (IDL) to facilitate communication between software components that do not share a language.
- Compliant with international information communication technology (ICT) standards, such as oneM2M, FIWARE, KSPA.
There are numerous advantages when a city thinks holistically about the services it provides to its citizens. Too often, however, considerations of security and privacy are afterthoughts in technology-centric initiatives. It is vital that Nashville’s services are end-to-end secure. Consideration of smart cities’ technological solutions requires that security risks be actively assessed, understood and addressed by appropriate technical and managerial controls.
Metro has developed an extensively detailed Cyber Security Checklist for Smart Cities Technology; a summary of absolute minimum requirements for technology solutions appears below.
- Solution provides controls to address physical security needs. This includes safeguards that take into consideration where the devices are located during operation, what security controls the devices feature (e.g. tamper resistant or tamper evident), and the sensitivity of the data processed by devices. Breaches of physical security must generate alerts.
- Solution fails safe/closed in the case of a system malfunction or crash.
- Solution has undergone third party penetration testing (“pentest”).
- Solution provides a centralized mechanism for application/infrastructure administration.
- Solution provides automatic and secure updates of software, firmware, etc. for all components.
- Solution provides mechanisms for auditing and logging events, including security events.
- Solution can be continuously monitored.
- Solution provides mechanisms for real-time alerting for defined events, including security events. Alerts are available via multiple modes (text, email, etc.).
- Solution utilizes strong cryptography to protect data, both at rest and in transit.
- Solution requires a unique username and password to access functionality and supports strong authentication mechanisms (one-time passwords, certificate- or biometric-based authentication, etc.).
- Device-level authentication is used for machine-to-machine (M2M) communications.
- Devices used within solution have a mechanism to prevent tampering by unauthorized sources.
- Solution does not use any backdoor/undocumented/hardcoded accounts.
Protection of privacy is a growing concern among citizens. Data collection through various technical solutions and devices may raise concerns about potentially negative impacts on constituent privacy. To address these concerns, solution providers must be able to assure Metro, and to provide citizens with accurate and reliable information, about city data collection and use and about the policies and mechanisms for controlling that data in whatever format it may exist. Contractual provisions to address privacy and data use concerns include:
- Providers assert no ownership of data outside of providing for the agreed upon service. This stipulation includes data that results from analysis of primary data.
- Solution or provider data collection and use is well documented, including what is collected and for what purpose(s).
- All data collected is securely stored and transported.
- Data storage elements are subject to specific controls (e.g., how much data is retained, location of storage, etc.).
- Solution only collects citizen information directly relevant and necessary to accomplish specified purpose(s), and only retains citizen information for as long as is necessary to fulfill those specified purpose(s).