Creating Cyber Secure Smart Cities

The document discusses the importance of enhancing cyber security in India's Smart Cities Mission, which aims to improve urban living through technology. It highlights the specific challenges faced by Indian smart cities and outlines necessary actions for stakeholders to mitigate cyber risks. The report emphasizes the need for a coordinated effort among various stakeholders to create a secure environment for citizens amidst increasing cyber threats globally.

Creating cyber secure smart cities

www.pwc.in
Contents

Making smart cities cyber secure
Global smart cities targeted by adversaries
Key cyber security initiatives taken across the globe
India has just begun the journey to secure smart cities
Indian smart cities face specific challenges
Security risk landscape for Indian smart cities
Actions required by smart city stakeholders to enhance security maturity
Cyber security framework for smart cities

Foreword from the Ministry of Housing and Urban Affairs
Kunal Kumar
Joint Secretary,
Mission Director – Smart Cities,
Ministry of Housing and Urban Affairs,
Government of India

India is the fastest growing trillion-dollar economy in the world. The long-term growth prospects of the Indian economy are largely due to its young population, technological progress, and increasing urbanisation. The country is in the midst of a massive wave of urbanisation as millions of people move into towns and cities each year. Enormous investments are being made to meet soaring aspirations and to make towns and cities more liveable.

One such initiative in this direction is India’s Smart Cities Mission. The Hon’ble Prime Minister, Shri Narendra Modi, launched the Smart Cities Mission in the year 2015 as an innovative and visionary undertaking towards improving the quality of life and attracting people and investment, setting in motion a virtuous cycle of growth and development. The Smart Cities Mission is expected to drive economic growth and improve the quality of life of people by enabling local development and harnessing technology to create smart outcomes for citizens.

Though the beginning has been excellent, the Smart Cities Mission is still very much a work in progress. There are various economic, technical, and managerial challenges to overcome in mission implementation. One of the most prominent challenges is definitely the cyber security of the smart cities. Considering the ever-expanding risk landscape, India’s developing smart cities could be the target for various adversarial interests. From e-governance services to telemedicine and other smart city services – the acceptance and delivery of all of these services depend on the security of the underlying technology powering them. This needs collective effort from every stakeholder associated with the smart city ecosystem.

As we discuss the right mechanism to deal with this rising threat, it must also be recognised that there are multiple stakeholders in the smart city environment. Hence, we should strive to develop a holistic mindset towards cyber security challenges that takes into account the requirements of all stakeholders involved. It evidently becomes very important to secure India’s smart cities as they impact the lives of millions of residents.

The Ministry of Housing and Urban Affairs (MoHUA) has already taken initiatives in terms of creating the cyber security model framework for smart cities. However, a concentrated and coordinated effort from all the stakeholders involved is critical.

Foreword from Data Security Council of India
Rama Vedashree
Chief Executive Officer
Data Security Council of India

India’s digitalisation roadmap is expected to catapult its digital economy to 1 trillion USD by 2025. India is witnessing an unforeseen digital transformation, and at the same time, a rapid rate of urbanisation. The Government of India’s 100 Smart Cities Mission blends these digitalisation and urbanisation waves, and endeavours to accomplish urban renewal through a Pan-City Smart Solutions initiative, and technology-enabled ‘city improvement (retrofitting), city renewal (redevelopment) and city extension (greenfield development)’.

While the smart city initiative focuses on sustainable development of our cities and harnessing digital technologies for integrated citizen service delivery, it demands a strong focus on cyber security. It is imperative for stakeholders to review and make efforts towards ensuring the safety, security and privacy of citizens and enhancing our cities’ capability to mitigate cyber security risks.

Globally, countries have deployed technologies and controls to avoid loss of data, network lockdowns, and stalling of critical services that can otherwise cripple a city’s functioning. We also need to take appropriate measures to create cyber secure smart cities that can minimise attacks and potential risk to our city infrastructure and services. Recognising cyber security as a key priority, the Ministry of Housing and Urban Affairs (MoHUA) published the ‘Cyber Security Framework for Smart Cities’ on 20 May 2016 and issued an advisory to all smart cities to drive conformance to this framework.

This report on ‘Creating cyber secure smart cities’, jointly developed by DSCI and PwC, is an attempt to reinforce the attention that smart city administrators need to give to cyber security in all their projects as they infuse smart solutions. With a fine blend of global and Indian instances, this report serves as a preliminary guide for smart city stakeholders to understand the risks and steps that need to be taken to enhance the cyber security posture of smart cities. The report acknowledges that cyber security is the combined responsibility of various stakeholders—MoHUA at the central level; and smart city special purpose vehicles (SPVs), project management consultants (PMCs), master system integrators (MSIs), original equipment manufacturers (OEMs), third-party vendors, among others, at the smart city level.

Finally, we have provided guidance to the various stakeholders across the smart city planning, design/implementation and operations phase. We do hope that this report serves as a helpful guide in strengthening the cyber security posture of smart cities and in driving stakeholder collaboration.

Message from PwC
Sivarama Krishnan
Leader, Cyber Security
PwC India

As India’s population gradually shifts to urban areas, there is no better solution to manage the shift than the Smart Cities Mission. It is a step in the right direction that will help create an ecosystem conducive to sustaining a larger mass even with limited resources. Digital technology, which is at the heart of this mission, is going to propel smart cities. However, the adoption of technology throws up its own set of challenges – for example, cyberattacks and the risk of privacy violation.

We need to understand that the use of technology in a city-like set-up automatically widens the threat surface. Devices and machines, interconnected over the network and installed to generate and exchange an enormous amount of data, enable smart services. However, these smart services attract undesired attention from miscreants and hackers who can disrupt their provision. By exploiting loose or inappropriately secured endpoints, they can gain easy and privileged access to major control systems.

India cannot afford to have inadequately secured smart cities. Cyber security needs to be ingrained in the systems right from the beginning or during the implementation phase. All stakeholders of smart cities, including the government and appointed businesses, must pay heed to the requirements for robust security, and take measures under the concurrent and continuous information security functions: identify, protect, detect, respond and recover.

Although the Government of India looks committed to creating secure and safe smart cities with a host of steps, concerns and challenges related to governance and operations in the wake of attacks and hacking incidents have to be duly addressed. Through this knowledge paper, we want to lay emphasis on the importance of cyber security and the need to evaluate the existing landscape and understand the criticality of taking up India-specific challenges head-on. Our analysis and evaluation of the smart cities project suggests that there is an immediate need to tighten the screws for secure and uninterrupted transmission and flow of information/data over a wide and complex network. Unaddressed vulnerabilities will most likely serve as backdoors for cyber intruders.

We have prescribed action items to assist different smart city stakeholders and create a strategy for cyber security implementation and oversight. A well-coordinated and direct approach is recommended and must be adopted and worked upon. The action items are a result of a careful, exhaustive evaluation of the global best practices for the protection of smart cities and the guidelines of the Indian government. The paper will assist organisations, agencies and governments in India engaged in building strong defences against cyberthreats. Robust cyber security measures will help citizens repose trust in smart cities.

Making smart cities cyber secure
Urbanisation is a global trend and India is no exception. In India, 31% of the population currently lives in cities. The number continues to grow, with more people migrating to urban areas for better employment opportunities, healthcare and educational facilities, and a higher standard of living.[1] This trend is expected to continue in the coming years, with city population growth projected to reach almost 50% by 2030.[2] The Indian government, having acknowledged this shift, undertook steps to develop 100 smart cities under the Smart Cities Mission launched in the year 2015.[3]

The smart cities leverage technology and utilise existing and planned infrastructure investments to provide a higher quality of living to residents. Smart cities are powered by advanced technologies such as the Internet of things (IoT) and sensors along with the traditional information technology (IT) and operational technology (OT) systems and devices. These advanced and traditional technologies, distributed across the smart city, work in an integrated manner to generate intelligent and actionable information to help in providing services to residents in an efficient and sustainable manner.[4]

100 smart cities
9.96 crore urban population impacted
Projects worth 2,03,172 crore INR

[1] Census India, 2011: http://censusindia.gov.in/2011-prov-results/paper2/data_files/india/Rural_Urban_2011.pdf
[2] https://www.thehindubusinessline.com/economy/policy/half-of-indias-population-will-be-living-in-urban-areas-by-2030-says-puri/article9891352.ece
[3] http://smartcities.gov.in/
[4] http://smartcities.gov.in/content/
Intelligent traffic management system (ITMS)
The ITMS includes automating the process of traffic management by optimally configuring traffic junction signals on real-time basis.

E-governance
E-governance is the use of information and communication technology (ICT) to provide public services to citizens, by re-engineering internal business processes and increasing the transparency and accountability of government schemes.

Closed circuit TV (CCTV) surveillance
The city surveillance system comprises video and audio surveillance that converge onto possible crime vectors and their prevention.

Smart waste management
This includes a web-based tracking and monitoring system pertaining to functions like recycling, reusage and disposal.

Smart water management
The smart water management system gathers meaningful and actionable data about the flow, pressure and distribution of a city’s water and streamlines the processes.

Telemedicine
Telemedicine provides digital channels to consult physicians and avail medical guidance remotely, including requesting emergency services and medical facilities.

Automatic fare collection system
This system includes an automatic gate machine, ticket vending machine and ticket checking, along with analysis of passenger flow.

Enterprise GIS application
It is an integrated cross-sectoral platform to collect, manage, compile, analyse and visualise spatio-temporal information for sustainable urban planning, development and management.

Smart poles
Smart poles combine the benefits of LED lighting, Wi-Fi connections and mobile connectivity in an integrated manner.

Though integrated technologies assist in efficient delivery of services, using them expands the threat landscape. Cyberattacks, which earlier targeted data centres, are now directed towards numerous systems and devices spread across a smart city. This expanded threat surface provides huge opportunities for hackers to launch attacks. A single intrusion by them may leave the entire smart city network compromised. Cyber security has always been a pain point for organisations. With the increased threat surface, it will be prudent for smart cities to focus on cyber security to be able to deliver a safe and secure environment to citizens.

With 100 smart cities, India has an aggressive agenda of socioeconomic development. Though the technologies utilised in smart cities promise an improved quality of life, they also expand the threat landscape. This phenomenon has also been observed across the globe, wherein many cities were compromised and services were brought to a halt.

Global smart cities targeted by adversaries
There’s no denying that smart cities have paved the way for a better and healthier life. However, they have their own pitfalls. On the one hand, this has led to new socioeconomic opportunities; on the other, smart cities have opened up new avenues for attackers who can indulge in disruption and carry out criminal activities. Many smart cities across the globe have faced major cyberattacks in the past few years. With the passage of time, attacks have grown in sophistication and severity, resulting in cities coming to a standstill.

Atlanta smart city network locked down
Attackers encrypted files, locking employees out of the smart city network completely, while the rest were forced to shut down to prevent the virus from spreading. It is believed that the cyberattack destroyed 'years' worth of police dash cam video footage.[5]

Emergency sirens activated, resulting in widespread panic in Dallas
Attackers activated 156 emergency sirens at 11:40 p.m., waking up and frightening a lot of people until 1:20 a.m., when the alarms were turned off.[6]

Massive power outage in Ukraine, leading to blackouts
BlackEnergy malware was planted within the networks of multiple regional power companies in Ukraine and the technical support phone lines of targeted firms were also flooded, which led to blackouts in different regions in Ukraine.[7]

Sensitive health data of 1.5 million patients, including Prime Minister’s, stolen in Singapore
Hackers targeted Singapore’s largest healthcare institution, SingHealth, and stole the personal profiles of 1.5 million patients along with the details of prescriptions for 1,60,000 others.[8]

California hospital remained shut for a week, paid a ransom in order to resume operations
A hospital in California had to shut down all its systems for a week as it was attacked by cybercriminals demanding a ransom in bitcoins.[9]

Airport operations impacted, causing significant delays in Istanbul
The airport passport system was infected using malware and several flights were delayed due to the unavailability of the passport system.[10]

[5] https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html
[6] https://www.reuters.com/article/us-texas-sirens-idUSKBN17B001
[7] http://www.securityweek.com/blackenergy-group-usesdestructive-plugin-ukraine-attacks
[8] https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most
[9] https://www.forbes.com/sites/thomasbrewster/2016/02/18/ransomware-hollywood-payment-locky-menace/
[10] https://www.theregister.co.uk/2013/07/31/istanbul_airport_chaos_malware_blamed/

Hacking attack caused ‘massive damage’ at German steel works
A blast furnace at a German steel mill caused massive damage following a cyberattack on the plant’s network. It is believed that attackers used booby-trapped emails to steal logins that gave them access to the mill’s control systems.[11]

Estonia faced a full-scale cyberwar
Estonia was subjected to cyberterrorism in which the attackers penetrated and brought down key government websites, rendering them redundant. A number of techniques such as ping floods and botnets were deployed for the penetration process.[12]

Pornographic clip played on advertisement display at a metro station in New Delhi
Miscreants played a pornographic video on an advertisement screen installed at a metro station in New Delhi and the entire sequence was shot by a few commuters on their mobile phones, after which the incident went viral on social media. It is believed that the LED TV system was under commissioning and the Wi-Fi port was accessible due to lack of password controls.

Sabotage of traffic signals in Los Angeles
Two traffic signal engineers hacked into the systems and tweaked the timings of the signals at four critical intersections, causing havoc within the city.[13]

Distributed Denial of Service (DDoS) attacks delay trains in Sweden
A series of DDoS attacks aimed at Sweden’s transportation services caused train delays and disrupted travel service.[14]

From loss of health data to complete network lockdown, global smart cities face the continuous onslaught of cyber security breaches. While these attacks have attempted to cripple smart cities, they also provide an opportunity to the various countries to learn from such incidents and appropriately build security controls to safeguard against them.

[11] http://www.bbc.com/news/technology-30575104
[12] http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1105&context=jss
[13] http://articles.latimes.com/2007/jan/06/local/me-trafficlights6
[14] https://www.scmagazineuk.com/ddos-attacks-delay-trains-halt-transportation-services-sweden/article/1473963

Key cyber security initiatives taken across the globe
Worldwide, countries acknowledge the threats their smart cities face from cybercriminals, and have accordingly invested in ramping up the security and privacy layers around their infrastructure and data. Many countries have set a precedent by taking significant steps on regulations, standards and frameworks to fortify cyber security.

1 United States of America (USA)

a. Internet of Things Cyber Security Improvement Act, 2017: The USA government released the Internet of Things Cyber Security Improvement Act, 2017, to establish minimum cyber security standards for IoT devices.[15]

b. Cyber Physical Systems (CPS) Framework 1.0: The National Institute of Standards and Technology’s CPS Public Working Group (PWG) released the CPS PWG Cyber Physical Systems Framework 1.0, detailing the cyber security privacy and strategy for the common elements—identification, implementation and monitoring of cyber security services of the CPS.[16]

c. Cyber Security Guidelines for Securing Smart Cities: Multiple cyber security vendor firms collaborated to launch a not-for-profit forum ‘Securing Smart Cities’, which released ‘Cyber Security Guidelines for Smart City Technology Adoption’.[17]

d. NYC Secure Initiative: NYC Secure is an initiative for citizens of New York City. It includes a free city-sponsored smartphone protection app that will issue warnings to users when suspicious activity is detected on their phones, as well as new protection for the city’s public Wi-Fi networks.[18]

e. National Infrastructure Protection Plan (NIPP 2013) – Partnering for Critical Infrastructure Security and Resilience: It outlines the plan for collaboration amongst the government and private sector participants to manage risks and achieve cyber resilience.[19]

f. City-Based Cyber Lab: Los Angeles launched a City-Based Cyber Lab to strengthen cyber security for its businesses and residents. The lab is a public-private partnership that will disseminate information and intelligence based on analysis of more than one billion security-related events and over four million attempted intrusions into city networks per day.[20]

2 Europe

a. European Union (EU) Network and Information Security (NIS) Directive for Sectoral Supervision: The EU released the NIS directive which clearly indicated that the member states needed to supervise the cyber security of critical market operators in the country.[21]

b. Certification Framework for Devices: This framework seeks to ensure an EU-wide certification scheme consisting of comprehensive rules, technical requirements, standards and procedures. This will be based on agreement at the EU level on the evaluation of the security properties of a specific ICT-based product or service.[22]

c. Baseline Security Recommendations for IoT: The EU provided ‘Baseline Security Recommendations for IoT’ detailing the critical attack scenarios, need for security by design and the security gaps in the IoT ecosystem, followed by recommendations.[23]

d. European Union Agency for Network and Information Security (ENISA) Guidelines for Cyber Security of Smart Cities: ENISA has released two detailed guidelines for cyber security of smart cities—architecture model for public transport, and security and resilience for smart health service and infrastructure.[24]

e. Critical Infrastructure Security Analysis (CRISALIS) Programme: The CRISALIS programme is aimed at providing means to secure critical infrastructure environments from attacks caused by malware and threat agents such as Stuxnet and Duqu.[25]

[15] https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
[16] https://pages.nist.gov/cpspwg/
[17] https://securingsmartcities.org/wp-content/uploads/2016/03/Guidlines_for_Safe_Smart_Cities-1.pdf
[18] https://secure.nyc/
[19] https://www.dhs.gov/national-infrastructure-protection-plan
[20] https://www.lacity.org/blog/mayor-garcetti-launches-nations-first-city-based-cyber-lab
[21] https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/cii/nis-directive
[22] https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework
[23] https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot
[24] https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/smart-infrastructure?tab=publications
[25] ct.eu/node/38
3 Singapore

a. Singapore Cybersecurity Act, 2018: The act establishes a legal framework for the oversight and maintenance of national cyber security in Singapore with the objective of strengthening the protection of critical information infrastructure (CII), preventing and responding to cyber security threats and incidents, sharing cyber security information and establishing a light-touch licensing framework for cyber security service providers.[26]

b. Personal Data Protection Act (PDPA), 2012: The PDPA establishes a data protection law that comprises various rules governing the collection, storage, use, disclosure and care of personal data. A Personal Data Protection Commission (PDPC) is also defined which ensures the enforcement of the act.[27]

c. Internet of Things (IoT) Ecosystem Standards: The Internet of Things Technical Committee (IoTTC) focuses on the standardisation needs in IoT technologies, such as sensor networks, system interfaces, data management and security. Thus far, four technical standards on IoT have been published.[28]

d. National Cybersecurity Research & Development Lab: It was set up with the primary aim of maintaining a shared national infrastructure that provides computing and networking resources for cyber security research and development.[29]

e. Cyber Security Start-up Hub: Singapore opened its first cyber security entrepreneur hub called ICE71 ‘Innovation Cybersecurity Ecosystem at Block 71’ to strengthen its growing cyber security ecosystem by attracting and developing competencies and deep technologies.[30]

4 Australia

a. Internet of Things (IoT) Alliance Australia: The IoT Alliance Australia (IoTAA) works with the objective of accelerating IoT innovation and adoption in Australia. Recently, they launched a report, ‘Enabling the Internet of things for Australia’, detailing the need for privacy by design, data protection and testing of IoT devices in the area of smart cities, health, energy, etc.[31]

b. Guidelines & Best Practices in Smart Cities: In 2018, the Smart Cities Council Australia and New Zealand released a best practices guide covering the cyber security standards.[32]

c. Critical Infrastructure Program for Modelling and Analysis (CIPMA): It was launched to assist critical infrastructure owners and operators in understanding network interdependencies and improving resilience by developing and using the tools of modelling and simulation to provide impartial, evidence-based and objective analysis of potential natural or human-induced disruptions to critical infrastructure.[33]

d. The Trusted Information Sharing Network (TISN): It is Australia’s primary national engagement mechanism for business-government information sharing and resilience-building initiatives on critical infrastructure resilience and cyber security.[34]

[26] https://www.csa.gov.sg/legislation/cybersecurity-act
[27] https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview
[28] https://www.imda.gov.sg/itsc/technical-committees/internet-of-things-technical-committee-iottc
[29] https://ncl.sg/about
[30] https://ice71.sg/
[31] https://www.iot.org.au/about/
[32] https://anz.smartcitiescouncil.com/system/tdf/anz_smartcitiescouncil_com/public_resources/smart_cities_standards_best_practice_guide_issue.pdf?file=1&type=node&id=5297
[33] https://www.tisn.gov.au/Documents/CIPMA-flyer.PDF
[34] https://www.tisn.gov.au/Pages/default.aspx
Learnings from global initiatives

Effective regulations: Cyber security and privacy acts have been introduced to ensure security is given the foremost importance. Existing regulations have been updated at periodic intervals to incorporate the smart city security perspective.

Framework and standards for ecosystem: Several countries across the globe have established cyber security frameworks and defined security and privacy guidelines in the context of smart cities. Baseline security standards and guidelines have also been introduced for different stakeholders.

Collaboration and capacity development: Cyber security information sharing platforms have been created for collaboration across sectors, including smart cities, finance and energy. A number of programmes have been launched globally for building skills and capabilities in cyber security. A conducive environment has also been set up to promote cyber start-up hubs.

Globally, smart cities have launched numerous cyber security initiatives spread across three pillars—
effective regulations, framework and standards for the ecosystem, and collaboration and capacity building. India is
following in their footsteps.

India has just begun the journey to secure smart cities
India’s efforts to protect its smart cities are timely. A host of policies and regulations have been designed to protect the smart city
infrastructure from cyberattacks. Some of the existing/upcoming regulations on security and privacy are also applicable to smart
cities, thereby helping to build secure cities.

India

a. Ministry of Housing and Urban Affairs (MoHUA) Guidelines [35]: MoHUA, the Government of India, released a model framework for cyber security in smart cities on 20 May, 2016. It covers the security of smart cities across different layers, namely sensor layer, communication layer, data layer and application layer. The major guidelines include, but are not limited to:
• Designing a secure network architecture based on the National Institute of Standards & Technology (NIST) reference IT architecture
• Security solutions that need to be considered while developing a smart city
• Secure storage and transmission of data between different systems and devices implemented in the smart city
• Security assessment of the services before and after going live
• Compliance with standards such as ISO 27001, ISO 22301, ISO 37120, ISO 3712, ISO 27017, ISO 27018, BSI PAS 180, BSI PAS 182, Protected Extensible Authentication Protocol (PEAP) and 3rd Generation Partnership Project (3GPP), as applicable
• Setting up of security monitoring for smart city network, devices and sensors
• Reporting of security incidents to relevant bodies such as Computer Emergency Response Team – India (CERT-In) and National Critical Information Infrastructure Protection Centre (NCIIPC).

b. The National Critical Information Infrastructure Protection Centre (NCIIPC), 2014: NCIIPC has been identified as the nodal agency under the National Technical Research Organisation for the protection of critical information infrastructure. The formal roles and responsibilities of the NCIIPC include cooperation strategies, issuing guidelines, advisories and coordination with CERT-In. The NCIIPC has defined controls for the critical infrastructure sectors to enhance security.[36]

c. National Cyber Security Policy, 2013: The policy aims to create a secure cyber ecosystem in the country and strengthen the regulatory framework.[37]

d. Information Technology Act (IT Act), 2000, and its amendments: The IT Act includes rules on the protection of sensitive personal data or information and provisions for electronic service delivery, publication of content of a specific nature on the Internet, and the penalties applicable in case of any offence.[38]

e. Aadhaar Act, 2016, and its regulations: The Aadhaar Act, 2016, defines how Aadhaar-related data is to be captured, stored and processed. Aadhaar data includes not only biometric information (fingerprints, iris and photo) but also the demographic details of the resident. The Aadhaar Act, 2016, forms the basis of various e-governance initiatives such as distribution of services and benefits to residents of India.[39]

f. Draft Personal Data Protection Bill: The Personal Data Protection Bill includes provisions to protect personal data as an essential facet of information privacy. The bill provides guidelines on the data processing grounds, rights of the data principal, penalties and exemptions, amongst other areas. The bill aims to protect the autonomy of individuals from data privacy violations by the state and private entities. Once enforced, the bill will impact how the smart city information systems store and process personal/sensitive data.[40]

g. Draft Digital Information Security in Healthcare Act (DISHA): The draft DISHA document was recently released in the public domain for comments. It aims to set up a National Health Authority in India which shall be responsible for enforcing privacy and security measures for electronic health data, and to regulate storage and exchange of the same.[41]

[35] http://mohua.gov.in/pdf/58fd92b5545b85821b621a862dCyber_Securitypdf.pdf
[36] NCIIPC. Retrieved from https://nciipc.gov.in/
[37] http://164.100.94.102/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf
[38] http://meity.gov.in/content/information-technology-act-2000
[39] https://uidai.gov.in/legal-framework/acts.html
[40] http://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[41] https://mohfw.gov.in/newshighlights/comments-draft-digital-information-security-health-care-actdisha
Indian smart cities face specific challenges
Challenges specific to the Indian context weaken the efforts towards cyber security implementation in smart cities. The
major challenges have been 1) cyber security not figuring amongst top priorities and 2) limited stakeholder awareness on
cyber security. While security should be a prerequisite, in the Indian context, it is often an afterthought. As cities throw their
weight behind timelines to implement services, security takes a backseat. Based on our analysis and on-ground assessments,
the smart cities today face multiple challenges in implementing cyber security.

Security governance
There is no security organisation responsible for
ensuring cyber security within smart cities. Additionally,
there is no or limited consideration of cyber security
during the various phases of smart city development.

Budget allocation
Limited budget is allocated for cyber security in the overall smart city budget. Even when a budget is allocated, it
does not match the risk profile of smart cities, thereby making the process of setting up adequate defences a difficult
proposition.

Security products selection and implementation
Business-driven risk assessments are not conducted to identify appropriate security products based on the risk profile of the
smart city. Additionally, there are no baseline security guidelines for implementation and configuration of security products.

Cyber security capability and awareness


Smart city stakeholders have low
awareness of cyber security risks and
vulnerabilities. Further, the stakeholders
responsible for securing the smart
cities, have limited cyber security
capabilities.

Review and monitoring mechanism


There is no mechanism in place to regularly perform security
assessments of the smart city set-up in order to identify and
mitigate security risks on a continual basis.

Indian smart cities are exposed to challenges that hinder the development of secure cities. These
challenges leave smart city services prone to serious security vulnerabilities which, if exploited, can paralyse smart
city operations or do irreparable damage.



Security risk landscape for Indian smart cities
The Indian Smart City technology architecture can be understood through the four logical layers: sensor, communication, data
and application layers. The technology across these four layers works in an integrated manner to deliver Smart City services.

Figure: Indian smart city ICT architecture

Smart services: E-governance, City surveillance, Smart waste management, Smart water management, Smart poles,
Telemedicine, Automatic fare collection, Intelligent traffic management, Enterprise GIS application

Application layer: E-governance, Video management system, Integrated traffic management system, Waste management
application, Water management application, Telemedicine application, GIS, Flood monitoring system, Smart pole
application, Parking management system, Other enterprise applications/APIs

Data layer: Master data management, Citizen personal and health database, Predictive/prescriptive analytics, Big data
analytics, Alerts, KPI indicators, Dashboards and reports, Other advanced analytics

Communication layer: Ethernet, Wi-Fi, GPRS, Fibre, Firewall and security devices, Routers and switches, Communication
channels, Other network and communication devices

Sensor layer: Surveillance cameras, Environmental and seismic sensors, Parking sensors, Water level detection, Traffic
detection system, Speed detection cameras, RFID tags, Readers, Audio detection sensors, Smoke detection, Leakage
detection, Smart meters, Red-light violation detection

Our analysis and on-ground assessment of a few smart cities suggest that the technology powering the Indian smart city services
is very much prone to vulnerabilities, which can lead to potential social, health, economic and/or reputational risks.
The presence of inherent challenges, lack of granular guidelines and regulations, and India-specific issues add to the complexity
of the risk landscape for Indian smart cities.

Table: Smart service, vulnerabilities in systems associated with smart service, and potential risks

Smart service: E-governance
Vulnerabilities in systems associated with smart service:
• Unencrypted storage and transmission of citizen data
• Lack of user access and authorisation controls
• Multiple vulnerabilities due to non-adherence to software development life cycle (SDLC) process
• Outdated version prone to emerging attacks including ransomware
Potential risks:
• Citizen personal data, including financial and health data, can be compromised
• E-governance services can be shut down, denying services to citizens

Smart service: City surveillance
Vulnerabilities in systems associated with smart service:
• Default password and configuration
• CCTV cameras accessible over open Internet with weak access controls
• Insecure transmission of video feeds
Potential risks:
• Video surveillance can give information about weak surveillance zones which can be used for malicious anti-social
purposes and to plan and plot a city-level attack
• Video recordings can be tampered/deleted, hampering police investigation

Smart service: Smart waste management
Vulnerabilities in systems associated with smart service:
• Inappropriate cryptographic techniques for security of radio-frequency identification (RFID) tags
• Cloning and spoofing of tags
• Denial of service attacks on tags
Potential risks:
• Smart sewage system can be breached to open/close smart valves and release untreated sewage water into
bodies of freshwater
• A denial of service attack can be performed to interrupt waste collection, posing a risk to citizen health safety

Smart service: Smart poles
Vulnerabilities in systems associated with smart service:
• Default password and configuration of smart pole edge devices (e.g. Wi-Fi, sensors)
• Inappropriate validation mechanism for connecting to edge devices (e.g. Wi-Fi)
• Remote terminal access to sensors
Potential risks:
• Attackers may connect to Wi-Fi and send anti-social emails to create unrest in the city
• Anti-political message can be displayed in public places through digital billboards to stir unrest amongst the public
• Lights can be put off at night so that a crime is not captured by surveillance cameras

Smart service: Smart water management
Vulnerabilities in systems associated with smart service:
• Tampering of data during storage/transmission
• Cloning and spoofing
• Denial of service attacks
Potential risks:
• Wrong data related to water management can lead to water shortage, unidentified wastage of potable
water, and unavailability of water quality control metrics

Smart service: Telemedicine
Vulnerabilities in systems associated with smart service:
• Insecure storage and transmission of citizen health record
• Lack of user access and authorisation controls
• Business logic flaws in doctor consultation and medicine ordering
Potential risks:
• Citizens’ personal/health-related information can be compromised and sold illegally
• Citizens’ health information can be compromised with legal and regulatory implications

Smart service: Automatic fare collection system
Vulnerabilities in systems associated with smart service:
• Cloning, forgery and tampering of smart cards
• Insecure transmission of financial data
Potential risks:
• Payment information can be manipulated to cause revenue loss to government/citizens

Smart service: Enterprise GIS application
Vulnerabilities in systems associated with smart service:
• Unpatched vulnerabilities in GIS applications/application program interfaces (APIs)
• Insecure cross-system communication
Potential risks:
• Unauthorised access can be gained to critical city plans/layout
• Cross-system communication can be hijacked to further propagate attacks

Smart service: Intelligent traffic management system
Vulnerabilities in systems associated with smart service:
• Man-in-the-middle attack between sensor and reader
• Cloning and spoofing
• Denial of service attacks
Potential risks:
• Miscreants can monitor the live location of buses and other parameters to plan an attack
• Traffic signals can be manipulated to create a traffic jam in the city



Categorisation of smart services based on risks

Considering the risks applicable to different smart city services, they can be divided into three categories based on the ease of
exploiting the associated vulnerabilities and the impact level:
1. Catastrophic zone: The services categorised as catastrophic, if compromised, will impact safety and security, health, trust in
the government, and privacy of citizens.
2. Critical zone: The services categorised as critical, when compromised, will pose a challenge to delivery only. However, these
services may be further exploited to extend the damage and enter the catastrophic zone.
3. Marginal zone: If the services in this zone are compromised, citizens will be inconvenienced.

Our analysis of the overall risks and vulnerabilities landscape for smart city services indicates that e-governance, CCTV
surveillance and telemedicine are the most critical services for the Indian smart city.

[Figure: smart services plotted by ease of exploit against perceived impact, with regions labelled catastrophic zone,
critical zone and marginal zone. Risks annotated on the figure for each service:]
• Surveillance system: Weak surveillance zones can be targeted for malicious anti-social purposes and planning
city-level attacks. Deletion/tampering of video recordings can hamper police investigation.
• E-governance: Citizens’ personal data, including financial and health data, can be compromised. Shutdown of
services, leading to denial of service to citizens.
• Telemedicine: Citizens’ personal/health data can be compromised and sold in the market. Citizens’ health data, if
compromised, can have legal and regulatory implications.
• Smart poles: Attackers may connect to Wi-Fi and send anti-social emails to create unrest. Anti-political messages
can be displayed on billboards in public places.
• Smart waste management: Untreated sewage water can be released into freshwater bodies. Citizens’ health safety
can be impacted by the interruption of waste collection.
• Automatic fare collection system: Manipulation of payment information to cause revenue loss to
government/citizens.
• Traffic management system: Live location of buses can be tracked to plan attacks. Manipulation of traffic signals
can lead to traffic jams/road accidents.
• Enterprise GIS application: Unauthorised access can be gained to critical city plans/layout. Cross-system
communication can be hijacked to further propagate attacks.
• Smart water management: Compromise could lead to water shortage, unidentified wastage of potable water,
incorrect estimation of water available for use, and unavailability of water quality control metrics.

It is important to note that smart cities are exposed to security risks that are capable of causing significant
damage. Smart city stakeholders, both at the central as well as the smart city level, are required to take definitive
steps towards securing the cities.

Actions required by smart city stakeholders to enhance security maturity

A. Understanding the smart city stakeholders


At the central level, MoHUA is the key stakeholder, while at the smart city level, stakeholders include smart city special purpose
vehicle (SPV), project management consultant (PMC), master system integrator (MSI), original equipment manufacturer (OEM)
and third-party vendors.

MoHUA

MoHUA is the apex body that sets up and monitors the Smart Cities Mission in India. MoHUA facilitates the formulation and
administration of the rules, regulations and laws relating to housing and urban development.

Smart city SPV
The smart city SPV is accountable for the implementation and operations of a specific smart city with the objective of
improving sustainability and livability. It drives the concept and execution of the smart city project, and helps build and
activate teams to deliver smart services to citizens.

PMC
The PMC acts as an advisor/consultant to the smart city SPV in achieving the vision for the smart city. The PMC manages
the design, implementation and operations of the smart city, and ensures that quality smart services are delivered to
citizens in a timely manner as per the procedures laid down.

MSI/vendors/OEM
The MSI, along with the OEM, ensures that all smart services, solution systems and components are implemented and
operated as per the requirements of the smart city. OEMs and other third parties provide an array of products and services
for the efficient functioning of smart city services.



B. Call to action
In order to secure smart cities, a collaborative effort is required from all the key stakeholders. Each stakeholder has to take the
responsibility and play a definite role in securing the smart city.

At the central level – MoHUA

• Develop detailed guidelines for implementing cyber security in smart cities. Though MoHUA has released the
model cyber security framework for smart cities, there is an immediate need to provide detailed guidelines, including
reference security architecture to smart cities for cyber security implementation.
• Mandate smart city SPVs to appoint security organisations with clearly defined security roles and responsibilities.
• Enforce the implementation of cyber security guidelines and link budget sanctions to the compliance status.
• Develop a cyber security enforcement mechanism to which subsequent budgetary sanctions must be linked.
• Encourage smart city SPVs to perform risk assessment and implement solutions leveraging custom-off-the-shelf
(COTS)/Make in India/open source security products based on risk assessment, security budget, and MoHUA guidelines.
• Define security guidelines for the OEMs supplying products to smart cities.
• Create a platform for cyber security information sharing and knowledge transfer amongst the smart cities and other
agencies (e.g. CERT-In, NCIIPC). Consider the set-up of smart city sectoral CERTs similar to the concept of other
sectoral CERTs (e.g. financial CERTs, power CERTs) to ensure security across smart cities.

At the smart city level

Smart city SPV, PMC, MSI/vendors/OEM

The actions to be taken at the smart city level depend on the phase of development of the respective smart city in achieving its
objectives. Smart cities can be at the following phases of development:
• Planning phase – from smart city nomination until on-boarding of MSI for implementation
• Design/implementation phase – from MSI on-boarding until implementation of smart city services
• Operations phase – post implementation of smart city services
There are definite actions that need to be taken for securing smart cities at various phases. The smart city SPV should ensure that
these actions are executed by the respective stakeholders in a time-bound manner.

Call to action – planning phase

Smart city SPV

• Appoint a chief information security officer (CISO) with defined security roles, responsibilities and accountability.
• Consider cyber security requirements in PMC RFP and PMC bid evaluation.
• Allocate budget for cyber security and privacy as part of the detailed project report (DPR).
• Ensure cyber security requirements are considered in MSI RFP and MSI bid evaluation.
• Include cyber security as agenda item in status update meetings conducted for the smart city.
• Ensure that the PMC team is adequately staffed with cyber security experts to oversee security design, implementation
and operations.

Smart city PMCs

• Perform security and privacy risk assessment to identify risk profile for smart city services.
• Develop smart city security architecture leveraging COTS/Make in India/open source security products based on risk
assessment, security budget and MoHUA guidelines.
• Include detailed specifications for security products, services and manpower in MSI RFP.
• Design robust security SLAs to measure and enhance security maturity on a continual basis.
• Review security architecture, solution, and implementation plan proposed by MSI from security and privacy perspective.

Smart city MSI

• Propose a robust security solution in line with RFP requirements, MoHUA guidelines and applicable regulations.
• Ensure appropriate number of security experts with relevant skills are proposed as part of staffing.

Call to action – design/implementation phase

Smart city SPV

• Conduct monthly status update meetings to assess the quality of security implementation.
• Maintain contact with various security agencies such as CERT-In, NCIIPC and other security experts for cyberthreat
advisory and incident reporting.
• Ensure that personnel with access to critical systems and information sign a non-disclosure agreement and go
through a security clearance process.

Smart city PMCs

• Review security and privacy policies and procedures prepared by MSI in line with international security
standards such as ISO 27001 and NIST cyber security framework.
• Assess minimum security baseline guidelines for systems and devices, including operating system, databases, network
and security devices, sensors, and IoT devices.
• Evaluate network security architecture and ensure security is considered across all four layers: sensor layer,
communication layer, data layer, and application layer in line with MoHUA guidelines and NIST IT reference
architecture.
• Review the high-level and low-level designs (HLD and LLD) for solutions and applications from the security and privacy
perspective.
• Review compliance with security architecture, policy, procedures and minimum baseline security guidelines
during implementation status update meetings.
• Review business continuity and disaster recovery plans prepared by MSI.
• Ensure security assessment is conducted and identified vulnerabilities closed before user acceptance testing (UAT)
sign-off and Go-live for each solution.
• Prepare and disseminate cyber security related awareness material for different stakeholders, including smart city SPV,
MSI, third parties, and citizens through appropriate mode.

Smart city MSI


• Prepare and obtain sign-off for all design documents, including but not limited to:
− Security and privacy policies and procedures
− Minimum baseline security guidelines
− Security architecture
− Business continuity and disaster recovery plans
− Application and solution HLD and LLD
− SLA management framework



• Implement security across the four layers as per security policies, procedures and minimum baseline security
guidelines:
− Sensor layer
º Authenticate edge devices, including IoT and environmental sensors, while installing the network based on physical
characteristics such as device ID and MAC ID.
º Disable physical interface in edge devices to prevent software modifications.
º Enforce authentication for remote access to all edge devices.
º Change default passwords of all edge devices.
º Harden all edge devices in line with the minimum baseline security guidelines.
º Encrypt all communications to and from edge devices.
º Configure edge devices to connect to authorised wireless network only.
º Regularly update edge device firmware to prevent known attacks.
º Secure over-the-air updates to edge devices via encrypted channel.
− Communication layer
º Segment data centre network into multiple zones such as demilitarised zone, trusted zone, management
zone, production zone and user zone.
º Place all edge devices, including Wi-Fi, sensors and IoT devices, on a separate firewall-monitored network.
º Secure the data centre network through external firewall, web application firewall, and intrusion
prevention and detection system, and other security products.
º Configure wireless network, wherever required, securely in line with guidelines published by the
Department of Telecom.
º Implement authentication and hardening for all the devices on the network.
º Encrypt inter-component communication with secure protocols such as HTTPS over TLS 1.2, SSH, SFTP, etc.
º Use encrypted channels such as virtual private network while connecting remotely to the data centre
network.
º Disable unused network or telecommunication access points to prevent unauthorised access.
− Data layer
º Implement user authentication on databases.
º Provide database access to authorised users only on a need-to-know basis.
º Deploy the database server into a segmented zone, separate from the app server and web server.
º Perform hardening for all database servers as per minimum security baseline guidelines.
º Perform channel encryption to ensure security of data in transit.
º Encrypt all sensitive data and store encryption keys in a trusted key store.
º Conduct regular backups of database and encrypt backup media.
− Application layer
º Follow secure SDLC process for custom developed applications.
º Provide privileged access to servers to authorised users only.
º Perform hardening for all application servers and web servers as per minimum security baseline guidelines.
º Build authentication mechanisms for all applications and API.
º Create a role-based access control list derived from the principle of least privilege.
º Secure application communication through encrypted protocols such as HTTPS over TLS 1.2 and above.
º Validate user-provided inputs at server side.
º Implement error-handling mechanism on end-user inputs.
º Disable access to default web server pages.
• Implement cloud security solution in line with Guidelines for Government Departments on Contractual Terms Related
to Cloud Services released by the Ministry of Electronics and Information Technology (MeiTY).
• Provide privilege access to systems, applications, network and sensors to authorised users only on a
need-to-know basis.
• Design and implement a SOC with advanced analytical capabilities to detect, respond, and recover from security
incidents on a 24*7 basis.
• Ensure integration of all systems and devices with the SOC.
• Perform security testing of all applications and devices, and close identified gaps before service go live.
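One way to turn the sensor-layer and edge-segmentation controls listed above into a repeatable pre-go-live check, as an added example that is not part of the report or of the MoHUA guidelines. The inventory fields, control ids, the zone name `edge`, the SSID and the firmware baselines are all constructed assumptions; only the TLS 1.2 minimum and the SSH/SFTP allowance come from the list itself.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

MIN_TLS = (1, 2)                   # from the list above: "TLS 1.2 and above"
SECURE_NON_TLS = {"ssh", "sftp"}   # other secure protocols the list names

@dataclass
class Device:                      # hypothetical inventory record
    device_id: str
    kind: str                      # e.g. "cctv", "wifi_ap", "rfid_reader"
    zone: str                      # network zone the device sits in
    default_password_changed: bool
    remote_access_auth: bool
    transport: str                 # e.g. "tls1.2", "ssh", "none"
    firmware: str                  # dotted numeric version
    ssid: Optional[str] = None     # None for wired devices
    physical_port_enabled: bool = False
    ota_encrypted: bool = True

@dataclass
class Policy:                      # hypothetical minimum baseline for one city
    edge_zones: FrozenSet[str]
    authorised_ssids: FrozenSet[str]
    min_firmware: Dict[str, str]

def parse_version(text: str) -> Tuple[int, ...]:
    # Compare versions numerically: as strings, "1.0.10" sorts before "1.0.9".
    return tuple(int(part) for part in text.split("."))

def transport_ok(transport: str) -> bool:
    t = transport.strip().lower()
    if t in SECURE_NON_TLS:
        return True
    if t.startswith("tls"):
        try:
            return parse_version(t[3:]) >= MIN_TLS
        except ValueError:
            return False           # malformed label such as "tls"
    return False                   # plaintext or unknown transport

def firmware_ok(dev: Device, policy: Policy) -> bool:
    minimum = policy.min_firmware.get(dev.kind)
    if minimum is None:
        return False               # no approved baseline for this type: fail closed
    try:
        return parse_version(dev.firmware) >= parse_version(minimum)
    except ValueError:
        return False               # unparseable version string

def audit_device(dev: Device, policy: Policy) -> List[str]:
    """Return the ids of the controls this device fails."""
    failed = []
    if not dev.default_password_changed:
        failed.append("S-DEFAULT-PASSWORD")
    if not dev.remote_access_auth:
        failed.append("S-REMOTE-AUTH")
    if dev.physical_port_enabled:
        failed.append("S-PHYSICAL-INTERFACE")
    if not transport_ok(dev.transport):
        failed.append("S-ENCRYPTION")
    if dev.ssid is not None and dev.ssid not in policy.authorised_ssids:
        failed.append("S-WIRELESS")
    if not firmware_ok(dev, policy):
        failed.append("S-FIRMWARE")
    if not dev.ota_encrypted:
        failed.append("S-OTA")
    if dev.zone not in policy.edge_zones:
        failed.append("C-SEGMENTATION")   # edge device outside the separate edge network
    return failed

def audit_inventory(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    report = {d.device_id: audit_device(d, policy) for d in devices}
    return {dev_id: gaps for dev_id, gaps in report.items() if gaps}

def go_live_ready(report: Dict[str, List[str]]) -> bool:
    # The list asks for identified gaps to be closed before service go live.
    return not report

# Constructed sample data, not taken from any real deployment.
POLICY = Policy(
    edge_zones=frozenset({"edge"}),
    authorised_ssids=frozenset({"SC-OPS-IOT"}),
    min_firmware={"cctv": "3.1.0", "wifi_ap": "5.0.2", "rfid_reader": "1.0.9"},
)
INVENTORY = [
    Device("cam-001", "cctv", "edge", True, True, "tls1.2", "3.2.0"),
    Device("cam-002", "cctv", "production", False, False, "none", "2.9.4"),
    Device("ap-010", "wifi_ap", "edge", True, True, "tls1.0", "5.0.2", ssid="CityFreeWiFi"),
    Device("rfid-007", "rfid_reader", "edge", True, True, "ssh", "1.0.10",
           physical_port_enabled=True, ota_encrypted=False),
]

if __name__ == "__main__":
    findings = audit_inventory(INVENTORY, POLICY)
    for dev_id, gaps in findings.items():
        print(dev_id, ", ".join(gaps))
    print("go-live ready:", go_live_ready(findings))
```

Feeding the same report into the SOC or the PMC's status update meetings gives the periodic configuration review a fixed, comparable output.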

Call to action – operations phase

Smart city SPV


• Conduct frequent cyber security review meetings with PMC and MSI to address security issues and enhance security maturity.
• Ensure security and privacy policies are reviewed annually.
• Report security incidents, if any, to CERT-In and NCIIPC on a timely basis.
• Ensure periodic submission of MoHUA guidelines compliance report by MSI.
• Appoint an independent security audit agency to regularly assess the security posture of the smart city.

Smart city PMCs


• Periodically review the smart city’s security and privacy policies, procedures, and minimum baseline security guidelines to
keep abreast of emerging risks.
• Ensure periodic security assessments of all applications, websites, network and edge devices are conducted by MSI.
• Periodically review security-related SLAs and identify trends and areas of improvement.
• Conduct periodic security training and awareness sessions for different stakeholders.
• Perform gap assessment to assess compliance with MoHUA guidelines.
• Regularly review the security posture, and present risk dashboard to smart city management on existing and emerging cyber
risks, trends and directives.

Smart city MSI


• Create an asset inventory and identify critical systems and devices (‘crown jewels’).
• Update all the systems/devices with the latest patches on a regular basis.
• Follow secure operational procedures, such as user access management, change management, incident management and
capacity management, during smart city operations.
• Operate the SOC on a 24*7 basis.
• Periodically review firewall rules and appropriately set firewall rule base to allow for only authorised incoming and outgoing
traffic.
• Report and respond to security incidents, if any.
• Perform periodic user access reconciliation for systems, applications and devices, and revoke unauthorised accesses, if any.
• Perform periodic testing of business continuity and disaster recovery plans.
• Perform periodic backup of information, software and systems in accordance with backup policy.
• Track and close observations identified during assessments performed by different agencies, including PMC, independent audit
agency, and any other agency.
• Follow secure SDLC process for any enhancement to smart city applications and solutions.

Cyber security framework for smart cities
While the action points will help the smart city SPVs to make the cities secure, embracing a robust cyber security framework
will give holistic coverage of security. A cyber security framework for smart cities has been designed using MoHUA’s
Smart City Cyber Security Guidelines. It covers multiple aspects: security governance, implementation, and operation
of security products and services, and security assurance. The framework ably secures all the layers of technology, allows
each smart city to align its requirements and helps comply with the changing regulatory landscape.

Figure: Cyber security framework for smart cities

Governance layer: Design and governance
• Cyber security framework, strategy, responsibilities and accountability

Implementation and operation layer: Security requirements implementation and operations
• Design security and privacy policy
• Design and implement secure network architecture
• Implement and configure security solutions
• Security assessment before Go-live
• Set up and operate security operations centre
• Compliance with regulatory requirements and guidelines
• Application layer: Authentication, Authorisation, WAF, Secure APIs, SIEM, Antivirus
• Data layer: Data classification, DLP, IDAM, HSM, Public key infrastructure, Database activity monitoring, Encryption
• Communication layer: Authentication, Authorisation, IPS/IDS, SIEM, Anomaly detection, Network access control,
DDOS protection, Firewall, Anti-APT
• Sensor layer: Remote administration, Device discovery, Authentication

Assurance layer: Security assurance
• Secure and uninterrupted operations with periodic audits, assessments, reviews and updates

The various layers of the framework are detailed below:

Design and governance

• Appoint a security organisation led by CISO to ensure cyber security in the smart city.
• Perform a business-driven risk assessment to appropriately consider cyber security requirements.
• Design a security and privacy framework including policy, procedures and minimum baseline security guidelines covering
systems, network devices, and edge devices including IoT, sensors, etc.
• Establish a governance mechanism to periodically review and enhance cyber security for the smart city.
• Plan for cyber security awareness and capacity building within the smart city.
• Maintain contact with various security agencies such as CERT-In and NCIIPC and other security experts for cyberthreat
advisory and incident reporting.



Security implementation

• Design and implement smart city security architecture leveraging COTS/Make in India/open source security products based on
risk assessment, security budget, and MoHUA guidelines.
• Implement the security products across different layers: sensor layer, communication layer, data layer and application layer.
• Ensure that all the systems, network and edge devices are configured as per the minimum baseline security guidelines.
• Perform security assessment of the services and close identified gaps before Go-live.

Security operations

• Conduct security operations in line with the security procedures—change management, incident management, etc.
• Design, implement and operate a security operations centre (SOC) with advanced analytical capabilities and integrate with all
the systems and edge devices, wherever possible. Operate the SOC on a 24x7 basis to detect, identify and respond to security
incidents.
• Enforce a comprehensive patch management process including regular and timely updates of all firmware and
operating systems.
• Periodically test business continuity and disaster recovery plans for smart services.

Security assurance

• Set up an assurance process to regularly review the security posture, and enhance cyber security maturity.
• Perform regular vulnerability scanning of firmware, operating system, applications, API, etc., to identify and mitigate existing
security vulnerabilities. Perform regular configuration reviews of all systems, network and edge devices to ensure security is
continuously maintained.
• Review the security-related SLAs on a regular basis and identify areas of improvement.
• Conduct periodic reviews against regulatory requirements and enhance overall security maturity.

About DSCI
Data Security Council of India (DSCI) is a premier industry body on data protection in India, setup by NASSCOM®,
committed to making the cyberspace safe, secure and trusted by establishing best practices, standards and initiatives
in cyber security and privacy. DSCI brings together governments and their agencies, industry sectors including IT-BPM,
BFSI, Telecom, industry associations, data protection authorities and think tanks for public advocacy, thought leadership,
capacity building and outreach initiatives. www.dsci.in

Contacts
DSCI team

Amit Verma
Deputy Director, DSCI

Manishree Bhattacharya
Manager – Research, DSCI
About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 158 countries
with more than 2,36,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out
more and tell us what matters to you by visiting us at www.pwc.com
In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and
Pune. For more information about PwC India’s service offerings,
visit www.pwc.com/in
PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate,
independent and distinct legal entity. Please see www.pwc.com/structure for further details.
© 2018 PwC. All rights reserved

About the authors


This report has been co-authored by Sivarama Krishnan, Rahul Aggarwal, Anas Viquar, Vikas Sood, Suman Bhunia, Amit Verma,
and Manishree Bhattacharya.
Sivarama Krishnan leads the Cyber Security practice at PwC India. Rahul Aggarwal is a Partner and focuses on cyber security
within the government practice. Anas Viquar and Vikas Sood are Associate Directors in Cyber Security and focus on smart cities.
Suman Bhunia is a Manager in Cyber Security and focuses on IoT security.
Amit Verma and Manishree Bhattacharya are part of Data Security Council of India (DSCI) and focus on industry development
and research in cyber security and data privacy.

Contact us
Sivarama Krishnan
Leader, Cyber Security
[email protected]

Neel Ratan
Leader, India Government Sector
[email protected]

Siddharth Vishwanath
Partner and Cyber Advisory Leader
[email protected]

Rakesh Kaul
Leader, Government and Public Sector
[email protected]

Rahul Aggarwal
Partner, Cyber Security
[email protected]

NSN Murty
Leader, Smart Cities
[email protected]

pwc.in
Data Classification: DC0
This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by
PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates
contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their
own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither
accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or
decide not to or fail to take.
© 2018 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability
company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited
(PwCIL), each member firm of which is a separate legal entity.
SG/September2018-14660
