Cyber Security Framework for Smart Cities – part 2

In this second part of the introduction to the Cyber Security Framework for a Smart City, I will cover the scope of the framework using the best practice described by the NIST Cybersecurity Framework, and how its components can work together with a Smart City strategy so that the smart city cyber security strategy operates in conjunction with it. The NIST CF has three components:

  • Implementation Tiers
  • Framework Core
  • Profiles

According to NIST CF the Framework Core is: a set of desired cybersecurity activities and outcomes organized into Categories and aligned to Informative References.

[Figure: NIST CF Components]

The NIST CF website provides a good guide to implementing the Framework, as well as a number of useful resources and guides. I am going to assume that stakeholders involved in developing the strategy for a Smart City and its security can consider and recommend the guidance provided by NIST. The PDF documentation can be found here.

I am going to focus on the Framework Core because I find, from previous implementations of it, that it helps to advise and direct the other components. Through a gap analysis of the Core you can further define risk attributes and tolerances as per the Tier component, and customise Core specifics to your organisation and monitoring scope within the Profile component.

Within the Core component of the NIST CF are Functions, Categories, Subcategories and Informative References. In past implementations of NIST CF I have used the Functions and Categories to define operating model capabilities, and the Subcategories to define capability use cases. The tables below give some examples of this to show how they can be adapted for a Smart City.

1) Using NIST CF to define Asset Inventory for a Smart City System

| Function | Category | Subcategory |
|---|---|---|
| Identify | Asset Management | Physical devices and systems are inventoried |

Example – Smart City System Asset Inventory

| System | Architecture | Technology | Properties |
|---|---|---|---|
| Car Park | Car Parking Sensor | Optical Sensor, Magnetic Sensor | Device Id, Application Version, Hardware Version, Firmware version |

2) Using NIST CF to define Event Data Catalogue

| Function | Category | Subcategory |
|---|---|---|
| Detect | Anomalies and Events | Event data are collected and correlated from multiple sources and sensors |

Example – Smart City System Event Data Catalogue for metadata

| Events | Errors | Exceptions |
|---|---|---|
| Sensor Health | Device fail to wake-up | Crash |
| Connectivity Status | Alarm Notification | Reboot |
| Number of Errors | Connectivity Failure | Timeout |
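
As an added example (not code from the original post), the two catalogues above can be turned into checks: one finds inventory records missing the listed properties, the other classifies incoming event metadata by catalogue column and flags devices that report events but are not inventoried. The field names, device ids and sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Inventory properties from the Asset Inventory table (field names are assumed).
REQUIRED = ("device_id", "application_version", "hardware_version", "firmware_version")
# Event Data Catalogue table: metadata name -> catalogue column.
CATALOGUE = {
    "Sensor Health": "Events", "Connectivity Status": "Events", "Number of Errors": "Events",
    "Device fail to wake-up": "Errors", "Alarm Notification": "Errors", "Connectivity Failure": "Errors",
    "Crash": "Exceptions", "Reboot": "Exceptions", "Timeout": "Exceptions",
}
# Constructed sample data, not from the original post.
INVENTORY = [
    {"system": "Car Park", "technology": "Optical Sensor", "device_id": "cp-0001",
     "application_version": "1.2.0", "hardware_version": "B", "firmware_version": "3.4.1"},
    {"system": "Car Park", "technology": "Magnetic Sensor", "device_id": "cp-0002",
     "application_version": "1.2.0", "hardware_version": "B", "firmware_version": ""},
]
EVENTS = [
    {"device_id": "cp-0001", "name": "Sensor Health"},
    {"device_id": "cp-0001", "name": "Timeout"},
    {"device_id": "cp-0002", "name": "Connectivity Failure"},
    {"device_id": "cp-0099", "name": "Crash"},      # device absent from inventory
    {"device_id": "cp-0001", "name": "Door Open"},  # name absent from catalogue
]

def inventory_gaps(inventory):
    """Map each record (by device id, else index) to its missing properties."""
    gaps = {}
    for i, rec in enumerate(inventory):
        missing = [p for p in REQUIRED if not rec.get(p)]
        if missing:
            gaps[rec.get("device_id") or f"record-{i}"] = missing
    return gaps

def correlate(inventory, events):
    """Classify events via the catalogue and count them per device."""
    known = {r["device_id"] for r in inventory if r.get("device_id")}
    per_device, uncatalogued, unknown = {}, [], set()
    for ev in events:
        cls = CATALOGUE.get(ev["name"])
        if cls is None:
            uncatalogued.append(ev["name"])  # catalogue gap: extend or investigate
            continue
        if ev["device_id"] not in known:
            unknown.add(ev["device_id"])     # inventory gap: device not registered
        per_device.setdefault(ev["device_id"], Counter())[cls] += 1
    return per_device, uncatalogued, sorted(unknown)

if __name__ == "__main__":
    print(inventory_gaps(INVENTORY), correlate(INVENTORY, EVENTS), sep="\n")
```
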

I will continue to use the NIST CF framework and align all the functions, categories and subcategories to smart city cyber security requirements. This will also include the informative references incorporated into a reference model that will also map to key classification concepts.
