Design Guide: Smart City Asset Management Design Guide
It is not surprising that the first item in NIST CF is Asset Management with the mapping to the informative references being CIS Control 1 Inventory and Control of Hardware Assets and ISO 27K Annex A8 Asset Management. It is a fundamental requirement for cyber security. Over the years I have done a few CIS assessments and Asset Management has always been an interesting topic. I found Organisations to have varying degrees of maturity in this area and to have made quite different investments into asset management as prescribed by ITIL, one of the oldest ICT standards. ITIL v3 advises, as per Service Asset and Configuration Management (SACM), a Configuration Management capability to provide a Configuration Management System and Database:-
The purpose of SACM is to Identify, control, record, report, audit and verify service assets and configuration items, including versions, baselines, constituent components, their attributes, and relationships.
This description can be applied to any Organisation or City Asset type – People, Process, Technology and Physical Things such as buildings, land and roads etc. A city, and especially a very large city, is made up a lot of very different asset types (physical things and human beings) and managing these assets as many of them transform is going to be a challenge. [I am not about to cover human assets as that is another dimension to the problem but I do envisage that human assets will, at some point in the future, be closely monitored by devices and internet connectivity (more than mobile phone monitoring now) which would be very beneficial in times of something as serious as the global COVID19 pandemic. Perhaps in the future humans may be monitored remotely for virus infections through devices they wear on their persons].
A City contains a lot of assets and a good proportion of those will become smarter and connected in one way or another. Traditional assets in a city like land, buildings, roads and infrastructure have been asset managed already but in the future they will acquire new asset properties. Let’s use the traditional Street Light as an example. The first requirement when these assets become smart or connected is a means to classify and categorise these assets anew. I am going to quote the recommendations from a provider of Street Lighting, Cimcon Lighting. Their software LightingGale software can collect and track information about their lighting assets, such as:
- Precise location of the asset (e.g., latitude and longitude as defined by a real-time GPS reading)
- Installation information (e.g., installer, installation date, and other information required for warranty purposes)
- Fixture information (e.g., luminaire type and luminaire manufacturer)
- Real-time monitoring/metering of electrical characteristics of the fixture (e.g., voltage, power, and current)
- Real-time usage data (e.g., burn hours and cumulative kilowatt hours)
- Pole information (e.g., height, material, arm length, and special attachments)
- Status/health (e.g., tilt and physical integrity)
This is quite a lot of new information about what was once a relatively straightforward asset. Now, as a connected asset, a Street Light is producing far more information about its situation and context. The real time monitoring and usage data is itself an Asset – a Data Asset providing additional value. For example, from a cyber security perspective some of these properties and the recorded information may yield some indication if the Street Light Asset has been compromised and is failing to perform as expected. An attack scenario may involve disabling several street lights while a burglary is in progress.
I came across an interesting PDF, produced by the City of Toronto, describing the challenges of Asset Management, they include:-
- Status Quo – “We have always done it this way”
- Resistance to change/unsure
- Staff capacity challenges
- Decentralized approach to Asset Management
- Business Processes and PM Practices not documented
- Patchwork of different programs and legacy systems
- Informal Asset Management programs & solutions, spreadsheets
- Big data, analytics challenges – IoT
- volume, rate of creation, and types of data threaten to overwhelm the tools used to store and process it
The list above is a list of very common problems and challenges. Asset Management is a critical dependency for Smart City Cyber Security Operations. Detection of cyber security events will be by behavioural or erroneous events as defined by their asset properties. So to outline the requirements for Asset Management for cyber security i will define how to build up sufficient specification to structure the means to manage this type of capability.
| Resources: |
| Smart City Asset Management Design Guide |
Smart City Cyber Security 