The second part of the NIST CSF Identify Function is the Business Environment or, in this case, the City Environment. According to the standard, the purpose of this category is:
> The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Cities are very complex systems, especially very large metropolitan capital cities hosting millions of citizens. Even a small city of hundreds of thousands of citizens faces a challenge in defining, managing and protecting everything that constitutes it. Successful cyber security, both day to day and in the future, requires insight and support from everyone involved in the management and delivery of the city and its services. A City cannot change all at once, so it must ensure that, as different parts of the city migrate from older legacy systems and technologies to new ones, effective coordination and communication exist across the departments and with the cyber security teams. The same applies to the cyber security services within a city, as they too evolve to meet the demand to secure smart new City services and technologies.

One key aspect of defining the environment is to make the City more situationally aware of what is happening, where it is happening and for what reason. The City Environment has to be broken down into manageable sections, which could follow existing geographical as well as hierarchical structures. Through this, cyber security within a City must be able to collect and analyse information and intelligence to understand specifics, to help support decisions and to assess risk and new threats.
The Smart Transformation that Cities are undergoing has the potential to offer incredible benefits and changes to the way that Cities operate and serve the citizens who live or travel there. Cyber Security will have an important role in protecting and monitoring the many systems and services brought about by this Smart Transformation. To do so, it has to understand how a city operates, how decisions and events unfold and how the many departments and services work together. The key requirements for this control include understanding a City’s role in the Supply Chain, its Critical Infrastructure, Departments and Services, and the development and communication of cyber security policies and means of resilience across the Infrastructure, Departments and Services. Each of these requirements poses significant challenges to a City, as do the many dependencies placed upon it by the Private Sector and its Citizens.
This is perhaps best explored with an example. Consider the Logistics Sector and the role of Goods Delivery in the Supply Chain: many Supermarkets, Shops and other Business types rely upon the timely delivery or collection of goods. Smart Cities will need to equip their infrastructure and traffic management systems to provide effective transit, loading bays and parking facilities to enable this. Failure of these facilities could lead to disruption and impairment of business operations and services.
To help understand how this NIST CSF Function applies to a City and its Smart Transformations, I plan to use three different methods:

1. David C Hay – Enterprise Model Patterns. It offers a generic model that is divided up into 5 key upper concepts:
   - Parties – People and Organisation (Who)
   - Geographic Locations (Where)
   - Assets (What)
   - Activities (How)
   - Timing (When)
2. Mereology – In philosophy and mathematical logic, mereology is the study of parts and the wholes they form. (Source: Wikipedia)
3. The Viable System by Stafford Beer
| Interesting Websites that help to show the scope of this control |
|---|
| Siemens The Atlas of Digitalization |
| NIST IES-City Framework |
| Sidewalk Labs Toronto Project |
A final consideration for this control is the role it will play in supporting Smart City Cyber Security Situational Awareness. It is likely that, as Smart Cities develop, certain City Departments will have operational management tools overseeing the technologies and services in their control. A good example of this is a City Traffic Management system or a City Lighting Management system. Both of these systems will be collecting and processing data in real time and will generate events or alerts should anomalies or issues occur.
These systems will provide operational awareness and, where relevant, can provide contextual data to correlate with security information and events to support the monitoring of systems and services. By establishing the Identify – City Environment control, City Cyber Security services are better informed and prepared for security incidents should they occur.
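The correlation described above, sketched as an added example (it is not code from any city system or from the frameworks cited): operational alerts and security events are recorded against Hay's five concepts and paired when they share a zone and fall inside a time window. The field names, zone and asset labels and the 10-minute window are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """One record keyed on Hay's five concepts (field names are illustrative)."""
    feed: str        # "ops" (operational tool) or "sec" (security monitoring)
    party: str       # Who: owning department
    location: str    # Where: city zone
    asset: str       # What
    activity: str    # How: what was observed
    when: datetime   # When

def correlate(events, window=timedelta(minutes=10)):
    """Attach security events to each operational alert from the same zone
    within the window; label each match by whether the asset also matches."""
    ops = [e for e in events if e.feed == "ops"]
    sec = sorted((e for e in events if e.feed == "sec"), key=lambda e: e.when)
    findings = []
    for alert in ops:
        related = [
            (s, "asset" if s.asset == alert.asset else "zone")
            for s in sec
            if s.location == alert.location and abs(s.when - alert.when) <= window
        ]
        if related:  # alerts with no security context stay purely operational
            findings.append({"alert": alert, "related": related})
    return findings

# Constructed sample data: two department feeds, two zones.
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    Event("ops", "Traffic Management", "zone-north", "signal-controller-12",
          "signal timing anomaly", T0),
    Event("sec", "Traffic Management", "zone-north", "signal-controller-12",
          "failed admin logins", T0 - timedelta(minutes=4)),
    Event("sec", "Traffic Management", "zone-north", "parking-sensor-hub-2",
          "unexpected outbound connection", T0 + timedelta(minutes=6)),
    Event("sec", "Lighting Management", "zone-south", "lighting-gateway-3",
          "firmware hash mismatch", T0 + timedelta(minutes=2)),
    Event("ops", "Lighting Management", "zone-south", "lamp-group-7",
          "lamp outage", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["alert"].asset, "<-", [(s.activity, m) for s, m in f["related"]])
```

The lamp outage in zone-south is not paired with the firmware event because the two are hours apart; widening the window trades missed context for more coincidental matches.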
| Resources |
|---|
| Identify – City Environment Design Guide (WIP) |