Smart City Cyber Security

Cyber Security for the development of Smart Cities

  • Photo by Tyler Lastovich on Pexels.com

    A review of recent attacks to City public services around the World revels a range of attack types and also the rise of IOT Botnet capabilities including the new Botnet developed for DDoS attacks using the Kaiji malaware. Attacks to City public services continues with the same theme of phishing attacks to employees to launch malware for ransomeware and other activities.

    Recent Attacks – March & April 2020
    Durham City and County services (North Carolina) targeted in cyber attack, 80 servers taken offline
    City of Cartersville paid ransomware attackers $380K
    City of Wayne, Nebraska hit by ransomware attack
    Hackers compromise financial information for Carson City residents who pay water bill online
    City of Racine attacked with ransomware
    City of Hamilton warns data breach may compromise residents’ personal information
  • Photo by Tyler Lastovich on Pexels.com

    Zenzic, in partnership with the Centre for Connected and Autonomous Vehicles (CCAV) and Innovate UK, invested £1.2 million in 7 projects to support the development of connected and self-driving vehicle cyber security testing capabilities. Cyber Resilience in CAM – Cyber Feasibility Report is now available to download. The report was developed to summarise the findings from the seven Cyber Feasibility projects. The website and report also provide links to the 7 project reports..

    Having participated in one of the 7 projects and now having spent some time reading through the others i found there are key sections within the reports that are relevant to Smart Cities Vehicle and Mobility Management. I do recommend visiting the Zenzic website to find out more. I will explore some of the connections in other parts of this website and the Smart City Cyber Security Framework.

  • Photo by Tyler Lastovich on Pexels.com

    The second part of the NIST CSF Identify Function is the Business or City Environment in this case. According to the standard, the purpose of this function category is:

    The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

    Cities are very complex systems, especially very large metropolis capital cities hosting millions of citizens. Even a small city of hundreds of thousands of citizens has a challenge defining, managing and protecting all the things that constitute it. Successful cyber security, on a daily basis and for the future, requires insight and support from all those involved in the management and delivery of the city and its services. A City cannot change all at once so it must ensure, that as different parts of the city migrate from older legacy systems and technologies to new ones, effective coordination and communication exists across the departments and with the cyber security teams. The same applies to cyber security services within a city as it too evolves to meet the demand to secure smart new City services and technologies. One key aspect of defining the environment is to make the City more situationally aware of what is happening, where it is happening and for what reason. The City Environment has to be broken down into manageable sections, which could follow existing geographical as well as hierarchical structures. Through this, cyber security within a City must be able to collect and analyse information and intelligence to understand specifics and to help support decisions and assess risk and new threats.

    The Smart Transformation that Cities are undergoing has the potential to offer incredible benefits and changes to the way that Cities operate and serve the citizens that live or travel there. Cyber Security will have an important role protecting and monitoring the many systems and services brought about by this Smart Transformation and to do so it has to understand how a city operates, how decisions and events unfold and how the many departments and services work together. There are key requirements for this control and they include understanding a City’s role in the Supply Chain, its Critical Infrastructure, Departments and Services, the development and communication of cyber security policies and means of resilience across the Infrastructure, Departments and Services. Each of these requirements poses significant challenges to a City as well as the many dependencies placed upon it by the Private Sector and its Citizens.

    This is perhaps best explored with an example. If we consider the Logistics Sector and the role of Goods Delivery in the Supply Chain then many Supermarkets, Shops and other Business types rely upon the timely delivery or collection of goods. Smart Cities will need to equip their infrastructure and traffic management systems to provide effective transit, loading bays and parking facilities to enable this. Failure of these facilities could lead to disruption and impairment to business operations and services.

    To help understand how this NIST CSF Function applies to a City and its Smart Transformations I plan to use three different methods to do this:-

    1.  David C Hay – Enterprise Model Patterns. It offers a generic model that is divided up into 5 key upper concepts:

    • Parties – People and Organisation (Who)
    • Geographic Locations (Where)
    • Assets (What)
    • Activities (How)
    • Timing (When)

    2. Mereology – In philosophy and mathematical logic, mereology is the study of parts and the wholes they form. Source Wikipedia

    3. The Viable System by Stafford Beer

    Interesting Websites that help to show the scope of this control
    Siemens The Atlas of Digitalization
    NIST IES-City Framework
    Sidewalk Labs Toronto Project

    A final consideration for this control is the role it will play in supporting Smart City Cyber Security Situational Awareness. It is likely that as Smart Cities develop that certain City Departments will have operational management tools overseeing the technologies and services in their control. A good example of this is a City Traffic Management system or a City Lighting Management system. Both of these systems will be collecting and processing data in real-time and will generate events or alerts should anomalies or issues occur.

    These systems will provide operational awareness and where relevant can provide contextual data to correlate with security information and events to support monitoring of systems and service. Through establishing the Identify – City Environment control, City Cyber Security services are better informed and prepared for security incidents should they occur.

    Resources
    Identify – City Environment Design Guide (WIP)
  • Photo by Tyler Lastovich on Pexels.com

    For an overview of this concept, I am going to reference an article written by Dave McComb called The Enterprise Ontology. It offers a good description of an Enterprise Ontology as well as some very good reasons as to why an organisation, and in this case a City or the City Administration, should build one. The article was written in 2006 and I will quote the first paragraph: 

    At the time of this writing, almost no enterprises in North America have a formal enterprise ontology. Yet we believe that within a few years this will become one of the foundational pieces to most information system work within major enterprises.

    We are now in 2020 and the development of ontologies for organisations and specific domains has developed considerably. The article on Wikipedia covers several examples and there is also the GIST ontology developed by Dave McComb and SemanticArts. These and many others are now underpinning the information systems that exist within many organisations.

    An organisation can take some time to design, model and build an enterprise ontology and the benefits will, if it is managed effectively, bring considerable change to people and value to the information created. An enterprise ontology provides the enterprise with a data model or indexing system to define meaning, classification and categorisation for all of its assets, systems and services. It can add a lot of value if complemented with Asset Management. It stands to reason that Smart Cities can benefit by developing a Smart City Ontology using some of the standards and examples in place today and using it with City Asset Management. The links below will take you to further references on this subject. 

    Further References
    Smart City Ontology, Classification

  • Photo by Tyler Lastovich on Pexels.com

    Design Guide: Smart City Asset Management Design Guide

    It is not surprising that the first item in NIST CF is Asset Management with the mapping to the informative references being CIS Control 1 Inventory and Control of Hardware Assets and ISO 27K Annex A8 Asset Management. It is a fundamental requirement for cyber security. Over the years I have done a few CIS assessments and Asset Management has always been an interesting topic. I found Organisations to have varying degrees of maturity in this area and to have made quite different investments into asset management as prescribed by ITIL, one of the oldest ICT standards. ITIL v3 advises, as per Service Asset and Configuration Management (SACM), a Configuration Management capability to provide a Configuration Management System and Database:-

    The purpose of SACM is to Identify, control, record, report, audit and verify service assets and configuration items, including versions, baselines, constituent components, their attributes, and relationships.

    This description can be applied to any Organisation or City Asset type – People, Process, Technology and Physical Things such as buildings, land and roads etc. A city, and especially a very large city, is made up a lot of very different asset types (physical things and human beings) and managing these assets as many of them transform is going to be a challenge. [I am not about to cover human assets as that is another dimension to the problem but I do envisage that human assets will, at some point in the future, be closely monitored by devices and internet connectivity (more than mobile phone monitoring now) which would be very beneficial in times of something as serious as the global COVID19 pandemic. Perhaps in the future humans may be monitored remotely for virus infections through devices they wear on their persons].

    A City contains a lot of assets and a good proportion of those will become smarter and connected in one way or another. Traditional assets in a city like land, buildings, roads and infrastructure have been asset managed already but in the future they will acquire new asset properties. Let’s use the traditional Street Light as an example. The first requirement when these assets become smart or connected is a means to classify and categorise these assets anew. I am going to quote the recommendations from a provider of Street Lighting, Cimcon Lighting. Their software  LightingGale software  can collect and track information about their lighting assets, such as:

    • Precise location of the asset (e.g., latitude and longitude as defined by a real-time GPS reading)
    • Installation information (e.g., installer, installation date, and other information required for warranty purposes)
    • Fixture information (e.g., luminaire type and luminaire manufacturer)
    • Real-time monitoring/metering of electrical characteristics of the fixture (e.g., voltage, power, and current)
    • Real-time usage data (e.g., burn hours and cumulative kilowatt hours)
    • Pole information (e.g., height, material, arm length, and special attachments)
    • Status/health (e.g., tilt and physical integrity)

    This is quite a lot of new information about what was once a relatively straightforward asset. Now, as a connected asset, a Street Light is producing far more information about its situation and context. The real time monitoring and usage data is itself an Asset – a Data Asset providing additional value. For example, from a cyber security perspective some of these properties and the recorded information may yield some indication if the Street Light Asset has been compromised and is failing to perform as expected. An attack scenario may involve disabling several street lights while a burglary is in progress.

    I came across an interesting PDF, produced by the City of Toronto, describing the challenges of Asset Management, they include:-

    • Status Quo – “We have always done it this way”
    • Resistance to change/unsure
    • Staff capacity challenges
    • Decentralized approach to Asset Management
    • Business Processes and PM Practices not documented
    • Patchwork of different programs and legacy systems
    • Informal Asset Management programs & solutions, spreadsheets
    • Big data, analytics challenges – IoT
    • volume, rate of creation, and types of data threaten to overwhelm the tools used to store and process it

    The list above is a list of very common problems and challenges. Asset Management is a critical dependency for Smart City Cyber Security Operations. Detection of cyber security events will be by behavioural or erroneous events as defined by their asset properties. So to outline the requirements for Asset Management for cyber security i will define how to build up sufficient specification to structure the means to manage this type of capability.

    Resources:
    Smart City Asset Management Design Guide

  • Photo by Tyler Lastovich on Pexels.com

    In this second part introduction to the Cyber Security Framework for a Smart City i will cover the scope of the framework using the best practice described by the NIST Cybersecurity Framework and how the components can be used to work together with a Smart City strategy and thus effect a smart city cyber security strategy to work in conjunction. The NIST CF has three components consisting of:

    • Implementation Tiers
    • Framework Core
    • Profiles

    According to NIST CF the Framework Core is: a set of desired cybersecurity activities and outcomes organized into Categories and aligned to Informative References. NIST CF Components

    NIST CF website provides a good guide to the implementation of the Framework as well as a number of useful resources and guides. I am going to assume that Stakeholders involved in the strategy development of a Smart City and its Security can consider and recommend the guidance provided by NIST. The PDF documentation can be found here.

    I am going to focus on the Framework Core as i find, through previous implementations of it, that it helps to advise and direct the other components. Through a gap analysis of the Core you can further define risk attributes and tolerances as per the Tier component and customise Core specifics to your organisation and monitoring scope within the Profile component.

    Within the Core component of the NIST CF are Functions, Categories, Subcategories and Informative References. In past implementations of NIST CF i have used the Functions and Categories to define operating model capabilities and the subcategories to define capability use cases. I will provide some examples to this in the tables below to show how they can be adapted for a Smart City

    1) Using NIST CF to define Asset Inventory for a Smart City System

    FunctionCategorySubcategory
    IdentifyAsset ManagementPhysical devices and systems are inventoried

    Example – Smart City System Asset Inventory

    SystemArchitectureTechnologyProperties
    Car ParkCar Parking SensorOptical Sensor, Magnetic SensorDevice Id, Application Version, Hardware Version, Firmware version

    2) Using NIST CF to define Event Data Catalogue

    FunctionCategorySubcategory
    DetectAnomalies and EventsEvent data are collected and correlated from multiple sources and sensors

    Example – Smart City System Event Data Catalogue for metadata

    EventsErrorsExceptions
    Sensor Health
    Connectivity Status
    Number of Errors
    Device fail to wake-up
    Alarm Notification
    Connectivity Failure
    Crash
    Reboot
    Timeout

    I will continue to use the NIST CF framework and align all the functions, categories and subcategories to smart city cyber security requirements. This will also include the informative references incorporated into a reference model that will also map to key classification concepts.

    Further reading
    Threat ModelsCyber Security Design Guides
  • Photo by Tyler Lastovich on Pexels.com

    Introduction to a series of posts and resources i plan to put together to outline the key aspects of a Cyber Security Framework for a Smart City strategy.

    Having recently acted as an Advisor to a new Innovate UK research project I thought I would use and adapt some of the recommendations, for problems I was addressing, for Smart City Cyber Security. The problems I was looking at were focused on the development of cyber security solutions and services for vehicles and transport systems and of which the scope included the vehicles, infrastructure and organisations as well as the aspects of operating, managing and using transport both privately and commercially. It is all becoming increasingly interconnected and as such needs to be secure and monitored at a local level and even more so at the national level. 

    Part of the problem was how to define an effective means to design and build cyber security solutions and services in a controlled fashion where multiple parties take on particular roles and responsibilities. The parties range from commercial organisations, Universities, Local and National Government agencies and the scope of monitoring covers a huge amount of assets in a variety of environments. It is this that made me think of the similarities with Smart Cities – a huge number of assets and complex environments. 

    Just recently I was with a client who was very concerned about the year-on-year rise in data volumes and demands from the business to secure new services and projects faster than ever across their global operations. After that meeting I put together the diagram below as a way of representing all of the different things and aspects that need to be considered both as a way of understanding the scope but also of what can be used or adapted. Best practice and standards will form the majority of guidance in conjunction with what is new and more changeable such as legislation, threat landscape and asset types. There is also a dependency on levels of maturity to cope with the change and legacy transition as well as deal with things that are new. It will be very easy for the scale and complexity to overwhelm and I have seen a lot of this in the past.

    Cyber Security Framework for Smart Cities

    Whilst there seems to be a lot to consider it is made easier by applying existing methodologies and frameworks rather than reinvent the process. This does not mean that every part of a method or framework needs to be applied. It is there for reference and the role of the designer is one to decide what is useful to use and what is not. There is one particular area – which I am covering in a separate part to this blog – which requires particular attention – being Classification and Categorisation underpinned by Knowledge Management. As AI and ML become more mature in their role in cyber security they will become even more effective when supported by definition and meaning – as derived from Classification and Categorisation.

    Further Reading
    Classification and CategorisationSmart City Security Ontology

  • Photo by Tyler Lastovich on Pexels.com

    As more technology is designed and developed for smart cities, to manage individual services or complex platform solutions, these technologies will be governed by compliance and regulation to control use and operation. Their generation and management of data will be a key focus as well as how they are secured and monitored. It is this data that may be a “Focus of Interest” for some attack actors or the disruption or sabotage of it that is of interest to others. The following articles are an interesting look at the range of regulatory challenges and complex integration issues.

    Network Industries Quarterly, Vol. 19, No. 3 – Regulatory Challenges for Smart Cities
    A Regulatory View on Smart City Services

    The second challenge is then the role of integrating Smart City Policy and Regulation with Cyber Security standards and best practice. The range of cyber security standards and regulations currently available provide a combination of guidance, best practice, dependencies and principles to help define and support the capabilities required to protect Smart Cities. They may not be specific to smart cities as yet but they have been developed and refined over recent years and the instruction is very valid. In many cases, much of the criteria for a security capability should come from current standards and best practice until specific guidance is produced.

    Implementing part or all of a standard may increase the effectiveness and maturity of a capability. This is particularly important for the key Detect and React capabilities which will focus on the means to identify a threat and how to respond to it. Regulations for Smart Cities and various Smart Services may well come into force as defined by individual Governments as well as Standards that City Administrators will need to consider in order to direct cyber security services.

  • Photo by Tyler Lastovich on Pexels.com

    The example high level Criteria taxonomy below provides guidance on the types of capability characteristics needed to detail a specific view of how the capability will be made up. This should be supported by a lower level of Criteria, that will need to extend this high level set with the attributes needed to address specific Smart City technologies, services and new functional requirements. The lower level attributes should encompass terminology derived from the emerging Smart City controlled vocabularies and related taxonomic structures. This ensures a level of consistency across all the capabilities and will aid integration and interoperability.

    Criteria Taxonomy
    Overview
    – High level summary of the capability
    Ownership
    – Organisational structure
    Directive
    – A list of the primary responsibilities of the capability
    Governance
    – The structure necessary to design and govern the capability
    Processes
    – Key Processes required to orchestrate and guide Roles
    Key Inputs
    – Key required input and dependencies
    Key Outputs
    – Key outputs of the capability based on input and directives
    Interfaces
    – Primary interfaces with other capabilities
    Roles
    – Key Roles including role title
    Triggering Events
    – Events that will trigger the capability
    Technologies
    – Technologies required to fulfil solution requirements

    The Capability criteria can be taken from a number of sources including enterprise architecture frameworks such as TOGAF, Zackman or SABSA. These three should provide the majority and specific criteria can be extended through technology standards, compliance or more recent smart city vocabularies from standards bodies.

    Further reading
    Smart City classification, ontology, taxonomy and vocabularies

  • Photo by Tyler Lastovich on Pexels.com

    As part of the wider Evidence Initiative, The Economist Intelligence Unit (EIU)—the research and policy arm of The Economist Group—has produced a first-of-its-kind Evidence Map to track the availability and characteristics of data in Group of 20 (G20) countries that policymakers need to make sound decisions. – The Economist Group and The Pew Charitable Trusts (2019). The Evidence Map: The Data Imperative. London and Washington, D.C.: The Evidence Initiative

    This is an interesting initiative and after reading through the report and exploring the Evidence Map I can see this as a useful source of data to support some of the challenging questions and decisions Smart City Governance and Administration need to address.

    Resources
    The Big Questions
    Evidence Map
    Evidence Map Report – PDF