Automatic assets identification for smart cities: Prerequisites for cybersecurity risk assessments

Abstract

Generally speaking, an asset is something that has a potential or actual value for an organization. In the context of this paper the concept of the “organization” has to be extended to comprise a smart city or a compound structure of smart cities interrelated at different administrative, legislative, geographical and technical levels. The management of an asset portfolio is generically introduced by ISO 55000. Management of fixed assets is a process that seeks to track assets for the purpose of financial accounting, theft prevention, preventive maintenance etc. Software asset management (SAM), as covered by ISO/IEC 19770-5, addresses processes and technology for managing software and related IT assets. These digital assets are key enablers for most activities in a world of smart cities. The fact that systematic asset management is currently enforced only in a few, heavily regulated business domains indicates that, at a smart city level, this will be a daunting challenge. The focus of this paper is on the manual and automatic asset identification, annotation and tracking as well as on the assignment of graded application security controls (ASCs) that can benefit from a comprehensive and formalized asset management. This includes the availability and integrity of fixed and mobile information technology (IT) assets connected to wired and wireless networks and the reliability and integrity of software assets installed on servers and cloud environments. Asset identification is a precondition for the safe application of security patches and for conducting risk assessments with consideration of version and patch-level specific dependencies between software components. Rigorous and pervasive asset management provides value beyond security, for example with regard to a more efficient use of software license pools or other temporarily assigned resources (like exchangeable battery packs) or resources needed on demand (like smart healthcare robots). Unfortunately, new concerns are also raised, as semi-formal asset descriptions, enhanced details on links between assets and the simplified tracking of assets may be misused for sophisticated attacks targeting combinations of version specific vulnerabilities. For selected ongoing smart city related projects this paper addresses the stringent need of adding a semi-formal asset management, the immediate benefits and the expected progressive benefits derived e.g. from model-based guidance that relies on the asset specific intelligence.