Cybersecurity Crisis Management

This section summarizes the aspects to be considered for the management of cyber incidents, as well as for the eventual escalation of incidents into cyber crisis situations. It also sets out the organizational/administrative requirements for ensuring an optimum operational response to cyber incidents, in the context of horizontal synchronization (across the Smart City environment and with external partners) and vertical cooperation (with the relevant authorities).

The crisis management considerations are then applied to the IMPETUS context, pointing out the role of the proprietary solutions in ensuring and supporting the cybersecurity of Smart Cities.

The section is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

1. Incident management - main actions to ensure a performant incident management process

2. Cooperation and reporting - the role of cooperation for Cybersecurity implementation

3. High availability - conditions to ensure continuity of services

4. Operational landmarks - a mapping with IMPETUS operational approach


1. Incident management

This chapter presents the main steps to ensure a performant incident management process. It also provides landmarks for the correct definition of the situations that need incident management.

The chapter is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

1.1. Incident management stages

Incident management in cybersecurity consists of the operational processes of preparation and reaction, with the explicit purpose of preventing and counteracting cyber-physical incidents. It includes a series of stages for filtering and sorting events according to a funnel triage methodology, so that resources and the measures taken to limit harm and damage can be managed properly, and so that the incident itself provides the basis for documenting and disseminating threat information at the level of the Smart City partners.

Incident management includes the following stages [NIST, 2012]:

- Preparation, which involves configuring and maintaining a resilient security infrastructure, raising the awareness and specialization of staff in the cybersecurity domain, securing management buy-in, exercising the response to incidents, and improving the weak points or leaks identified in the ecosystem.

- Detection and analysis, which implies the use of SIEM and SOAR capabilities for automated detection, as well as threat hunting processes inside the SOCs, where funnel filtering and prioritizing, followed by thorough analysis, are deployed so that decisions for a timely reaction to potentially harmful incidents are documented.

- Containment, eradication and recovery. Incidents that get past the multi-level protection layers and manifest in the protected ecosystem need to be contained (to limit the harmful effects, to avoid spreading and to document their modus operandi) and eradicated (to clean the systems of malicious code and actively operating threats). The affected assets then need to be reinstated so that they function seamlessly at the expected level of performance.

- Post-incident activity, which involves retaining evidence, as well as documenting, sharing and reporting information related to the incidents that occurred, in order to support accountability, to substantiate decisions, to improve the ecosystem's protection and to add new lessons learned to the knowledge base.

1.2. Events vs. Incidents vs. Crisis

There are differences in how the concepts of "events", "incidents" and "crisis" are perceived, depending on whether they refer to the physical world or to cyber space. Their manifestation in the physical world is linear (bound to the laws of physics) and traceable, while in cyber space it is rather scalable (dependent on human creativity) and transparent to the outside world. Consequently, events, incidents and crises have different dynamics depending on where they occur.

In the physical world, events and incidents are point-in-time materializations of accidents or of human will, usually limited to specific areas, resources, time and momentum. The complexity of physical events and incidents depends on the human capacity to organize, synchronize and manage in the physical environment, which, practically, has a linear scale of manifestation and may be easily identified, tracked, stopped and investigated. Once the source of events and incidents has been identified and neutralized, their propagation is rarely out of control (an exception being when the disturbance propagates through ideas, making neutral people adopt them and continue the implementation more or less spontaneously).

In cyber space, events and incidents carry entirely different meanings.

Events are all the technological activity inside systems and networks, recorded as meta-data or logs for functional and security purposes. Meta-data is a representation of the activity history inside the technological devices: almost any automated process or human command is registered chronologically, in order to keep awareness of and control over the technology.

Cybersecurity events are logs with possible relevance for security purposes. They may usually be of the order of millions or billions per day, depending on the scale and activity of the technological infrastructure.

After thorough, customized filtering, a small portion of events may represent potential cybersecurity incidents. Human technical analysis may then conclude whether the identified incidents are a real manifestation of harmful activity or just false positives. In parallel, threat hunting activities have the complementary purpose of extracting the false negatives from the neglected events (i.e., those that the automatic filtering process perceived as irrelevant but that are actually real incidents and put assets at risk). Cybersecurity incidents may be of the order of units or tens per day, and most of them can be harmless, being unable to penetrate the protection measures down to the core level needed for exploitation.

However, some cybersecurity incidents may be able to produce harm. Moreover, depending on their complexity and the associated risks, cybersecurity incidents may generate crisis situations, making it compulsory to synchronize the actions for a prompt response. The differentiation between regular cybersecurity incidents and cybersecurity crisis situations is a matter of perception, categorizing and tagging, established and agreed by high-level decision makers in the preparatory phase according to a series of specific criteria.

No less important, a Smart City is a cyber-physical environment and thus borrows characteristics of both physical security and cybersecurity. A crisis situation in a Smart City ecosystem may reflect the occurrence of events and incidents in both the physical and the virtual environment, bringing leveraged harm and scaled consequences.

The Degraded Modes section presents specific details related to the management of malfunctions of, e.g., the IMPETUS solutions, requirements for building robustness and resilience into the infrastructure, as well as practical considerations for tagging and responding to cyber-physical crisis situations.
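The funnel described in this chapter (events, automated filtering into candidate incidents, analyst verdicts on false positives, threat hunting for false negatives among the discarded events, and crisis tagging against criteria agreed beforehand) as an added, runnable illustration; it is not IMPETUS code. The sample events, the filter thresholds, the CTI indicator and the crisis criteria are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs); each dict is one log/meta-data record.
EVENTS = [
    {"id": 1, "asset": "web-portal", "domain": "cyber", "kind": "auth_fail", "src": "198.51.100.7"},
    {"id": 2, "asset": "web-portal", "domain": "cyber", "kind": "auth_fail", "src": "198.51.100.7"},
    {"id": 3, "asset": "web-portal", "domain": "cyber", "kind": "auth_fail", "src": "198.51.100.7"},
    {"id": 4, "asset": "web-portal", "domain": "cyber", "kind": "auth_fail", "src": "198.51.100.7"},
    {"id": 5, "asset": "web-portal", "domain": "cyber", "kind": "auth_fail", "src": "198.51.100.7"},
    {"id": 6, "asset": "web-portal", "domain": "cyber", "kind": "auth_ok", "src": "203.0.113.5"},
    {"id": 7, "asset": "hr-laptop-12", "domain": "cyber", "kind": "av_alert", "sig": "EICAR-Test-File"},
    {"id": 8, "asset": "hr-laptop-12", "domain": "cyber", "kind": "dns_query", "name": "update.example.net"},
    {"id": 9, "asset": "traffic-ctrl-4", "domain": "physical", "kind": "sensor", "value": 1.01},
    {"id": 10, "asset": "traffic-ctrl-4", "domain": "physical", "kind": "sensor", "value": 9.80},
    {"id": 11, "asset": "traffic-ctrl-4", "domain": "physical", "kind": "dns_query", "name": "c2.bad.example"},
]
AUTH_FAIL_THRESHOLD = 5                    # assumed tuning of the automated filter
SENSOR_RANGE = (0.0, 5.0)                  # assumed valid range of the constructed sensor
THREAT_INTEL_DOMAINS = {"c2.bad.example"}  # constructed indicator, as a CTI feed would supply


def automated_filter(events):
    """Stage 1 (automatic): shrink the event stream to candidate incidents.
    Returns (candidates, neglected); the neglected events are what threat hunting looks at."""
    fails, candidates, matched = defaultdict(list), [], set()
    for e in events:
        if e["kind"] == "auth_fail":
            fails[(e["asset"], e["src"])].append(e["id"])
        elif e["kind"] == "av_alert":
            candidates.append({"name": "malware", "asset": e["asset"], "domain": e["domain"], "events": [e["id"]]})
            matched.add(e["id"])
        elif e["kind"] == "sensor" and not SENSOR_RANGE[0] <= e["value"] <= SENSOR_RANGE[1]:
            candidates.append({"name": "sensor_anomaly", "asset": e["asset"], "domain": e["domain"], "events": [e["id"]]})
            matched.add(e["id"])
    for (asset, src), ids in fails.items():
        if len(ids) >= AUTH_FAIL_THRESHOLD:
            candidates.append({"name": "brute_force", "asset": asset, "domain": "cyber", "events": ids})
            matched.update(ids)
    neglected = [e for e in events if e["id"] not in matched]
    return candidates, neglected


def threat_hunt(neglected):
    """Stage 2b (human-driven): recover false negatives among the events the filter discarded,
    here by matching DNS queries against CTI indicators."""
    return [{"name": "c2_beacon", "asset": e["asset"], "domain": e["domain"], "events": [e["id"]]}
            for e in neglected if e["kind"] == "dns_query" and e["name"] in THREAT_INTEL_DOMAINS]


def analyst_review(candidates, verdicts):
    """Stage 2a (human): keep only candidates the analyst confirms; unknown names count as false positives."""
    return [c for c in candidates if verdicts.get(c["name"], False)]


def classify(confirmed):
    """Stage 3: apply the crisis criteria agreed by decision makers in preparation. Assumed criteria:
    confirmed incidents on two or more assets spanning both the cyber and the physical domain -> crisis."""
    if not confirmed:
        return "event"
    assets = {c["asset"] for c in confirmed}
    domains = {c["domain"] for c in confirmed}
    return "crisis" if len(assets) >= 2 and domains == {"cyber", "physical"} else "incident"


def triage(events, verdicts):
    """Run the whole funnel and report how much each stage kept."""
    candidates, neglected = automated_filter(events)
    confirmed = analyst_review(candidates + threat_hunt(neglected), verdicts)
    return {"events": len(events), "candidates": len(candidates),
            "confirmed": len(confirmed), "level": classify(confirmed)}
```

With the constructed events, the EICAR alert is dismissed by the analyst as a false positive, while the DNS query the filter ignored is recovered by hunting; because confirmed incidents then touch a cyber and a physical asset, the batch is tagged as a crisis.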

1.3. Adjusting the perception

Given the high level of complexity that characterizes Smart City environments, infrastructure managers need to keep their awareness updated and open, in order to calibrate their perception to the realities of the operational challenges. Threat intelligence and knowledge about the evolution of relevant risks need to substantiate the adaptation of event filtering and analysis, as well as the patching of newly discovered contextual vulnerabilities.

Perception is paramount for gaining situational awareness. If it lags behind, the entire cybersecurity lifecycle is delayed and weakened, making the protection efforts derisory. On the other hand, it is very difficult to reach a perfect understanding of the environmental risks, due to many factors beyond human control (at least at the level of administrators and managers), e.g., the physical limits of sensors, the limited sets of data extracted from sensors, the limits of hardware and software processing capabilities, and the countless but sometimes difficult options for integrating and analysing all the collected data.

However, continuously adjusting the monitoring processes helps to manage the degraded operation of platforms, to identify the indicators of emerging threats, and to anticipate and prevent the materialization of risks. It is an operational change management process that allows continuous adjustment to the evolution of risks under conditions of high dynamics and uncertainty.

Perception adjustment needs to be a requirement of the crisis management procedures, since it improves the preparation stage and helps to approach normal incidents and crisis situations in a differentiated way. It is a management tool for setting the proper conditions and parameters that allow the efficiency of cybersecurity efforts and resources to increase.

1.4. Adjusting the reaction

Infrastructure managers also need to keep themselves alert, so that the reaction capabilities can be deployed spontaneously when a risk materializes. All the stages of the incident management process need to be seamlessly correlated and synchronized, in order to limit any potentially harmful consequences.

The optimal implementation of incident management depends on the quality and calibration of the procedures, on exercising and testing the reaction capabilities, on the creativity to respond to ongoing incidents, as well as on the adaptation of procedures and the improvement of preparedness, knowledge base and expertise. All the actions taken before, during and after an incident add value to the reaction chain; thus, they need to be improved, correlated and duly taken.

While the foundation of incident and crisis management lies in the preparation efforts, actual success and efficiency lie in the capacity for spontaneous adaptation to the dynamics of the situation. Procedures and exercising facilitate the coordination and scaling of the reaction, while creativity and expertise support suitable tactical and strategic decision making.

2. Cooperation and reporting

This chapter emphasizes the role and specifics of cooperation for cybersecurity implementation, and lists the activities and IMPETUS tools that support the reporting activities.

The chapter is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

2.1. The need for cooperation

In a multi-stakeholder context (e.g., a Smart City), besides the proper preparation and deployment of security capabilities around each of the protected infrastructures, the most important actions for streamlining the incident management process are reporting and cooperation. Synchronization of individual and orchestrated actions (i.e., between multiple SOCs) is needed to counteract the spread of malicious activities and to limit their harmful effects.

Usually, the attackers have an advantage, based on their freedom from social laws, rules and procedures and on their high collective organization, that allows them to deploy fast and stealthy actions. The slowness of bureaucracy inside authorities, institutions and organizations needs to be compensated with agile action paths that allow a real-time reaction to complex attacks.

Each SOC shall have its own properly customized communication and action procedures for cyber incidents, allowing a firm reaction that keeps the infrastructures in good standing. It must be emphasized that cyber-physical resilience depends on both preparation actions and adaptation capacity.

Coordination among SOCs shall then be clearly established and tested, in such a manner as to allow horizontal cooperation, bottom-up reporting and top-down command and control, without overlaps. The distribution of responsibilities and the requirements for communication shall be well established, in order to ensure proper information for substantiating decisions and optimal workflows for implementing them.

2.2. Cooperation requirements

Depending on the custom conditions of the protected technological ecosystems, the communication between SOCs shall be organized in the most advantageous architecture, one that ensures situational awareness, decision facilitation and support, as well as a firm reaction to incidents. Usually, the SOC structure is built around a pyramidal system-of-systems that allows the strategic management of security under unitary command and control capabilities.

The IMPETUS cybersecurity approach takes advantage of these principles to concentrate relevant information and technical tools under the command of a single SOC with the capability to deploy a real-time reaction to incidents. System and sensor data, as well as Intelligence, are collected (mainly via automated tools, such as Cyber Threat Intelligence/CTI in IMPETUS), then processed and leveraged (e.g., via correlation tools, such as Cyber Threat Detection and Response/CTDR in IMPETUS). Correct understanding and management of the operational information supports situational awareness and the decision-making processes, and is thus vital for preventing and promptly neutralizing the threats that endanger the safety of people in high-tech urban ecosystems.

Reporting and cooperation are supported by subsidiary activities such as:

- information collection (from sensors);

- Intelligence gathering (from both technical and human sources);

- information analysis and processing (by both technical and social analysts);

- transfer of indicators of compromise and CVE information;

- technical information exchange between operational teams and between SOCs (including with SOCs not related to the Smart City/IMPETUS);

- technical support for patching and remediation;

- informing operational decision makers, relevant stakeholders and infrastructure owners;

- informing the media and the public (with the relevant aspects, when applicable);

- dissemination of lessons learned and best practices in the cybersecurity community.

All communications need to take place over appropriate channels, depending on the sensitivity of the information. Cybersecurity usually makes use of dedicated communication platforms (e.g., dedicated and secured chat, forums and information exchange platforms such as MISP), strictly following the Traffic Light Protocol (TLP) to respect the need-to-know and need-to-share principles.

Moreover, Smart Cities can also create their own trusted cybersecurity communication infrastructures (i.e., identity-based trust frameworks), to ensure interoperability, resilience and coordination of security-related actions. This may not only support cooperation between Smart Cities, but also interconnect with other multi-purpose trust frameworks, integrating the cybersecurity of multiple industries at national and international level.
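One way to enforce the TLP need-to-know and need-to-share rules when a report is routed to the audiences listed above (own SOC, infrastructure owners, other Smart City SOCs, external SOCs, media and public), as an added example that is not IMPETUS or MISP code. The TLP labels are the FIRST TLP 2.0 definitions; the audience-to-label mapping, the report and its indicator values are constructed assumptions.

```python
from enum import IntEnum


class TLP(IntEnum):
    """FIRST TLP 2.0 labels, ordered from most to least restrictive."""
    RED = 0           # disclosure limited to the named recipients only
    AMBER_STRICT = 1  # recipient's own organisation only
    AMBER = 2         # recipient's organisation and its clients, on a need-to-know basis
    GREEN = 3         # peers and partner organisations in the community, never public channels
    CLEAR = 4         # no limits on disclosure


# Labels as written in report headers. TLP:WHITE is the TLP 1.0 name of what TLP 2.0 calls CLEAR.
LABELS = {"TLP:RED": TLP.RED, "TLP:AMBER+STRICT": TLP.AMBER_STRICT, "TLP:AMBER": TLP.AMBER,
          "TLP:GREEN": TLP.GREEN, "TLP:CLEAR": TLP.CLEAR, "TLP:WHITE": TLP.CLEAR}

# Assumed mapping from the reporting audiences named in the text to the most restrictive label
# that still permits disclosure to them. Treating SOCs outside the Smart City as part of the
# "community" is a policy choice the partners would agree in preparation; it is assumed here.
AUDIENCES = {
    "named_recipients": TLP.RED,
    "own_soc": TLP.AMBER_STRICT,
    "infrastructure_owners": TLP.AMBER,
    "smart_city_socs": TLP.GREEN,
    "external_socs": TLP.GREEN,
    "media_public": TLP.CLEAR,
}


def parse_label(text):
    """Reject anything that is not a known label instead of guessing a default."""
    try:
        return LABELS[text.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown TLP label: {text!r}") from None


def effective_tlp(report):
    """A report is only as shareable as its most restrictive part: the header label and each
    indicator's own label are combined by taking the minimum."""
    levels = [parse_label(report["tlp"])] + [parse_label(i["tlp"]) for i in report["indicators"]]
    return min(levels)


def may_share(report, audience):
    """Need-to-know: True only if the report can go to this audience unchanged."""
    return effective_tlp(report) >= AUDIENCES[audience]


def redact_for(report, audience):
    """Need-to-share: return the part of the report that may go to the audience, dropping
    indicators whose label forbids it, or None if even the header label forbids disclosure."""
    needed = AUDIENCES[audience]
    if parse_label(report["tlp"]) < needed:
        return None
    return {**report, "indicators": [i for i in report["indicators"] if parse_label(i["tlp"]) >= needed]}


# Constructed advisory: TLP:GREEN overall, but one indicator was received under TLP:AMBER.
REPORT = {
    "title": "Credential stuffing against citizen portals (constructed sample)",
    "tlp": "TLP:GREEN",
    "indicators": [
        {"type": "ip", "value": "198.51.100.7", "tlp": "TLP:GREEN"},
        {"type": "ip", "value": "203.0.113.44", "tlp": "TLP:AMBER"},
    ],
}
```

The embedded AMBER indicator pulls the whole report down to AMBER, so it cannot be forwarded to the other Smart City SOCs as-is; the redacted version without that indicator can.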

3. High availability

This chapter lists the conditions for ensuring continuity of services, and maps the IMPETUS tools that provide support in this regard.

The chapter is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Decision makers

The success of crisis management is measured by the capacity to resist, confront and overcome adversity, ending up with as little damage as possible (preferably none at all). Response to a crisis consists of leveraging the adaptation capacity of both cybersecurity technology and human decision, in such a manner as to ensure proper resilience at the level of the entire protected ecosystem.

Cybersecurity incidents may occur at any time and are not limited by physical boundaries. They put great pressure on the security mechanisms to be fully prepared and operational at all times. The uncertainty specific to the manifestation of cybersecurity threats generates the need for SOCs that operate 24/7, with continuity personnel who can ensure permanent monitoring and analysis of the threat landscape.

In the case of major incidents that trigger crisis situations, an operational crisis management cell shall be stood up immediately, so as to react properly to the occurring events. This structure consists of high-level decision makers empowered to order appropriate action for the security of the entire Smart City ecosystem. All the relevant social actors shall be represented in the crisis management cell, to protect the people and technology exposed to adversity.

To ensure high availability of the crisis management capabilities, specific procedures shall be developed and frequently tested. Likewise, dedicated exercises, both hands-on and table-top, shall validate the functionality of the cybersecurity technology and the efficiency of the operational cooperation and reporting mechanisms.

In this regard, IMPETUS offers the Cyber Threat Detection and Response/CTDR tool for processing and optimizing the response to possible cybersecurity attacks, and for calibrating the strategies for approaching the particular high-probability Smart City-related threats identified by means of the Cyber Threat Intelligence/CTI tool.

4. Operational landmarks

This chapter describes the IMPETUS approach with regard to the cybersecurity operational landmarks, emphasizing the logic of the tools inside the IMPETUS platform and the security process flows that they support.

The chapter is suited at least for:

  • SOC operators

  • SOC supervisors

  • IT personnel

  • Intelligence analysts

  • Government staff

  • Decision makers

4.1. IMPETUS Cybersecurity Mindset

IMPETUS makes use of a series of cyber and physical security technologies that ensure the protection of Smart City environments. The security infrastructure consists of sensors, data collectors and transmitters, threat Intelligence gatherers, vulnerability detectors and assessors, information processing and analysis tools, simulators for exercising and training, as well as incident management solutions. These are all managed centrally, in a SOC with integrated monitoring and support for unitary decision, command and control.

The entire architecture benefits from multiple layers of information processing, allowing funnel filtering to extract the most relevant and accurate essence out of massive structured and unstructured databases (Big Data with open, functional, operational, Intelligence and security information). From data to decision, information is subject to multi-level analysis, in direct relation to the functional specifics of the operators. Thus, the IMPETUS platform provides dedicated view modes for developers, administrators, analysts, security specialists, high-level SOC operators and decision makers.

A symbolic representation of the IMPETUS security information workflows is shown in the figure below. Tools such as Urban Anomaly Detector/UAD, Cyber Threat Intelligence/CTI, Social Media Detection/SMD, Firearm Detector/FD and Bacteria Detector/BD facilitate data gathering from various sources in the physical and virtual environments; Workload Monitoring System/WMS supports Big Data analytics and interpretation; and Cyber Threat Detection and Response/CTDR and Evacuation Optimiser/EO offer a solid ground for optimizing decisions and response, in order to prevent and counteract cyber-physical incidents and to avoid or limit any eventual damage.


Representation of security information workflows in IMPETUS

4.2. Mapping the IMPETUS solutions

IMPETUS comes with a series of dedicated cybersecurity solutions (i.e., the Cyber Threat Intelligence/CTI and Cyber Threat Detection and Response/CTDR tools) that support information gathering, vulnerability analysis and response optimization.

Cyber Threat Intelligence/CTI offers the capability of automated search for threats in the deep and dark web environments, in order to extract the main characteristics of high-probability attacks that could endanger Smart Cities in the foreseeable future. This kind of information has preventive relevance: it shall prepare the administrators to properly patch the systems' vulnerabilities, and the security operators to focus their attention and analysis on newly found risk indicators (which have not yet been released publicly as CVEs).

Threat intelligence offers the best preparatory lever for cybersecurity. Beyond any detection capability, proper Intelligence (related to the technical TTPs of attackers and to their human intentions and actions) provides the basis for timely and precise decisions on consolidating security weaknesses. Networks are scanned for the suspected vulnerabilities, detection mechanisms are calibrated for the new malicious behaviours expected to occur in the systems' activity, threat hunting is focused specifically on the indicators of the coming/predicted attacks, and new CVEs are created, helping to protect Smart Cities from cyber-criminal activity.

Knowledge of the future actions of hackers allows a more efficient management of security resources.

Cyber Threat Detection and Response/CTDR uses facilities based on attack graphs to offer operators improvements and optimizations for the response to cybersecurity incidents. It ensures a learning loop that gathers experience and knowledge from incident situations, fusing and correlating data from multiple and diverse sources, and transforms them into applied modelling of the reaction capabilities.

The IMPETUS cybersecurity tools offer multi-layered awareness and protection, contributing to the elimination of security weaknesses in Smart City ecosystems. They use a holistic approach (covering and testing all the technological assets and dynamics) to enhance infrastructure robustness and resilience, thus raising the capacity to predict the occurrence of risks.