A Smart City Infrastructure ontology for threats, cybercrime and digital forensic investigation
12 Feb
Introduction
Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Cyber-attacks on future technological advancements such as smart city infrastructure (SCI) will introduce new challenges to digital forensic investigators and law enforcement agencies. These challenges include a lack of standardised SCI contexts, information sharing, collaboration and tool interoperability.
Blue teams have it hard – they maintain a watchful eye on whatever technology is deployed to detect threats, respond to incidents, perform digital forensics and reverse malware (or make malware happy!) when needed. Hopefully, no one has to handle all these roles alone, since there is also the continuous learning aspect of getting up to speed with the latest threat vectors, vulnerabilities and exploit techniques. Adversaries only need one attack to succeed to achieve their actions on objectives. In contrast, defenders have to detect and stop every attack to prevent adversaries from being successful.
Smart Cities, Blue Teams and the importance of Ontologies
Multiple countries are gradually considering the concept of Smart Cities, a key consideration in the United Nations Development Programme (UNDP). As such technologies are implemented, the responsibility of defending this critical infrastructure again falls on the shoulders of blue teams. Smart Cities have yet to be fully implemented, but that does not mean we should not be proactive in preparing defenders to handle future problems. Current issues, even without Smart Cities in the fray, already cause blue teams grief (e.g. different technology platforms, different contexts, information sharing, collaboration and tool interoperability). Given these complexities, an ontology would allow a shared understanding of vocabulary, facilitate data sharing, and even enable automated reasoning over the data.
Representing attacks and cybercrime on smart city infrastructure
Wanting to pre-emptively solve future issues of attacks and cybercrime on smart city infrastructure, I (along with my co-authors in the SUTD ASSET Group) set out to create the Smart City Ontological Paradigm Expression (SCOPE). SCOPE was designed to be an ontology for threats, cybercrime and digital forensic investigation on smart city infrastructure. We did not create the ontology from scratch but chose to adhere to ontology best practices and extended the venerable Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE). UCO and CASE have gained some traction, and these ontologies have been experimentally adopted in forensic tools such as Cellebrite, Magnet Forensics, and MSAB XRY [1]. However, UCO and CASE did not have any smart city infrastructure representation, and expecting overwhelmed blue teams to create them from scratch would most certainly be the straw that broke the camel’s back.
Design Considerations of SCOPE

We deliberated on several design factors. Firstly, we defined smart cities using a technology-agnostic approach while adhering to international standards (with reference to Figure 1) that adopted the United Nations (UN) Sustainable Development Goals (SDG); this was done in previous work [2]. By doing so, we ensured that the evolution of technologies or vendors would not affect the fundamental principle of Smart Cities. Secondly, we identified possible threats, cybercrime, and digital forensic evidence sources from the Smart City defined in the first step (also from the same previous work) [2]. Thirdly, we included MITRE ATT&CK techniques and MITRE CAPEC in SCOPE so that analysts and investigators can provide additional context to forensic evidence. Finally, we followed the ontological style and design practices of UCO and CASE when creating SCOPE as an expansion profile of those two ontologies.
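To make the first and third design factors concrete, here is an added illustration (not SCOPE's own code, and the class and property names are hypothetical placeholders rather than SCOPE, UCO or CASE terms): a minimal RDFS-style subclass reasoner over constructed triples, showing how a technology-agnostic class hierarchy lets an investigator query evidence from vendor-specific devices by abstract smart-city function while carrying the MITRE ATT&CK technique context along with it.

```python
# Added example, not SCOPE/UCO/CASE code. Class names below are constructed
# placeholders for the kind of expansion profile SCOPE layers over UCO/CASE.
from collections import defaultdict

# Constructed rdfs:subClassOf edges: child -> parent. Vendor-specific leaves
# sit under technology-agnostic functional classes, which sit under a
# generic smart-city asset class rooted in a UCO-style base object.
SUBCLASS_OF = {
    "SmartCityAsset": "UcoObject",
    "TrafficControlAsset": "SmartCityAsset",
    "UtilityMeteringAsset": "SmartCityAsset",
    "VendorXTrafficController": "TrafficControlAsset",  # vendor-specific leaf
    "VendorYSmartMeter": "UtilityMeteringAsset",        # vendor-specific leaf
}

# Constructed evidence records: (object id, asserted class, ATT&CK technique).
# T1190 and T1078 are real ATT&CK technique ids; the incidents are made up.
EVIDENCE = [
    ("junction-17-ctrl", "VendorXTrafficController", "T1190"),
    ("meter-0042", "VendorYSmartMeter", "T1078"),
    ("analyst-laptop", "UcoObject", "T1078"),  # not smart-city infrastructure
]

def ancestors(cls):
    """Transitive closure of rdfs:subClassOf for cls, most specific first."""
    chain = [cls]
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        if cls in chain:  # guard against a malformed cyclic hierarchy
            break
        chain.append(cls)
    return chain

def instances_of(abstract_cls, evidence=EVIDENCE):
    """Evidence asserted as abstract_cls or any of its (vendor) subclasses."""
    return [rec for rec in evidence if abstract_cls in ancestors(rec[1])]

def techniques_by_function(evidence=EVIDENCE):
    """Group observed ATT&CK techniques by technology-agnostic function."""
    grouped = defaultdict(set)
    for _, cls, technique in evidence:
        chain = ancestors(cls)
        if "SmartCityAsset" not in chain:
            continue  # ordinary UCO object, outside the smart-city profile
        idx = chain.index("SmartCityAsset")
        function = chain[idx - 1] if idx > 0 else "SmartCityAsset"
        grouped[function].add(technique)
    return dict(grouped)
```

Adding a new vendor only means adding one subclass edge; every query written against the abstract functional classes keeps working unchanged, which is the property the technology-agnostic definition is meant to buy.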
Evaluation
We evaluated SCOPE using attack scenarios drawn from publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. The evaluation process workflow is shown in Figure 2. We successfully represented the attack scenarios, the cybercrime committed, incident details, evidence and attack patterns (to name a few).

Concluding Remarks
Will SCOPE ever be helpful? Not yet. I hope it will come in handy in future for digital forensic investigators and law enforcement agencies when cybercrime on smart city infrastructure becomes prevalent. As mentioned, SCOPE is technology-agnostic while adhering to several ISO standards. Additionally, it contains enough granularity to allow users to pinpoint key information while ensuring it can capture abstract definitions covering emerging technologies. We have made SCOPE publicly available to the digital forensic community to assist future smart city infrastructure investigations. SCOPE’s GitHub project link is here, and the official ontology website is here. For complete details of SCOPE, you can find the full published paper here in Volume 52 of Forensic Science International: Digital Investigation (FSIDI) or the preprint here.
References:
1. https://doi.org/10.1016/j.fsidi.2025.301883
2. https://doi.org/10.1016/j.fsidi.2023.301540