Proceedings of 73rd Research World International Conference, Tokyo, Japan, 7th -8th September, 2019

CYBERSECURITY - A PILLAR FOR SMART CITIES

1 PAULO VAZ, 2 JORGE RIBEIRO, 3 JOSÉ NEVES, 4 LUÍS FRAZÃO

1,4 School of Technology and Management, Polytechnic Institute of Leiria, Leiria, Portugal
2 ARC4DigiT – Applied Research Center for Digital Transformation - Polytechnic Institute of Viana do Castelo, Portugal
3 Centro ALGORITMI, Universidade do Minho, Braga, Portugal
E-mail: 1 vazpaulo@estg.ipvc.pt, 2 jribeiro@estg.ipvc.pt, 3 jneves@di.uminho.pt, 4 luis.frazao@ipleiria.pt

Abstract - Smart City (SC) is a concept that is defined differently across the literature; it can be described as a technology-based integration of both the social and economic aspects of a city in order to sustain sustainable and resilient development. Due to technological development, a large number of smart city services and processes are based on technological infrastructures, information systems and digital networks, which must be secured and managed in such a way as to support the control of the SC processes. Various guidelines for the management and control of IT, such as ISO 270xx, COBIT and ITIL, have been presented. On the other hand, Cybersecurity is one of the most recent trends and concerns regarding IT security in general and, in particular, in terms of Intelligent Infrastructure. Following an action research method to answer the question "Is Cybersecurity a necessary pillar of SCs?", a series of cybersecurity checklists was applied to a real case of a medium-sized city board with a defined SC structure. It may be concluded that it is possible to achieve the objectives associated with the relationship between SCs and Cybersecurity, and to obtain specific and important information for the specification of a learning method in order to achieve the proposed intentions and to answer the planned question.

Keywords – Cyber Security, Smart Cities, Information Technology.

I. INTRODUCTION

A Smart City (SC) is a concept that is defined differently in the literature. There are mainly two trends in the definition: a focus on a single urban aspect, such as technology or ecology, and definitions regarding the integration of different urban aspects. In line with the second trend, SC can therefore be described as a concept that refers to a technology-based integration of both Social and Economic aspects of a city in order to sustain sustainable and resilient development [1-4]. Another example of the goal of SCs is the dynamic optimization of the city in order to provide citizens with a better quality of life through the use of Information and Communication Technologies (ICT) [4, 5], which integrate the information system services of the city, such as health, education, transport, electricity, or water and waste management, to provide citizens with public services in terms of efficiency, safety, privacy and ubiquity [6, 7].

Over the last decades, several guidelines have been issued for the design, management and monitoring of Technological Security Infrastructures, including ISO 27001 [8], COBIT Information and Technology Control Goals [9] and some directives such as ITIL (Information Technology Infrastructure Library) [10]. On the other hand, cybersecurity is one of the most recent trends and concerns in IT security, and several papers have recently been presented [11-17]. Some guidelines have been suggested for Best Practices, Frameworks, and Cyber Risk Assessment, i.e., reports from the Financial Industry Regulatory Authority [18], the Cybersecurity Framework of the United States National Institute of Standards and Technology (NIST) [19], the SANS Critical Security Controls for Effective Cyber Defense [20], the ISO 27001 (Security Techniques - Cybersecurity Guidelines) [21] and Cyber Security Risk Assessment, where several private companies and public institutions provide metrics and assessment tools for the identification, analysis and assessment of Security Risks and Cybersecurity Risks [22-24].

The general objective of the study is to illustrate the relationship between SCs and Cybersecurity by applying a set of frameworks to a real SC environment. It presents an overview of various components of a SC and presents recent studies on the challenges and framework conditions for cyber security and guidelines. An action research plan was used in this work. It uses a combination of a number of frameworks based on NIST [19], SANS Institute [20] and ISO 27001 cybersecurity guidelines [21], as well as a series of additional questions on IT security [22]. The paper's work focuses on applying an action research methodology to the research question "Is Cybersecurity a necessary pillar of SCs?". It applies a set of frameworks to a real case of a medium-sized Portuguese city. In the end, some discussions, conclusions, and future work will be emphasized in order to create a better working framework for researchers and IT professionals that work on this subject. The remaining sections provide a brief overview of the concepts, challenges, and recent work on SCs, conclusions and future work.

II. SMART CITIES, SECURITY AND CYBERSECURITY

The range of areas where cities can become smarter is extensive; it is an evolution of Connected Cities with
the prevalence of data exchange at a larger scale [8]. Although it is possible to collect different definitions of the SC concept, with some emphasis on the non-uniform nature of the concept, it is agreed that the SC concept was born to provide citizens with an improved quality of life. The aim of SCs [1-6] is to dynamically optimize the city in order to provide citizens with a better quality of life through the use of Information and Communication Technology (ICT) [8]. The main idea is the integration of the information system services of the various sectors of the city, such as health, education, transport, electricity, water and waste management, in order to provide them to citizens in an efficient way [1, 2], within an urban environment that involves complex systems of infrastructure [4, 10] and, last but not least, human behavior, technology, social and political structures and economics [4, 12].

SC is based on the creation of smart infrastructures and the link between ICT and people, where the city's growth must proceed along the axes of Sustainability (by improving the relationship between the city and the environment towards a green economy); Cleverness; Context-sensitive Economy and Governance; and Inclusiveness [23]. Indeed, a SC system can be seen as a massive information system involving smaller but efficient subsystems that must be interconnected [2]. Bringing SCs closer to citizens, in turn, brings with it the new challenge of promoting access to information that is provided and consumed by citizens, while meeting all implicit confidentiality and integrity requirements. In the current concept of SCs, the treatment of individual factors must develop into a global multi-factor approach. This is even more important when two new diluted components emerge, namely Smart Governance and Smart People.

All of these aspects have contributed to the current concept of SC, which develops several areas or strategic pillars that have been presented in various studies and reports [1-3, 36-38], namely those listed below [36]:

• Smart Energy — Digital Management of Energy; Smart Grids; Smart Meters, and Intelligent Energy Storage;
• Smart Buildings — Automated Intelligent Buildings; Advanced Heating Ventilation and Air Conditioning Systems, Lighting Equipment;
• Smart Mobility — Intelligent Mobility; Advanced Traffic Management Systems; Parking Management; ITS-enabled Transportation Pricing System;
• Smart Technology — Seamless Connectivity; 4G; Connectivity; Super Broadband; Free Wi-Fi;
• Smart Infrastructure — Digital Management of Infrastructure; Sensor Networks; Digital Water and Waste Management;
• Smart Governance and Smart Education — Government-on-the-Go; e-Government; e-Education; Disaster Management Solutions;
• Smart Healthcare — Intelligent Healthcare Technology; Use of e-Health and m-Health Systems; Intelligent and Connected Medical Devices;
• Smart Citizen — Civic Digital Natives; Use of Green Mobility Options, Smart Lifestyle Choices; and
• Smart Security — Intelligent Threat Detection; Surveillance; Biometrics; Simulation Modelling and Crime Protection; Advanced Proactive Antivirus Protection.

In this sense, the final applications are bound to be objectives in themselves, being simple implementations in a global infrastructure where resources are collected, stored, processed and made available. This new, broad vision also requires a new technological approach - not focused on individual projects, but on a platform capable of gathering, storing, processing and generating information across domains. In this sense, two examples of tools for analyzing urban maturity in relation to a SC are those of the European Commission, viz.

• The City's Digital Maturity Tool [23]; and
• The European SCs Benchmarking Assessment [26].

The general rating is a weight-based dimension of the SCs environment, based on surveys and questionnaires.

On the other hand, security and privacy issues are becoming increasingly challenging, despite the huge efforts to combat cybercrime and cyberterrorism. Cybersecurity addresses the security of data and the applications and infrastructure used to store, process and transmit data. It is understood to be the process of protecting data and information by preventing, detecting and responding to cybersecurity events. Such events, including intentional attacks and accidents, are changes that may affect organizational operations [6, 8]. Many other laws need to be standardized and published to make the IoT gate more trustworthy. It is necessary to create a more reliable, secure and sustainable energy's Internet to enable IoT connectivity and interoperability between things [4, 5]. Many of these technologies are wireless and depend on custom protocols and encryption platforms. Even more worrying is the fact that many SCs have not yet developed action plans describing responses to possible cyber-attacks on city services, infrastructure and ICT systems [6]. After defining the areas and goals, the system to be designed must have an architecture that reconciles all these requirements, namely accessibility, availability, robustness, scalability and security.

Waedt, Karl and Ciriello (2016) [21] present a study on the automatic identification of assets for SCs, requirements for the assessment of cybersecurity risk. Their study focused on manually and automatically identifying, commenting, and tracking assets, as well as assigning Tiered Application Security Controls (TASCs) that can benefit from comprehensive and formalized asset
management. This includes the availability and integrity of fixed and mobile IT resources connected to wired and wireless networks, as well as the reliability and integrity of software assets installed on servers and cloud environments. With automatic asset identification for SCs comes a new concern: semi-formal asset descriptions, advanced details on asset-to-asset relationships and simplified tracking of assets may be abused for sophisticated attacks that target combinations of version-specific vulnerabilities. It is emphasized that current SCs projects must consider the need for semi-formal or formal asset management, in terms of Proof Theoretical or Model-based instructions based on asset-specific intelligence.

Khatoun, Rida, Zeadally and Sherali [12] state that the increasing proliferation and deployment of ICT in the infrastructure of cities has increased the interest in SCs, since it is expected that the services provided to citizens will ultimately improve their quality of life. On the other hand, incorporating ICT opens up various security and privacy issues in a SC environment, namely with regard to Critical Infrastructures, Smart Buildings, Intelligent Transportation Systems, E-Government, E-Health or Internet of Things, i.e., Privacy Issues and Privacy Models.

Figure 1: Cybersecurity challenges for smart cities illustration [12].

Figure 1 shows some cybersecurity challenges for smart cities. Given the information above, many of these technologies are wireless and therefore dependent on custom protocols and encryption platforms; of greater concern, therefore, is the fact that many SCs have yet to develop action plans which outline responses to possible cyber-attacks that may target the city's services, infrastructure and ICT systems (Alibasic, Junaibi, Aung, Woon, & Omar, 2017). The European Union Agency for Network and Information Security [8, 25] is examining and presenting some guidelines for an architecture model for public transport. The options for the ICT architecture include people, processes, information and technologies, and their relationships to each other and the external environment, i.e., together they form the foundations of a SC [2]. Indeed, since the last decade, various SC frameworks and architectures have been developed to facilitate citizens' lives by addressing SC challenges, ranging from technical to business or service-oriented ones. Therefore, an ICT architecture may consist of a set of formal descriptions, such as the portfolio of blueprints, models and examples of building architecture, plus the structure and behavioral characteristics of an information system that may evolve and adapt to future requirements and challenges (Kartman et al. 2011).

III. SMART CITIES, SECURITY AND CYBERSECURITY

A. Research Methodology

Several research methods [30] have been presented and followed in Case Studies for Research and Development, such as Action Research (AR) [31] or Design Science Research (DSR) [32]. The DSR is most commonly used in the development of software solutions and approaches in Information Technology (IT). The DSR contains a series of steps and cycles on topics such as problem identification and motivation, definition of solution goals, design and development, demonstration, assessment, and communication. On the other hand, the DSR may be combined with the AR to investigate requirements and research as well as project implementation and evaluation. This work uses the AR methodology for problem solving, applied to a case study from which an answer to a research question is expected. Using this method, the researcher tests a real situation, gets feedback, modifies the theory, and goes forward. Following Olesen and Meyers, a five-step action research cycle is used, which includes the following steps, viz.

• Diagnosing — Identify the research question. In this case study the question was “Is cyber security possibly a necessary pillar of SCs?”;
• Action Planning — Determine the actions to be undertaken to address the research question;
• Action Taking — Conduct and monitor the planned actions; and
• Evaluation — Determine if the actions have addressed the research question.

B. Context

The aim of this work is to conduct a cybersecurity assessment (using a questionnaire or checklist) of a real SC technological infrastructure, i.e., to evaluate its maturity level, to ensure the security and privacy of its digital. The case study is of a Portuguese medium-sized SC [32-34], in accordance with the structure of the SC domain shown in Table 1. The structure is divided into strategic pillars, each with a
strategic orientation and strategic lines. To each of these points is assigned a series of strategic vectors based on a set of strategic factors (e.g., promoting people's skills to improve their quality of life; the development of the human dimension in the context of openness to diversity and multiculturalism; appreciation of local and regional cultural capital and promotion of its transformation into factors of qualification; improvement of their quality of life and promotion of the arts and creativity). Thus, each objective is assigned a set of local government (city council) policy projects based on the 2020-2030 strategy (with or without ICT intervention) and a set of European Union smart age assessment indicators [26]. Following this mapping between strategic elements and strategic vectors, the mapping of SCs domains in the context of ICT is analyzed, and the guidelines and best practices for a local government (city council) are established to ensure the best relationship between Cybersecurity and SC.

Strategic Pillars | Strategic Directions | Strategic Line | Strategic Vectors (a b c d e f g h i)
Society (intelligent people) and Quality of life
Smart Education
e-Education (e.g. Video Conference) x x x
School Digital Solutions x x x
Training and Individuals' Capacity x x x
Smart Citizen - Creativity x x x
Smart Citizen - Inclusion
Integration of Migrants, Reduced Mobility x x x x
Inclusion of people with physical and cognitive difficulties x x x
Smart Health
Telemedicine and Remote Monitoring x x x
Promotion of Healthy Actions and Habits x x x
Smart Security and Safety
Legislative Reinforcement x x
Emergency Response x x x
Intelligent street lighting and Monitoring of "Video Crime" x x x
Integration and control of electronic devices x x x
Smart Citizen - Hospitality x x x x x
Green Buildings
Providing requalified and modern infrastructures x x x x
Availability of modernized / new infrastructures x x x x
Smart Citizen - Culture and wellness
Qualification and Social Inclusion x x x x x x x x
Environment
Smart Management Smart Agriculture x x x x
Sustainable Smart Buildings Sustainable Buildings and Urbanism x x x x
Resource Management x x x x
Sustainability x x x x
Economy
Productivity / Incubation / Coworking x x x x x
Local and global link economy
Smart Agriculture and Smart Local/Global Links x x x x x
Economic Agents Exchange development and e-commerce x x x x
Smart Governance
Digital Transformation Complaint Management; Various forms of payment; x x x
Electronic Services x
e-Governance x x x x
Civil Protection Efficient Management of Public Processes x x x x
Infrastructures of the city x x x x
Commitment Commitment to the citizen and with the industry x x x x
Incubation / Coworking x x x x
Smart Mobility
Support Infrastructures Improving Infrastructures x x x x x x
Control of Access to Areas of the City x x x
Smart Parks Efficient Parking Management x x x x
Intelligent Traffic Management Creation of Parking Parks and efficient traffic monitoring x x x x
Multi-Modal Transport Integration
Integrated data collection platform for means of transport to support integrated transport (buses, bicycles, trains, etc.) x x x x
Efficient Urban Mobility Solutions
Electric buses, sharing of electric bicycles; Cycle tracks, pedestrian lanes, promotion of policies for the use of means of transport. x x x x x x
Smart Infrastructures
Regeneration / Creation of Urban Infrastructures
Urban Regeneration x x x x
Modernization / Creation of Infrastructures x x x x x
Water, Noise and Air
Smart Meter x x x
Renewable Energy Sources and Efficiency x x x
Smart Water Grid and Water quality x x x
Identification of Leaks x x x
Preventive maintenance x x x
Waste
Waste for Compost ("biological fertilizers") x x x
Reuse x x x
Recycle, Treatment and Reduce Waste x x x
Smart Energy
Renewable Energy Sources x x x
Smart Meter x x x
Green Buildings and Intelligent Building Construction x x x x
Smart Technology
Internet Of Things x x x x x
Wireless and Optical fiber x x x x x x x x x
Communications Infrastructure - Monitoring x x x x x x
Data Security, Data Protection and Privacy x x x x x x
Big Data and Open Data x x x x x x

Table 1. Smart City Grid Characterization

(a) - Clusters and strategic economic rows and other sectors; (b) - Tourism; (c) - Rural Area; (d) - Employment and Training; (e) - Social Cohesion; (f) - Culture, identity and creativity; (g) - Internal and external connectivity; (h) - Revitalization or urban rehabilitation and animation; (i) - Cooperation and governance.

C. Application of Cybersecurity Frameworks and Guidelines

In recent years, scores of studies, standards, frameworks and guidelines have been produced [11-18]. On the other hand, there are reports that provide a good overview of the challenges, weaknesses, actions to be taken and recommendations; indeed, they present the key parameters and pillars of a SC, as well as the security challenges and some possible solutions and approaches to mitigate the risk associated with the SC's digital infrastructure [35]. In Krishnan et al. (EY, 2018) [36] one may find a good report on the relationship between SCs and Cybersecurity, which identifies a number of
challenges, vulnerabilities, potential risks, and a categorization of smart services based on risks, namely vulnerabilities and their impact. The same report outlines a number of key cybersecurity initiatives taken around the world, namely in United States cities (Cyber Security Improvement Act, 2017, Cyber Security Systems Framework 1.0 (NIST), Cyber Security Guidelines for Securing Smart Systems), New York City Secure Initiative, National Infrastructure Protection Plan as Partner for Security and Resilience of Critical Infrastructures, Cyber Lab in Los Angeles; in Europe, with European Union Network Safety and Information Security Policy for Sectoral Surveillance, Certification Framework for Equipment, Safety Recommendations for the Internet of Things (IoT), European Union Agency for Cybersecurity Network and Information Security Guidelines for Smart Cities, Analysis Program for the Security of critical infrastructures; in Singapore (Singapore Cybersecurity Act, 2018, Data Protection Act, Internet of Things Ecosystem Standards, National Cyber Security Research and Development Laboratory, Cyber Security Start-up Hub); and in Australia (Internet of Things Alliance, Australia, Smart Cities Policies and Best Practices, Critical Infrastructure Modeling and Analysis Program, Trusted Information Exchange Network).

In [37], KPMG (2019) presented a Cyber Security Report in SCs, outlining the key framework for setting up cybersecurity components and the need for standards, bringing in a set of cybersecurity criteria and practices such as NIST and ISO. It introduces a number of key measures to address the challenges of Cybersecurity and a SC ecosystem, i.e., creating a formal cybersecurity framework, building security from the ground up, using security in an integrated way across all values, building a cyber-robust and trustworthy environment, and involving industry, knowledge and regulatory groups to standardize security measures. In [38], the Indian government presented a cybersecurity framework containing good, well-structured guidelines that consider the SC ecosystem in relation to cybersecurity.

Following this literature review and the reports presented above and in the reference section, it is possible to define a questionnaire (or checklist) to assess cybersecurity in an intelligent city. This work followed the rules of the financial industry [15] and the guidelines and checklists of the National Institute of Standards and Technologies (NIST) Cybersecurity Framework [19], SANS Critical Security Controls for Effective Cyber Defense [20], ISO 270xx [21], and OWASP Open Cyber Security Framework Project [22], as well as the Cybersecurity Risk Assessment to identify, analyze and assess security risks [9, 23, 24]. The checklist and the guidelines used are presented in Table 2, in the subcategory column, structured as a set of questions associated with the category domain and subcategory.

Function Domains or

Category Subcategory/Checklist items

SMART city pillar

Identify

Category: Asset Management
Subcategory/Checklist items:
• Physical devices and systems (NIST SP 800-53 Rev. 4 CM-8, ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, COBIT 5 BAI09.01, BAI09.02)
• Software platforms and applications (NIST SP 800-53 Rev. 4 CM-8, ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, COBIT 5 BAI09.01, BAI09.02, BAI09.05)
• Organizational communication and data flows are mapped (NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8, ISO/IEC 27001:2013 A.13.2.1, COBIT 5 DSS05.02)
• External information systems (NIST SP 800-53 Rev. 4 AC-20, SA-9, ISO/IEC 27001:2013 A.11.2.6, COBIT 5 APO02.02)
• Electronic Resources (NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, ISO/IEC 27001:2013 A.8.2.1, COBIT 5 APO03.03, APO03.04, BAI09.02)
• Cybersecurity roles and responsibilities (NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11, ISO/IEC 27001:2013 A.6.1.1, COBIT 5 APO01.02, DSS06.03)
SMART city pillar: Energy, Technology, Security

Category: Business Environment
Subcategory/Checklist items:
• Organization’s role (NIST SP 800-53 Rev. 4 CP-2, SA-12, ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2, COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05)
• Organization’s place in critical infrastructure (NIST SP 800-53 Rev. 4 PM-8, COBIT 5 APO02.06, APO03.01)
• Priorities for organizational mission (NIST SP 800-53 Rev. 4 PM-11, SA-14, COBIT 5 APO02.01, APO02.06, APO03.01)
• Dependencies and critical functions (NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14, ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3)
• Resilience requirements (ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1, NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14, COBIT 5 DSS04.02)
SMART city pillar: Energy, Mobility, Technology, Security


Category: Governance
Subcategory/Checklist items:
• Organizational information security policy (NIST SP 800-53 Rev. 4 -1 controls from all families, ISO/IEC 27001:2013 A.5.1.1, COBIT 5 APO01.03, EDM01.01, EDM01.02)
• Information security roles (NIST SP 800-53 Rev. 4 PM-1, PS-7, ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, COBIT 5 APO13.12)
• Legal and regulatory requirements (NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1), ISO/IEC 27001:2013 A.18.1, COBIT 5 MEA03.01, MEA03.04)
• Governance and risk management processes (NIST SP 800-53 Rev. 4 PM-9, PM-11, COBIT 5 DSS04.02)
SMART city pillar: Governance, Technology, Security

Category: Risk Assessment
Subcategory/Checklist items:
• Asset vulnerabilities (NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5, ISO/IEC 27001:2013 A.12.6.1, A.18.2.3, COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04)
• Threat and vulnerability information (NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5, ISO/IEC 27001:2013 A.6.1.4)
• Threats management (NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16, COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04)
• Potential business impacts (NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14, COBIT 5 DSS04.02)
• Threats vulnerabilities to determine risk (NIST SP 800-53 Rev. 4 RA-2, ISO/IEC 27001:2013 A.12.6.1, COBIT 5 APO12.02)
• Risk responses (NIST SP 800-53 Rev. 4 PM-4, PM-9, COBIT 5 APO12.05, APO13.02)
SMART city pillar: Infrastructure, Technology, Security

Category: Risk Management Strategy
Subcategory/Checklist items:
• Risk management processes (NIST SP 800-53 Rev. 4 PM-9, COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02)
• Organizational risk tolerance (NIST SP 800-53 Rev. 4 PM-9, COBIT 5 APO12.06)
• Dissemination of organization’s determination of risk tolerance (NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14)
SMART city pillar: Technology, Security

Function: Protect

Category: Access Control
Subcategory/Checklist items:
• Identities and credentials (NIST SP 800-53 Rev. 4 AC-2, IA Family, ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, COBIT 5 DSS05.04, DSS06.03)
• Physical access to assets (NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9, ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3, COBIT 5 DSS01.04, DSS05.05)
• Remote access (NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20, ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1, COBIT 5 APO13.01, DSS01.04, DSS05.03)
• Access permissions (NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16, ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4)
• Network integrity (NIST SP 800-53 Rev. 4 AC-4, SC-7, ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1)
SMART city pillar: Infrastructure, Citizen, Technology, Security

Category: Awareness and Training (urr - understand roles & responsibilities)
Subcategory/Checklist items:
• All users are informed and trained (NIST SP 800-53 Rev. 4 AT-2, PM-13, ISO/IEC 27001:2013 A.7.2.2, COBIT 5 APO07.03, BAI05.07)
• Privileged users urr (NIST SP 800-53 Rev. 4 AT-3, PM-13, ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, COBIT 5 APO07.02, DSS06.03)
• Third-party stakeholders urr (NIST SP 800-53 Rev. 4 PS-7, SA-9, ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, COBIT 5 APO07.03, APO10.04, APO10.05)
• Senior executives urr (NIST SP 800-53 Rev. 4 AT-3, PM-13, ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, COBIT 5 APO07.03, ISA 62443-2-1:2009 4.3.2.4.2)
• Physical and information security personnel urr (NIST SP 800-53 Rev. 4 AT-3, PM-13, ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, COBIT 5 APO07.03)
SMART city pillar: Education, Citizen, Technology, Security

Category: Data Security
Subcategory/Checklist items:
• Data-at-rest is protected (NIST SP 800-53 Rev. 4 SC-28, ISO/IEC 27001:2013 A.8.2.3, COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06)
• Data-in-transit is protected (NIST SP 800-53 Rev. 4 SC-8, ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, COBIT 5 APO01.06, DSS06.06)
• Assets are formally managed (NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16, ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7, COBIT 5 BAI09.03)
• Adequate capacity (NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5, ISO/IEC 27001:2013 A.12.3.1, COBIT 5 APO13.01)
• Protections against data leaks (NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4, ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, COBIT 5 APO01.06)
• Integrity checking mechanisms (NIST SP 800-53 Rev. 4 SI-7, ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3)
• The development and testing environment(s) are separate from the production environment (NIST SP 800-53 Rev. 4 CM-2, ISO/IEC 27001:2013 A.12.1.4, COBIT 5 BAI07.04)
SMART city pillar: Infrastructure, Technology, Security

Category: Information Protection Processes and Procedures (Security policies)
Subcategory/Checklist items:
• A baseline configuration of information technology (NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10, ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05)
• A System Development Life Cycle to manage systems is implemented (NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8, ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5, COBIT 5 APO13.01)
• Configuration change control processes are in place (NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10, ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, COBIT 5 BAI06.01, BAI01.06)
• Backups of information are conducted, maintained, and tested periodically (NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9, ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3, COBIT 5 APO13.01)
• Policy and regulations for organizational assets are met (COBIT 5 APO13.01, ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3, COBIT 5 DSS01.04, DSS05.05)
• Data is destroyed according to policy (NIST SP 800-53 Rev. 4 MP-6, ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7, COBIT 5 BAI09.03)
• Protection processes are continuously improved (NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6, COBIT 5 APO11.06, DSS04.05)
• Effectiveness of protection technologies is shared with appropriate parties (NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4, ISO/IEC 27001:2013 A.16.1.6)
• Response plans are in place and managed (NIST SP 800-53 Rev. 4 CP-2, IR-8, ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, COBIT 5 DSS04.03)
• Response and recovery plans are tested (NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14, ISO/IEC 27001:2013 A.17.1.3)
• Cybersecurity is included in human resources practices (NIST SP 800-53 Rev. 4 PS Family, ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4, COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05)
• A vulnerability management plan is developed and implemented (NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2, ISO/IEC 27001:2013 A.12.6.1, A.18.2.2)
SMART city pillar: Technology, Security

Category: Maintenance
Subcategory/Checklist items:
• Maintenance and repair of organizational assets (NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, COBIT 5 BAI09.03)
• Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access (NIST SP 800-53 Rev. 4 MA-4, ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1, COBIT 5 DSS05.04)
SMART city pillar: Energy, Buildings, Infrastructure, Technology, Security


Category: Protective Technology
Subcategory/Checklist items:
• Audit/log records are determined (NIST SP 800-53 Rev. 4 AU Family), documented, implemented, and reviewed in accordance with policy (ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, COBIT 5 APO11.04)
• Removable media is protected and its use restricted according to policy (NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7, ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9, COBIT 5 DSS05.02, APO13.01)
• Access to systems and assets is controlled, incorporating the principle of least functionality (NIST SP 800-53 Rev. 4 AC-3, CM-7, ISO/IEC 27001:2013 A.9.1.2, COBIT 5 DSS05.02)
• Communications and control networks are protected (NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, COBIT 5 DSS05.02, APO13.01)
SMART city pillar: Infrastructure, Technology, Security

Function: Detect

Category: Anomalies and Events
Subcategory/Checklist items:
• A baseline of network operations and expected data flows (NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4, COBIT 5 DSS03.01)
• Detected events are analyzed (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.1, A.16.1.4)
• Event data are aggregated and correlated from multiple sources and sensors (NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4)
• Impact of events is determined (NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4, COBIT 5 APO12.06)
• Incident alert thresholds are established (NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4, COBIT 5 DSS05.07)
SMART city pillar: Infrastructure, Technology, Security

Category: Security Continuous Monitoring
Subcategory/Checklist items:
• The network is monitored to detect potential cybersecurity events (NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4, COBIT 5 DSS05.07)
• The physical environment is monitored to detect potential cybersecurity events (NIST SP 800-53 Rev. 4)
• Personnel activity is monitored to detect potential cybersecurity events (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.12.4.1)
• Malicious code is detected (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.12.2.1, COBIT 5 DSS05.01)
• Unauthorized mobile code is detected (NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44, ISO/IEC 27001:2013 A.12.5.1)
• External service provider activity is monitored (NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4, ISO/IEC 27001:2013 A.14.2.7, A.15.2.1, COBIT 5 APO07.06)
• Monitoring for unauthorized personnel, connections, devices, and software is performed (NIST SP 800-53 Rev. 4)
• Vulnerability scans are performed (NIST SP 800-53 Rev. 4 RA-5, ISO/IEC 27001:2013 A.12.6.1, COBIT 5 BAI03.10)
SMART city pillar: Infrastructure, Technology, Security

Category: Detection Processes
Subcategory/Checklist items:
• Roles and responsibilities for detection are well defined (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.6.1.1, COBIT 5 DSS05.01)
• Detection activities comply with all applicable requirements (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.18.1.4)
• Detection processes are tested (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.14.2.8, COBIT 5 APO13.02)
• Event detection information is communicated to appropriate parties (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.2, COBIT 5 APO12.06)
• Detection processes are continuously improved (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.6, ISO/IEC 27001:2013 A.16.1.6)
SMART city pillar: Infrastructure, Technology, Security

Function: Respond

Category: Response Planning
Subcategory/Checklist items:
• Response plan is executed (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.5, COBIT 5 BAI01.10)
SMART city pillar: Technology, Security

Category: Communications
Subcategory/Checklist items:
• Personnel know their roles and order of operations when a response is needed (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.6.1.1, A.16.1.1)
• Events are reported consistent with established criteria (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.6.1.3, A.16.1.2)
• Information is shared consistent with response plans (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.2)
• Coordination with stakeholders occurs consistent with response plans (NIST SP 800-53 Rev. 4)
• Voluntary information sharing occurs with external stakeholders (NIST SP 800-53 Rev. 4)
SMART city pillar: Infrastructure, Technology, Security

Category: Analysis
Subcategory/Checklist items:
• Notifications from detection systems are investigated (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5, COBIT 5 DSS02.07)
• The impact of the incident is understood (NIST SP 800-53 Rev. 4 CP-2, IR-4, ISO/IEC 27001:2013 A.16.1.6)
• Forensics are performed (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.7)
• Incidents are categorized (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.4)
SMART city pillar: Infrastructure, Technology, Security

Category: Mitigation
Subcategory/Checklist items:
• Incidents are contained (NIST SP 800-53 Rev. 4 I, ISO/IEC 27001:2013 A.16.1.5)
• Incidents are mitigated (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.12.2.1, A.16.1.5)
• Newly identified vulnerabilities are mitigated (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.12.6.1)
SMART city pillar: Infrastructure, Technology, Security

Category: Improvements
Subcategory/Checklist items:
• Response plans incorporate lessons learned (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013 A.16.1.6, COBIT 5 BAI01.13)
• Response strategies are updated (NIST SP 800-53 Rev. 4)
SMART city pillar: Infrastructure, Technology, Security

Function: Recover

Category: Recovery Planning
Subcategory/Checklist items:
• Recovery plan is executed during or after an event (NIST SP 800-53 Rev. 4, ISO/IEC 27001:2013)
SMART city pillar: Technology, Security

Category: Improvements
Subcategory/Checklist items:
• Recovery plans incorporate lessons learned (NIST SP 800-53 Rev. 4, COBIT 5 BAI05.07)
• Recovery strategies are updated (NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8, COBIT 5 BAI07.08)
SMART city pillar: Infrastructure, Technology

Category: Communications
Subcategory/Checklist items:
• Public relations are managed (COBIT 5 EDM03.02)
• Reputation after an event is repaired (COBIT 5 MEA03.02)
• Recovery activities are communicated (NIST SP 800-53 Rev. 4)
SMART city pillar: Infrastructure, Technology, Security

Table 2 - CYBER SECURITY CONTROLS CHECKLIST

The table presents a series of subcategories (used as a checklist) that have been applied to the technological infrastructure of a Portuguese SC. For each subcategory, the orientations of NIST [20], ISO 27032 [21] and COBIT [9] were followed and the information / points of the OWASP [22] were included. To plan and manage the technological security infrastructure, the cybersecurity checklist was supplemented with another one based on the COBIT guidelines, ITIL best practices, and the ISO 27001 and 27005 methodological approach, plus a survey based on five general areas (i.e., security areas, software, backups, hardware, and infrastructure conditions). The second survey comprised 156 questions divided into fourteen subject areas, which are presented in Table 1 [22], i.e., organization and policy, asset management, human resources, physical security, environmental protection, device security, operations management, data exchange, monitoring and logging, audit control, mobile computing, teleworking, vulnerability testing, incident management, business continuity and compliance.

D. Evaluation and Discussion - In order to quantify the state of the security infrastructure, the survey was filled in three times in three months, and in a probabilistic order out of those periods. For each question, the answer value was recorded (Applicable / Not Applicable, or 1 / 0). Also, for each question, the importance of the question was evaluated in terms of the set {0, 1, 1.5, 2, 2.5, 3}, where 0 is bad and 3 is good. Based on these fields, the weighted score results from multiplying the values of the fields, i.e., (AP / NAP) * Weight * Score. Figure 1 shows an example of its application to the case study.

Based on the schematization of the SC's technological infrastructure and digital services, in the context of the applied security and cybersecurity checklists for information systems and technologies, the domains or categories listed in Table 2 are assigned to the city's strategic pillars [36], as well as the case study described in Table 1. In a first analysis, it can be stated that cyber security is one of the most important foundations for analyzing the security of infrastructure and digital services in intelligent technologies and intelligent security pillars. Following this evaluation methodology, we are able to represent and quantify the performance of the infrastructure over a specific time and to readjust and check the issues and corrections to be made in the infrastructure (Figure 2 (a,b)).
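The scoring rule described above, (AP / NAP) * Weight * Score, can be turned into a per-category and per-pillar indicator that is comparable between survey rounds. The following is an added example, not code from the paper: the answer values are constructed, and taking both Weight and Score from the quoted scale, normalising against the best achievable value, and the regression check are assumptions made for illustration.

```python
"""Weighted checklist scoring: (AP / NAP) * Weight * Score, rolled up per group."""
from collections import defaultdict
from dataclasses import dataclass

# Scale quoted in the text: 0 is bad, 3 is good.
SCALE = (0, 1, 1.5, 2, 2.5, 3)

# Category -> pillar assignment copied from three "Protect" rows of Table 2.
PILLARS = {
    "Access Control": ("Infrastructure", "Citizen", "Technology", "Security"),
    "Awareness and Training": ("Education", "Citizen", "Technology", "Security"),
    "Data Security": ("Infrastructure", "Technology", "Security"),
}


@dataclass(frozen=True)
class Answer:
    category: str
    applicable: int   # AP / NAP flag: 1 = applicable, 0 = not applicable
    weight: float     # assumption: drawn from SCALE
    score: float      # assumption: drawn from SCALE

    def __post_init__(self):
        if self.category not in PILLARS:
            raise ValueError(f"unknown category: {self.category!r}")
        if self.applicable not in (0, 1):
            raise ValueError("applicable must be 0 or 1")
        if self.weight not in SCALE or self.score not in SCALE:
            raise ValueError("weight and score must come from SCALE")

    @property
    def weighted(self):
        # The product given in the text.
        return self.applicable * self.weight * self.score

    @property
    def ceiling(self):
        # Best achievable product; 0 for not-applicable items, so they
        # neither raise nor lower the group's percentage.
        return self.applicable * self.weight * max(SCALE)


def rollup(answers, groups_of):
    """Percent of the achievable weighted score reached by each group."""
    got, cap = defaultdict(float), defaultdict(float)
    for a in answers:
        for group in groups_of(a):
            got[group] += a.weighted
            cap[group] += a.ceiling
    return {g: round(100 * got[g] / cap[g], 1) for g in cap if cap[g] > 0}


def by_category(answers):
    return rollup(answers, lambda a: (a.category,))


def by_pillar(answers):
    return rollup(answers, lambda a: PILLARS[a.category])


def regressions(previous, current):
    """Groups whose percentage dropped between two survey rounds."""
    return sorted(g for g in current if g in previous and current[g] < previous[g])


# Constructed answers for two survey rounds: (category, AP/NAP, weight, score).
ROUND_1 = [Answer(*row) for row in [
    ("Access Control", 1, 3, 2),          # identities and credentials
    ("Access Control", 1, 2, 1),          # remote access
    ("Access Control", 0, 2, 0),          # physical access: not applicable
    ("Data Security", 1, 3, 1.5),         # data-at-rest is protected
    ("Data Security", 1, 2.5, 2),         # data-in-transit is protected
    ("Awareness and Training", 1, 1.5, 3),
]]
ROUND_2 = [Answer(*row) for row in [
    ("Access Control", 1, 3, 2.5),
    ("Access Control", 1, 2, 2),
    ("Access Control", 0, 2, 0),
    ("Data Security", 1, 3, 1),           # data-at-rest got worse
    ("Data Security", 1, 2.5, 2),
    ("Awareness and Training", 1, 1.5, 3),
]]

if __name__ == "__main__":
    c1, c2 = by_category(ROUND_1), by_category(ROUND_2)
    p1, p2 = by_pillar(ROUND_1), by_pillar(ROUND_2)
    print("categories:", c1, "->", c2, "regressed:", regressions(c1, c2))
    print("pillars:   ", p1, "->", p2, "regressed:", regressions(p1, p2))
```

With this sample data every pillar improves between rounds while the Data Security category regresses, so a pillar-level view alone would hide the drop; reviewing both levels avoids that.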


Figure 2 - Example of the Global results for the cyber security checklist application for the case study.

On the other hand, this paper attempts to answer the question of whether cybersecurity is a necessary pillar of smart cities.

Figure 3 - Example of the result of the state of the Scenario of the Cyber Security (a) and Security (b) IT Governance in a specific time.

Based on the research methodology referred to above, the results of the case are as follows:

• Diagnosing — Identify the research question. In this case study the question was “Is it possible that Cybersecurity is a necessary pillar of Smart Cities?”;

• Action Planning — After the examination of the various standards and frameworks oriented to managing and controlling the IT field, the fact is that Cybersecurity can be highly considered as a pillar of the SCs based on technological and digital infrastructures;

• Action Taking — In this case study, and in particular for this institution, it was necessary to analyze and specify all the needs and difficulties diagnosed in the existing information services for IS Security Control and Cybersecurity. Following the Cybersecurity and Security guidelines, the checklist and the COBIT guidelines, orientations were set to monitor and evaluate the security of the infrastructure of the SC;

• Evaluation — To evaluate the usage and implementation of the methodological approach, a set of indicators was defined, namely one based on the indicators of the NIST, ISO 27001 and COBIT specifications and another based on the score of the topics described in Table 2; and

• Specifying Learning — The learning obtained was as follows: improved quality of care by the administrative services; more efficient control and management of the IS, with processes and indicators defined to do so; reduced task execution time; help in defining specific indicators to evaluate the performance of the services in the IT field; and the ability to set questionnaires to identify, evaluate and manage the IT infrastructure related to cybersecurity in an SC ecosystem.

IV. CONCLUSIONS AND FUTURE WORK

In recent years, many reports, papers, standards, frameworks, and guidelines addressing the specifics of cybersecurity challenges and intended for use in the context of SCs have been published. Based on the general concepts of SCs, security and cybersecurity, we present a literature review in this paper, focusing on the Financial Industry Regulatory Practices, on four cybersecurity frameworks (the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the SANS Institute Critical Security Controls for Effective Cyber Defense, the ISO 270xx standard and the OWASP Open Cyber Security Framework Project), and on cybersecurity risk assessment approaches to identify, analyze and assess security vulnerabilities, such as the COBIT and OWASP risk assessment methods. Using an action research methodology for the research question "Is cybersecurity a necessary pillar of smart cities?", we conclude that cybersecurity (challenges and prevention measures) is a crucial pillar of SCs. In the future we want to explore the data collected by the digital SC infrastructure to increase the use of Artificial Intelligence, here in the form of Artificial Neural Networks and Case-Based Reasoning systems, in order to evaluate and predict patterns for cybersecurity.

REFERENCES

[1] A. Monzon, “Smart cities concept and challenges: Bases for the assessment of smart city projects”. In Smart Cities and Green ICT Systems, 2015 International Conference on, pp. 1–11, 2015.

[2] N. Bawany, and J. Shamsi, “Smart City Architecture: Vision and Challenges”. In International Journal of Advanced Computer Science and Applications, 6(11), pp.246-255, 2015.

[3] A. Ayoub, B. Zahi, E. Sabir, and M. Sadik, “A literature review on Smart Cities: Paradigms, opportunities and open problems”. pp.180-186, 2016.

[4] M. Mijac, D. Androcec and R. Picek, “Smart city services driven by IoT: a systematic review”. In Journal of Economic and Social Development (Varaždin), vol 4, pp.40-50, 2017.

[5] A. Gaur, B. Scotney, G. Parr, and S. McClean, “Smart City Architecture and its Applications Based on IoT”. Procedia Computer Science, 52, pp.1089-1094, 2015.

[6] S. Ijaz, M. Shah, A. Khan, and A. Mansoor. “Smart Cities: A Survey on Security Concerns”. In International Journal of Advanced Computer Science and Applications. vol 7, 2016.

[7] K. Zhang, J. Ni, K. Yang, X. Liang, J. Ren, and X. Shen, "Security and Privacy in Smart City Applications: Challenges and Solutions". In IEEE Communications Magazine. 55. pp.122-129, 2017.

[8] ISO 27001 - International Organization for Standardization - Information security management systems. Available on: https://www.iso.org/isoiec-27001-information-security.html, last accessed 2019/07/22.

[9] COBIT: Information Systems Audit and Control Association, Control Objectives for Information and Related Technology, 5th Edition, IT Governance Institute, (2019), https://www.isaca.org, last accessed 2019/07/22.

[10] OGC: Official Introduction to the ITIL Service Lifecycle, Stationery Office, Office of Government Commerce (2019), https://www.itgovernance.co.uk, last accessed 2019/07/22.

[11] A. Armin, R. Junaibi, Z. Aung, W. Woon, and M. Omar, “Cybersecurity for Smart Cities: A Brief Review”. Lecture Notes in Computer Science. 10097. pp.22-30. 2017.

[12] H. Lim and A. Taeihagh, “Autonomous Vehicles for Smart and Sustainable Cities: An In-Depth Exploration of Privacy and Cybersecurity Implications”, Energies, vol 11, no 5:1062, 2018.

[13] C. Lévy-Bencheton, and E. Darra, “Cyber security for Smart Cities: An architecture model for public transport”. In European Union Agency For Network And Information Security, (https://www.enisa.europa.eu/) December, 2015.

[14] M. Evans, L. Maglaras, H. Ying, and J. Helge, "Human Behaviour as an aspect of Cybersecurity Assurance". In Security and Communication Networks. 9, 2016.

[15] R. Khatoun, S. Zeadally, “Cybersecurity and Privacy Solutions in Smart Cities”. In IEEE Communications Magazine, 55(3), pp.51-59, 2017.

[16] Z. L and M. Shahidehpour, “Deployment of cybersecurity for managing traffic efficiency and safety in smart cities”, in Special Issue: Contemporary Strategies for Microgrid Operation & Control, vol.30(4), pp.52-61, 2017.

[17] Z. Li and Q. Liao, “Economic solutions to improve cybersecurity of governments and smart cities via vulnerability markets”, Government Information Quarterly, vol. 35 Issue 1, pp.151-160, 2018.

[18] Financial Industry Regulatory Authority, Inc, “Financial Industry Regulatory Practices”. Available on: https://www.finra.org/file/report-cybersecurity-practices, last accessed 2019/07/22.

[19] National Institute of Standards and Technology (NIST) Cybersecurity Framework. Available on: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf, last accessed 2019/07/22.

[20] SANS Institute - Critical Security Controls for Effective Cyber Defense. Available on: https://www.sans.org/critical-security-controls, last accessed 2019/07/22.

[21] ISO 27032 - Information technology — Security techniques — Guidelines for cybersecurity, Available on: https://www.iso.org/standard/44375.html, last accessed 2019/07/22.

[22] J. Ribeiro, V. Alves, H. Vicente, and J. Neves, “Planning, Managing and Monitoring Technological Security Infrastructures”. Lecture Notes in Electrical, vol. 505, Springer Verlag Eds, 2019.

[23] Open Cyber Security Framework Project, “OWASP Open Cyber Security Framework Project”. Available on: https://www.owasp.org/index.php/OWASP_Open_Cyber_Security_Framework_Project, last accessed 2019/07/22.

[24] OWASP Risk Rating Methodology. Available on: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology, last accessed 2019/07/22.

[25] K. Waedt, A. Ciriello, M. Parekh, and E. Bajramovic, “Automatic assets identification for smart cities: Prerequisites for cybersecurity risk assessments”. 2016 IEEE International Smart Cities Conference (ISC2), pp.1-6, 2016.

[26] European Commission: Assess city’s digital maturity Tool: https://www.digitallytransformyourregion.eu/assess-your-citys-digital-maturity, last accessed 2019/07/22.

[27] Bin Bishr, A. “Smart Dubai: Introduction, Strategy and Progress Report”. Paper presented at the ITU Forum on Smart Sustainable Cities, Abu Dhabi-UAE, Available on: https://www.itu.int/en/ITU-D/Regional-Presence/ArabStates/Documents/events/2015/SSC/S1-DrAishaBinBishr.pdf, 2015, last accessed 2019/07/22.

[28] European Union Agency for Network and Information Security (ENISA). Available on: https://www.smesec.eu, last accessed 2019/07/22.

[29] European SmartCities Benchmarking Assessment: http://www.smart-cities.eu, last accessed 2019/07/22.

[30] M. Kilani, and V. Kobziev, “An Overview of Research Methodology in Information System (IS)”. Open Access Library, 3, pp.1-9, 2016.

[31] K. Olesen, and D. Myers, “Trying To Improve Communication And Collaboration With Information Technology: An Action Research Project Which Failed,” Information Technology & People, 12, (4), pp: 317-332, 1999.

[32] D. Avison, F. Lau, M. Myers, and P. Nielsen, “Action research”, vol. 42 Issue 1, pp:94-97, 1999.

[33] A. Hevner, S. March, J. Park, and S. Ram, “Design Science in Information Systems Research”. MIS Quarterly, 28(1), pp:75–105, 2004.

[34] Peffers, K., Tuunanen, T., Rothenberger, M. A., and Chatterjee, S. “A Design Science Research Methodology for Information Systems Research”. Journal of Management Information Systems, 24(3), pp:45–77, 2007.

[35] R. Giffinger, C. Fertner, H. Kramar, R. Kalasek, N. Milanović, “Smart cities - Ranking of European medium-sized cities”, 2007.

[36] Mapping Smart Cities in the European Union, Economic and Scientific Policy Report, January, Available on: http://www.europarl.europa.eu/RegData/etudes/etudes/join/2014/507480/IPOL-ITRE_ET(2014)507480_EN.pdf, 2014, last accessed 2019/07/22.

