Ontology for investigating Smart City cyberattacks

  • March 18, 2025
  • William Payne

Interconnected systems and control systems within smart cities are increasingly a target for adversaries and cyber criminals. To bolster smart city cybersecurity and assist forensic investigators after a cyberattack, researchers from the Singapore University of Technology and Design have developed an ontology for threats to Smart City Infrastructure (SCI), the critical infrastructure that underpins smart cities.

Dr Tok Yee Ching, a Research Fellow from the university’s Automated Systems SEcuriTy (ASSET) group, together with Singapore Institute of Technology student Davis Yang Zheng and SUTD Associate Professor Sudipta Chattopadhyay, developed the ontology entitled “Smart City Ontological Paradigm Expression (SCOPE) for SCI threats, cybercrime and digital investigation”. Dr Tok’s paper, titled “A Smart City Infrastructure ontology for threats, cybercrime and digital forensic investigation” has been published in Forensic Science International: Digital Investigation.

“Digital forensic investigators have had the short end of the stick for far too long. They often contend with tight timelines and vast amounts of data during investigations. Moreover, if collaboration is required on uncommon platforms such as SCI, investigators must establish a common term of reference for investigation. They also need to identify threats, corresponding digital evidence sources and crimes committed. Such activities can take considerable amounts of time and effort,” said Dr Tok.

Ontologies are representations, definitions and relations of concepts and data within a specific domain. By using ontologies, complex domains can be understood more easily through a consistent and structured representation of knowledge. SCOPE was envisioned as an attractive aid for digital forensic investigators and adheres to international standards. SCOPE also takes a technology-agnostic approach to account for the diverse range of smart city infrastructure across sectors such as energy, home, and oil & gas.

While conducting the research, the ASSET group analysed existing ontologies such as the Unified Cyber Ontology (UCO) and the Cyber-investigation Analysis Standard Expression (CASE). After careful consideration and thorough research, the group concluded that these ontologies lack SCI representation, and that extending them on an ad hoc basis is inefficient and ineffective for investigators. This led to the design and development of SCOPE.

Building on the ASSET group's prior work, in which Dr Tok was also the key contributor, the ASSET group researchers and their SIT collaborator embedded their earlier work on SCI threats, cybercrime, and evidence sources into SCOPE. Other critical information, such as attack techniques and pattern classifications from MITRE, was also accounted for. Users can adopt SCOPE for a wide range of use cases, such as SCI cybercrime incidents, evidence sharing, or even adversary emulation.

Designing SCOPE was challenging, but its suitability for a real-life cybercrime scenario still needed to be investigated thoroughly. To this end, Dr Tok and his colleagues evaluated the usability of SCOPE via a few carefully crafted scenarios based on real-world activity by Advanced Persistent Threats (APTs). The evaluation consisted of i) ontological representation of the scenario, ii) investigation of the Tactics, Techniques and Procedures (TTPs) used by the APT and iii) containment and recovery using the identified Indicators of Compromise (IoCs). In a nutshell, this evaluation was necessary to understand how end users would apply SCOPE to realistic scenarios and accomplish the crucial tasks should a cybercrime take place in SCI.

The evaluation results showed that, by using SCOPE, investigators could add more granular details during their investigation, such as the areas affected by malicious software infection and damage. The additional context allowed increased efficiency and rapid remediation. Investigators also benefited from easy access to complex technical details such as threat type and affected systems.

The ASSET research group has made SCOPE publicly available for the digital forensic community to use and to assist in future SCI investigations. In future work, the ASSET research group will add further tooling support for the SCOPE ontology and will conduct a user study with digital forensic professionals from the public and private sectors. This will determine how SCOPE could be further improved for industry usage. The group also hopes future researchers will explore integrating SCOPE into digital forensics tools to empower digital forensic investigators in their future workflows.