Urban Critical Infrastructure and Cybersecurity Frameworks
- Dan V
- 6 days ago

Several cybersecurity frameworks have been developed over the years. The three most popular are the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, ISO 27001:2022, and the Center for Internet Security (CIS) Controls framework, which is currently on version 8 (Shastri, 2025). As each local government and smart city is unique in its design and implementation of technology, no single framework is designed entirely with it in mind. Local governments and smart cities typically comprise a wide variety of systems, including business systems that process payment services for a variety of public works needs, Industrial Control Systems (ICS) networks that control a variety of utilities, and Internet of Things (IoT) services that allow many different services to be monitored and controlled remotely. There may even be a publicly accessible wireless internet system for citizens to use. This is not a complete list of the systems that a local government may employ.
The CIS Controls version 8 is a framework comprising 18 control categories that cover specific safeguards. As each city may be at its own maturity level, this framework enables implementers to define and implement the safeguards applicable to the services that need to be covered (Shastri, 2025). While this framework may cover a wide variety of controls, its shortfall is that it covers only the fundamentals.
ISO 27001 is a globally recognized standard under which an organization can achieve certification of its Information Security Management System (ISMS). The latest version of the standard (ISO 27001:2022) guides organizations in creating a mature ISMS that accounts for various risks and cybersecurity best practices (Shastri, 2025). The advantage of this standard is that it enables any organization to create a custom framework that facilitates overall governance, supports continual improvement, and incorporates four families of cybersecurity controls. These families are organizational controls, people controls, physical controls, and technical controls. If an organization lacks the maturity or expertise to build a comprehensive system, it may find the process of implementing it with contractors to be overwhelming or expensive.
In 2024, NIST released version 2.0, the latest version of its CSF. This framework caters to organizations at various maturity levels, enabling them to understand their current position and develop their desired future direction. It focuses on six core functions: Govern, Identify, Protect, Detect, Respond, and Recover (Shastri, 2025). It enables an organization to assess its current maturity profile based on the technology it has deployed and to develop a roadmap for where it needs to be. While the framework may not be overly prescriptive, the advantage is that NIST has developed guidelines for a variety of technologies and frameworks that can be implemented through it.
Of all the frameworks identified, most local governments would do well to utilize the NIST CSF 2.0, as it is one of the most flexible for the variety of technologies deployed throughout most urban infrastructures. CISA also released a document in 2023 that identifies “cybersecurity best practices for smart cities”. This document guides local governments on how to define their various systems and apply best practices, including Zero-Trust Architecture, the principle of least privilege, and multifactor authentication (MFA) (CISA, 2023). Finally, NIST released a “smart cities and communities framework series” in 2019, which was updated in 2022. This series walks through four categories of information to consider: cross-cutting and foundational issues, sector-specific issues, implementation methods and approaches, and case studies (NIST, 2019). While an organization would benefit from adopting any type of cybersecurity framework to enhance its security posture, local governments should give particular consideration to NIST CSF 2.0 and the accompanying guidance.
CISA. (2023, April 19). Cybersecurity Best Practices for Smart Cities. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/sites/default/files/2023-04/cybersecurity-best-practices-for-smart-cities_508.pdf
NIST. (2019, November 14). NIST Smart Cities and Communities Framework Series. National Institute of Standards and Technology. https://www.nist.gov/ctl/smart-connected-systems-division/iot-devices-and-infrastructure-group/smart-americaglobal-1
NIST. (2024, February 26). The NIST Cybersecurity Framework (CSF) 2.0. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.29
Shastri, G. (2025, April 3). Cyber Security Frameworks Comparison: A Complete Guide. Intersys.uk. https://intersys.co.uk/2025/04/03/cyber-security-frameworks-comparison-a-complete-guide/