CYBER DEFENSE OF URBAN DIGITAL SYSTEMS: SCALING SIEM CORRELATION TO REDUCE INCIDENTS IN A WARTIME CITY

DOI:

https://doi.org/10.28925/2663-4023.2025.31.1066

Keywords:

urban cyber security, SIEM, SOC, incident correlation, MTTD, MTTR, municipal digital services, cyber resilience

Abstract

Modern megacities are increasingly dependent on the resilience of digital platforms and converged networks that sustain critical urban life support systems. In the context of a full-scale war, where cyberattacks are tightly synchronized with the physical destruction of energy and communication infrastructure, ensuring the continuity of municipal services requires a fundamental shift from fragmented monitoring to centralized, intelligent incident management. This article systematizes the practical experience of designing, building, and operating a city-scale Security Operations Centre (SOC) based at the Specialized Municipal Enterprise “Kyivteleservis” during the period 2021–2024. The object of the study is the set of protection processes of the Corporate Multiservice Network (CMN) of Kyiv, which connects over 1,800 municipal institutions, spans 1,500 km of fiber-optic communication lines, and supports the “Safe City” video surveillance system (comprising over 8,000 cameras) alongside the Internet of Things (LoRaWAN) sensor network. The author provides a detailed analysis of the operational challenges resulting from the sharp increase in cyber incidents and the shifting threat landscape: from massive DDoS attacks on “Kyiv Digital” ecosystem services to sophisticated attempts at exploiting vulnerabilities in telecommunications equipment during emergency power blackouts. The primary focus of the work is the development and implementation of a methodology for scaling correlation rules within a SIEM system. The article proposes a transition from standard signature-based detection to behavioral analysis, structured according to the five core functions of the NIST Cybersecurity Framework 2.0 (Identify – Protect – Detect – Respond – Recover). A specific mechanism for the “Contextual Enrichment” of security events is described, which involves automatically appending metadata regarding asset criticality, physical location, and responsible administrator to raw logs. This approach effectively addressed the issue of “alert fatigue,” filtering out up to 90% of false positives caused by legitimate remote user activity via VPN gateways during air raid alerts. The research results are substantiated by quantitative performance metrics of the SOC: the Mean Time to Respond (MTTR) for high-severity incidents was reduced by 30% (decreasing from 45 to 30 minutes on average), and the availability of key administrative services for citizens was maintained at a level of 99.9% even during peak load periods and kinetic attacks. The conclusions formulate practical recommendations for city digital transformation leaders regarding the prioritization of monitoring tools and the construction of a fault-tolerant cyber defense architecture under conditions of limited human and financial resources. This article will be useful for critical infrastructure cybersecurity specialists, system architects, and local government officials facing similar threats.
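The contextual enrichment and correlation step described in the abstract, as an added Python illustration that is not the paper's or Kyivteleservis's own code: each raw event is tagged with asset criticality, site and responsible administrator from an inventory, plus whether it fell inside an air raid alert window; a correlation pass then suppresses VPN logins by authorised remote users during such windows (the false-positive class the abstract mentions) and routes configuration changes on high-criticality assets to their owner. The asset inventory, user list, alert windows, log format and log lines are all constructed for this example and carry no real addresses or accounts.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed asset inventory (hypothetical): the metadata the SOC appends to raw events.
ASSET_INVENTORY = {
    "10.10.1.5": {"criticality": "high", "site": "district heating gateway", "owner": "ops-energy"},
    "10.10.2.20": {"criticality": "medium", "site": "municipal library", "owner": "it-culture"},
    "10.20.0.1": {"criticality": "high", "site": "VPN gateway, city HQ", "owner": "soc-net"},
}
UNKNOWN_ASSET = {"criticality": "unknown", "site": "unknown", "owner": "unassigned"}

# Constructed: accounts approved for remote work through the VPN gateway.
AUTHORISED_VPN_USERS = {"o.koval", "i.shevchenko"}

# Constructed air raid alert windows as (start, end) naive UTC timestamps.
AIR_RAID_WINDOWS = [
    (datetime(2024, 3, 12, 9, 0), datetime(2024, 3, 12, 10, 30)),
]

# Constructed raw log lines in a simple space-separated format:
# <ISO timestamp> <src_ip> <dst_ip> <user> <action>
SAMPLE_LOG = [
    "2024-03-12T09:15:00 203.0.113.7 10.20.0.1 o.koval vpn_login",
    "2024-03-12T09:20:00 203.0.113.9 10.20.0.1 i.shevchenko vpn_login",
    "2024-03-12T09:25:00 198.51.100.4 10.20.0.1 guest vpn_login",
    "2024-03-12T11:00:00 203.0.113.7 10.20.0.1 o.koval vpn_login",
    "2024-03-12T09:40:00 10.10.5.33 10.10.1.5 svc-admin config_change",
    "2024-03-12T09:45:00 10.10.5.33 10.10.2.20 svc-admin config_change",
]


@dataclass
class Event:
    ts: datetime
    src_ip: str
    dst_ip: str
    user: str
    action: str
    context: dict = field(default_factory=dict)  # filled in by enrich()


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, src, dst, user, action = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, user, action)


def enrich(event: Event) -> Event:
    """Append asset and situational metadata to the raw event (contextual enrichment)."""
    asset = ASSET_INVENTORY.get(event.dst_ip, UNKNOWN_ASSET)
    event.context.update(asset)
    event.context["during_air_raid"] = any(
        start <= event.ts <= end for start, end in AIR_RAID_WINDOWS
    )
    event.context["authorised_remote_user"] = event.user in AUTHORISED_VPN_USERS
    return event


def correlate(event: Event) -> Optional[dict]:
    """Apply correlation rules to an enriched event; return an alert, or None when suppressed."""
    c = event.context

    def alert(severity: str, rule: str) -> dict:
        return {
            "ts": event.ts.isoformat(),
            "severity": severity,
            "rule": rule,
            "site": c["site"],
            "route_to": c["owner"],
        }

    if event.action == "vpn_login":
        # Rule 1: an authorised account working remotely during an air raid alert is
        # expected behaviour; this is the false-positive class the enrichment filters out.
        if c["authorised_remote_user"] and c["during_air_raid"]:
            return None
        # Rule 2: an account outside the authorised list still needs analyst attention.
        if not c["authorised_remote_user"]:
            return alert("medium", "vpn_login_unlisted_user")
        return alert("low", "vpn_login_authorised_user")

    if event.action == "config_change" and c["criticality"] == "high":
        # Rule 3: changes on high-criticality assets go straight to the responsible owner.
        return alert("high", "config_change_critical_asset")

    return alert("low", "default")


def process(lines) -> tuple:
    """Run parse -> enrich -> correlate over raw lines; return (alerts, suppressed_count)."""
    alerts, suppressed = [], 0
    for line in lines:
        result = correlate(enrich(parse_line(line)))
        if result is None:
            suppressed += 1
        else:
            alerts.append(result)
    return alerts, suppressed


if __name__ == "__main__":
    found, dropped = process(SAMPLE_LOG)
    print(f"{dropped} events suppressed, {len(found)} alerts raised")
    for a in found:
        print(a)
```

The design point is that suppression keys on enrichment fields (authorised user, alert window), not on the raw log text, so the same rule base keeps working as the inventory and alert schedule change; an unlisted account logging in during the same window is still raised rather than hidden by the blanket VPN-noise filter.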




Published

2025-12-16

How to Cite

Chernikov, P. (2025). CYBER DEFENSE OF URBAN DIGITAL SYSTEMS: SCALING SIEM CORRELATION TO REDUCE INCIDENTS IN A WARTIME CITY. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 3(31), 773–780. https://doi.org/10.28925/2663-4023.2025.31.1066