The UK’s National Cyber Security Centre (NCSC), working alongside its counterparts from Australia, Canada, New Zealand and the US, has published advice and guidance to help ensure that connected technologies are integrated into the built environment in a way that protects systems and data.
The joint Cybersecurity best practices for smart cities guide is designed to help communities balance the benefits involved in creating smart cities – such as cost savings and improvements to quality of life – with the risks, which include an expanding, interconnected attack surface, supply chain issues, and vulnerabilities introduced by automating infrastructure operations and introducing artificial intelligence (AI)-powered solutions.
Community leaders and local governments considering embarking on smart city projects are encouraged to consult the guidance to better understand how to plot a secure path forward. The guide is available to download from the US Cybersecurity and Infrastructure Security Agency (CISA).
“Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way that safeguards security and data privacy,” said NCSC CEO Lindy Cameron.
“Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”
Smart city projects are already attractive targets for cyber criminals due to the type of data being collected, transmitted, stored and processed, which will almost certainly include what is termed special category data under the UK General Data Protection Regulation (GDPR) and other compliance regimes.
Coupled with the growing number of vulnerabilities, both existing and potential, in digital systems, the intrinsic value of smart city datasets also introduces the risk of exploitation for espionage purposes by nation-state-backed advanced persistent threat (APT) groups.
“Smart city technologies provide opportunities for more innovative and sustainable communities, but they also broaden the attack surface and risks to our security and critical infrastructure,” said Australian Cyber Security Centre (ACSC) head Abigail Bradshaw.
“This guidance helps forward-thinking communities to securely integrate new technologies into existing infrastructure, ensuring the resilience and protection of the data, systems and interconnected infrastructure we need for our daily lives and business.”
CISA director Jen Easterly added: “Today’s joint guide is a continuing example of the strong collaboration CISA has with our partners in the US and around the globe to provide timely and useful cyber risk management guidance.
“The cyber security best practices outlined here are designed to help evolving connected communities better protect their infrastructure and sensitive data.”
Topics covered in the guide include strategies for secure planning and design, such as enforcing multifactor authentication (MFA), implementing zero-trust architecture, protecting services that face the public internet, and appropriate and timely patch management policies, all steps that every organisation should be taking as part of a basic cyber security hygiene regime.
Its recommendations for supply chain risk management include establishing clear requirements for software, hardware and internet of things (IoT) supply chains at the outset, and carefully reviewing arrangements and agreements with third parties.
The guide also sets out what to do in the unfortunate event of a compromise, including incident response and recovery plans to isolate affected systems and minimise disruption, and appropriate workforce training.