Several leading government security agencies have published new advice for smart city stakeholders designed to help them build protections into new systems from the outset.
Cybersecurity Best Practices for Smart Cities was published by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA) and their equivalents in Canada, Australia and New Zealand.
Launched at CYBERUK 2023, the document warned that smart city technology is at risk from financially motivated cyber-criminals, nation states, terrorists and hacktivists – due to the “intrinsic value of the large data sets and potential vulnerabilities in digital systems.”
Successful attacks could not only lead to sensitive data theft but also disrupt critical services and even cause physical harm or loss of life, the report noted.
Part of the challenge for defenders is that by integrating previously separate infrastructure systems into a single network environment, they will expand the digital attack surface for each participating organization, while making visibility and control more challenging for security teams.
There is also an elevated risk from large, complex supply chains, and even from increased use of automation, if it expands the number of endpoints and network connections vulnerable to compromise, the report added.
“Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way which safeguards security and data privacy,” argued NCSC CEO, Lindy Cameron.
“Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”
Among the key recommendations are that smart city communities undertake:
- Secure planning and design, including the principle of least privilege, multi-factor authentication, zero trust architectures, prompt patching, device security, and protection for internet-facing services
- Proactive supply chain risk management, covering the software supply chain, IoT and device supply chains, and managed/cloud service providers
- Operational resilience, including backing up systems and data, workforce training, and incident response and recovery