Intelligence agencies from the Five Eyes alliance have published a smart city cybersecurity guidelines.
National security agencies in the United States, United Kingdom, Australia, Canada, and New Zealand have published a Cybersecurity Best Practices for Smart City guide, with advice and warnings for city leaders planning to integrate connected technologies.
The term smart cities covers a lot of technologies, including physical hardware such as smart sensors and connected vehicles, and software that collects all of the data and analyzes it. IoT devices are often the least protected, which opens up smart cities to cyberattacks.
“Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way which safeguards security and data privacy,” said Lindy Cameron, NCSC CEO. “Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”
In the report, the intelligence agencies recommend that organizations implementing smart city technologies be careful when integrating legacy systems and ensure that cybersecurity risk management processes are baked into every step of the development and production cycle. Alongside this, organizations must ensure that any equipment being integrated into a smart city operation is secure by design, with advanced connectivity solutions.
There are many ways to reduce risk in a smart city operation. One of the key points the intelligence report mentions is the “principle of least privilege”, which ensures that each device and entity is provided the minimum amount of system resources to perform its function. With this in place, if one IoT device is corrupted, it is less likely to be able to spread inside a system. Multi-factor authentication adds another secure layer to the smart city operation, which can be implemented at stress points to protect against highly sensitive data.
Other points included the use of zero trust architecture, applying network security controls and monitoring systems to internal architecture, securing assets from theft, vandalism or adverse weather conditions, and implementing automatic patch processes when possible to avoid end-of-life cycles which can reduce the amount of security and functionality available.
Another one of the key points highlighted is proactive supply chain risk management, which starts with the procurement process. Organizations should have a list of verified vendors for IT products, both hardware and software, which reduces the likelihood of unexpected changes to product performance. Due to the severity of cyber risks to public services, organizations need to create a list of minimum security requirements and actions if a vendor’s product leads to security breaches.
This is not just for hardware, as the intelligence agencies highlight managed service providers and public cloud service providers as potential cyber risks. Organizations need to be aware of the shared agreement that service providers have with customers, and who is responsible for each area of cloud security.
The final point in the intelligence report involves operational resilience. Organizations need to maintain some way to manually control all critical infrastructure in times of crisis or attack, to ensure that high level data and operations remains out of the hands of attackers. Contingencies should be in place which should include the ability to disconnect infrastructure from the internet, and to operate autonomously without the need for centralized control for a short period.
Backups of systems and data need to be implemented and consistently checked to ensure that the correct data is being backed up at regular intervals. Organizations also need to create systems to remove old backups regularly. Training staff on these contingencies and security protocols is critical, so that in the event of a system being compromised staff know the way to protect data, and not lose more to cyberattackers.