The National Cyber Security Centre (NCSC) has published a set of security principles for local authorities to protect smart city technology from cyber threats.
It has produced the guidance with a warning that internet of things (IoT) devices and underlying infrastructure are potential targets for cyber attacks, and that the compromise of a single system in a smart city could have a negative impact across the network if it is badly designed.
NCSC said the document, titled Connected Places Cyber Security Principles, is aimed at helping chief information security officers, cyber security architects and other relevant personnel consider the necessary high-level security requirements.
Its technical director Dr Ian Levy said: “Local authorities are using sensors and intelligent systems to improve our lives and make our cities more efficient and environmentally friendly.
“While these benefits should be embraced, it’s important to take steps now to reduce the risk of cyber attacks and their potentially serious impact on these interconnected networks. I urge every individual and organisation establishing a connected place in the UK to consult our newly published cyber security principles.
“It’s our collective responsibility to ensure that our cities of the future are safe and resilient.”
The document defines a connected place as a community that integrates ICT and IoT devices to collect and analyse data to deliver new services to the built environment and enhance citizens' quality of life. This involves using a system of sensors, networks and applications in functions such as transport, utilities, infrastructure and the local environment.
Understanding, design, management
It divides the principles into three sections on understanding, designing and managing a connected place.
Understanding a connected place has to take in its goals and ambitions, the risks, governance and skills, the role of suppliers, and legal and regulatory requirements.
One of the key steps for risk owners is to determine what impacts they are not willing to accept within the system. An example cited is the threat of losing control of traffic light signals.
Other important steps include conveying security requirements to suppliers and understanding the maturity of their security protections and people security arrangements.
The design element has to take in the connected place architecture, with a consideration of zones of trust within the network and a need to identify critical security boundaries. The latter covers not just cyber boundaries but also physical ones, such as power supplies and communication routes, and cyber-physical ones, such as redundant sensors.
Along with this, the connected place has to be designed to reduce exposure, protect its data, be resilient and scalable, and have a monitoring system that is independent from the operational systems.
The section on managing connected places includes the management of privileged access to systems, the supply chain, the management of incidents with response and recovery, and ensuring the management is in place throughout the lifecycle of systems. An important element of the latter is testing a system throughout its lifecycle by means of health checks, penetration testing and a continual review of risks and procedures.
The document also points to other sources of guidance from NCSC and the Centre for the Protection of National Infrastructure.
Digital Infrastructure Minister Matt Warman said: “Local leaders and innovators should follow the National Cyber Security Centre's expert guidance so our cities, towns and rural areas can unlock the benefits of smart, internet connected infrastructure in a safe and secure way.”