The National Cyber Security Centre (NCSC) has published a guide on best practice in cyber security in the development of smart cities.
Recommended measures include applying the principle of least privilege, multi-factor authentication and taking a proactive approach to supply chain risk management.
The guidance has been produced with agencies from the US, Australia, Canada and New Zealand, and is designed to help ensure connected technologies and integrated into infrastructure in a way that protects systems and data.
It acknowledges the the positive potential but also highlights a number of risks in the development of smart cities, including an expanded and interconnected attack surface in which threat actors could exploit vulnerabilities. For example, if they can access a local government internet of things (IoT) network they might be able to obtain lateral access into emergency alert systems if they are connected.
There are also risks from weak points in the ICT supply chain and the automation of infrastructure operations, both of which can provide multiple entry points into a network.
In response, the guidance recommends steps beginning with secure planning and design for the integration of new technology with legacy infrastructure, followed by applying the principle of least privilege, under which each entity in a network is granted the minimum system authorisation and resources needed to perform its function.
These should be accompanied by the use of multi-factor authentication, zero trust architecture, patching systems and applications in a timely manner, the careful management of communications between subnetworks, and the secure management of assets such as sensors and monitors.
There should also be a proactive approach to supply chain risk management, only using trusted ICT vendors and components, and with participation from all levels of the organisations. This should be accompanied by setting security requirements or controls for software suppliers, and due diligence research on how IoT devices and hardware are sourced and assembled.
Managed service and cloud service providers should also be subject to clear security requirements.
Internally, there is a need to store and isolate back-ups of IT systems to inhibit the spread of ransomware, conduct relevant workforce training and develop and test incident response and recovery plans.
Balance benefits with safeguards
Lindy Cameron, NCSC CEO, said: “Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way which safeguards security and data privacy.
“Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”