Cybersecurity agencies from around the world have joined together to issue the free guide, ‘Cybersecurity Best Practices for Smart Cities.’ The guide is intended to provide an overview of risks to smart cities such as: expanded and interconnected attack surfaces; ICT supply chain weaknesses; and increasing automation of infrastructure operations.
As the guide states: “Smart cities are an attractive target for criminals and cyber threat actors to exploit vulnerable systems to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks. Successful cyberattacks against smart cities could lead to disruption of infrastructure services, significant financial losses, exposure of citizens’ private data, erosion of citizens’ trust in the smart systems themselves, and physical impacts to infrastructure that could cause physical harm or loss of life.”
After examining the potential risks, the guide provides recommendations to help cities strengthen their cybersecurity. Recommendations include:
- Secure Planning and Design – emphasizing the need for strategic foresight and the establishment of proactive cybersecurity risk management processes. Suggested proactive measures include: applying the principle of least privilege; enforcing multifactor authentication; implementing zero trust architecture; and improving the security of vulnerable devices;
- Proactive Supply Chain Risk Management – incorporating security requirements into the supply chains for software, hardware and IoT devices, managed service providers, and cloud service providers; and
- Operational Resilience – developing and maintaining contingencies for manual operations of all critical infrastructure functions.
The guide’s collaborators are part of the Five Eyes intelligence alliance and include: the US Cybersecurity and Infrastructure Security Agency (CISA); the National Security Agency (NSA); the Federal Bureau of Investigation (FBI); the UK’s National Cyber Security Centre (NCSC-UK); the Australian Cyber Security Centre (ACSC); the Canadian Centre for Cyber Security (CCCS); and the New Zealand National Cyber Security Centre (NCSC-NZ).