Cybersecurity officials from the United States, United Kingdom, Australia, Canada, and New Zealand have collaboratively released a joint guide titled "Cybersecurity Best Practices for Smart Cities." This initiative aims to help communities balance the benefits of efficiency and innovation with the crucial aspects of cybersecurity, privacy protections, and national security.
Smart cities have the potential to create safer, more efficient, and more resilient communities through technological innovation and data-driven decision-making. However, these opportunities also introduce potential vulnerabilities that could impact national security, economic security, public health and safety, and critical infrastructure operations. With the increasing cyber threat activity against operational technology (OT) systems globally, the interconnection between OT systems and smart city infrastructure expands the attack surface and heightens the potential consequences of compromise.
Integrating public services into a connected environment can enhance the efficiency and resilience of the infrastructure that supports everyday life in communities. However, smart cities must thoroughly assess and mitigate the cybersecurity risks that accompany such integration. The joint guide provides an overview of these risks, including expanded and interconnected attack surfaces, information and communications technology (ICT) supply chain risks, and increased automation of infrastructure operations.
ICT supply chain vulnerabilities, which may be intentionally developed by cyber threat actors for malicious purposes or unintentionally created through poor security practices, can lead to data theft, loss of confidence in the integrity of a smart city system, or a system or network failure through disruption of availability in operational technology. ICT vendors providing smart city technology should adopt a holistic approach to security by adhering to secure-by-design and secure-by-default development practices, which can decrease the burden on resource-constrained local jurisdictions and increase the cybersecurity baseline across smart city networks.
To address these risks, the guide offers three recommendations to strengthen a community's cyber posture: secure planning and design, proactive supply chain risk management, and operational resilience. Secure planning and design strategies include enforcing multifactor authentication, implementing zero trust architecture, protecting internet-facing services, and patching systems and applications in a timely manner.
Proactive supply chain risk management recommendations involve setting clear requirements for software, hardware, and Internet-of-Things (IoT) supply chains, and thoroughly reviewing agreements with third-party vendors, such as managed service providers and cloud service providers.
Operational resilience strategies, including workforce training and incident response and recovery plans, can prepare organisations to isolate affected systems and operate infrastructure with minimal disruption in case of a compromise.
The joint guide exemplifies the strong collaboration among global cybersecurity agencies to provide timely and useful cyber risk management guidance, helping connected communities better protect their infrastructure and sensitive data while enjoying the benefits of smart city innovations.
Additional resources:
See guidance on secure-by-design and secure-by-default development practices:
- Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (CISA, NSA, FBI, ACSC, NCSC-UK, CCCS, BSI, NCSC-NL, CERT NZ, NCSC-NZ)
Assistance / Where can I go for help?
The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).