Australia, Canada, New Zealand, UK, and US offer advice on potential smart city vulnerabilities and how to mitigate them.
New guidance, Cybersecurity Best Practices for Smart Cities, wants to raise awareness among communities and organizations implementing smart city technologies that these beneficial technologies can also have potential vulnerabilities. A collaboration among the Five Eye nations (Australia, Canada, New Zealand, the UK, and the US), it advises communities considering becoming smart cities to assess and mitigate the cybersecurity risks that comes with the technology.
What makes smart cities attractive to attackers is the data being collected and processed. Because AI-powered systems are being used to integrate this data, these should be given special attention when checking for vulnerabilities.
The guide focuses on three areas: secure planning and design, proactive supply chain risk management, and operational resilience.
Secure planning and design
When planning to integrate smart city technologies into infrastructure systems, communities must include strategic foresight and proactive cybersecurity risk management processes. New technology should be carefully integrated into legacy systems. Smart or connected features must be >secure by design. Communities should be aware that legacy infrastructure may require a redesign to securely deploy smart city systems.
Organizations implementing smart city technology should apply the principle of least privilege throughout their network environments. This means reviewing default and existing configurations along with hardening guidance from vendors to ensure that hardware and software is allowed to access only systems and data that it needs to perform its functions.
These organizations should understand their environment and carefully manage communications among subnetworks, including newly interconnected subnetworks linking infrastructure systems.
Other considerations are to enforce >multifactor authentication (MFA), implement >zero-trust architecture, securely manage smart city assets, improve security of vulnerable devices, protect internet-facing services, patch systems and applications in a timely manner, review the legal, security, and privacy risks associated with deployments.
Proactive supply chain risk management
All organizations involved in implementing smart city technology should proactively manage information and communications technology (ICT) supply chain risk for any new technology, including hardware or software that supports the implementation of smart city systems or service providers supporting implementation and operations, the guidance recommends. Procurement officials from communities implementing smart city systems should also communicate minimum security requirements to vendors and articulate actions they will take in response to breaches of those requirements.
Operational resilience
Organizations responsible for smart city projects should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly. Those contingencies should include plans for disconnecting infrastructure systems from one another or from the public internet to operate autonomously. In the event of a compromise, organizations should be prepared to isolate affected systems and operate other infrastructure with as little disruption as possible. For this to happen, the guidance recommends conducting workforce training on how to isolate compromised IT systems from OT and manually operate core functions if necessary.
There should also be a focus on creation, maintenance, and test backups, both for IT system records and for manual operational capabilities for the physical systems integrated in a smart city network. Develop and exercise incident response and recovery plans are also recommended.
The guidance is the result of a collaboration of:
- The Australian Cyber Security Centre (ACSC)
- The Canadian Centre for Cyber Security (CCCS)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)
- The United Kingdom’s National Cyber Security Centre (NCSC-UK)
- The US’s Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA).
“Organizations should implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizens’ private data, and security of sensitive government and business data,” according to the guidance.
---
Autor(en)/Author(s): Samira Sarraf
Quelle/Source: CSO, 20.04.2023