In conjunction with its federal and international partners, the Cybersecurity and Infrastructure Security Agency (CISA) has released a new guide to help communities think through and control for cyber risks that come with advancing smart city technology. Profit-seeking or espionage-focused cyber attackers may be tempted to target smart cities to steal the valuable data these systems collect and transmit on residents, government and businesses, or they may try to attack the technology to disrupt important services.
Connecting physical infrastructure to IT — and integrating once-separate systems into the same network — expands the attack surface, while adding complexity that can make it harder for defenders to track activity across the network. Each endpoint added to a network is another avenue a hacker could strike, and attackers often try to spread from one connected system to another.
Governments also need to be careful when selecting vendors to provide or integrate technologies. These vendors’ practices and offerings need to be secure and resilient, and should follow secure-by-design and secure-by-default practices.
“Communities considering becoming smart cities should thoroughly assess and mitigate the cybersecurity risk that comes with this integration” and the new guide aims to help them “balance efficiency and innovation with cybersecurity, privacy protection and national security.”
Recommendations include the following:
Plan for Physical and Cyber Risks
Communities should consider cyber and physical security and risk management when preparing to adopt smart city solutions or features.
- Follow the Principle of Least Privilege, such as by
- Limiting users’ access to assets and resources based on what they need to perform their jobs,
- Updating privileges whenever new users are added due to new system integrations,
- and reviewing vendors’ hardening advice and default access permissions configurations.
- Apply multifactor authentication (MFA) to remote and local accounts and devices.
- Follow zero-trust network design principles.
- “Manage changes to internal architecture risks."
- For example, network administrators need to keep tabs on any network architecture changes as well as be aware of which individuals are responsible for securing each part of the network and for securing the overall system.
- Protect sensors, monitors and other smart city assets from physical threats, like vandalism or environmental damage.
- Protect Internet-facing services.
- Secure remote access to vulnerable devices.
- Promptly patch systems and applications.
- “Review the legal, security and privacy risks associated with deployments” of smart city solutions.
Manage Supply Chain Risks and Third-Party Risks
Rely only on trusted components and trusted vendors, and require vendors to meet minimum security standards.
- Ensure software providers follow secure software development practices and vulnerability identification and patching practices.
- Consider how hardware and IoT device providers source and assemble their products, the way the IoT devices protect, share and store data, and any concerns around third-party entities providing support for the products.
- Consider risks from managed service providers and cloud service providers and ensure agreements with them include security standards.
Plan for Resiliency
Should cyber attackers compromise a system, be ready to isolate it from the network and keep non-impacted systems operating autonomously.
- Back up data and systems.
- Test abilities to recover from backups.
- Test abilities to manually operate the physical systems included in your smart city network.
- Train your workforce to be ready to operate systems manually and restore services.
- Make and practice incident response and recovery plans.
Interested parties can read more details in the guide, which can be foundhere.
And find more at these additional resources:
- U.K.’s Connected Places Cyber Security Principles
- Australia’s An Introduction to Securing Smart Places
- Canada’s Security Considerations for Critical Infrastructure
- CISA’s Cross-Sector Cybersecurity Performance Goals
- CISA's Protecting Against Cyber Threats to Managed Service Providers and their Customers
- CISA’s secure-by-design and secure-by-default recommendations