National and international cybersecurity officials last week released recommendations and resources to help smart cities balance efficiency and innovation with cybersecurity, privacy protections, and national security.
The joint guide, Cybersecurity Best Practices for Smart Cities, was released by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, the FBI, the United Kingdom National Cyber Security Centre (NCSC UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC NZ).
The joint guide provides an overview of risks to smart cities, including expanded and interconnected attack surfaces, information and communications technologies supply chain risks, and increasing automation of infrastructure operations.
This guide is intended to help communities considering becoming “smart cities” thoroughly assess and mitigate the cybersecurity risk that comes with the integration of public services into a connected environment.
“Today’s joint guide is a continuing example of the strong collaboration CISA has with our partners in the U.S. and around the globe to provide timely and useful cyber risk management guidance,” CISA Director Jen Easterly said in a press release. “The cybersecurity best practices outlined here are designed to help evolving connected communities better protect their infrastructure and sensitive data.”
“Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way which safeguards security and data privacy,” said Lindy Cameron, NCSC-UK CEO. “Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”
The security agencies offered three recommendations aimed at strengthening the cyber posture of smart cities: secure planning and design, proactive supply chain risk management, and operational resilience.
Specifically, strategies for secure planning and design include enforcing multifactor authentication, implementing zero trust architecture, protecting internet-facing services, and patching systems and applications promptly.
Recommendations made by the agencies on proactive supply chain risk management include setting clear requirements for software, hardware, and Internet-of-Things supply chains, and carefully reviewing agreements with third-party vendors, such as managed service providers and cloud service providers.
Additionally, the agencies recommended that operational resilience strategies include workforce training and incident response and recovery plans, which can prepare organizations, in the event of a compromise, to isolate affected systems and operate infrastructure with as little disruption as possible.
“The digital transformation of infrastructure can improve daily life, but increased connectivity may also expand attack surfaces and introduce new risks. No technology solution is completely secure. This guidance is a useful resource for organizations and communities seeking to balance innovation with cyber security,” said Lisa Fong, NCSC-NZ deputy director-general.