The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday published a cybersecurity best practices guide for smart cities, warning that municipalities should carefully evaluate and address cybersecurity risks associated with connected public services and infrastructure.
Communities should integrate cybersecurity strategy and risk management in their smart city technology plans and proactively manage supply chain risk to ensure all hardware and software are secure, the guide states.
Operational resilience is essential to keep vital public services and infrastructure functioning if a cybersecurity event occurs, according to the report. “The organizations responsible for implementing smart city technology should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly,” it says.
Smart cities are vulnerable to cybersecurity threats because they often collect, transmit and store large amounts of “sensitive information from governments, businesses, and private citizens,” the report says. It adds that the AI-powered software at the heart of many smart city solutions is also susceptible to attack.
“The intrinsic value of the large data sets and potential vulnerabilities in digital systems means there is a risk of exploitation for espionage and for financial or political gain by malicious threat actors, including nation-states, cybercriminals, hacktivists, insider threats, and terrorists,” the report says.
The report recommends several strategies to employ in smart city security planning and design:
- Apply the principle of least privilege, which the National Institute of Standards and Technology defines as “the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function,” according to the report.
- Implement multifactor authentication on local and remote accounts.
- Build zero-trust architecture that “requires authentication and authorization for each new connection.”
- Manage changes to internal architecture, including communications between subnetworks.
- Quickly apply patches for hardware and software and, as much as possible, enable automatic updates.
Other recommendations include securing vulnerable devices using virtual private networks and protecting smart city assets against theft and unapproved physical changes.
The report calls for localities to develop processes to back up smart city systems and data, train their workforce, and develop and practice incident response and recovery plans to improve operational resilience.
In addition, it provides resources to help smart city leaders proactively manage supply chain risk, including hardware and IoT devices, software, and managed and cloud service providers.
CISA developed the best practices guide in partnership with the National Security Agency, the Federal Bureau of Investigation and cybersecurity agencies in Australia, Canada, New Zealand and the United Kingdom.