Cybersecurity agencies publish guide of cybersecurity best practices for smart city networks

From self-driving cars that communicate with traffic lights to water management solutions and drones that can zip deliveries automatically across otherwise congested neighborhoods, there’s a lot to be excited about when it comes to the future of smart cities. Emerging technology poses an opportunity for administrators to create safer, more efficient and resilient cities by leveraging data that’s collected via sensors and processed with artificial intelligence. But as smart city technology expands alongside its use cases, so do the cybersecurity concerns local governments must contend with.

Guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Wednesday aims to help communities bolster their digital defences as they build infrastructure to support smart city solutions. The guide was created by CISA and the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and cybersecurity agencies from the United Kingdom, Canada, Australia and New Zealand.

Recommendations include strategic planning and proactive foresight that considers cybersecurity risk and management as future technologies evolve. And when they do, each should be “deliberately and carefully integrated into legacy infrastructure designs,” the report says. The principle of “least privilege,” which defines that each entity should be granted the minimum number of authorizations and access to perform their function, should also be implemented from the start, along with multifactor authentication around a zero trust architecture framework, among other things.

“Today’s joint guide is a continuing example of the strong collaboration CISA has with our partners in the U.S. and around the globe to provide timely and useful cyber risk management guidance,” said Jen Easterly, director of CISA. “The cybersecurity best practices outlined here are designed to help evolving connected communities better protect their infrastructure and sensitive data.”

Given the critical data cities and counties are responsible for protecting, they’re an “an attractive target for criminals and cyber threat actors” looking “to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks,” the report says. At the same time, the complex software systems that gather and integrate the data pose security risks. One breach could give a perpetrator access to a large trove of data and sensitive information. And as more devices connect, the threat increases.

“Integrating a greater number of previously separate infrastructure systems into a single network environment expands the digital attack surface for each interconnected organization,” the report says. “This expanded attack surface increases the opportunity for threat actors to exploit a vulnerability for initial access, move laterally across networks, and cause cascading, cross- sector disruptions of infrastructure operations, or otherwise threaten confidentiality, integrity, and availability of organizational data, systems, and networks.”

Besides devices, the guide highlights the risk posed to smart city networks by organizations that don’t fall under the same regulation while being able to access the smart city network, as they might not have the same level of cybersecurity in place.

“Smart city IT vendors may also have access to vast amounts of sensitive data from multiple communities to support the integration of infrastructure services—including sensitive government information and personally identifiable information,” the guide says. “No technology solution is completely secure. As communities implement smart city technologies, this guidance provides recommendations to balance efficiency and innovation with cybersecurity, privacy protections, and national security.”

To review the complete guide, visit CISA’s website.