jamesteohart - stock.adobe.com

NCSC publishes smart city security guidelines

Guidance for local authorities, IT and cyber professionals aims to ensure the security of connected, smart city projects

The UK’s National Cyber Security Centre (NCSC) has published new guidance on securing smart city infrastructure to help local authorities and the security community build awareness and understanding of what needs to happen to keep connected places safe and secure.

The code contains a core set of cyber principles to help risk owners, CISOs, cyber architects and engineers, and other operational personnel make their smart city projects and systems both easier to manage and resilient to cyber attack.

Such systems could include traffic lights, CCTV, waste management, street lighting, parking, public transport, health and social care, and emergency services.

“The systems that these functions and services rely on will be moving, processing and storing sensitive data, as well as controlling critical operational technology,” said the NCSC.

“Unfortunately, this makes these systems an attractive target for a range of threat actors. A connected place will be an evolving ecosystem, comprising a range of systems that exchange data, which will only add further risks.

“If connected systems are compromised, the consequences could impact the local citizens. Impacts could range from breaches of privacy to the disruption or failure of critical functions. This could mean destructive impacts, which in some cases could endanger the local citizens.

“There could also be impacts to the local authorities that are attacked. These could include a loss of reputation that could affect citizen participation, or the financial impacts of dealing with the after-effects of an attack.”

Writing in Computer Weekly today, digital minister Matt Warman said: “Emerging technologies are changing the way we think about our cities. From ultrafast 5G and gigabit broadband to internet of things (IoT) devices and sensors, digital innovation is sparking a revolution in urban design and planning across the UK. 

“New ‘connected places’ – such as those envisioned by Sunderland’s Smart City plan and Newcastle’s digital programme – are springing up using internet-connected infrastructure and devices to make communities and services more efficient, safer and environmentally friendly. They can range from entire smart cities to contained locations such as parks or ports and they are not just found in urban areas either,” he said.

Warman explained that it is important to have checks and balances in place to mitigate the potential risks of such projects.

“The principles explain how connected places can be designed to protect data, be resilient, scalable, less exposed to risk and supported by sufficient network monitoring. They also outline how system privileges and access, supply chains and incidents should be managed,” he said.

“The aim is to help designers, owners and managers of systems to have the tools they need to make well-informed cyber security choices. I urge local leaders and smart city designers to follow the guidance.”

The NCSC’s full guidance can be downloaded to read in full from its website, and is split into three sections covering smart city design, implementation and management, all of which bring different cyber risk factors into play.

Mark Jackson, Cisco’s national cyber security advisor for the UK and Ireland, said: “The complexity of the smart cities marketplace, with multiple device manufacturers and IT providers in play, could quite easily present cyber security issues that undermine these efforts. The NCSC’s principles are one of the most sophisticated pieces of government-led guidance published in Europe to date.

“The guidance set out for connected places generally aligns to cyber security best practice for enterprise environments, but also accounts for the challenges of connecting up different systems within our national critical infrastructure.

“With DCMS [the Department for Digital, Culture, Media and Sport] also planning to implement legislation around smart device security, this is indicative of a broader government strategy to level up IoT security across the board.

“This will enable new initiatives in the field of connected places and smart cities to gather momentum across the UK – with cyber security baked into the design and build phase. As lockdown restrictions ease and people return to workplaces and town centres, they need assurance that their digital identities and data are protected as the world around becomes more connected. These guiding principles are a means of helping local governments achieve this vision,” said Jackson.

F-Secure principle cyber security consultant Tom Van de Wiele said: “Smart cities make life more efficient and have been around for a while, but they do invite privacy and security risks. 

“Ultimately, there is a real risk for harm from unsecured networks that share data from sensors and analysis tools. The high degree of connectivity in these technologies means that an attacker could, potentially, take malicious action across the entire UK with ease if proper security measures such as segregation of networks and fallback processes are not enforced or properly tested.

A nation state, a serious organised crime group or attackers wishing to harm critical, national infrastructure without direct loss of life could create countless amounts of chaos. Threat actors on the prowl looking to abuse smart city networks and its decision-making patterns really are viable threats, and it isn’t far off from what we saw happen at the Florida water plant hack in February. The possibilities for attack are relatively endless.

Striking the right balance between efficiency, privacy and security is important so it’s no surprise the NCSC are setting out guidelines to get a hold over some of the risks,” he added.

Read more about smart cities

Read more on IT risk management

Data Center
Data Management