Australia, Canada, New Zealand, UK, and US offer advice on potential smart city vulnerabilities and how to mitigate them.

Credit: Yiran Ding

New guidance, Cybersecurity Best Practices for Smart Cities, aims to raise awareness among communities and organizations implementing smart city technologies that these beneficial technologies can also have potential vulnerabilities. A collaboration among the Five Eyes nations (Australia, Canada, New Zealand, the UK, and the US), it advises communities considering becoming smart cities to assess and mitigate the cybersecurity risks that come with the technology.

What makes smart cities attractive to attackers is the data being collected and processed. Because AI-powered systems are being used to integrate this data, these systems should be given special attention when checking for vulnerabilities.

The guide focuses on three areas: secure planning and design, proactive supply chain risk management, and operational resilience.

Secure planning and design

When planning to integrate smart city technologies into infrastructure systems, communities must include strategic foresight and proactive cybersecurity risk management processes. New technology should be carefully integrated into legacy systems. Smart or connected features must be secure by design. Communities should be aware that legacy infrastructure may require a redesign to securely deploy smart city systems.

Organizations implementing smart city technology should apply the principle of least privilege throughout their network environments. This means reviewing default and existing configurations, along with hardening guidance from vendors, to ensure that hardware and software are allowed to access only the systems and data they need to perform their functions.

These organizations should understand their environment and carefully manage communications among subnetworks, including newly interconnected subnetworks linking infrastructure systems.
Other considerations are to enforce multifactor authentication (MFA), implement zero-trust architecture, securely manage smart city assets, improve security of vulnerable devices, protect internet-facing services, patch systems and applications in a timely manner, and review the legal, security, and privacy risks associated with deployments.

Proactive supply chain risk management

All organizations involved in implementing smart city technology should proactively manage information and communications technology (ICT) supply chain risk for any new technology, the guidance recommends. This includes hardware or software that supports the implementation of smart city systems, as well as service providers supporting implementation and operations. Procurement officials from communities implementing smart city systems should also communicate minimum security requirements to vendors and articulate the actions they will take in response to breaches of those requirements.

Operational resilience

Organizations responsible for smart city projects should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly. Those contingencies should include plans for disconnecting infrastructure systems from one another or from the public internet to operate autonomously. In the event of a compromise, organizations should be prepared to isolate affected systems and operate other infrastructure with as little disruption as possible. For this to happen, the guidance recommends conducting workforce training on how to isolate compromised IT systems from OT and manually operate core functions if necessary.

There should also be a focus on creating, maintaining, and testing backups, both for IT system records and for manual operational capabilities for the physical systems integrated in a smart city network.
Developing and exercising incident response and recovery plans is also recommended.

The guidance is the result of a collaboration of:

- The Australian Cyber Security Centre (ACSC)
- The Canadian Centre for Cyber Security (CCCS)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)
- The United Kingdom’s National Cyber Security Centre (NCSC-UK)
- The US’s Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)

“Organizations should implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizens’ private data, and security of sensitive government and business data,” according to the guidance.