Australia, Canada, New Zealand, UK, and US offer advice on potential smart city vulnerabilities and how to mitigate them.

Credit: Yiran Ding

New guidance, Cybersecurity Best Practices for Smart Cities, aims to raise awareness among communities and organizations implementing smart city technologies that these beneficial technologies can also have vulnerabilities. A collaboration among the Five Eyes nations (Australia, Canada, New Zealand, the UK, and the US), it advises communities considering becoming smart cities to assess and mitigate the cybersecurity risks that come with the technology.

What makes smart cities attractive to attackers is the data being collected and processed. Because AI-powered systems are being used to integrate this data, these systems should be given special attention when checking for vulnerabilities.

The guide focuses on three areas: secure planning and design, proactive supply chain risk management, and operational resilience.

Secure planning and design

When planning to integrate smart city technologies into infrastructure systems, communities must include strategic foresight and proactive cybersecurity risk management processes. New technology should be carefully integrated into legacy systems. Smart or connected features must be secure by design. Communities should be aware that legacy infrastructure may require a redesign to securely deploy smart city systems.

Organizations implementing smart city technology should apply the principle of least privilege throughout their network environments. This means reviewing default and existing configurations, along with hardening guidance from vendors, to ensure that hardware and software are allowed to access only the systems and data they need to perform their functions.

These organizations should understand their environment and carefully manage communications among subnetworks, including newly interconnected subnetworks linking infrastructure systems.

Other considerations are to enforce multifactor authentication (MFA), implement zero-trust architecture, securely manage smart city assets, improve security of vulnerable devices, protect internet-facing services, patch systems and applications in a timely manner, and review the legal, security, and privacy risks associated with deployments.

Proactive supply chain risk management

All organizations involved in implementing smart city technology should proactively manage information and communications technology (ICT) supply chain risk for any new technology, including hardware or software that supports the implementation of smart city systems or service providers supporting implementation and operations, the guidance recommends. Procurement officials from communities implementing smart city systems should also communicate minimum security requirements to vendors and articulate the actions they will take in response to breaches of those requirements.

Operational resilience

Organizations responsible for smart city projects should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly. Those contingencies should include plans for disconnecting infrastructure systems from one another or from the public internet to operate autonomously. In the event of a compromise, organizations should be prepared to isolate affected systems and operate other infrastructure with as little disruption as possible. For this to happen, the guidance recommends conducting workforce training on how to isolate compromised IT systems from OT and manually operate core functions if necessary.

There should also be a focus on creating, maintaining, and testing backups, both for IT system records and for manual operational capabilities for the physical systems integrated in a smart city network.

Developing and exercising incident response and recovery plans is also recommended.

The guidance is the result of a collaboration of:

The Australian Cyber Security Centre (ACSC)
The Canadian Centre for Cyber Security (CCCS)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
The United Kingdom’s National Cyber Security Centre (NCSC-UK)
The US’s Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA).

“Organizations should implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizens’ private data, and security of sensitive government and business data,” according to the guidance.