Australia, Canada, New Zealand, UK, and US offer advice on potential smart city vulnerabilities and how to mitigate them. Credit: Yiran Ding New guidance, Cybersecurity Best Practices for Smart Cities, wants to raise awareness among communities and organizations implementing smart city technologies that these beneficial technologies can also have potential vulnerabilities. A collaboration among the Five Eye nations (Australia, Canada, New Zealand, the UK, and the US), it advises communities considering becoming smart cities to assess and mitigate the cybersecurity risks that comes with the technology.What makes smart cities attractive to attackers is the data being collected and processed. Because AI-powered systems are being used to integrate this data, these should be given special attention when checking for vulnerabilities.The guide focuses on three areas: secure planning and design, proactive supply chain risk management, and operational resilience. Secure planning and designWhen planning to integrate smart city technologies into infrastructure systems, communities must include strategic foresight and proactive cybersecurity risk management processes. New technology should be carefully integrated into legacy systems. Smart or connected features must be secure by design. Communities should be aware that legacy infrastructure may require a redesign to securely deploy smart city systems. Organizations implementing smart city technology should apply the principle of least privilege throughout their network environments. This means reviewing default and existing configurations along with hardening guidance from vendors to ensure that hardware and software is allowed to access only systems and data that it needs to perform its functions.These organizations should understand their environment and carefully manage communications among subnetworks, including newly interconnected subnetworks linking infrastructure systems. Other considerations are to enforce multifactor authentication (MFA), implement zero-trust architecture, securely manage smart city assets, improve security of vulnerable devices, protect internet-facing services, patch systems and applications in a timely manner, review the legal, security, and privacy risks associated with deployments.Proactive supply chain risk managementAll organizations involved in implementing smart city technology should proactively manage information and communications technology (ICT) supply chain risk for any new technology, including hardware or software that supports the implementation of smart city systems or service providers supporting implementation and operations, the guidance recommends. Procurement officials from communities implementing smart city systems should also communicate minimum security requirements to vendors and articulate actions they will take in response to breaches of those requirements.Operational resilienceOrganizations responsible for smart city projects should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly. Those contingencies should include plans for disconnecting infrastructure systems from one another or from the public internet to operate autonomously. In the event of a compromise, organizations should be prepared to isolate affected systems and operate other infrastructure with as little disruption as possible. For this to happen, the guidance recommends conducting workforce training on how to isolate compromised IT systems from OT and manually operate core functions if necessary.There should also be a focus on creation, maintenance, and test backups, both for IT system records and for manual operational capabilities for the physical systems integrated in a smart city network. Develop and exercise incident response and recovery plans are also recommended.The guidance is the result of a collaboration of:The Australian Cyber Security Centre (ACSC)The Canadian Centre for Cyber Security (CCCS)New Zealand’s National Cyber Security Centre (NCSC-NZ)The United Kingdom’s National Cyber Security Centre (NCSC-UK)The US’s Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA).“Organizations should implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizens’ private data, and security of sensitive government and business data,” according to the guidance. Related content news Salt Security adds defense against OAuth attacks The new offering is designed to mitigate vulnerabilities and misconfigurations associated with the open authentication (OAuth) authorization framework. By Shweta Sharma Apr 25, 2024 3 mins Authentication Security Software news Cisco urges immediate software upgrade after state-sponsored attack Hackers exploited previously undetected vulnerabilities in Cisco’s Adaptive Security Appliances — a product that combines multiple cybersecurity functions. By Prasanth Aby Thomas Apr 25, 2024 3 mins Vulnerabilities brandpost Sponsored by Microsoft Security What will cyber threats look like in 2024? Analyzing incidents in the past will help advise a stronger cybersecurity strategy in the future—2024 and beyond. By Microsoft Security Apr 24, 2024 5 mins Security news analysis How the ToddyCat threat group sets up backup traffic tunnels into victim networks The Chinese APT group is using a variety of tools to infiltrate networks and steal large amounts of data. By Lucian Constantin Apr 24, 2024 6 mins Advanced Persistent Threats Threat and Vulnerability Management Network Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe