The vulnerabilities of the complex artificial intelligence-powered software systems used to integrate the data from citizens, businesses, and government agencies make smart cities an appealing target for malicious cyber actors. Therefore, a group of leading cybersecurity experts created smart city security standards. The recommendations are designed to help smart cities strengthen their cyber defences.
New Zealand National Cyber Security Centre (NCSC-NZ) released these in conjunction with the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA) and the United States Federal Bureau of Investigation (FBI).
These agencies are aware that communities might look to smart city infrastructure digital transformation for cost savings and quality of life enhancements. While bringing public services online can boost efficiency and resilience, evaluating and managing potential cybersecurity risks is vital.
University campuses, military bases, municipalities, and cities are just some communities incorporating smart city technologies into their infrastructure. Connected places, connected communities, and smart homes all use information and communication technologies (ICT), community-wide data, and intelligent solutions to digitally transform infrastructure and optimise governance to meet residents’ needs better.
Information from various sources (governments, businesses, and individuals) is being gathered, sent, stored and processed. Some smart software cities use to combine this data is artificial intelligence-powered and potentially vulnerable. National governments, cybercriminals, hacktivists, insider threats, and terrorists all pose a risk because of the monetary and political value they could derive from exploiting the weaknesses in digital systems and the massive data sets they contain for espionage purposes.
There is no foolproof technological solution as municipalities adopt smart city technology. However, the guidelines suggest a middle ground between security, privacy, and productivity. Place the concepts of least privilege, enforce multifactor authentication, carry out zero trust architecture, regulate changes to internal architecture risks, carefully manage smart city assets, improve the safety of vulnerable devices, preserve internet-facing services, patch systems and applications in adequate time, and examine the legal, security, and privacy hazards associated with deployments are all suggestions for bolstering the cybersecurity of smart cities.
A security architecture should be developed following the principle of least privilege, which states that each entity should access only the most miniature set of system resources and authorisations necessary to carry out its specific role. Default and existing configurations, as well as hardening vendor recommendations, should be examined by administrators to guarantee that hardware and software have access to only the systems and data they need to execute their jobs.
To harden the infrastructure that permits access to networks and systems, the entities adopting smart city technologies should lock down remote access applications and require multifactor authentication (MFA) on local and remote accounts and devices.
Adopting zero trust network design concepts, users can use a layered, defence-in-depth strategy to achieve a more secure network environment. Each new connection needs authenticating and authorising. Zero trust makes network activity visibility, trend de-identification by analytics, issue resolution via automation and orchestration, and effective network security governance possible.
Organisations tasked with rolling out smart city technologies need to be aware of their surroundings and manage communications between subnetworks, especially those that have recently been integrated to facilitate the integration of infrastructure systems. Administrators of such networks should always be mindful of the people whose responsibility is to ensure the safety of the entire system and its constituent parts. The impact of a compromise on the community can be mitigated if administrators take the necessary steps to identify, organise, and isolate essential business systems and implement the required network security controls and monitoring tools.
