The Five Eyes intelligence alliance, comprised of the US agencies CISA, NSA and FBI, the UK’s National Cyber Security Centre, Canada’s Centre for Cyber Security, the Australian Cyber Security Centre, and New Zealand’s National Cyber Security Centre, has issued guidance on cybersecurity best practices for smart cities.
The document highlights the potential risks that come with integrating information and communication technologies (ICT), operational technology (OT), cloud computing, AI, and 5G communications in communities. Smart cities are defined as communities that optimize governance through the integration of intelligent solutions and community-wide data.
Although smart cities offer numerous benefits, they are an attractive target for threat actors, including profit-driven cybercriminals and state-sponsored actors looking to obtain valuable information, cause disruption or destruction. The interconnected attack surface created when previously separate systems are integrated into a single network poses a risk, enabling attackers to move laterally and cause “cascading, cross-sector disruptions of infrastructure operations.”
Threat actors can also exploit supply chain vulnerabilities to steal valuable data, cause disruption, or weaken confidence in the integrity of systems.
The guidance recommends keeping track of individuals and vendors responsible for the system and each segment, carefully vetting vendors and assessing risks, and scrutinizing vendors from nation-states associated with cyberattacks or those subject to national legislation requiring them to hand over data to foreign intelligence services.
Other recommendations include implementing a zero-trust architecture, enforcing multi-factor authentication, securely managing assets, improving device security, protecting internet-exposed systems, patching systems, conducting training, and developing and exercising incident response and recovery plans.
The guidance summarizes the recommendations for securing smart cities and includes links to numerous useful resources provided by various government agencies.
In conclusion, the Five Eyes agencies have issued guidance on cybersecurity best practices for smart cities to address the potential risks associated with integrating ICT, OT, cloud computing, AI, and 5G communications in communities. Smart cities offer numerous benefits for authorities and citizens, but they are an attractive target for threat actors.
The guidance recommends carefully vetting vendors and assessing risks, implementing a zero-trust architecture, enforcing multi-factor authentication, securely managing assets, improving device security, protecting internet-exposed systems, patching systems, conducting training, and developing and exercising incident response and recovery plans.
