U.S. and international cybersecurity officials are collaborating to release a set of recommendations aimed at helping governments pursuing “smart cities” tech strategies to balance efficiency and innovation with cybersecurity, privacy protections, and national security.
The Cybersecurity Best Practices for Smart Cities provides an overview of risks to smart cities and their technologies – including expanded and interconnected attack surfaces, information and communications technologies supply chain risks, and increasing automation of infrastructure operations.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, the FBI, the United Kingdom National Cyber Security Centre, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre worked together to release the joint guide.
“Today’s joint guide is a continuing example of the strong collaboration CISA has with our partners in the U.S. and around the globe to provide timely and useful cyber risk management guidance,” CISA Director Jen Easterly said in a press release. “The cybersecurity best practices outlined here are designed to help evolving connected communities better protect their infrastructure and sensitive data.”
This guide is intended to help communities navigate through the “complex and important work” of becoming a smart city, the press release says. It is critical that they thoroughly assess and mitigate the cybersecurity risk that comes with the integration of public services into a connected environment.
The security agencies offered three broad recommendations aimed at strengthening the cyber posture of smart cities:
- Strategies for secure planning and design, including enforcing multifactor authentication, implementing zero trust architecture, protecting internet-facing services, and patching systems and applications in a timely manner;
- Proactive supply chain risk management, such as setting clear requirements for software, hardware, and Internet-of-Things supply chains, and carefully reviewing agreements with third-party vendors – like managed service providers and cloud service providers; and
- Operational resilience strategies, like workforce training and incident response and recovery plans, that prepare organizations to isolate affected systems and operate infrastructure with as little disruption as possible in the event of a compromise.
“Smart city technologies provide opportunities for more innovative and sustainable communities, but they also broaden the attack surface and risks to our security and critical infrastructure,” said Abigail Bradshaw, head of the ACSC. “This guidance helps forward-thinking communities to securely integrate new technologies into existing infrastructure, ensuring the resilience and protection of the data, systems and interconnected infrastructure we need for our daily lives and business.”