International agencies issue smart city cybersecurity guide

Cybersecurity agencies from the US, UK, Canada, Australia and New Zealand have issued a joint guide on smart city best practices.

The guide provides an overview of risks to smart cities, including expanded and interconnected attack surfaces; ICT supply chain weaknesses; and increasing automation of infrastructure operations.

To protect against these risks, the government partners offer three overarching recommendations to help cities strengthen their cybersecurity: secure planning and design, proactive supply chain risk management, and operational resilience.

The following organisations collaborated on the guide: the US Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation, the UK’s National Cyber Security Centre, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre. The five countries collaborate through the Five Eyes intelligence alliance.

Attractive target

The guide states: “Smart cities are an attractive target for criminals and cyber threat actors to exploit vulnerable systems to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks.

“Successful cyberattacks against smart cities could lead to disruption of infrastructure services, significant financial losses, exposure of citizens’ private data, erosion of citizens’ trust in the smart systems themselves, and physical impacts to infrastructure that could cause physical harm or loss of life.”

The report warns that the risk from a single smart city vendor could be much higher than in other ICT supply chains or infrastructure operations, given the increased interdependencies between technologies and basic or vital services.

It calls on organisations to consider risks from each vendor carefully to avoid threats from potentially unreliable hardware and software and deliberate exploitation of supply chain vulnerabilities as an attack vector.

“This includes scrutinising vendors from nation-states associated with cyberattacks, or those subject to national legislation requiring them to hand over data to foreign intelligence services,” the guide states.

Strategies

Specific strategies the agencies recommend include enforcing multifactor authentication and implementing zero trust architecture. Organisations should set clear requirements for software, hardware and Internet of Things (IoT) supply chains, as well as carefully reviewing agreements with third-party vendors such as managed service providers and cloud service providers. The guide also recommends that contingency plans are put in place in case of a cybersecurity compromise.

In a survey last year by technology company Sophos, 58 percent of local government respondents said their organisations were hit by ransomware in 2021, up from 34 percent in 2020.

Further, 59 percent perceived an increase in the volume of attacks over the last year, the same number reported growing attack complexity, and 56 percent said cyber-attacks were having a greater impact.

Attackers’ methods are becoming more sophisticated with the use of AI and automation technology, Sophos said.