CISA and Others Release Strategies for Protecting Smart Cities 

CISA and NCSC along with their equivalents in Canada, Australia and New Zealand have published Cybersecurity Best Practices for Smart Cities designed to help stakeholders build protections into new systems from the planning stage.

The document warns that due to the intrinsic value of the large data sets, not only are smart cities vulnerable to financially motivated cyber-criminals but with complex, automated supply chains, terrorists could paralyze critical services and even cause physical harm or loss of life.

While currently infrastructure services are separate, the challenge for defenders is that by integrating all systems into a single-network landscape, they will expand the digital attack surface for each participating organization, while making visibility and control more challenging for security teams.

Key recommendations are as expected and suggest that planners undertake:

  • Secure planning and design: principle of least privilege, MFA, zero trust architectures, prompt patching, device security, and protection for internet-facing services
  • Proactive supply chain risk management: covering the software supply chain, IoT and device supply chains, and managed/cloud service providers
  • Operational resilience: backing up systems and data, workforce training, and incident response and recovery

Carol Volk, EVP , BullWall(she/her)

   “This effort by the US and other nations is a commendable move towards promoting cybersecurity in the planning and design of smart city systems. It highlights the recognition of the inherent risks associated with large data sets in smart cities and the need for proactive measures to protect against cyber threats.

   “The emphasis on secure planning and design, proactive supply chain risk management, and operational resilience in the recommendations is crucial in ensuring the security of smart city systems. 

   “In particular, recognizing the risks of centralizing too much data in smart city systems is significant. Centralized data can become a single point of failure and will attract malicious actors like bees to honey. Governments must consider the balance between data centralization for operational efficiency and the need for data protection and privacy. Even the best planning will be thwarted by determined attackers, whether private or nation states. After watching ransomware attacks increasingly evade the best preventative measures, we need solid detection and containment layers as standard fare in these new network designs.”

Bryson Bort, Founder and CEO, SCYTHE had this to say:

   “I have worked smart city security in various countries since 2015. The joint country collaboration on best practices is particularly interesting in this case. The smart city of tomorrow promises a better way of life for its citizens with possibilities like re-routing traffic with sensors but must design for resilience and protective measures to assure the digital traffic doesn’t hit any potholes.”

Corey Brunkow, Dir of Eng Operations, follows up with this:

   “The CISA doc is pretty general but has links to useful information and has a section on Supply Chain Security Guidance which is critically important as the recent Toyota Supply Chain attack demonstrated.    This specific section from the UK NCSC addressing supply chain security guidance seems particularly relevant for best practices similar to what is needed.  

  1. Understand the risks
  2. Know who your suppliers are and build an understanding of what their security looks like
  3. Understand the security risk posed by your supply chain”

Roy Akerman, Co-Founder & CEO, Rezonate:

   “Smart cities are here, and we will see more and more cities adopt these practices – both with technology innovation as well as with government services. CISA recommendations are logical, yet they are far from reality. They may seem like basic functions yet today there are no vulnerability-free environments, the speed of patching is never real-time, zero-trust is a continuous journey, not a one and done. Smart city infrastructure will be distributed across many vendors and many teams, inevitably resulting in an increased attack surface that will lead to security breaches if not handled properly.

   “It is critical for the foundation of smart cities to be connected and based on strong automation, as with the private sector, resources are limited but effective security practices must be put in place to safeguard identity data. The approach must include both proactive measures and a defense-in-depth approach assuming compromise and readiness when a security breach occurs. Success will be evaluated by how fast they are able to get back online.”

Smart cities are going to be considered critical infrastructure in the not so distant future. Thus it’s good to see that there are these guidelines are out there to make smart cities as safe as possible.

Leave a Reply

%d bloggers like this: