Internet-connected technology that’s used to power smart cities makes a very tempting target for cyberattacks and local authorities need to be aware of the risks that they – and their citizens – could face if malicious hackers are able to tamper with infrastructure or services.
Urban infrastructure, including emergency services, transport, traffic light management, CCTV and more, is increasingly using sensors and becoming connected to the Internet of Things in an effort to collect data and provide better, more efficient services.
However, the UK’s National Cyber Security Centre (NCSC) – the cyber arm of intelligence agency GCHQ – has warned that cyber-physical systems in smart cities could be compromised by cyber attackers if they are not secured properly.
SEE: Sensor’d enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)
The huge volume of sensitive data being collected and stored by IoT-connected smart cities, plus the ability to disrupt, “makes these systems an attractive target for a range of threat actors,” the NCSC’s new guidance for securing smart cities warns.
“These connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly. Because as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors,” said Ian Levy, technical director at the NCSC.
To help guide local authorities and protect infrastructure, organisations and people from the threat of cyberattacks that could target smart cities, the NCSC has published a series of principles that should be adhered to in order to provide these networks with the highest possible level of cybersecurity.
To start with, local authorities should understand the role of their connected place. By determining who is responsible for the connected place, what the IoT network will look like, what data will be collected, processed, stored, and shared and what operational technology is in place already, authorities can begin connecting smart cities with security in mind from the start.
Authorities are also urged to understand the potential risks to the connected place. These risks range from knowing exactly what devices and software is being used to connect the place up – ensuring that it’s from a trusted, reputable vendor – to ensuring those devices are sufficiently secured when it comes to authentication.
For example, a city shouldn’t be rolling out IoT devices across the network if those products still have a default username and password, as that would make them an easy target for cyber attackers, particularly if data is “collected or processed in a dumb way,” said Levy.
SEE: Wi-Fi hotspots, pollution meters, gunshot locators: How lampposts are making cities smarter
Smart cities are supposed to help improve services for people, but being irresponsible with data storage could result in privacy violations and poorly implemented security could allow cyber attackers to interfere with services and systems people need.
“We hope these principles will help designers, owners and managers of connected place systems to make well-informed cybersecurity choices,” said Levy.
While the NCSC guidance doesn’t refer to any particular potential cyber-threat actor, the director of GCHQ recently warned that the emergence of China as technology producer means that the UK and other countries could face challenges if organisations – or local authorities – become reliant on devices and software made in the country.
“States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future,” said Jeremy Fleming.