Smart Cities rely on technology to shape safer, more sustainable, and more resilient urban communities. As we know, technology is a huge opportunity but – at the same time – introduces potential vulnerabilities that could be exploited and jeopardize economic and political stability, public health and safety, or critical infrastructure operations.
Cybersecurity authorities from the US, UK, Canada, Australia, and New Zealand scrutinized these risks and related best practices in a joint guide, acknowledging that “Smart Cities are an attractive target for criminals and cyber threat actors to exploit vulnerable systems to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks”.
But why are cities such vulnerable to cybercrime? In a nutshell, because they are interconnected network environments, where a greater number of devices and applications interact and work together to share data and trigger actions. The more the network is large and complex, the bigger the possible attack surface is. Hackers may exploit a vulnerability for initial access (a connected IP camera, for instance), move laterally across networks, and cause cascading disruptions of infrastructure operations, or threaten confidentiality, integrity, and availability of organizational data, systems, and networks.
Not a reassuring perspective for city managers! Should cities refrain from digital innovation and smart technologies? Not really, state the cybersecurity agencies in their guide, but they warn communities to account for these risks as part of their overall risk management approach.
Government experts suggest 3 best practices to improve cybersecurity:
- Secure planning and design. Cities should check that any smart connected system to be added to the actual or new infrastructure has been developed with a security-by-design approach, complying with strict cybersecurity requirements. Principles of least privilege and zero trust network design should be preferred, and specific measures should be implemented to protect remote accounts and devices, and internet-facing applications.
- Proactive supply chain risk management. Cities should select only trusted technology vendors and partners, and set clear requirements for software, hardware and IoT supply chains, as well as carefully review agreements with managed service providers and cloud service providers.
- Operational resilience. Extensive trainings should be provided to employees to enhance cyber awareness and preparedness (don’t forget that 90% of security breaches come out of human inadvertent errors), while incident response and recovery plans should be developed and exercised.