With cities worldwide outfitting more and more of their infrastructure with internet-connected devices and other operational technology, cybersecurity agencies from the U.S., U.K., Canada, Australia and New Zealand this week released a guidebook aimed at protecting assets used in “smart cities” programs.
The 13-page manual emphasizes that as cities install environmental monitors, automate infrastructure operations, build out 5G wireless networks and implement artificial intelligence and other emerging software tools, they’re also broadening the attack surface they present to malicious actors, heightening the risk of a compromise.
“This expanded attack surface increases the opportunity for threat actors to exploit a vulnerability for initial access, move laterally across networks, and cause cascading, cross-sector disruptions of infrastructure operations, or otherwise threaten confidentiality, integrity, and availability of organizational data, systems, and networks,” the guide reads.
Government groups, academia and the private sector have for years sounded warnings about the risks that come with “smart city” technology, the market for which is expected to top $700 billion in less than a decade. Assets like parking meters and wastewater treatment plants have been snagged by ransomware. Researchers have repeatedly found industrial control systems installed with their easy-to-guess default passwords still in place. Federal regulatory agencies have imposed new cybersecurity requirements on utility sectors.
The guide also emphasizes that threats against “smart city” technology are a problem without borders, and are propagated by cybercriminals and nation-state actors alike. Since the start of Russia’s war against Ukraine last year, the U.S. and its allies have published multiple advisories warning that Kremlin-linked actors may target utilities and other critical sectors in countries supporting Kyiv.
Several of the guide’s recommendations on “smart city” technologies are consistent with cybersecurity advice for other sectors, like enabling multi-factor authentication, ensuring users have the least amount of network privileges necessary, imposing zero-trust architecture and patching and updating systems regularly.
But it also directs officials to consider other steps, like purchasing tools that are “secure by design” — an increasingly popular software-development philosophy that incorporates security measures from the earliest stages. The U.S. Cybersecurity and Infrastructure Security Agency, along with cyber authorities in the other Five Eyes nations plus Germany and the Netherlands, last week published a set of design principles for software publishers.
“The digital transformation of infrastructure can improve daily life, but increased connectivity may also expand attack surfaces and introduce new risks. No technology solution is completely secure,” Lisa Fong, the deputy director-general of the New Zealand National Cyber Security Centre, one of the agencies involved in the “smart city” guide, said in a press release.