Federal Agency Publishes “Smart” Cities Guide “warning that municipalities should carefully evaluate and address cybersecurity risks”

By B.N. Frank

If your community isn’t officially “smart” yet, it may be soon. In fact, earlier this year, a report named 10 U.S. cities that are ready to become “smart”. Fortunately for them and all others thinking about taking the plunge, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new guide of warnings worth considering.

From Smart Cities Dive:

Cybersecurity best practices for smart cities issued by CISA

Michael Brady Senior Editor

Dive Brief:

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday published a cybersecurity best practices guide for smart cities, warning that municipalities should carefully evaluate and address cybersecurity risks associated with connected public services and infrastructure.
Communities should integrate cybersecurity strategy and risk management in their smart city technology plans and proactively manage supply chain risk to ensure all hardware and software are secure, the guide states.
To ensure that vital public services and infrastructure continue functioning if there’s a cybersecurity event, operational resilience is essential, according to the report. “The organizations responsible for implementing smart city technology should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly,” it says.

Dive Insight:

Smart cities are vulnerable to cybersecurity threats because they often collect, transmit and store large amounts of “sensitive information from governments, businesses, and private citizens,” the report says. The AI-powered software at the heart of many smart city solutions is also susceptible to attack, the report says.

“The intrinsic value of the large data sets and potential vulnerabilities in digital systems means there is a risk of exploitation for espionage and for financial or political gain by malicious threat actors, including nation-states, cybercriminals, hacktivists, insider threats, and terrorists,” the report says.

The report recommends several strategies to employ in smart city security planning and design:

Apply the principle of least privilege, which the National Institute of Standards and Technology defines as “the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function,” according to the report.
Implement multifactor authentication on local and remote accounts.
Build zero-trust architecture that “requires authentication and authorization for each new connection.”
Manage changes to internal architecture, including communications between subnetworks.
Quickly apply patches for hardware and software and, as much as possible, enable automatic updates.

Other recommendations include securing vulnerable devices using virtual private networks and protecting smart city assets against theft and unapproved physical changes.

The report calls for localities to develop processes to back up smart city systems and data, train their workforce, and develop and practice incident response and recovery plans to improve operational resilience.

In addition, it provides resources to help smart city leaders proactively manage supply chain risk, including hardware and IoT devices, software, and managed and cloud service providers.

CISA developed the best practices guide in partnership with the National Security Agency, the Federal Bureau of Investigation and cybersecurity agencies in Australia, Canada, New Zealand and the United Kingdom.

American opposition to “smart cities” and all the costs, privacy violations, environmental, health, and safety risks associated with them has been ongoing for years (see 1, 2, 3, 4, 5, 6, 7, 8, 9, 10). Nevertheless, proponents continue to convince local leaders and legislators to install all kinds of controversial, privacy-invasive, and hackable “smart” technology in their communities (see 1, 2, 3). Of course this has been made easier by legislators who help fund “smart cities” with hundreds of millions in federal grants. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has helped with funding as well. In 2022 U.S. Transportation Secretary, Pete Buttigieg endorsed “smart cities” and last month announced that millions more would be dedicated to them. More recently Amazon announced its Internet of Things (IoT) network (now covering 90% of U.S. households) “holds promise” for “smart” cities.