It explains that with more and more cities integrating smart technology into the operation of their systems, this creates new vulnerabilities. The guide itself is Cybersecurity Best Practices for Smart Cities.
A few summary statements from the linked article are below:
Plan for Physical and Cyber Risks
Communities should consider cyber and physical security and risk management when preparing
to adopt smart city solutions or features.
Rely only on trusted components and trusted vendors, and require vendors to meet minimum security standards.
Plan for Resiliency
Should cyber attackers compromise a system, be ready to isolate it from the network
and keep non-impacted systems operating autonomously. Interested parties can read more details in the guide, which can be found here.
- Follow the Principle of Least Privilege, such as by
- Limiting users’ access to assets and resources based on what they need to perform their jobs,
- Updating privileges whenever new users are added due to new system integrations,
- and reviewing vendors’ hardening advice and default access permissions configurations.
- Apply multi-factor authentication (MFA) to remote and local accounts and devices.
- Follow zero-trust network design principles.
- For example, network administrators need to keep tabs on any network architecture changes as well as be aware of which individuals are responsible for securing each part of the network and for securing the overall system.
- Protect sensors, monitors and other smart city assets from physical threats, like vandalism or environmental damage.
- Protect Internet-facing services.
- Secure remote access to vulnerable devices.
- Promptly patch systems and applications.
- “Review the legal, security and privacy risks associated with deployments” of smart city solutions.
- Ensure software providers follow secure software development practices and vulnerability identification and patching practices.
- Consider how hardware and IoT device providers source and assemble their products, the way the IoT devices protect, share and store data, and any concerns around third-party entities providing support for the products.
- Consider risks from managed service providers and cloud service providers and ensure agreements with them include security standards.
- Back up data and systems.
- Test abilities to recover from backups.
- Test abilities to manually operate the physical systems included in your smart city network.
- Train your workforce to be ready to operate systems manually and restore services.
- Make and practice incident response and recovery plans.
