The NCSC has published a new set of principles for the secure design, management and building of smart cities to protect them from cyber threats.

The UK’s National Cyber Security Centre (NCSC) has warned of the cybersecurity risks posed to the UK’s connected places and published a new set of principles for the secure design, management and building of smart cities of the future. The Connected Places Cyber Security Principles are primarily for UK local and national authorities, with particular relevance for risk owners, CISOs, cybersecurity architects and engineers, and other personnel who will be running the day-to-day operations of the connected places infrastructure.

Cybersecurity threats to connected places

The NCSC defines connected places as communities that integrate information and communication technologies and IoT devices to collect and analyse data to deliver new services to the built environment. These are designed to enhance the quality of living for citizens involving factors such as transportation, buildings, utilities, environment, infrastructure and public services.

While acknowledging the vast benefits connected places offer, the NCSC warned that the critical nature of the functions they provide and the volume of sensitive data they process make them significant potential targets for cyberattacks. “The systems that these functions and services rely on will be moving, processing and storing sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors.”

If a connected system is compromised, the consequences have the potential to greatly affect local citizens and organisations, the NCSC added. “Impacts could range from breaches of privacy to the disruption or failure of critical functions. This could mean destructive impacts, which in some cases could endanger the local citizens.
There could also be impacts to the local authorities that are attacked. These could include a loss of reputation that could affect citizen participation, or the financial impacts of dealing with the aftereffects of an attack.”

Securing smart cities of the future

The principles set out by the NCSC serve as a guide for system owners, designers, vendors and operators to help them consider the high-level security requirements and principles that should govern connected places in the UK, outlines Ian Levy, technical director at the NCSC, in a blog post.

“The principles advise local authorities to understand their connected places by considering required cybersecurity governance and skills, the role of suppliers, risks and more,” added the NCSC. They also explain how connected places can be designed to protect data, be resilient and scalable, less exposed to risk and supported by sufficient network monitoring. When it comes to running a connected place, there is guidance on how privileges, supply chains and incidents should be managed.

“These connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly,” Levy wrote. “These principles call out to lots of existing NCSC and CPNI guidance, but we do expect to have to create some very specific guidance over the coming years.”

Commenting on the announcement, Mark Jackson, national cybersecurity advisor, Cisco UK and Ireland, argues that the NCSC’s principles are one of the most sophisticated pieces of government-led guidance published in Europe to date. “The guidance set out for connected places generally aligns to cybersecurity best practice for enterprise environments, but also accounts for the challenges of connecting up different systems within our national critical infrastructure.
This will enable new initiatives in the field of connected places and smart cities to gather momentum across the UK – with cybersecurity baked into the design and build phase. As lockdown restrictions ease and people return to workplaces and town centres, they need assurance that their digital identities and data are protected as the world around becomes more connected. These guiding principles are a means of helping local governments achieve this vision.”