New guidance, Cybersecurity Best Practices for Smart Cities, wants to raise awareness among communities and organizations implementing smart city technologies that these beneficial technologies can also have potential vulnerabilities. A collaboration among the Five Eye nations (Australia, Canada, New Zealand, the UK, and the US), it advises communities considering becoming smart cities to assess and mitigate the cybersecurity risks that comes with the technology.What makes smart cities attractive to attackers is the data being collected and processed. Because AI-powered systems are being used to integrate this data, these should be given special attention when checking for vulnerabilities.The guide focuses on three areas: secure planning and design, proactive supply chain risk management, and operational resilience.Secure planning and designWhen planning to integrate smart city technologies into infrastructure systems, communities must include strategic foresight and proactive cybersecurity risk management processes. New technology should be carefully integrated into legacy systems. Smart or connected features must be secure by design. Communities should be aware that legacy infrastructure may require a redesign to securely deploy smart city systems.Organizations implementing smart city technology should apply the principle of least privilege throughout their network environments. This means reviewing default and existing configurations along with hardening guidance from vendors to ensure that hardware and software is allowed to access only systems and data that it needs to perform its functions.These organizations should understand their environment and carefully manage communications among subnetworks, including newly interconnected subnetworks linking infrastructure systems.Other considerations are to enforce multifactor authentication (MFA), implement zero-trust architecture, securely manage smart city assets, improve security of vulnerable devices, protect internet-facing services, patch systems and applications in a timely manner, review the legal, security, and privacy risks associated with deployments.Proactive supply chain risk managementAll organizations involved in implementing smart city technology should proactively manage information and communications technology (ICT) supply chain risk for any new technology, including hardware or software that supports the implementation of smart city systems or service providers supporting implementation and operations, the guidance recommends. Procurement officials from communities implementing smart city systems should also communicate minimum security requirements to vendors and articulate actions they will take in response to breaches of those requirements.Operational resilienceOrganizations responsible for smart city projects should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly. Those contingencies should include plans for disconnecting infrastructure systems from one another or from the public internet to operate autonomously. In the event of a compromise, organizations should be prepared to isolate affected systems and operate other infrastructure with as little disruption as possible. For this to happen, the guidance recommends conducting workforce training on how to isolate compromised IT systems from OT and manually operate core functions if necessary.There should also be a focus on creation, maintenance, and test backups, both for IT system records and for manual operational capabilities for the physical systems integrated in a smart city network. Develop and exercise incident response and recovery plans are also recommended.The guidance is the result of a collaboration of:The Australian Cyber Security Centre (ACSC)The Canadian Centre for Cyber Security (CCCS)New Zealand\u2019s National Cyber Security Centre (NCSC-NZ)The United Kingdom\u2019s National Cyber Security Centre (NCSC-UK)The US\u2019s Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA).\u201cOrganizations should implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizens\u2019 private data, and security of sensitive government and business data,\u201d according to the guidance.