Report by CISA | NSA | FBI | NCSC-UK | ACSC | CCCS | NCSC-NZ
Download the full report at www.cisa.gov/resources-tools/resources/cybersecurity-best-practices-smart-cities
Risk to Smart Cities
Smart cities may create safer, more efficient, more resilient communities through technological innovation and data-driven decision-making; however, this opportunity also introduces potential vulnerabilities that, if exploited, could impact national security, economic security, public health and safety, and critical infrastructure operations. Cyber threat activity against OT systems is increasing globally, and the interconnection between OT systems and smart city infrastructure increases the attack surface and heightens the potential consequences of compromise.
Smart cities are an attractive target for criminals and cyber threat actors to exploit vulnerable systems to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks. Successful cyberattacks against smart cities could lead to disruption of infrastructure services, significant financial losses, exposure of citizens’ private data, erosion of citizens’ trust in the smart systems themselves, and physical impacts to infrastructure that could cause physical harm or loss of life. Communities implementing smart city technologies should account for these associated risks as part of their overall risk management approach. The authoring organizations recommend the following resources for guidance on cyber risk management:
Expanded and Interconnected Attack Surface
Integrating a greater number of previously separate infrastructure systems into a single network environment expands the digital attack surface for each interconnected organization. This expanded attack surface increases the opportunity for threat actors to exploit a vulnerability for initial access, move laterally across networks, and cause cascading, crosssector disruptions of infrastructure operations, or otherwise threaten confidentiality, integrity, and availability of organizational data, systems, and networks. For example, malicious actors accessing a local government IoT sensor network might be able to obtain lateral access into emergency alert systems if the systems are interconnected.
Additionally, as a result of smart cities integrating more systems and increasing connectivity between subnetworks, network administrators and security personnel may lose visibility into collective system risks. This potential loss of visibility includes components owned and operated by vendors providing their infrastructure as a service to support integration. It is critical that system owners maintain awareness and control of the evolving network topology as well as the individuals/vendors responsible for the overall system and each segment. Ambiguity regarding roles and responsibilities could degrade the system’s cybersecurity posture and incident response capabilities. Communities implementing smart city technology should assess and manage these risks associated with complex interconnected systems.
Risks From the ICT Supply Chain and Vendors
Communities building smart infrastructure systems often rely on vendors to procure and integrate hardware and software that link infrastructure operations via data connections. Vulnerabilities in ICT supply chains—either intentionally developed by cyber threat actors for malicious purposes or unintentionally created via poor security practices—can enable:
• Theft of data and intellectual property,
• Loss of confidence in the integrity of a smart city system, or
• A system or network failure through a disruption of availability in operational technology.
ICT vendors providing smart city technology should take a holistic approach to security by adhering to secure-by-design and secure-by-default development practices. Software products developed in accordance with these practices decrease the burden on resource-constrained local jurisdictions and increase the cybersecurity baseline across smart city networks. See the following resource for guidance on secure-by-design and secure-by-default development practices:
• Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by–Design and -Default (CISA, NSA, FBI, ACSC, NCSC-UK, CCCS, BSI, NCSC-NL, CERT NZ, NCSC-NZ)
Automation of Infrastructure Operations
Smart cities can achieve efficiencies by automating operations, such as wastewater treatment or traffic management. Automation reduces the requirement for direct human control of those systems. Automation can also allow for better consistency, reliability, and speed for standardized operations. However, automation can also introduce new vulnerabilities because it increases the number of remote entry points into the network (e.g., IoT sensors and remote access points). The volume of data and complexity of automated operations—including reliance on third-party vendors to monitor and manage operations—can reduce visibility into system operations and potentially hinder real-time incident response.
Automation for infrastructure operations in smart city environments may require the use of sensors and actuators that increase the number of endpoints and network connections that are vulnerable to compromise. The integration of AI and complex digital systems could introduce new unmitigated attack vectors and additional vulnerable network components. Reliance on an AI system or other complex systems may decrease overall transparency into the operations of networked devices as these systems make and execute operational decisions based on algorithms instead of human judgment.
Secure Planning and Design
The authoring organizations strongly recommend communities include strategic foresight and proactive cybersecurity risk management processes in their plans and designs for integrating smart city technologies into their infrastructure systems. New technology should be deliberately and carefully integrated into legacy infrastructure designs. Communities should ensure any “smart” or connected features they are planning to include in new infrastructure are secure by design and incorporate secure connectivity with any remaining legacy systems. Additionally, communities should be aware that legacy infrastructure may require a redesign to securely deploy smart city systems. Security planning should focus on creating resilience through defense in depth and account for both physical and cyber risk as well as the converged cyber-physical environment that IoT and industrial IoT (IIoT) systems introduce. See the following consolidated, baseline practices that organizations of all sizes can implement to reduce the likelihood and impact of known IT and OT risks.
See the following additional resources for guidance on accounting for risks in the cyber, physical, and converged environments:
Apply the Principle of Least Privilege
The organizations responsible for implementing smart city technology should apply the principle of least privilege throughout their network environments. As defined by the U.S. National Institute of Standards and Technology (NIST), the principle of least privilege is, “The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” Administrators should review default and existing configurations along with hardening guidance from vendors to ensure that hardware and software is only permissioned to access other systems and data that it needs to perform its functions. Administrators should also immediately update privileges upon changes in administrative roles or the addition of new users or administrators from newly integrated systems. They should use a tiered model with different levels of administrative access based on job requirements. Administrators should limit access to accounts with full privileges across an enterprise to dedicated, hardened privileged access workstations (PAWs). Administrators should also use time-based or just-intime privileges and identify high-risk devices, services, and users to minimize their access. For detailed guidance, see:
Enforce Multifactor Authentication
The organizations responsible for implementing smart city technology should secure remote access applications and enforce multifactor authentication (MFA) on local and remote accounts and devices where possible to harden the infrastructure that enables access to networks and systems. Organizations should explicitly require MFA where users perform privileged actions or access important (sensitive or high-availability) data repositories. Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols. Organizations responsible for implementing smart cities should review configuration policies to protect against “fail open” and re-enrollment scenarios. See the following resource for guidance on implementing MFA:
Implement Zero Trust Architecture
Implementing zero trust network design principles will create a more secure network environment that requires authentication and authorization for each new connection with a layered, defense-in-depth approach to security. Zero trust also allows for greater visibility into network activity, trend identification through analytics, issue resolution through automation and orchestration, and more efficient network security governance. See the following resources for guidance on implementing zero trust:
Note: Both zero trust architecture and MFA should be applied wherever operationally feasible in balance with requirements for endpoint trust relationships. Some OT networks may require trust-by-default architectures, but organizations should isolate such networks and ensure all interconnections with that network are secured using zero trust and related principles.
Manage changes to internal architecture risks
The organizations responsible for implementing smart city technology should understand their environment and carefully manage communications between subnetworks, including newly interconnected subnetworks linking infrastructure systems. Network administrators should maintain awareness of their evolving network architecture and the personnel accountable for the security of the integrated whole and each individual segment. Administrators should identify, group, and isolate critical business systems and apply the appropriate network security controls and monitoring systems to reduce the impact of a compromise across the community. See the following resources for detailed guidance:
Securely manage smart city assets
Secure smart city assets against theft and unauthorized physical changes. Consider implementing physical and logical security controls to protect sensors and monitors against manipulation, theft, vandalism, and environmental threats.
Improve security of vulnerable devices
See the following resources for guidance on protecting devices by securing remote access:
Protect internet-facing services
See the following resources for guidance on protecting internet-facing services:
Patch systems and applications in a timely manner
Where possible, enable automatic patching processes for all software and hardware devices that include authenticity and integrity validation. Leverage threat intelligence to identify active threats and ensure exposed systems and infrastructure are protected. Secure software assets through an asset management program that includes a product lifecycle process. This process should include planning replacements for components and software nearing or past end-oflife, as patches may cease to be developed by manufacturers or developers. See the following resources for guidance on protecting systems and networks via asset management:
Review the Legal, Security, and Privacy Risks Associated with Deployments
Implement processes that continuously evaluate and manage the legal and privacy risks associated with deployed solutions.
Proactive Supply Chain Risk Management
All organizations responsible for implementing smart city technology should proactively manage ICT supply chain risk for any new technology, including hardware or software that supports the implementation of smart city systems or service providers supporting implementation and operations. Organizations should use only trusted ICT vendors and components. The ICT supply chain risk management process should include participation from all levels of the organization and have full support from program leaders implementing smart city systems. Procurement officials from communities implementing smart city systems should also communicate minimum security requirements to vendors and articulate actions they will take in response to breaches of those requirements. Smart city technology supply chains should be transparent to the citizens whose data the systems will collect and process.
For detailed supply chain security guidance, see:
Software Supply Chain
The organizations responsible for implementing smart city technology should set security requirements or controls for software suppliers and ensure that potential vendors use a software development lifecycle that incorporates secure development practices, maintains an active vulnerability identification and disclosure process, and enables patch management.
Product vendors should also assume some of the risk associated with their products and develop smart city technology in adherence to secure-by-design and secure-by-default principles and active maintenance for the products they provide. Vendors adhering to these principles give the organizations responsible for procuring and implementing smart city technology more confidence in the products they introduce into their networks.
For detailed guidance, see:
• Software Bill of Materials (CISA)
• Protecting your organization from software supply chain threats (CCCS)
Hardware and IoT Device Supply Chain
Organizations responsible for implementing smart city technology should determine whether the IoT devices and hardware that will enable “smart” functionality will require support from third-party or external services. These organizations should perform due-diligence research on how parts are sourced and assembled to create products. They should also determine how the devices store and share data and how the devices secure data at rest, in transit, and in use. Organizations should maintain a risk register that identifies both their own and their vendors’ reliance on cloud computing support, externally sourced components, and similar dependencies. For detailed guidance, see:
Managed Service Providers and Cloud Service Providers
Organizations should set clear security requirements for managed service providers and other vendors supporting smart city technology implementation and operations. Organizations should account for the risks of contracting with third-party vendors in their overall risk management planning and ensure organizational security standards are included in contractual agreements with external parties. Similarly, organizations should carefully review cloud service agreements, including data security provisions and responsibility sharing models. For detailed guidance, see:
The organizations responsible for implementing smart city technology should develop, assess, and maintain contingencies for manual operations of all critical infrastructure functions and train staff accordingly. Those contingencies should include plans for disconnecting infrastructure systems from one another or from the public internet to operate autonomously. In the event of a compromise, organizations should be prepared to isolate affected systems and operate other infrastructure with as little disruption as possible.
Backup Systems and Data
The organizations responsible for implementing smart city technology should create, maintain, and test backups, both for IT system records and for manual operational capabilities for the physical systems integrated in a smart city network. These organizations should identify how and where data will be collected, processed, stored, and transmitted and ensure each node in that data lifecycle is protected. System administrators should store IT backups separately and isolate them to inhibit the spread of ransomware—many ransomware variants attempt to find and encrypt/delete accessible backups. Isolating backups enables restoration of systems/data to their previous state in the case of a ransomware attack.
The organizations responsible for implementing smart city technology should have plans in place and training for staff so operations managers can disconnect normally connected infrastructure systems and operate manually in an “offline” mode to maintain basic service levels. For detailed guidance, see:
Conduct Workforce Training
Though implementation of smart city technology may include extensive automation, employees responsible for managing infrastructure operations should be prepared to isolate compromised IT systems from OT and manually operate core functions if necessary. Organizations should train new and existing employees on integrated, automated operations as well as isolated, manual backup procedures, including processes for restoring service after a restart. Organizations should update training regularly to account for new technologies and components. For detailed guidance, see:
Develop and Exercise Incident Response and Recovery Plans
Incident response and recovery plans should include roles and responsibilities for all stakeholders including executive leaders, technical leads, and procurement officers from inside and outside the smart city implementation team. The organizations responsible for implementing smart city technology should maintain up-to-date and accessible hard copies of these plans for responders should the network be inaccessible (e.g., due to a ransomware attack). Organizations should exercise their plans annually and coordinate with continuity managers to ensure continuity of operations. For detailed guidance see:
This guidance was developed by U.S., U.K., Australian, Canadian, and New Zealand cybersecurity authorities to further their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
Microsoft, IBM, and Nozomi Networks contributed to this guidance.
The information in this report is provided “as is” for informational purposes only. CISA, NSA, FBI, NCSC-UK, ACSC, CCCS, and NCSC-NZ do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring.
U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at email@example.com or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. United Kingdom organizations: report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973. Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at firstname.lastname@example.org. New Zealand organizations: report cyber security incidents to email@example.com or call 04 498 7654