As municipal infrastructure becomes increasingly integrated with technologies to improve the operations and efficiency of basic utilities—running water, power, and internet access—the governments of the U.S., U.K., Australia, Canada and New Zealand launched updated cybersecurity protocols.
These guidelines, developed by an international cohort of agencies—including the U.S.’s Cybersecurity and Infrastructure Security Agency, the Australian Cyber Security Centre and the United Kingdom National Cyber Security Centre—aim to help communities transitioning into tech-based environments, known as “smart cities,” fortify the digital networks that will be crucial to delivering basic utilities and services.
“Integrating public services into a connected environment can increase the efficiency and resilience of the infrastructure that supports day-to-day life in our communities,” the press release reads. “However, communities considering becoming ‘smart cities’ should thoroughly assess and mitigate the cybersecurity risk that comes with this integration.”
In this guidance, a smart city is specifically defined as a municipality that connects physical infrastructure maintenance to networks using integrated information and communications technologies. ICTs, in turn, are listed as internet of things devices, artificial intelligence, 5G broadband and cloud computing software.
The guidance emphasized smart cities’ vulnerability as targets for malicious cyber attacks. Data fueling the operations within these cities’ digital networks is a vulnerable target for threat actors to try to exploit.
“The intrinsic value of the large data sets and potential vulnerabilities in digital systems means there is a risk of exploitation for espionage and for financial or political gain by malicious threat actors, including nation-states, cybercriminals, hacktivists, insider threats and terrorists,” the report notes. AI technologies facilitating the processing and analysis of this data across networks also may contain similar vulnerabilities that can also present new potential attack points.
“The integration of AI and complex digital systems could introduce new unmitigated attack vectors and additional vulnerable network components,” the report says.
Among solutions posited by the guidance is secure software design––a recommendation regulatory agencies have emphasized over the past few weeks. This approach would prioritize security as an inherent feature in softwares used to operate utility infrastructure.
“Communities should ensure any “smart” or connected features they are planning to include in new infrastructure are secure by design and incorporate secure connectivity with any remaining legacy systems,” the report reads.
The use of security tools and updated security architectures, namely multi factor authentication and zero trust, was also recommended.