Smart cities are an “attractive target” for threats, the GCHQ’s National Cyber Security Centre has warned in a new set of guidance for leaders of data-driven places.
Recommendations from the UK intelligence agency outlined 14 steps to ensure that public realm technology and data-rich environments are safe from cybersecurity threats.
The NCSC warned that compromised systems could affect local citizens through data breaches and a disruption or failure of critical functions.
Local authorities could also be at risk, and attacks could affect their reputation, finances and ability to encourage citizen participation.
The guidance was published the same day that a ransomware attack in the US shut down a pipeline that carries almost half of the East Coast’s fuel supply.
Although the guidance is primarily for local and national authorities, the recommendations should also be a “warning klaxon” for the property industry to take cybersecurity seriously, the founder of the Real Estate Data Foundation, Dan Hughes, has said.
In its report, the NCSC said: “A connected place provides a range of critical functions and services to its systems. The systems that these functions and services rely on will be moving, processing, and storing sensitive data, as well as controlling critical operational technology.
“Unfortunately, this makes these systems an attractive target for a range of threat actors. A connected place will be an evolving ecosystem, comprising a range of systems that exchange data, which will only add further risks.”
The guidance is split into three parts – understanding, designing and managing connected places – with a total of 14 recommendations.
The first step is to have a detailed understanding of the tech-enabled place, including who has overall responsibility and accountability, what data will be collected and what the IoT network will look like.
Risks need to be taken into account early with a clear view of the data the system holds and where potential vulnerabilities lie.
Cybersecurity governance and skills play a crucial role: “Over time, the services and functions of the connected place will become embedded within everyday lives of its citizens. Therefore, you need to ensure that the connected place has the resources and funding available for its upkeep such as operational security and improving future services in line with technological advances.”
Connected places need to be designed securely with appropriate protections for the threats identified earlier. Interfaces should be exposed only where necessary, which includes implementing firewall rules that deny everything except for agreed critical network services. Default configurations, such as passwords, should be changed and unused or unnecessary services and ports should be turned off.
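The three design controls in that paragraph can be checked against a device inventory. The sketch below is an added example, not part of the NCSC guidance or the original article; the device names, the agreed service list and the inventory fields are all constructed assumptions.

```python
"""Audit a connected-place inventory: exposure, default credentials, unused services."""

# Assumption: the agreed critical network services, as (protocol, port) pairs.
AGREED_SERVICES = {("tcp", 443), ("tcp", 8883)}  # HTTPS and MQTT over TLS

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"name": "traffic-signal-ctl-01", "credentials_changed": True,
     "listening": [("tcp", 443, "https"), ("tcp", 23, "telnet")],
     "services_in_use": {"https"}},
    {"name": "air-quality-sensor-07", "credentials_changed": False,
     "listening": [("tcp", 8883, "mqtts")],
     "services_in_use": {"mqtts"}},
    {"name": "parking-gateway-02", "credentials_changed": True,
     "listening": [("tcp", 443, "https"), ("tcp", 8883, "mqtts")],
     "services_in_use": {"https"}},
]

def audit_device(device, agreed=AGREED_SERVICES):
    """Return the findings for one device, empty if it meets all three controls."""
    findings = []
    for proto, port, service in device["listening"]:
        if (proto, port) not in agreed:
            # Interface exposed outside the agreed critical services.
            findings.append(f"exposed-not-agreed:{proto}/{port}")
        elif service not in device["services_in_use"]:
            # Port is permitted in principle but nothing relies on it here.
            findings.append(f"unused-service:{service}")
    if not device["credentials_changed"]:
        findings.append("default-credentials")
    return findings

def audit(inventory):
    """Map device name to findings, keeping only devices that have any."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {name: found for name, found in report.items() if found}

def firewall_allow_rules(device, agreed=AGREED_SERVICES):
    """Default-deny: allow only ports that are both agreed and in use."""
    return sorted((proto, port) for proto, port, service in device["listening"]
                  if (proto, port) in agreed and service in device["services_in_use"])

if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(name, found)
```

Everything not returned by `firewall_allow_rules` is denied by default, so the allow list for a device shrinks as unused services are switched off.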
Data protection is also a priority, as is designing the system to be resilient and scalable: “Thought should be given to define acceptable levels of service when faced with increased demand, and the speed at which the system should scale to meet this.
“When limits are reached, the system should degrade gracefully, rather than fail catastrophically.”
Once the system is up and running, managing users, their permissions and devices is a priority because compromises to management accounts could lead to attackers gaining unrestricted access to the system.
Because connected systems evolve, there needs to be a plan for how components are decommissioned, replaced and disposed of without creating new security risks. In the event that things do go wrong, there also needs to be a plan for managing incidents, including response and recovery.
Comment: Dan Hughes, Alpha Property Insight and founder of the Real Estate Data Foundation
It is really encouraging to see the recent guidance published by the NCSC for cybersecurity in the built environment. As the sector evolves from concrete and metal structures to the digital platforms of tomorrow, it is essential that these things are considered.
This guidance is primarily aimed at local authorities for smart cities; however, the principles and the risks are just as real for buildings and the property sector as a whole. Landlords, managers and occupiers should today consider the security implications that the use of technology in their buildings presents.
How long will it be before buildings being held to ransom by actual, or threatened, digital attacks becomes a reality? And when it does, what will this mean for the building’s ability to perform?
The guidance suggests the first two steps to take are to understand the space and then to understand the risks, something every organisation and building should as a minimum be doing today. This need not be costly nor time consuming, but is essential.
The fact that GCHQ are providing guidance about cyber security in smart cities is very welcome and I hope a warning klaxon for the rest of the property sector to take note, and more importantly take action.
The full report is available here.