The UK’s National Cyber Security Centre (NCSC) – the cyber arm of intelligence agency GCHQ – issued guidance for local authorities urging them to think about the cybersecurity of IoT devices before rolling them out, to prevent essential services from being disrupted by hackers.
Internet-connected technology is increasingly used to power smart cities and urban infrastructure – emergency services, transport, traffic light management, CCTV and more – which makes IoT a very tempting target for cyberattacks. The NCSC urged local authorities to be aware of the risks that they – and their citizens – would face if hackers tampered with infrastructure or services. It warned that cyber attackers could compromise “cyber-physical systems” in smart cities if they are not secured properly.
The reliance of IoT-connected smart cities on data “makes these systems an attractive target for a range of threat actors,” the NCSC warns, saying it’s high time to think about their security.
“These connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly. Because as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors,” said Ian Levy, technical director at the NCSC.
The NCSC has published principles for providing these networks with the highest possible level of cybersecurity. It advises starting with understanding the role of the connected place. Local authorities must determine who is responsible for the connected place, what the IoT network will be, what data it will provide, and what data will be processed, stored, and shared. Authorities should build connected smart cities with security in mind from the start.
Before starting to implement IoT infrastructure, authorities must understand the potential risks linked with the connected place. This involves knowing what devices and software will be used in the infrastructure, ensuring that they come from a trusted, reputable vendor, ensuring those devices are secured with strong authentication, and so on.
Default usernames and passwords are not acceptable, and a city shouldn’t be rolling out IoT devices that still use them.
The NCSC says being irresponsible with data storage could result in privacy leaks, while poorly implemented security could allow cyber attackers to disrupt services and systems that are essential to people.
The NCSC guidance particularly mentions the emergence of China as a technology producer, which means that organizations and local authorities could face challenges if they become reliant on devices and software made by that country.
“States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future,” said Jeremy Fleming.