The concept of heavily connected, internet driven Smart Cities bristling with digital cameras and sensors might have been the dream of Big Tech firms like Google and Amazon looking to rewire urban infrastructure in their own image, but the Five Eyes intelligence community, including the Australian Signals Directorate, has just fired off a serious new warning about the major cyber risks technologies like the Internet of Things (IoT) and 5G now pose.
In a major upgrade to advice previously directed at the deployment of 5G networks, the Five Eyes agencies are now telling everyone from major carriers to town mayors and wastewater operators to take a serious second look at the heavily-pumped notion of connecting everything from rubbish bins to traffic lights to the net.
“Integrating public services into a connected environment can increase the efficiency and resilience of the infrastructure that supports day-to-day life in our communities. However, communities considering becoming “smart cities” should thoroughly assess and mitigate the cybersecurity risk that comes with this integration,” Five Eyes cyber agencies, including Australia’s said in a joint release issuing new guidance.
While it may sound commonsense and friendly enough, the new joint guide, Cybersecurity Best Practices for Smart Cities, is in effect the schoolyard whistle being blown cyber security tsars wary of the number of potent new threats being introduced by connecting once discrete networks that sued their own proprietary protocols to communicate.
The agencies issuing the guide are the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), US National Security Agency (NSA), US Federal Bureau of Investigation (FBI), United Kingdom National Cyber Security Centre (NCSC UK), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC NZ). In other words the whole gang.
The US CISA seems especially concerned.
“The Connected Communities Initiative (CCI) represents a shift in CISA’s focus from exclusively supporting the security and resilience of 5G networks, to the comprehensive examination of the technologies in which those networks are intended to enable,” CISA said in its advice.
“Integrating a greater number of previously separate infrastructure systems into a single network environment expands the digital attack surface, increasing opportunities for threat actors to successfully exploit a vulnerability for initial access, move laterally across networks, and cause cascading, cross-sector disruptions of infrastructure operations.”
The release of the advice and guidance also adds a new dimension to the recent wave of national security anxiety attacks over the proliferation of cheap, internet-enabled digital video cameras from China, like Hikvision, that have surfaced this year.
Chinese telecommunications giant Huawei has also been excluded from participating in builds of both Australia’s National Broadband Network and the nation’s rollout of 5G.
“Smart city technologies provide opportunities for more innovative and sustainable communities, but they also broaden the attack surface and risks to our security and critical infrastructure,” Head of the Australian Cyber Security Centre, Abigail Bradshaw said.
“This guidance helps forward-thinking communities to securely integrate new technologies into existing infrastructure, ensuring the resilience and protection of the data, systems and interconnected infrastructure we need for our daily lives and business.”
Risks listed in the guidance include over-reliance on vendors to procure and integrate hardware and software that link infrastructure operations via data connections.”
“ICT vendors providing smart city technology should take a holistic approach to security by adhering to secure-by-design and secure-by-default development practices. Software products developed in accordance with these practices decrease the burden on resource-constrained local jurisdictions and increase the cybersecurity baseline across smart city networks.”
Using single suppliers for smart city rollouts is also being called out.
“The risk from a single smart city vendor could be much higher than in other ICT supply chains or infrastructure operations, given the increased interdependencies between technologies and basic or vital services,” the Smart Cities warning says.
“Organisations should consider risks from each vendor carefully to avoid exposing citizens, businesses, and communities to both potentially unreliable hardware and software and deliberate exploitation of supply chain vulnerabilities as an attack vector.”
A high-profile smart city prototype is Google’s Sidewalk Labs, which targets commercial building owners, parking operators, building designers and architects and energy and HVAC providers.
Google had heavily touted a waterfront urban development in Toronto as its marquee Smart City project that included a raft of automation and augmented technologies to help reduce carbon emissions, but scaled back the venture in 2020 citing COVID pressures.
Any feedback or news tips? Here’s where to contact the relevant team.