Municipalities looking to deploy smart-city technology must shore up their cybersecurity systems, warn global experts.
A smart city is any community that uses information and communications technologies (ICT) to improve its infrastructure and provide services to its residents.
Think of streetlights adjusting brightness depending on the time of day, mobile apps that allow drivers to find open parking spaces and other cloud-based IT solutions that assist with increasing infrastructure efficiency and capacity.
While smart cities can unlock new efficiencies, they also serve as an attractive target for hackers given their collection, storage and processing of data. Cyber authorities from around the globe recently published a paper on how smart cities can protect themselves and their residents.
Below, we’ve highlighted some key recommendations.
Secure by design
Smart cities should be secure by design – i.e., they should be designed with mitigating vulnerabilities top of mind. Legacy infrastructure may require a redesign before being integrated with smart technology.
The principle of least privilege
Network environments should apply the principle of least privilege – i.e., providing minimum access by limiting user, service provider, hardware and software access to the systems and data required for the intended function. When you have new administrators or an administrator changes roles, access privileges should be updated immediately. Access levels should be tiered and determined by an administrator’s job requirements.
You should use multifactor authentication on local and remote accounts and devices, particularly for users who perform privileged actions or access sensitive data.
Zero trust architecture
You should consider adopting a zero trust architecture, which requires new authentication and authorization for each connection, to increase security and your ability to identify risks.
Patch vulnerabilities promptly
Actively monitor threats to your network, be able to isolate critical business systems and, wherever possible, enable automatic patching processes that include authenticity and integrity validation for all software and hardware devices. You should also have plans to replace components and software at or near their end of life – these could become particularly vulnerable if developers aren’t creating new patches to address known threats.
Manage risks with vendors
When procuring smart-city technology, only use trusted ICT vendors and components. Communicate your minimum security requirements to your vendors and have them sign a contract that addresses the actions to be taken if those requirements are breached.
Require your vendors to use secure development practices, actively monitor for vulnerabilities and enable patches. Vendors should also assume some of the risk associated with the use of their products. For more on this topic, see our Key tips for managing privacy and cybersecurity risks with vendors blog.
Be prepared to operate systems manually
Have contingency plans to ensure critical infrastructure can operate manually in the event of a cyber incident. Be prepared to disconnect infrastructure systems from one another or from the internet so they operate autonomously. In the event of a breach, you should be able to isolate the affected systems and continue to operate other infrastructure with minimal disruption. For more on this topic, see our Pro-Russian hackers ramp up attacks on Canadian infrastructure blog.
Review legal, security and privacy risks before implementation
Before implementing new technology, smart cities should ensure that they are aware of and have taken steps to mitigate the associated legal and privacy risks.
The tips in this blog cover only some of the recommendations in the Cybersecurity Best Practices for Smart Cities paper, published jointly by cybersecurity authorities from around the world, including the Canadian Centre for Cyber Security. For more information, see the full document.
If your municipality is considering implementing smart-city technology, cybersecurity should be a key priority. Our lawyers have wide-ranging experience advising municipalities across Western Canada on their privacy law obligations and strategies for defending against cyber threats. To learn more, contact our Municipal or Privacy, Data Protection & Cybersecurity team.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.