This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with other global and national governmental agencies, released a joint guide on cybersecurity best practices intended to help communities navigate through the complexities of becoming a smart city.

Integrating public services into a connected environment can increase the efficiency and resilience of the infrastructure that supports day-to-day life in communities. However, communities considering becoming “smart cities” should thoroughly assess and mitigate the cybersecurity risk that comes with this integration.

The guide, “Cybersecurity Best Practices for Smart Cities” was released as a joint effort between CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC NZ).

The joint guide provides an overview of risks to smart cities, including expanded and interconnected attack surfaces; information and communications technologies (ICT) supply chain risks and increasing automation of infrastructure operations. To protect against these risks, the government partners offer three recommendations to help communities strengthen their cyber posture: secure planning and design, proactive supply chain risk management and operational resilience.

Strategies for secure planning and design include enforcing multifactor authentication, implementing zero trust architecture, protecting internet-facing services and patching systems and applications in a timely manner.

Proactive supply chain risk management recommendations include setting clear requirements for software, hardware, and Internet-of-Things (IoT) supply chains and carefully reviewing agreements with third-party vendors, such as managed service providers and cloud service providers.  

In the event of a compromise, operational resilience strategies, such as workforce training and incident response and recovery plans, can prepare organizations to isolate affected systems and operate infrastructure with as little disruption as possible.