Five Eyes Smart City Cybersecurity Guidance

  • May 15, 2023
  • William Payne

Five governments have published new advice to secure smart cities from cyber-attacks. The US, UK, Canadian, Australian and New Zealand governments have published advice for local government and smart city technology providers to help them better secure smart city developments against cyber attacks by organised crime, terrorist and state actors. The move comes as the international threat level for critical infrastructure, including city technology, is seen as being at an all time high due to the war in Ukraine, increased tension between China and the West, and disturbances in Iran.

The five agencies are part of the Five Eyes global cybersecurity alliance between the United States, UK, Canada, Australia and New Zealand.

The new joint Cybersecurity Best Practices for Smart Cities guide a collaborative effort from the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ).

The guidance notes that communities considering becoming smart cities should thoroughly assess and mitigate the cybersecurity risk that comes with this integration. The report states that smart cities are attractive targets for malicious cyber actors due to data being collected, transmitted, stored, and processed, which can include significant amounts of sensitive information from governments, businesses, and private citizens.

It notes that the complex artificial intelligence-powered software systems employed by smart cities to integrate this data may have vulnerabilities that expose citizen data to attack and capture.

The intrinsic value of the large data sets and potential vulnerabilities in digital systems means there is a risk of exploitation for espionage and for financial or political gain by malicious threat actors, including nation-states, cybercriminals, hacktivists, insider threats, and terrorists.

The agencies state that no technology solution can be completely secure. As communities implement smart city technologies, the new guidance is intended to provide recommendations to balance efficiency and innovation with cybersecurity, privacy protections, and national security. Organisations should implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizens’ private data, and security of sensitive government and business data.

The security agencies who have authored the report recommend reviewing this guidance in conjunction with NCSC-UK’s Connected Places Cyber Security Principles, ACSC’s An Introduction to Securing Smart Places, CCCS’s Security Considerations for Critical Infrastructure, CISA’s Cross-Sector Cybersecurity Performance Goals, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, and Protecting Against Cyber Threats to Managed Service Providers and their Customers.

Britain’s Lindy Cameron, chief executive of NCSC, said: “Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way which safeguards security and data privacy. Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”

The full ‘Cybersecurity Best Practices for Smart Cities’ guidance can be read and downloaded from the CISA website at: