Earlier this month, the UK National Cyber Security Centre (NCSC) issued new guidance to assist UK authorities in securing smart cities and protecting them from the threat of cyber-attacks. 

The guidance is a set of principles which are aimed at UK local and national authorities responsible for the design, build and operation of UK connected places. The NCSC also highlights that the guidance will be relevant for those with responsibility for risk and cyber security and who are involved in the day-to-day operations of the connected places infrastructure. 

The guidance is split into 3 sections under which the relevant principles are included. 

1. Understanding your connected place including: 
   • the need to have a clear and complete understanding of the relevant connected place with a view to developing a clear picture of factors such as accountability and responsibility for the connected place, dependencies (including with systems and/or suppliers) and data mapping (including personal data);
   • understanding the risks to the connected place including understanding connections, data and a clear understanding of system architecture, access controls and system resilience;
   • the need for cyber security to be owned, governed and promoted at the most senior levels within organisations responsible for connected places;
   • the role of suppliers in delivering connected place, and the guidance emphasises that responsibility for cyber security remains with the relevant authority; 
   • ensuring that there is a clear understanding of the legal and regulatory requirements including the need to ensure that the requirements of UK GDPR and the Data Protection Act 2018 are met. 
2. Designing your connected place including:
   • secure design of the connected place architecture. The guidance highlights the importance of ensuring that this covers the cyber domain, the cyber-physical domain and the physical space;
   • designing the connected place to reduce exposure and ensuring that connected place interfaces are only exposed where absolutely necessary;
   • ensuring that the design of the connected place protects data. The guidance acknowledges the vast amounts of data that will be processed in delivering a connected place;
   • designing the connected place in such a way that it is scalable and able to respond to increasing demand or new services;
   • the need to have a monitoring system which is independent from operational systems.
3. Managing your connected place including:
   • managing access to minimise the risk of an unauthorised person obtaining access to your system. This includes managing devices, interfaces and privileged accounts;
   • managing supply chains and encouraging them to improve security hygiene to deal with an evolving threat landscape; 
   • the need to manage security and technology requirements throughout the connected place's life cycle. In particular, the guidance recognises the need to ensure that there is a suitable approach to ensuring that the approach to security is evolving in response to new services, technology and threats;
   • preparing and planning for incidents including through maintaining incident management policies and procedures and planning for recovery following an incident.  

It is hoped the cyber-security principles will help encourage councils to embrace the opportunities that digital technology has to offer, whilst ensuring that connected places and their underlying infrastructure are more manageable and resilient to cyber-attacks.

If you'd like to discuss cyber security and smart cities or hear more about our practice, please contact Lucy Pegler.  

This blog post was written by Ebony Ezekwesili.