Privacy, Technology and Perspective
Five Eyes Issues Guidance for the Deployment of “Smart City” Technologies. This week, we welcome new “smart city” cybersecurity guidance issued by the Five Eyes intelligence alliance, which consists of Australia, Canada, New Zealand, the United Kingdom, and the United States. For our municipal clients (and for vendors who provide these technologies), this guidance is as long overdue as it is important.
Background: The term “smart cities” refers to communities that:
· Integrate information and communications technologies (ICT), community-wide data, and intelligent solutions to digitally transform infrastructure and optimize governance in response to citizens’ needs; and
· Connect the operational technology (OT) managing physical infrastructure with networks and applications that collect and analyze data using ICT components—such as internet of things (IoT) devices, cloud computing, artificial intelligence (AI), and 5G.
“Smart city” technologies include interconnected networks, sensors, and advanced analytics that manage various aspects of city life, from traffic and waste management to public safety and energy consumption. Many communities and commercial developments have deployed these technologies in an effort to improve the quality of life for their citizens, enhance public services, and create more efficient urban environments (think of parking and urban-transit planning, to name just two examples).
But smart city technologies are accompanied by substantial cybersecurity risks, and specifically introduce “potential vulnerabilities that, if exploited, could impact national security, economic security, public health and safety, and critical infrastructure operations.”
Don’t just take our word for it. The preceding quote appears on page 4 of the new Five Eyes guidance, which is available for you to read by clicking on the following link:
Here are more details:
Five Eyes’ Guidance: On April 19, 2023, Five Eyes issued its “Cybersecurity Best Practices for Smart Cities.” The guidance aims to help governments, city planners, and technology partners build secure, resilient, and privacy-respecting smart cities. Generally, the guidance highlights the risks to “smart cities” and makes recommendations.
Smart City Risks. Summarized, the guidance identifies key smart city risks, including the creation of an expanded and interconnected attack surface, and the potential loss of visibility into components owned and operated by vendors. The guidance notes that communities that deploy such technologies may find it difficult to maintain awareness and control of their evolving network topology. Additional risks include those presented by automating critical operations (e.g. wastewater treatment), and poor security practices associated with the supply chain and vendors. These can lead to disruption of availability in operational technology, network failures, theft of data and intellectual property, and worse.
Recommendations. The guidance suggests the following recommendations:
Secure planning and design: Communities should be strategic and exercise “proactive cybersecurity risk management processes in their plans and designs for integrating smart city technologies into their infrastructure systems.” This means assessing the risks associated with deploying smart city technologies and prioritizing mitigations based on potential consequences before deploying such technologies. Secure planning and design should focus on accounting for both physical and cyber risk as the cyber-physical environment converge. Organizations should ensure that Information Technology (IT) and OT security issues are adequately considered and addressed
Prioritize cybersecurity and data privacy: The guidance specifically encourages organizations implementing smart city technologies to take some prescriptive cybersecurity and privacy steps, including:
· Applying the principle of least privilege throughout their network environments,
· Utilizing and enforcing multi-factor authentication,
· Implementing zero trust network design principles,
· Maintaining awareness of changes to network architecture,
· Securely managing smart city assets, including sensors and monitors,
· Protecting internet-facing services and devices by securing remote access,
· Timely patching apps and systems, and
· Reviewing the legal, security, and privacy risks associated with deployments.
Proactive Supply Chain Risk Management: The guidance encourages communities to gain and maintain control of their supply chains, recognizing that “a vulnerable…supply chain could allow the degradation or disruption of infrastructure operations and the compromise or theft of sensitive data from utility operations, emergency service communications, or visual surveillance technologies…” and that “smart city IT vendors may also have access to vast amounts of sensitive data from multiple communities to support the integration of infrastructure services—including sensitive government information and personally identifiable information (PII)—which would be an attractive target for malicious actors.” The guidance therefore encourages procurement officials to establish minimum security requirements and controls for vendors, and to require vendors to be transparent with how their systems will collect and process data. The guidance further urges that product vendors should assume some of the risk associated with their products, and develop their technologies in adherence to secure-by-design and secure-by-default principles. Additionally, it prescribes due diligence on hardware and IoT device components, and appropriate contracting that includes organizational security standards with all vendors, including managed service and cloud service providers.
Ensuring Operational Resilience. The guidance also suggests that deployments of smart city technologies need a back-up plan if the technologies fail, and particularly have manual operations of all critical infrastructure functions. Staff should also be trained accordingly, and incident response and recovery plans should be robust.
Lower Cost, Higher Risk. Many “smart city technology” vendors pitch to cities not only the benefits to the cities, but a high value for a low, low cost, offering discounts or even free installations in return for being able to sell advertising. Nirvana! This is obviously eye-grabbing to city planners and department heads who are watching their budgets. But selling advertising requires more and better surveillance, in order to gather potential-customer data to sell to advertisers or data brokers (or to real estate agents, brokers, or developers). This raises a host of data-privacy issues across an increasing number of states and even nationally (FTC).
What about the Data? “Smart city” vendors may amass, sell, and otherwise leverage data associated with the technologies, unless specifically restricted by contract, then monitored regularly. This means that communities that consider deploying these technologies need to be particularly sensitive to data issues. Yet, anecdotally, we have noticed that the backgrounds of lawyers who run “smart city” deals often consider data issues only tangentially, if at all. This is a huge mistake, especially at a time when vendors everywhere are chasing additional revenue streams. If left unrestricted, vendors may sell the data to data brokers or chase the AI “Golden Goose” by “decanting” the data into huge vats of data from other sources – namely, the “training sets” for AI models, which are being created by AI developers and perhaps even the smart city vendors themselves. See above – then take the existing complexity and risk, and multiply it.
Here, Security Breaches may Mean Literal Danger. More, better, and interconnected surveillance over where you live, drive, or ride (and when you leave), where and when you park, when you leave work (and walk to the parking lot in the dark), etc., would strike many people as creepy – and dangerous – enough. (The Drivers’ Privacy Protection Act and state analogues, inspired from stalking incidents, already exist for a reason. We think their concepts should be expanded to exploitation of “smart city” data.)
No matter how snazzy it is and how free it sounds, “smart city” technology must be secured like the critical-infrastructure technology it often is. We’ve already seen oil-rig technology penetrated, water-dam controls hijacked, and more, often by indirect attacks through innocent-looking controls that are interconnected with larger ones. (Remember the Target stores breach, years ago? Hackers gained entry through the controls to a Target building’s smart HVAC system.) We emphatically do not need hackers taking control of – for example – light-rail streetcars, running through downtown cities.
If You’re Already “Smart,” revisit your deployments, and particularly scrutinize the contracts, components, system access and data use rights associated with those technologies. If you’re hungry for progress, take the necessary steps in order to be ready for the attendant risks.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.