IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

NCSC warns councils over ‘foreign influence’ in smart city projects

16-page report details cyber security and privacy risks of signing agreements with foreign state-backed companies

UK security officials are growing increasingly anxious about the prospect of local councils signing smart city agreements with foreign state-backed companies, potentially gaining unchecked influence over critical national infrastructure.

With cities across the UK on the cusp of pursuing their own smart city projects, the National Cyber Security Centre (NCSC) has issued guidance on the security considerations they must take, and the risks involved in pursuing such projects.

It comes in light of dual fears that local authorities may inadvertently extend the UK’s attack surface on a massive scale by not taking security seriously enough, while also relinquishing sensitive data to state-backed entities.

“A connected place provides a range of critical functions and services to its citizens,” the guidance said. “The systems that these functions and services rely on will be moving, processing, and storing sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors.

"If UK connected place data is hosted in or routed through a foreign country, the government of that country may be able to influence the supplier to provide it with access to that data, or it may be able to access that data directly under national security and intelligence laws," the report continued. "If a foreign corporate group provides corporate services to the supplier, the corporate group may be able to directly view or access certain data held by the supplier."

It added that if connected systems are compromised through a hack or viewed by a foreign entity, the consequences could range from "breaches of privacy to the disruption or failure of critical functions", which in some cases "could endanger the local citizens".

One of the greatest risks, according to the NCSC, are countries seeking to obtain sensitive commercial and personal data from the UK, while seeking to cause disruption to overseas services. These entities may be influenced by foreign governments to exfiltrate data from UK smart cities and feed this into their own intelligence services.

These suppliers may also be used as a vehicle for cyber attacks, either by attempting to instigate denial of service attacks or by poisoning a digital service through data manipulation or code injection that can affect how the service operates.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

China remains one of the leading smart city technology providers, although the report doesn’t mention China, or Chinese companies, by name. For instance, the Financial Times (FT) reported that Bournemouth council was close to signing an agreement for “smart place” services with Alibaba before it was terminated at the last minute.

“The more connected devices, the more threat vectors become open for cybercriminals to exploit,” said cyber security specialist with ESET, Jake Moore. “When creating smart cities it is vital that those designing them have security in mind from the outset and attempt to future-proof the infrastructures.

“Failure to prepare for cyber attacks now will mean they will inevitably fall over later and with the amount of data at risk, smart cities could be a disaster. More devices mean more of our private information is at stake which will remain a target to those who want to take advantage of such new technologies, so we need to be mindful of how much of our personal data we release.”

The guidance also includes general rules and principles for local authorities to follow when designing their systems. Specific examples the NCSC references include CCTV platforms, traffic light management, waste management, streetlight management, and transport services, among other public services.

These guiding principles, the NCSC said, must be read by local councils in conjunction with advice from the Centre of Protection of National Infrastructure (CPNI), which focuses on physical and personnel security.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

What is cyber warfare?
Security

What is cyber warfare?

20 May 2022
UC Irvine selects Velodyne Lidar’s traffic-monitoring solution
smart city

UC Irvine selects Velodyne Lidar’s traffic-monitoring solution

28 Sep 2021
Derq moves into Qualcomm Smart Cities Accelerator Program
smart city

Derq moves into Qualcomm Smart Cities Accelerator Program

20 Aug 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022