NCSC warns councils over ‘foreign influence’ in smart city projects

16-page report details cyber security and privacy risks of signing agreements with foreign state-backed companies

The UK in red and the EU in blue as seen in a digitised map

UK security officials are growing increasingly anxious about the prospect of local councils signing smart city agreements with foreign state-backed companies, potentially gaining unchecked influence over critical national infrastructure.

With cities across the UK on the cusp of pursuing their own smart city projects, the National Cyber Security Centre (NCSC) has issued guidance on the security considerations they must take, and the risks involved in pursuing such projects.

It comes in light of dual fears that local authorities may inadvertently extend the UK’s attack surface on a massive scale by not taking security seriously enough, while also relinquishing sensitive data to state-backed entities.

“A connected place provides a range of critical functions and services to its citizens,” the guidance said. “The systems that these functions and services rely on will be moving, processing, and storing sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors.

"If UK connected place data is hosted in or routed through a foreign country, the government of that country may be able to influence the supplier to provide it with access to that data, or it may be able to access that data directly under national security and intelligence laws," the report continued. "If a foreign corporate group provides corporate services to the supplier, the corporate group may be able to directly view or access certain data held by the supplier."

It added that if connected systems are compromised through a hack or viewed by a foreign entity, the consequences could range from "breaches of privacy to the disruption or failure of critical functions", which in some cases "could endanger the local citizens".

One of the greatest risks, according to the NCSC, are countries seeking to obtain sensitive commercial and personal data from the UK, while seeking to cause disruption to overseas services. These entities may be influenced by foreign governments to exfiltrate data from UK smart cities and feed this into their own intelligence services.

These suppliers may also be used as a vehicle for cyber attacks, either by attempting to instigate denial of service attacks or by poisoning a digital service through data manipulation or code injection that can affect how the service operates.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

China remains one of the leading smart city technology providers, although the report doesn’t mention China, or Chinese companies, by name. For instance, the Financial Times (FT) reported that Bournemouth council was close to signing an agreement for “smart place” services with Alibaba before it was terminated at the last minute.

“The more connected devices, the more threat vectors become open for cybercriminals to exploit,” said cyber security specialist with ESET, Jake Moore. “When creating smart cities it is vital that those designing them have security in mind from the outset and attempt to future-proof the infrastructures.

“Failure to prepare for cyber attacks now will mean they will inevitably fall over later and with the amount of data at risk, smart cities could be a disaster. More devices mean more of our private information is at stake which will remain a target to those who want to take advantage of such new technologies, so we need to be mindful of how much of our personal data we release.”

The guidance also includes general rules and principles for local authorities to follow when designing their systems. Specific examples the NCSC references include CCTV platforms, traffic light management, waste management, streetlight management, and transport services, among other public services.

These guiding principles, the NCSC said, must be read by local councils in conjunction with advice from the Centre of Protection of National Infrastructure (CPNI), which focuses on physical and personnel security.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

2 Jun 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Fastly blames software bug for major outage
public cloud

Fastly blames software bug for major outage

9 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021