NCSC warns councils over ‘foreign influence’ in smart city projects

16-page report details cyber security and privacy risks of signing agreements with foreign state-backed companies

UK security officials are growing increasingly anxious about the prospect of local councils signing smart city agreements with foreign state-backed companies, potentially gaining unchecked influence over critical national infrastructure.

With cities across the UK on the cusp of pursuing their own smart city projects, the National Cyber Security Centre (NCSC) has issued guidance on the security considerations they must take, and the risks involved in pursuing such projects.

It comes in light of dual fears that local authorities may inadvertently extend the UK’s attack surface on a massive scale by not taking security seriously enough, while also relinquishing sensitive data to state-backed entities.

“A connected place provides a range of critical functions and services to its citizens,” the guidance said. “The systems that these functions and services rely on will be moving, processing, and storing sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors.

"If UK connected place data is hosted in or routed through a foreign country, the government of that country may be able to influence the supplier to provide it with access to that data, or it may be able to access that data directly under national security and intelligence laws," the report continued. "If a foreign corporate group provides corporate services to the supplier, the corporate group may be able to directly view or access certain data held by the supplier."

It added that if connected systems are compromised through a hack or viewed by a foreign entity, the consequences could range from "breaches of privacy to the disruption or failure of critical functions", which in some cases "could endanger the local citizens".

One of the greatest risks, according to the NCSC, are countries seeking to obtain sensitive commercial and personal data from the UK, while seeking to cause disruption to overseas services. These entities may be influenced by foreign governments to exfiltrate data from UK smart cities and feed this into their own intelligence services.

These suppliers may also be used as a vehicle for cyber attacks, either by attempting to instigate denial of service attacks or by poisoning a digital service through data manipulation or code injection that can affect how the service operates.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

China remains one of the leading smart city technology providers, although the report doesn’t mention China, or Chinese companies, by name. For instance, the Financial Times (FT) reported that Bournemouth council was close to signing an agreement for “smart place” services with Alibaba before it was terminated at the last minute.

“The more connected devices, the more threat vectors become open for cybercriminals to exploit,” said cyber security specialist with ESET, Jake Moore. “When creating smart cities it is vital that those designing them have security in mind from the outset and attempt to future-proof the infrastructures.

“Failure to prepare for cyber attacks now will mean they will inevitably fall over later and with the amount of data at risk, smart cities could be a disaster. More devices mean more of our private information is at stake which will remain a target to those who want to take advantage of such new technologies, so we need to be mindful of how much of our personal data we release.”

The guidance also includes general rules and principles for local authorities to follow when designing their systems. Specific examples the NCSC references include CCTV platforms, traffic light management, waste management, streetlight management, and transport services, among other public services.

These guiding principles, the NCSC said, must be read by local councils in conjunction with advice from the Centre of Protection of National Infrastructure (CPNI), which focuses on physical and personnel security.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021
UC Irvine selects Velodyne Lidar’s traffic-monitoring solution
smart city

UC Irvine selects Velodyne Lidar’s traffic-monitoring solution

28 Sep 2021
Derq moves into Qualcomm Smart Cities Accelerator Program
smart city

Derq moves into Qualcomm Smart Cities Accelerator Program

20 Aug 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022