CISA, the Critical Infrastructure Security Agency that works under DHS and is charged with protecting the nation’s critical infrastructure from cyberattacks, recently released a really good paper on how to build cybersecurity into your smart city project. The name of the paper is “Trust in Smart City Systems: Characteristics and Key Considerations.” This kind of document is long overdue, and apparently came out several months ago in January, but I wasn’t aware of its existence until someone from NIST forwarded me the link.
A Lifecycle Perspective on Smart City Cybersecurity
The good thing about this document is that it takes a lifecycle perspective on cybersecurity for smart cities, from the earliest phases of a project through the lifecycle of the city. ARC has written extensively about the lack of focus on cybersecurity on the part of both end-users and suppliers of smart city technology solutions, particularly in the world of operations technology (OT).
The opening paragraph of the paper sums up the problem pretty well:
The Smart Cities Council, a global advocate for smart city adoption, states that the term “smart cities” still lacks a universally agreed-upon definition. However, the term generally refers to the integration of information technology (IT) with the management and operation of civic functions. As these civic functions can include operational technology (OT) elements that monitor and operate physical systems, a smart city system can be seen as representing the intersection of the IT, OT, and public service domains of practice. All three domains are represented by mature fields of practice, but their combination in cross-domain projects can expose gaps within each domain, where key characteristics important to one domain might not be considered by the others. If not addressed, these gaps can introduce security, safety, and privacy risks, including risks to critical infrastructure and its underpinning technology.