NCSC warns councils over ‘foreign influence’ in smart city projects

UK security officials are growing increasingly anxious about the prospect of local councils signing smart city agreements with foreign state-backed companies, potentially gaining unchecked influence over critical national infrastructure.

With cities across the UK on the cusp of pursuing their own smart city projects, the National Cyber Security Centre (NCSC) has issued guidance on the security considerations they must take, and the risks involved in pursuing such projects.

It comes in light of dual fears that local authorities may inadvertently extend the UK’s attack surface on a massive scale by not taking security seriously enough, while also relinquishing sensitive data to state-backed entities.

“A connected place provides a range of critical functions and services to its citizens,” the guidance said. “The systems that these functions and services rely on will be moving, processing, and storing sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors.

"If UK connected place data is hosted in or routed through a foreign country, the government of that country may be able to influence the supplier to provide it with access to that data, or it may be able to access that data directly under national security and intelligence laws," the report continued. "If a foreign corporate group provides corporate services to the supplier, the corporate group may be able to directly view or access certain data held by the supplier."

It added that if connected systems are compromised through a hack or viewed by a foreign entity, the consequences could range from "breaches of privacy to the disruption or failure of critical functions", which in some cases "could endanger the local citizens".

One of the greatest risks, according to the NCSC, are countries seeking to obtain sensitive commercial and personal data from the UK, while seeking to cause disruption to overseas services. These entities may be influenced by foreign governments to exfiltrate data from UK smart cities and feed this into their own intelligence services.

These suppliers may also be used as a vehicle for cyber attacks, either by attempting to instigate denial of service attacks or by poisoning a digital service through data manipulation or code injection that can affect how the service operates.

China remains one of the leading smart city technology providers, although the report doesn’t mention China, or Chinese companies, by name. For instance, the Financial Times (FT) reported that Bournemouth council was close to signing an agreement for “smart place” services with Alibaba before it was terminated at the last minute.

“The more connected devices, the more threat vectors become open for cybercriminals to exploit,” said cyber security specialist with ESET, Jake Moore. “When creating smart cities it is vital that those designing them have security in mind from the outset and attempt to future-proof the infrastructures.

“Failure to prepare for cyber attacks now will mean they will inevitably fall over later and with the amount of data at risk, smart cities could be a disaster. More devices mean more of our private information is at stake which will remain a target to those who want to take advantage of such new technologies, so we need to be mindful of how much of our personal data we release.”

The guidance also includes general rules and principles for local authorities to follow when designing their systems. Specific examples the NCSC references include CCTV platforms, traffic light management, waste management, streetlight management, and transport services, among other public services.

These guiding principles, the NCSC said, must be read by local councils in conjunction with advice from the Centre of Protection of National Infrastructure (CPNI), which focuses on physical and personnel security.