Connected places, also known as smart cities, are intended to enable enhanced service provision for their citizens. This is achieved through greater availability of information, integration of services and systems, and outcome-based contracting. These measures can increase the capacity, efficiency, reliability, resilience, and availability of existing assets and services. These developments can introduce new vulnerabilities and security issues.
One purpose of a connected place is to join up specific vertical sectors (e.g., utilities, transport, health, etc.), for example, in the deployment of public EV charging points. The integration crosses organisational boundaries to achieve a whole-place approach for the creation, delivery and use of spaces and services. These changes should allow the place to:
- take better account of the needs of current and future citizens;
- integrate physical and digital planning;
- more efficiently and sustainably identify, anticipate, and respond to emerging challenges, including emergency situations; and
- increase the capacity for service delivery and innovation which in turn has the capability to drive efficiencies and effectiveness.
Advances in digital engineering, information and communication technologies are significant enablers of these changes. However, the increased use of, and dependence on, these technologies creates significant vulnerabilities and associated security issues. The impact of these issues can be increased when coupled with greater sharing and use of place data and information, and adoption of new service delivery models. A range of threat actors might seek to exploit these vulnerabilities to compromise the value, longevity and ongoing use of built assets and services. Threat actors may also seek to affect the safety and security of the place’s citizens.
The approach to security of a connected place differs from any security-minded policies and processes adopted within an individual local authority or service delivery organisation. Security of a connected place depends on how organisations plan to respond to the new or enhanced vulnerabilities created by changes to existing ways of working and greater information sharing.
PAS 185:2023, commissioned by NPSA and facilitated by BSI, is a specification for establishing and implementing a place-wide, strategic-level, security-minded approach as part of both its development and operation. It details the approach for applying holistic measures that are appropriate and proportionate to the risks, while not preventing the delivery of a place's aims. Copies of PAS 185:2023 may be purchased from BSI.
NPSA are publishing a range of advisory materials to help with understanding PAS 185:2023, its context and implementation. These are available in the resources section below.
NCSC has published a set of cyber security principles that will help manage cyber security risks of a connected place and its underlying infrastructure. These principles will help organisations to become more resilient to cyber-attack. A particular consideration for connected place systems is the use of cloud services; see the NCSC guidance on cloud services.
The cyber security principles should be considered alongside physical, personnel and process security measures to develop a robust, holistic security-minded approach. In addition, connected places should adopt information management good practices to understand the value and sensitivity of information that is being shared.
The triage process document linked at the foot of this page provides detailed advice on the assessment and management of information before it is shared with a third party, published, or otherwise disclosed.
In developing a connected place, decision-makers need to be aware that a range of legislation and regulations can create obligations to publish or disclose information about assets and services. Advice linked at the foot of this page provides suggestions as to how these obligations may be fulfilled in a security-minded manner. It is the responsibility of decision-makers to take appropriate legal and security advice when considering these suggestions.
Adopting a security-minded approach to connected places.
Connected places, sometimes referred to as Smart Cities, seek to increase the capacity, efficiency, reliability and resilience and therefore availability of their built assets and services.
They do this by integrating information, communication, technologies and IoT devices to better understand how their transportation, buildings, utilities and public services are performing in right time.
Things like using intelligent street lighting to collect real-time data which can be used to increase the control over the lighting network.
Rather than being on or off, it can be brightened or dimmed in response to movement. This can help with safety and security, but also increases the energy efficiency of the system.
Sensors can be used to monitor air pollution, footfall and traffic flow to help with infrastructure planning and management.
They can also be used to detect unusual levels of noise in the street, facilitating a faster response to potential anti-social disturbance.
But to deliver these considerable benefits whilst maintaining the trust of the citizens, connected places need to be aware of and manage the vulnerabilities that arise.
A connected place's functions and services increasingly rely on systems that gather, move, process and store data, some of which is sensitive.
Some of these systems also control critical operational technology. Unfortunately, this makes these systems an attractive target for a range of hostile actors, people who are motivated to cause disruption, steal, misuse or damage information and compromise our most valuable assets.
If an attack on a connected place network were to succeed, it could mean a damaging loss of trust for UK residents, making it hard for people to accept similar projects in the future. Not to mention the cost to repair, improve and resecure the connected infrastructure.
So how do we best mitigate these security risks?
By taking a security-minded approach to addressing vulnerabilities.
These vulnerabilities can arise from:
- The increase in the volume of information that is being generated, collected, used and stored including personal data, intellectual property and commercially sensitive information.
- Greater sharing of information within and across organisations.
- The combination of information from a wide range of sources.
- Differing organisational priorities, governance arrangements, security understanding and concerns, and risk appetite.
The security-minded approach needs to respond to any risks identified but shouldn’t prevent the connected place from delivering its aims.
Where the connected place involves multiple organisations, we recommend 4 steps to ensure everyone adopts a common approach.
- Create a combined governance structure, put in place a legally constituted structure. Make sure the relationship of this structure is understood and agreed within each organisation involved.
- Agree who will lead on developing the combined security-minded approach. Where roles sit in different organisations, make sure to clarify who’s accountable and responsible for what.
- Appoint individuals accountable for implementing the security-minded approach.
- Regularly review your combined approach. Set up a procedure for monitoring the security policies and regularly communicate with staff and other relevant parties to make sure you stay robust against potential attacks.
Having an agreed collaborative security-minded approach built in this way is more robust than one where organisations work in isolation.
When a governance structure is in place, the connected place as a whole can identify potential threats which may seek to exploit the vulnerabilities that exist.
Assess the resultant security risks and decide where these exceed the collective risk appetite and…
Implement appropriate and proportionate security measures to mitigate them.
That’s across personnel, physical and cyber security.
For more information and further support, click the relevant links below this video.
You’ll find additional guidance on adopting a security-minded approach to connected places and measures for managing related security risks.