The underlying premise of connected places, also known as smart cities, is that greater availability of data and information, integration of services and systems, and outcome-based contracting can increase the capacity, efficiency, reliability and resilience, and thereby availability, of existing assets to enable enhanced service provision for its citizens.
A key purpose of a connected place is to join up specific vertical sectors (e.g. utilities, transport, health, etc.) across organisational boundaries into a whole-city approach for the creation, delivery and use of spaces and services. These changes should allow the place to:
- take better account of the needs of current and future citizens;
- integrate physical and digital planning;
- more efficiently and sustainably identify, anticipate and respond to emerging challenges, including emergency situations; and
- increase the capacity for service delivery and innovation which in turn has the capability to drive efficiencies and effectiveness.
Advancements in digital engineering, information and communication technologies are significant enablers of these changes. However, the increased use of, and dependence on, these technologies, especially when coupled with much wider sharing and use of city data and information, and new service delivery models, also creates significant vulnerabilities and associated security issues. A range of threat actors might seek to make use of these vulnerabilities in order to compromise the value, longevity and ongoing use of a place's built assets and services, as well as the safety and security of its citizens.
The approach to security that is developed within a connected place will therefore need to differ from any security-minded policies and processes that might already be in place within an individual local authority or other service delivery organisation as it needs to respond to the new or enhanced vulnerabilities created by changes to existing ways of working.
PAS 185:2017, commissioned by CPNI and facilitated by BSI, is a specification for establishing and implementing a city-wide, strategic-level, security-minded approach as part of both its development and operation. It details the approach for applying holistic measures that are appropriate and proportionate to the risks, while not preventing the delivery of a city’s aims. Copies of PAS 185:2017 are available for download.
CPNI are publishing a range of advisory materials to help with understanding PAS 185:2017, its context and implementation. These are available in the resources section below.
NCSC has published a set of cyber security principles that will help manage cyber security risks of a connected place and its underlying infrastructure. These principles will help organisations to become more resilient to cyber-attack. The cyber security principles should be considered alongside physical and personnel security measures to develop a robust, holistic security-minded approach.
Adopting a security minded approach to connected places.
Connected places, sometimes referred to as Smart Cities, seek to increase the capacity, efficiency, reliability and resilience and therefore availability of their built assets and services.
They do this by integrating information, communication, technologies and IOT devices to better understand how their transportation, buildings, utilities and public services are performing in right time.
Things like using intelligent street lighting to collect real time data which can be used to increase the control over the lighting network.
Rather than being on or off, it can be brightened or dimmed in response to movement. This can help with safety and security, but also increases the energy efficiency of the system.
Sensors can be used to monitor air pollution, footfall and traffic flow to help with infrastructure planning and management.
They can also be used to detect unusual levels of noise in the street, facilitating a faster response to potential anti-social disturbance.
But to deliver these considerable benefits whilst maintaining the trust of the citizens, connected places need to be aware of and manage the vulnerabilities of that arise.
A connected places functions and services increasingly rely on systems that gather, move, process and store data, some of which is sensitive.
Some of these systems also control critical operational technology. Unfortunately, this makes these systems an attractive target for a range of hostile actors, people who are motivated to cause disruption, steal, misuse or damage information and compromise our most valuable assets.
If an attack on a connected place network were to succeed, it could mean a damaging loss of trust for UK residents, making it hard for people to accept similar projects in the future. Not to mention the cost to repair, improve and resecure the connected infrastructure.
So how do we best mitigate these security risks?
By taking a security-minded approach to addressing vulnerabilities.
These vulnerabilities can arise from:
- The increase in the volume of information that is being generated, collected, used and stored including personal data, intellectual property and commercially sensitive information.
- Greater sharing of information within and across organisations.
- The combination of information from a wide range of sources.
- Differing organisational priorities, governance arrangements, security understanding and concerns, and risk appetite.
The security-minded approach needs to respond to any risks identified but shouldn’t prevent the connected place from delivering its aims.
Where the connected place involves multiple organisations, we recommended 4 steps to ensure everyone adopts a common approach.
- Create a combined governance structure, put in place a legally constituted structure. Make sure the relationship of this structure is understood and agreed within each organisation involved.
- Agree who will lead on developing the combine security-minded approach. Where roles sit in different organisations, make sure to clarify who’s accountable and responsible for what.
- Appoint individuals accountable for implementing the security-minded approach.
- Regularly review your combined approach. Setup a procedure for monitoring the security policies and regularly communicate with staff and other relevant parties to make sure you stay robust against potential attacks.
Having an agreed collaborative security-minded approach built in this way is more robust than one where organisations work in isolation.
When a governance structure is in place, the connected place as a whole can identify potential threats which may seek to exploit the vulnerabilities that exist.
Assess the resultant security risks and decide where these exceed the collective risk appetite and…
Implement appropriate and proportionate security measures to mitigate them.
That’s across personnel, physical and cyber security.
For more information and further support, click the relevant links below this video.
You’ll find additional guidance on adopting a security-minded approach to connected places and measures for managing related security risks.