The underlying premise of smart cities is that greater availability of data and information, integration of services and systems, and outcome-based contracting can increase the capacity, efficiency, reliability and resilience, and thereby availability, of existing assets to enable enhanced service provision for its citizens.
A key purpose of a smart city is to join up specific vertical sectors (e.g. utilities, transport, health, etc.) across organisational boundaries into a whole-city approach for the creation, delivery and use of city spaces and services. These changes should allow the city to:
- take better account of the needs of current and future citizens;
- integrate physical and digital planning;
- more efficiently and sustainably identify, anticipate and respond to emerging challenges, including emergency situations; and
- increase the capacity for service delivery and innovation which in turn has the capability to drive efficiencies and effectiveness.
Advancements in digital engineering, information and communication technologies are significant enablers of these changes. However, the increased use of, and dependence on, these technologies, especially when coupled with much wider sharing and use of city data and information, and new service delivery models, also creates significant vulnerabilities and associated security issues. A range of threat actors might seek to make use of these vulnerabilities in order to compromise the value, longevity and ongoing use of a city’s built assets and services, as well as the safety and security of its citizens.
The approach to security that is developed within a smart city will therefore need to differ from any security-minded policies and processes that might already be in place within an individual local authority or other service delivery organisation as it needs to respond to the new or enhanced vulnerabilities created by changes to existing ways of working.
PAS 185:2017, commissioned by CPNI and facilitated by BSI, is a specification for establishing and implementing a city-wide, strategic-level, security-minded approach as part of both its development and operation. It details the approach for applying holistic measures that are appropriate and proportionate to the risks, while not preventing the delivery of a city’s aims. Copies of PAS 185:2017 are available for download.
CPNI are publishing a range of advisory materials to help with understanding PAS 185:2017, its context and implementation. These are available in the resources section below.
NCSC has published a set of cyber security principles that will help manage cyber security risks of a connected place and its underlying infrastructure. These principles will help organisations to become more resilient to cyber-attack. The cyber security principles should be considered alongside physical and personnel security measures to develop a robust, holistic security-minded approach.