Infosec professionals have welcomed the UK National Cyber Security Centre’s (NCSC) blueprint for protecting smart city technology from cyberattacks, describing it as a “brilliant start” but warning that “urgent action” is needed to prevent disaster.
On Friday the NCSC published guidance for local and national authorities to protect smart cities from “destructive” cyberattacks that could “endanger local citizens”.
Cities around the world are increasingly full of internet-connected devices used to collect data and control services. Examples include sensors to monitor pollution levels, energy-saving smart streetlamps and smart traffic lights.
These systems are a prime target for cyberattackers due to the critical role they can play in city infrastructure.
“Impacts could range from breaches of privacy to the disruption or failure of critical functions,” the NCSC report notes. “This could mean destructive impacts, which in some cases could endanger the local citizens.”
In a 15-page document titled “Connected Places Cyber Security Principles” the NCSC gives advice for carrying out a smart city risk assessment and tips for designing and managing connected places.
Among the guidance is removing default passwords on internet of things (IoT) devices, switching off unnecessary services and adopting the principle of least privilege.
“Local authorities are using sensors and intelligent systems to improve our lives and make our cities more efficient and environmentally friendly,” said Dr Ian Levy, technical director at the NCSC, a part of GCHQ.
“While these benefits should be embraced, it’s important to take steps now to reduce the risk of cyberattacks and their potentially serious impact on these interconnected networks. I urge every individual and organisation establishing a connected place in the UK to consult our newly published cybersecurity principles.”
The guidance, which is aimed at CISOs, cybersecurity engineers and those involved in running connected city infrastructure, has been well received by the infosec community.
“The NCSC is right to warn of the cybersecurity risks to smart cities,” said John Morrison, SVP of international markets at wireless infrastructure company Extreme Networks. “Urgent action needs to be taken now to prevent them from becoming valuable and high-profile targets for hackers.”
Oz Alashe, CEO and founder of behavioural security platform CybSafe, described the smart cities guidance as a “brilliant starting point” but warned “we also have a responsibility to be aware of how our behaviour plays an important role in minimising cyber risk”.
He highlighted the role that low-level attacks, such as phishing, can play in compromising a smart city solution. For example, a malicious link sent to a member of staff at an energy supplier could provide a way into the wider network.
One NCSC recommendation is to segment smart security networks so that a breach in one area can be contained.
“Network segmentation isn’t a silver bullet against all cybercrime, but it is an essential building block of the cybersecurity defences required to properly protect our cities from cybercriminals,” said Morrison.
Smart city solutions should only cache necessary data, the NCSC said, and stakeholders should ensure they are fully aware of any third parties that store or process data. They should also have procedures in place in the event of a data breach.
“When creating smart cities, it is vital that those designing them have security in mind from the outset and attempt to future-proof the infrastructures,” said Jake Moore, cybersecurity specialist at internet security company ESET. “Failure to prepare for cyberattacks now will mean they will inevitably fall over later and with the amount of data at risk, smart cities could be a disaster.”
The NCSC also recommends having separate systems for monitoring and controlling smart city technology. “This ensures that if the system operating the connected place is compromised, the attacker will have no visibility of whether the breach has been detected, and cannot remove their tracks from the logs,” the report explained.
An attack on a water treatment facility in Florida in February gave a taste of the threat posed by cyberattacks on critical infrastructure. The threat was underscored again this week when a ransomware attack knocked a major US fuel pipeline offline.
“A nation state, a serious organised crime group or attackers wishing to harm critical, national infrastructure without direct loss of life could create chaos,” said Tom Van de Wiele, principal security consultant at cybersecurity firm F-Secure. “Threat actors on the prowl looking to abuse smart city networks and decision-making patterns really are viable threats and this isn’t far off from what we saw happen at the Florida water plant hack in February.”
He added: “Striking the right balance between efficiency, privacy and security is important so it’s no surprise the NCSC are setting out guidelines to get a hold over some of the risks.”