The Australian Signals Directorate (ASD) has issued a new set of guidelines warning about the security risks posed by the use of 5G technology in so-called Smart Cities. The ASD’s concerns align with those of the Five Eyes security alliance, which has warned that the interconnected nature of a fully connected city makes it vulnerable to cyberattacks. While Smart Cities offer benefits such as increased efficiency and data-driven decision-making, the downside is that they may expose national and economic security, public health and safety, and critical infrastructure operations to potential vulnerabilities.
These renewed warnings come amid the Australian government’s plan to strengthen national security and make Australia one of the most secure countries in the world by 2030. As part of this plan, the Home Affairs department is currently reviewing submissions to its Cyber Security Discussion paper, which closed last week. The ASD’s guidelines provide a timely reminder of the need to consider the security implications of Smart City technology as Australia becomes more enmeshed within the connected infrastructure environment.
The risks associated with Smart Cities are not new. In 2020, the US National Security Agency (NSA) warned that 5G technology used in Smart Cities could create new attack vectors for hackers, including the potential to disrupt critical infrastructure. The UK’s National Cyber Security Centre (NCSC) has also highlighted the risks of Smart City technology, including the potential for attacks on autonomous vehicles and the use of data to target individuals.
Smart Cities rely on the Internet of Things (IoT) to connect urban infrastructure to the internet. This interconnectedness creates a web of potential vulnerabilities, with any weakness in the system potentially exposing the entire network to attack. For example, a hacker could exploit a vulnerability in a single IoT device, such as a traffic light, to gain access to the wider network and disrupt critical services such as emergency services or public transport.
To address these risks, the ASD’s guidelines recommend that Smart Cities adopt a risk management approach that includes identifying potential vulnerabilities and implementing appropriate security measures. This could include measures such as ensuring that all IoT devices are secure by default, using encryption to protect data in transit and at rest, and implementing multi-factor authentication to prevent unauthorised access.
The ASD also recommends that Smart Cities adopt a “defence in depth” approach, where multiple layers of security are used to protect the network. This could include measures such as segmenting the network to prevent the spread of malware, implementing intrusion detection and prevention systems, and regularly testing the security of the network through penetration testing and vulnerability scanning.
The risks associated with Smart Cities are not limited to cyberattacks. There are also concerns about the potential for misuse of data collected by IoT devices. For example, data collected from smart cameras could be used to track the movements of individuals, raising concerns about privacy and civil liberties. To address these concerns, the ASD recommends that Smart Cities adopt a privacy-by-design approach, where privacy considerations are built into the design of the network from the outset.
The risks associated with Smart Cities are not unique to Australia. Governments around the world are grappling with the security implications of Smart City technology as they seek to harness the benefits of technological innovation while mitigating the risks. In the UK, the NCSC has issued guidance on securing Smart Cities, while in the US, the NSA has published a report on securing 5G networks.
The risks associated with Smart Cities are real, and governments and organisations must take steps to mitigate them. The ASD’s guidelines provide a useful starting point for organisations looking to implement Smart City technology while maintaining the security of critical services and infrastructure. As the world becomes increasingly interconnected, the need to secure our digital infrastructure will only become more pressing, and it is essential that we take a risk-based approach to managing these risks.
Paul Budde