Connected Places Cyber Security Principles 101
Updated 6 March 2024
This resource forms part of the Secure Connected Places Playbook developed for local authorities by DSIT in collaboration with Plexal, Daintta and Configured Things. This Playbook resource is the ‘beta’ version published in March 2024, which has been updated since the original version following a phase of testing and iteration.
1. Executive summary
1.1 What is this resource?
This resource is designed to be a presentation that local authorities can use to share introductory information on the NCSC’s Connected Places Cyber Security Principles (the Principles) with the staff in their organisation.
1.2 How should I use it?
The slides in this document and accompanying presenter notes can be used to deliver an introductory presentation to local authority staff to share awareness of the Principles and how to apply them to secure your connected places. The resource can also be included in onboarding packs for new staff.
1.3 Who does this resource apply to?
The contents of this resource apply to a broad range of stakeholders within your local authority, from new starters to board members. It is especially relevant to staff who will be involved in the design and maintenance of connected places projects or the procurement of connected technologies.
1.4 What will I get out of using this resource?
Connected places projects are looked after by a range of internal teams within a local authority and not all stakeholders will have cyber expertise. This lack of cyber security awareness can make it difficult to embed the Principles into the design, understanding and maintenance of connected places projects.
Using this resource will give teams in your local authority a basic awareness of the Principles. When your teams are thinking of using connected places technology in their business areas, as is increasingly happening, they will know (1) to consider cyber security from the outset and (2) where to look for more detailed information as their project(s) progress.
This Principles 101 resource aims to increase basic connected places cyber security awareness across the authority, not make everyone an expert.
1.5 Case study: Westminster City Council (WCC)
Westminster City Council has embarked on a project to develop a Smart City Operating System, which is a modern data platform that aggregates and shares connected places data both internally and externally to deliver economic and social value for the organisation.
In the absence of the Smart City Operating System, service lines are aware of the data protection requirements for any given project. However, cyber security considerations do not always share the same level of awareness across the organisation.
Westminster City Council has run sessions using the Principles 101 resource to raise security awareness across its relevant teams. An early session resulted in a service area and Digital and Innovation (D&I) exploring cyber security in a connected places project previously unknown to D&I.
See the Appendix for more on the case study.
2. Advisory
The Secure Connected Places Playbook is designed to meet the general cyber security needs of local authorities across the UK’s four nations when integrating smart cities technologies. Whilst this guidance is appropriate to all local authorities there may be separate nation specific guidance and processes that should be considered.
Similarly, the resources within the playbook generally assume the local authority has control over technology policies and their implementation. Additional consideration may be required where this is not the case such as the interactions between combined and unitary authorities where one must collaborate and co-ordinate with other parties.
3. Introduction and definitions
3.1 What are connected places?
The fundamental aim of a connected place is to enhance the quality of living for citizens through collaborative, interactive, and connected technology.
For the purpose of this guidance, a connected place can be described as a community that integrates information and communication technologies and IoT devices to collect and analyse data to deliver new services to the built environment, and enhance the quality of living for citizens.
A connected place will use a system of sensors, networks, and applications to collect data to improve its operation, including its transportation, buildings, utilities, environment, infrastructure, and public services.
NCSC Connected Places Cyber Security Principles, May 2021
Some examples of connected places technologies in local authority services are:
-
Traffic light management: using sensors to optimise wait times and therefore pollution levels.
-
Waste management: using sensors to improve the visibility of waste levels and oversight of suppliers, measuring their ability to meet their agreed service levels.
-
Streetlight management: optimising power usage based on time of day, seasonality, activity and local crime data.
-
Parking management: using sensors to provide smarter city navigation based on directing visitors to free parking spaces, thereby reducing emissions and congestion.
-
Environmental monitoring: using sensors to monitor water levels in areas at risk of flooding, or air quality to provide citizens with clean air walking routes.
-
Social care, health and wellbeing: the deployment of temperature and moisture sensors in houses to monitor and improve living conditions, or the use of sensors that help facilitate assisted living and improve accident response times.
-
Critical infrastructure and utilities: crowd monitoring to determine town centre business and provide citizens with information on the best times to shop, or the use of smart local energy systems to reduce pressure on the grid.
-
CCTV: for public safety and crowd monitoring.
These could use various networking technologies terrestrial (fibre), wireless (WiFi, Cellular LTE / 5G / NB-IoT, LoRaWAN) or satellite to communicate with fixed or mobile (drones, vehicles) assets.
3.2 What is cyber security?
Cyber security is the means by which individuals and organisations reduce the risk of becoming victims of cyber attack.
Cyber security is important because smartphones, computers and the internet are now such a fundamental part of modern life, that it’s difficult to imagine how we’d function without them. From online banking and shopping, to email and social media, it’s more important than ever to take steps that can prevent cyber criminals getting hold of our accounts, data and devices.
In the context of connected places, cyber security is what makes connected places a safe place to live and to work. Designing connected places with an assumption that they will be compromised is a useful approach to ensure that appropriate controls are designed for detecting, protecting against, responding to and recovering from cyber incidents.
It is important to take a holistic approach when securing your connected places, considering personnel, physical and cyber security. Further information about personnel and physical security is available on the NPSA website.
3.3 What is the role of DSIT?
The National Cyber Strategy 2022 outlined the Government’s objective for the UK to be at the forefront of the secure and sustainable adoption of connected places technology.
DSIT’s work contributes to this aim by delivering policy that supports the cyber security of the UK’s connected places.
To do so, DSIT’s Secure Connected Places team works closely with managers of connected places projects and suppliers of connected places technologies to ensure that communities across the UK can enjoy the benefits of secure connected places.
DSIT created the Secure Connected Places Playbook to complement the NCSC’s Principles and support local authorities’ connected place cyber security.
4. Connected places threats
Cyber security
As places become more connected, and local authorities become more reliant on this connectedness to provide efficient services to their residents, the risk of hacking, malware, accidental misconfiguration and administrative abuse rises. Connected places are attractive targets to malicious actors as they process large amounts of data, and an attack on this infrastructure could have a societal-wide impact. Some examples could be:
-
A traffic light prioritisation system that does not authenticate emergency vehicles would be open to anyone changing traffic signals to green, potentially risking lives and damage to vehicles.
-
In-home health monitoring can be abused for criminal and commercial gain. An attacker could target victims based on their activity patterns. Protecting individuals’ privacy is vital.
-
Electric vehicle chargers should be protected. An attacker could sequence all chargers in the network to draw a large current simultaneously, causing a brownout (a drop in voltage in an electrical power supply system)
Privacy
As data collection is becoming more pervasive, the legal right to individual privacy needs to be protected. With such widespread data collection and correlation, seemingly anonymous datasets can be aggregated to de-anonymise individuals.
Data privacy is a very important consideration when deploying smart infrastructure within connected places, particularly given suppliers may be exporting data outside of the UK as part of their service.
5. About the NCSC Connected Places Cyber Security Principles
5.1 Background
The National Cyber Security Centre (NCSC) released its Connected Places Cyber Security Principles in May 2021.
Whilst the adoption of connected places technology seemed to be increasing, there was a perception that security controls proportionate to the risk were not being considered.
It is principle-based guidance to support local authorities to make better-informed security decisions, not a baseline for compliance.
See the Principles in full here
6. Principles structure
The Principles are structured into three sections that relate to the phases of creating connected places. The first step in designing, building, and operating a connected place is to develop an understanding and context for it.
Having developed your understanding and the context for your connected place, the next priority should be to design your connected place in a way that makes it difficult for an attacker to compromise.
Then, having followed the connected place design principles, the priority should be to manage the connected place’s privileged accesses and supply chain throughout its life cycle. This will include managing incidents, and planning for response and recovery. Importantly, this is not just for whole connected places, but should also be considered for each connected places project.
6.1 Understanding your connected place
-
Understanding your connected place and the potential impacts. To identify what is critical to your connected place, a clear and complete understanding of its goals and ambitions is necessary.
-
Understanding the risks to your connected place. Knowing what assets and projects make up your connected place, as well as their dependencies and inter-dependencies is essential to know what risks exist. Knowing this, a risk management process can access what risks are acceptable and require treatment. Understanding the risks is vital to knowing which business outcomes will be affected by any risk being realised. Please consult the Governance in a box resource for further details.
-
Understanding cyber security governance and skills. Having management ownership and a governance process for connected places enables alignment across the organisation and that training programmes are appropriately budgeted. Please consult the Governance in a box resource for further details.
-
Understanding your suppliers’ role within your connected place. Connected Places can be complex systems with responsibility for service delivery split between the local authority and its suppliers. However, it is important to remember that whilst responsibility can be outsourced, accountability cannot, and therefore your local authority will remain the overall risk owner. Therefore, ensuring suppliers meet your requirements throughout a service’s lifetime is essential. Please consult the Procurement and Supply Chain Management resource for more details.
-
Understanding legal and regulatory requirements. It is essential to understand the legal and regulatory framework within which your local authority must operate, this may vary based on the type of use cases being implemented. Statutory regulations, such as GDPR and the NIS Directive, must be observed regardless.
It is essential to know your local authority’s desired business outcomes and how these can be affected.
6.2 Designing your connected place
-
Designing your connected place architecture. Understanding how your connected place is designed and architected is essential to assess whether it meets your organisation’s security requirements. For example, whether data is processed without first being validated and its sources authenticated. With an architecture understood, threats can be reasoned about, and decisions made as to whether residual risk within the systems needs to be mitigated by some means. Please consult the Threat Analysis resource for further details.
-
Designing your connected place to reduce exposure. Reducing the connected places attack surface (i.e. the interfaces of systems that are exposed to attack) will reduce the chance that an attacker will be able to successfully target your systems. System hardening e.g. closing down unused services and network segregation are good practice measures that can not only reduce the risk of an external attack but should the local authority become compromised can limit the blast damage.
-
Designing your connected place to protect its data. Connected Places by their nature collect and process data, it is therefore essential that it is appropriately protected. Personal information should only be collected if necessary and where it is, it is advised to protect it at rest and in transit. Maintaining a record of what data is collected, where and by whom it is stored and processed is essential not only for day-to-day operations but especially in the case of a security incident and potential data breach.
-
Designing your connected place to be resilient and scalable. Connected Places should be designed with the assumption that, at some point in their lifetime, they will be compromised, be it by an adversary or a mistaken user. To ensure resilience they therefore should be designed to be recovered easily and quickly. Connected Place projects often start as proofs of concepts, when they are determined to be business as usual they should be made scalable. This not only allows the local authority to flex its systems to its needs but also provides added resilience due to unexpected demand.
-
Designing your connected place monitoring. A connected place’s monitoring system should be out of the band to the connected place system itself. This approach ensures that a compromise of the connected place system can remain detected. Logging functionality of connected place technologies and supplier platforms should be utilised to identify incidents. The level of monitoring should also be commensurate with the criticality of the system, i.e. if a system is monitoring life-critical data, then its security monitoring should be frequent and rich enough to detect abnormalities rapidly.
Building security in at the start of a project is widely considered more cost effective than having an attack and paying to remediate later.
6.3 Managing your connected place
-
Managing your connected place’s privileges. Most systems provide different levels of accounts, devices and interfaces based on a particular user’s rights within that system. Ensuring that those users that require increased levels of access are regularly reviewed and that they have secure means of accessing their accounts is necessary to maintain system security.
-
Managing your connected place’s supply chain. It is important that if a supplier is providing you with services they adhere at least to your security requirements and that you maintain a right to audit their compliance with these requirements. Please consult the Procurement and Supply Chain Management resource for more details.
-
Managing your connected place throughout its lifecycle. Connected places each develop a life of their own. Understanding how the technology and its requirements change over that lifetime is essential to maintaining its security. Vulnerabilities will likely be discovered in technology utilised to build your connected place, therefore planning a vulnerability and threat management process that can manage and mitigate these is necessary. Devices and projects do at some point come to an end state, and understanding the security implications for how these are treated in their decommissioning ensures the security of any data is protected
-
Managing incidents and planning your response and recovery. “Inevitably security incidents will occur and in the context of connected places, this could result in degradation or loss of critical public services” – NCSC Connected Places Cyber Security Principles. Ensuring your local authority is monitoring for potential harm, that there are incident teams that can investigate attacks and playbooks for how the local authority may need to respond is advised in advance, doing so post-hoc can be extremely costly not only in monetary terms but also to the organisation’s reputation.
As your connected place grows – collecting more data and automating responses – it is likely to become of increasing interest to attackers and malicious actors. This increased automation and data sharing will also intensify the risk of cascade service failures across your connected place and its partners. Therefore, a mindset that assumes your connected place will be compromised is essential to being resilient and ensuring the continued provision of services.
7. Summary and next steps
1. Key takeaways
Having completed this resource, you should feel better informed in the way in which the Principles are trying help local authorities improve cyber security across connected places.
You should know that the Principles set out processes and guidance for three stages of connected places projects: understand, design and manage.
You should also have a basic understanding of connected places, their cyber security risks and where to begin looking for more information to help mitigate them.
2. Questions to ask
It is likely you may have outstanding questions as to how to make progress towards implementing these Principles in your connected places such as:
-
Where do we start?
-
Who is responsible for our connected place?
-
Are there existing process for managing these risks?
We recommend that you discuss these questions with the relevant teams within your organisation.
3. Next steps
This resource serves as an introductory module of the DSIT Secure Connected Places Playbook.
For further guidance on the processes and policies that will help you to secure your connected places, please consult the other chapters in the Playbook.
8. Appendix: How this resource has been used by local authorities
8.1 Case study: Westminster City Council
Use case: Community safety
Need
Westminster City Council has embarked on a project to develop a Smart City Operating System which is a modern data platform that aggregates and shares data both internally and externally to deliver economic or social value for the organisation. In the absence of the Smart City Operating System, service lines are aware of the data protection requirements for any given project. However, cyber security considerations do not always share the same level of awareness across the organisation.
Solution
Using this resource, Westminster City Council can deliver basic training presentations on the Principles to staff to provide a broad level of understanding of connected places cyber security. This would prompt their staff to ask questions and seek answers about the cyber security of their connected places projects. This presentation could also be embedded as a mandatory exercise at the kick-off for connected places projects to ensure that cyber security risks are appropriately addressed and mitigated at the outset. The Connected Places Cyber Security Principles 101 resource provides a high-level overview in a presentation format that allows local authorities to give a baseline understanding to their staff.
Outcome
Westminster City Council has run sessions using the Principles 101 resource to raise security awareness across its relevant teams. An early session resulted in a service area and Digital and Innovation (D&I) exploring cyber security in a connected places project previously unknown to D&I.
8.2 Case study: Renfrewshire Council
Use case(s): Housing environmental sensors, community safety, adult social care
Need
Renfrewshire Council are increasingly adopting connected places technologies and wanted to ensure that they were reviewing the security of their Internet of Things (IoT) devices using standardised guidelines across the Council. As the IoT market is evolving, they found that various suppliers adopt different approaches when looking at their cyber security and, without official guidance, it was difficult to get them to standardise to Renfrewshire’s cyber security expectations.
Solution
Using the Cyber Security Principles 101 alongside the Procurement & Supply Chain Management resources, Renfrewshire were able to identify some controls that they did not previously use and test these with their suppliers. They were also able to engage a broader range of stakeholders using the Cyber 101 Principles resources to share the importance of cyber security in connected places projects and the risks associated with them. This empowered Renfrewshire to build a Connected Places catalogue of existing solutions to provide a more strategic overview which will be applied to various projects relating to introducing future IoT devices including those for healthcare sensors and community alarms. Renfrewshire also broadened the remit of their Digital Board to include a strategy for Connected Places technologies to empower colleagues with a standardised approach to cyber security when looking at connected places technologies.
Outcome
Stakeholders at Renfrewshire Council are now more aware of cyber security in relation to connected places projects, with awareness levels rising significantly. The resources have enabled them to be more confident in cyber security standards for IoT devices, create a more standardised approach when engaging with suppliers with the council looking to create a video version of the Cyber principles 101 resource to cascade down their organisation.
8.3 Case study: Sunderland City Council
Use case(s): community safety, environmental management, smart lighting, air quality, traffic monitoring, footfall monitoring, social care, transport management
Need
Sunderland City Council has an established, innovative Smart City Strategy. This was delivered through a joint venture with Boldyn Networks as part of a 20-year partnership. The Council’s technical and information security support teams assisted with limited parts of the strategy and the partnership. However, the Council wanted to enhance the levels of awareness of the strategy and the implementation of it.
Solution
Sunderland Council wanted to align with various other teams including internal service strategy, to create a more consistent approach to connected places projects, enabling timely decision making and improve awareness of Smart City initiatives across the Council. Using the Cyber Security Principles 101 and Governance resources, Sunderland City Council’s technical and information security services engaged with the Smart City Team to understand the existing governance model and how both awareness and engagement for smart city projects is managed within the wider Council. Following this, they assessed the alignment with the resources and best practice to identify gaps and opportunities for improvement.
Outcome
The Council engaged with stakeholders to create regular reports to build awareness and provide timely updates on the Council’s Smart City strategy. Their leadership team now hold a scheduled meeting focused on the Smart City agenda to promote awareness and engagement with technical and information security services, supporting wider strategic alignment. They have also promoted the adoption of a STRIDE-based analysis to model threats and to provide a consistent approach to establishing appropriate information security assurances during software development.
9. Glossary of terms
These terms are used throughout the Secure Connected Places Playbook
Term / acronym | Definition |
---|---|
Architecture | The designed structuring of something e.g. an agreed set of components for IT systems |
Connected places | Connected places are communities that integrate information and communication technologies and Internet of Things devices to collect and analyse data to deliver new services to the built environment, and enhance the quality of living for citizens. Connected places will use a system of sensors, networks, and applications to collect data to improve its operation, including its transportation, buildings, utilities, environment, infrastructure, and public services |
Connected technology | Products with technology built in that allow them to connect with their environment and other products, for instance, Internet of Things devices |
Cyber security | The practice of protecting computer systems from attack |
DSIT | Department for Science, Innovation & Technology |
IoT | The Internet of Things describes physical objects with sensors, processing ability, and software that connect and exchange data with other devices and systems over the Internet or other communications networks |
NCSC | National Cyber Security Centre |
The Principles | The NCSC’s Connected Places Cyber Security Principles |
System | A group of people, processes and technologies that conform to a policy to achieve a desired objective |
System approach | A philosophy that considers a problem as the result of, or to be solved by, a system |
10. Contact details
Please contact secureconnectedplaces@dsit.gov.uk with any questions or feedback on these resources.