Guidance

Secure connected places playbook

Resources to help local authorities secure their connected places ("smart cities") against cyber threats. This is the updated beta release.

Video: Connected Places Cyber Security Playbook

Start by watching this introductory video where you can find out more about cyber security for connected places.

This video can also be shared with your team members to give them an introduction to the Playbook and connected places cyber security.


1. What is a connected place?

Connected places leverage a combination of sensors, hardware, networks and applications to analyse and improve services and places from transport and air quality to infrastructure and utilities. Some examples include:

  • Transport and new mobility solutions: such as the instalment of smart traffic light systems to reduce congestion on busy roads or future air mobility solutions.
  • Social care, health and wellbeing: such as the deployment of temperature and moisture sensors in houses to monitor and improve living conditions, or the use of sensors that help facilitate assisted living and improve accident response times.
  • Environmental monitoring: such as the use of sensors to monitor water levels in areas at risk of flooding or air quality to provide citizens with clean air walking routes.
  • Critical infrastructure and utilities: such as crowd monitoring to determine town centre business and provide citizens with information on best times to shop, or the use of smart local energy systems to reduce pressure on the grid.

Connected places present an opportunity for local authorities to enhance the quality of living for their citizens. However, without the necessary protection in place, the diversity and interconnectedness of technologies needed to operate connected places also makes them vulnerable to cyber attacks. These attacks can lead to reputational damage, the loss of sensitive data, and the damaging of physical infrastructure that residents rely on.

Strengthening and maintaining cyber security and resilience within connected places systems, and the security-mindedness of the people deploying them, is crucial for local authorities to ensure that connected places are secure, citizens’ data is protected and the provision of critical services is not interrupted.


2. Where to start

Use this flowchart to understand which of the Playbook’s resources may be of most use to you and your organisation. These questions should be considered by anyone within a local authority who will be working on projects that use connected place technologies, or is involved in the procurement of connected technologies. Even if you have answered ‘Yes’ to all questions, it is still recommended that you consult the Playbook to ensure you are aligned with best practise.


3. The Secure Connected Places Playbook (beta version)

The Secure Connected Places team has developed this Playbook to support local authorities to improve the cyber security of their connected places. It was designed in collaboration with six local authorities.

The Playbook comprises four cyber security resources covering topics including governance, procurement and supply chain management and how to conduct a good threat analysis. The guidance set out in the resources has been developed to specifically highlight the nuanced approaches that are needed to secure connected places and their technologies.

This Playbook resource is the ‘beta’ version published in March 2024, which has been updated from the original version following a phase of testing and iteration.


Connected places cyber security principles 101

This resource is designed to be a presentation local authorities can use to share introductory information on connected places cyber security with the staff in their organisation. ​It also includes an introductory overview of the NCSC’s Connected Places Cyber Security Principles (the Principles).

Connected places cyber security principles 101 (PDF)

Connected places cyber security principles 101 (HTML)

Supporting document: presenter notes


Governance in a box

This resource is designed to advise local authorities on the processes and considerations needed to set up good security governance across all connected places projects, to enable the flow of security information and decisions around the organisation.​

Governance in a box (PDF)

Governance in a box (HTML)

Supporting document: template commission form

Supporting document: CPSSG terms of reference


Procurement and Supply Chain Management

This resource is designed to provide local authorities with guidance on how to best incorporate cyber security considerations throughout their whole supply chain management lifecycle, with a focus on the procurement element.​

Procurement and Supply Chain Management (PDF)

Procurement and Supply Chain Management (HTML)


Conducting a STRIDE-based threat analysis

This resource is designed to provide local authorities with the skills, expertise and a structured framework to better understand the risks they are taking on with a proposed connected places system. ​

Conducting a STRIDE-based threat analysis (PDF)

Conducting a STRIDE-based threat analysis (HTML)


Incident response

This resource is designed to provide local authorities with guidance on how to plan for cyber incidents. All connected systems are vulnerable to cyber incident, which can vary from targeted criminal activity to accidental misconfiguration of settings.​ Knowing how to respond to these cyber incidents is critically important, and having a plan in place which has been tested can greatly increase the likelihood of successfully overcoming an incident while reducing the impact on the organisation and its stakeholders.

Incident response (PDF)

Incident response (HTML)


4. The NCSC’s Connected Places Cyber Security Principles

To help support local authorities, the National Cyber Security Centre (NCSC) published the Connected Places Cyber Security Principles in 2021. The Principles are designed to help local authorities build awareness and understanding of the security considerations needed to design, build, and manage their connected places.

The DSIT Secure Connected Places team supports NCSC in promoting awareness and uptake of the Principles.


5. What’s next

This version of the Secure Connected Playbook is considered alpha-grade and will be subject to further testing and iteration. If you would like to be involved in future work on the Playbook or have any questions about this guidance, please contact secureconnectedplaces@dsit.gov.uk.

You can also visit the Secure Connected Places policy page for more information.


The original alpha release of the Secure Connected Places Playbook was the product of a research and testing project commissioned by DSIT and delivered by Plexal, Daintta and Configured Things (the research group). DSIT and the research group worked with 6 UK local authorities to identify challenges in securing their connected places and collectively develop, test and iterate the guidance set out in this Playbook. This has resulted in the newly updated ‘beta’ version of the playbook, published in March 2024.

Updates to this page

Published 16 May 2023
Last updated 6 March 2024 + show all updates
  1. The newly-updated documents which comprise the 'beta' version of the playbook have been added to this page. The 'alpha' version was published in May 2023 and has since been subject to testing and iteration, including feedback from local authorities, resulting in this new version.

  2. First published.

Sign up for emails or print this page