IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

NCSC warns councils over ‘foreign influence’ in smart city projects

16-page report details cyber security and privacy risks of signing agreements with foreign state-backed companies

UK security officials are growing increasingly anxious about the prospect of local councils signing smart city agreements with foreign state-backed companies, potentially gaining unchecked influence over critical national infrastructure.

With cities across the UK on the cusp of pursuing their own smart city projects, the National Cyber Security Centre (NCSC) has issued guidance on the security considerations they must take, and the risks involved in pursuing such projects.

It comes in light of dual fears that local authorities may inadvertently extend the UK’s attack surface on a massive scale by not taking security seriously enough, while also relinquishing sensitive data to state-backed entities.

“A connected place provides a range of critical functions and services to its citizens,” the guidance said. “The systems that these functions and services rely on will be moving, processing, and storing sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors.

"If UK connected place data is hosted in or routed through a foreign country, the government of that country may be able to influence the supplier to provide it with access to that data, or it may be able to access that data directly under national security and intelligence laws," the report continued. "If a foreign corporate group provides corporate services to the supplier, the corporate group may be able to directly view or access certain data held by the supplier."

It added that if connected systems are compromised through a hack or viewed by a foreign entity, the consequences could range from "breaches of privacy to the disruption or failure of critical functions", which in some cases "could endanger the local citizens".

One of the greatest risks, according to the NCSC, are countries seeking to obtain sensitive commercial and personal data from the UK, while seeking to cause disruption to overseas services. These entities may be influenced by foreign governments to exfiltrate data from UK smart cities and feed this into their own intelligence services.

These suppliers may also be used as a vehicle for cyber attacks, either by attempting to instigate denial of service attacks or by poisoning a digital service through data manipulation or code injection that can affect how the service operates.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

China remains one of the leading smart city technology providers, although the report doesn’t mention China, or Chinese companies, by name. For instance, the Financial Times (FT) reported that Bournemouth council was close to signing an agreement for “smart place” services with Alibaba before it was terminated at the last minute.

“The more connected devices, the more threat vectors become open for cybercriminals to exploit,” said cyber security specialist with ESET, Jake Moore. “When creating smart cities it is vital that those designing them have security in mind from the outset and attempt to future-proof the infrastructures.

“Failure to prepare for cyber attacks now will mean they will inevitably fall over later and with the amount of data at risk, smart cities could be a disaster. More devices mean more of our private information is at stake which will remain a target to those who want to take advantage of such new technologies, so we need to be mindful of how much of our personal data we release.”

The guidance also includes general rules and principles for local authorities to follow when designing their systems. Specific examples the NCSC references include CCTV platforms, traffic light management, waste management, streetlight management, and transport services, among other public services.

These guiding principles, the NCSC said, must be read by local councils in conjunction with advice from the Centre of Protection of National Infrastructure (CPNI), which focuses on physical and personnel security.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download


What is cyber warfare?

What is cyber warfare?

20 May 2022

Most Popular

The big PSTN switch off: What’s happening between now and 2025?

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Why – and how – IP can be the hero in your digital transformation success story

Why – and how – IP can be the hero in your digital transformation success story

6 Mar 2023
What is GPT-4?
artificial intelligence (AI)

What is GPT-4?

15 Mar 2023