Connected Places: new NCSC security principles for ‘Smart Cities’


One of the first Hollywood depictions of a cyber attack was against critical infrastructure.

It wasn’t a teenager accidentally taking control of nuclear command and control, or a magic box that can decrypt anything stolen and used by shady Bond villains intent on taking over the world.

It was an attack against a city’s centralised traffic management system in the 1969 film ‘The Italian Job’. As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock. Chaos ensues, they “blow the bloody doors off”, and the thieves escape with the gold.

Lots of things have changed since then. Computers generally don’t make those calming ‘boop beep’ sounds, we don’t use 1/2” vacuum column tape drives, and no one would ever condone the professor’s unacceptable behaviour in the film. But computers do control more aspects of our physical lives than ever before, across interconnected systems of increased complexity. A similar ‘gridlock’ attack on a 21st century city would have catastrophic impacts on the people who live and work there, and criminals wouldn’t likely need physical access to the traffic control system to do it.

Now think about the impact of all the sensors and intelligent systems we’re slowly deploying in our physical environments in order to collect data to make services more efficient, more environmentally friendly, or to optimise other characteristics. Failures within individual systems can have terrible impacts, but as they are increasingly connected and become interdependent, the compound effects are magnified. Combine this with the potential privacy intrusion (for example, if the data are collected or processed in a dumb way) and there’s lots to worry about. But it doesn’t have to be like that.

These connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly. Because as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors.

On May 7th, we published the first version of our ‘Connected Places Cyber Security Principles’, a guide for system owners, designers, vendors and operators to help them consider the high-level security requirements and principles that should govern connected places in the UK. These principles call out to lots of existing NCSC and CPNI guidance, but we do expect to have to create some very specific guidance over the coming years.

Connected places (often referred to as ‘smart cities’) have the potential to make people’s lives better, more efficient and greener. We need to collectively address the cyber security issues so that our cities are safe and resilient. Like most complex systems, that will end up as a balance between security, safety and functionality.

We hope these principles will help designers, owners and managers of connected place systems to make well-informed cyber security choices (and encourage the citizens who live and work there to trust these connected places). If you’re deploying a connected place in the UK and want to suggest we prioritise a particular topic, please get in touch via

Ian Levy is Technical Director at the National Cyber Security Centre (NCSC)

This NCSC blog has been republished under the terms of the Open Government Licence for public sector information. 
