Cities worldwide consume about two-thirds of global energy, account for roughly three-quarters of GHG emissions, and host over a billion people in informal settlements with barely enough to survive. This underlines the need to create sustainable, connected, and inclusive urban areas that offer a decent quality of life, since by 2050 an estimated 7 out of 10 people globally will live in such areas.
At a basic level, this involves leveraging technologies such as artificial intelligence, IoT, cloud computing, and big data analytics to enhance public safety, healthcare, transportation, energy, and water supply, among others.
But smartness is only short-lived without cybersecurity best practices for smart cities.
Incidents such as the repeated cyberattacks on Israeli water treatment facilities, the AIIMS patient data breach, and the ransomware attack on municipal services in Oakland underscore the need for critical public service systems to undergo continuous vulnerability assessment and penetration testing (VAPT), among other best practices.
This is what we discuss below for policymakers, urban infrastructure managers, technology providers, cybersecurity professionals, or anyone interested in the best practices that a smart city should implement.


Cyber Threat Landscape in a Smart City
1. Attack Surfaces
The system of systems that a smart city runs on faces the basic challenge of heterogeneity: many data types, user interfaces, and transmission methods. This creates a multi-level attack surface with many entry points, and the interconnections between systems give an attacker room for lateral movement.
Major cyber threats include adversaries targeting critical infrastructure, such as water systems, the energy grid, public address systems, public transportation, and municipal services, including public records, emergency response operations, and tax collection. The graphic below outlines some of the smart solutions, each of which forms a deep and lucrative attack surface.

2. Threat Actors
From cybercriminals and adversarial states to hacktivists, saboteurs, cyber terrorists, or a bored teenager with a Kali Linux install, someone is interested in each system, or combination of systems, that a smart city deploys.
In short, the smarter you want your city to become, the larger its exposure to almost every class of threat actor.
3. Potential Impact
Such a broad threat landscape exposes critical city infrastructure to a multitude of risks, including but not limited to:
- Threats to public safety
- Wrongful or misleading public announcements
- Illegal surveillance
- Data tampering or leakage
- Denial, disruption or harmful misuse of public services (water, energy, metro and rail systems, etc.)
- Operational and financial setbacks for service operators
In 2024, smart cities faced a sobering reality: over 96% of discovered vulnerabilities were traced back to web applications, the core components of everything from traffic control dashboards to citizen service portals. Left unaddressed, these flaws carried an estimated $266 million in potential losses, putting the very systems that power urban life at risk.

Worse still, the nature of these threats is evolving. Critical vulnerabilities surged by more than 83% compared to 2023, reflecting a shift toward more targeted attacks. The bar graph above breaks down this rise across different smart city asset types, revealing that essential digital infrastructure is a growing attack surface.
The graphic below paints an even clearer picture: a rise in unique vulnerabilities across all severity levels, many of which evade detection by automated tools. These are the subtle, context-specific flaws buried within smart grids, public safety systems, and IoT-powered services, systems that demand more than routine scans.
This is where manual, continuous penetration testing proves vital. Unlike purely automated solutions, it adapts to the complexity of urban tech ecosystems and finds the flaws specific to each city's configuration.
For smart cities, the message is clear: safeguarding digital infrastructure requires not just cybersecurity controls, but a living, ongoing strategy of comprehensive pentesting.

Best Practices for Smart Cities
1. Start Right from the Planning and Design Phase
You don’t build a house, start living in it, and then think about fixing doors, locks and gates, now do you?
In the same way, cybersecurity for a smart city cannot be an afterthought; it has to be embedded in the fundamental architecture to build in the resilience and robustness that an advanced urban ecosystem depends on.
Thus, in this section, we discuss a few such cybersecurity practices that need attention right from the start.
A. Shift Left to Grow Right
The primary objective is to integrate security into every phase of the SDLC (Software Development Lifecycle), so that loopholes are monitored, detected, and fixed as they arise while your public service or solution scales to serve millions.
This includes automated vulnerability scanning that integrates with your CI/CD pipelines and gates releases on findings, reports with clear fix guidance that a developer can act on without a security background, and continuous, real-time threat detection and mitigation.
B. Zero Trust Architecture
This architecture rests on a few simple rules: never trust implicitly, always verify explicitly, grant least privilege, and assume breach.
The interconnected systems behind smart city solutions such as energy grids, smart public transportation, and wastewater management, deployed across numerous cloud platforms, IoT devices, APIs, and citizen-facing applications, are exactly what threat actors look for. A single compromised endpoint can cascade into a system-wide breach if every other component trusts it because it sits on the "inside" network.
What is needed is continuous threat exposure management (CTEM) across application logic, API endpoints, and cloud setups: granular, per-request access decisions based on identity and device posture rather than network location, and comprehensive threat scanning across the ecosystem that keeps working as you scale.

C. MFA
IAM (Identity and Access Management) is necessary to safeguard the PII of millions of citizens and to control access to big data from endpoint devices spread across the city, among other purposes, and MFA forms an integral part of it.
Multi-factor authentication requires at least two independent factors: something you know (a password), something you have (a TOTP token or hardware key), or something you are (biometrics). Using it together with adaptive authentication (assessing risk from user location and behaviour), SSO (via SAML or OpenID Connect on top of OAuth 2.0), and role-based access control (RBAC) reduces the risks from insider threats, compromised credentials, and human error. Note that SMS and TOTP codes can still be phished in real time; for operators of critical control systems, phishing-resistant factors such as FIDO2 hardware keys are preferable.
D. Network Segmentation
The core component of a smart city ecosystem is a stack of multiple interconnected layers:
- Command and control centres
- Cloud and data storage layer
- Communication and data transmission layer
- IoT and edge computing layer, etc., with each requiring customised security controls.
Segmentation reduces the attack surface by isolating data and critical systems, limiting lateral movement and unauthorised access: a compromised camera on the IoT network should have no route to the PLCs on the control network. Validate the segmentation with regular network penetration testing, and pair it with real-time monitoring and threat detection (EDR/XDR on the endpoints that can run agents, MDR where in-house capacity is lacking) to sustain a proactive security posture.
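An added example (not from the original article) of what the segmentation policy above looks like as an enforceable rule set, applied to flow records to catch lateral movement between layers. The zones, address ranges, allowed port matrix, and flow log lines are all constructed for illustration; a real policy would be loaded from the firewall or cloud security groups.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Added example, not from the original article. Zones, address ranges, the
# allow matrix and the flow records below are all assumed/constructed.
ZONES = {
    "iot_edge":   ipaddress.ip_network("10.10.0.0/16"),   # sensors, cameras, meters
    "ot_control": ipaddress.ip_network("10.20.0.0/16"),   # PLCs, SCADA for water/energy
    "corp":       ipaddress.ip_network("10.30.0.0/16"),   # staff workstations
    "cloud_data": ipaddress.ip_network("10.40.0.0/16"),   # ingestion brokers, data lake
    "command":    ipaddress.ip_network("10.50.0.0/16"),   # command and control centre
}

# Default deny between zones: a cross-zone flow is allowed only if its
# destination port is listed for that (source zone, destination zone) pair.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("iot_edge", "cloud_data"): {8883},        # MQTT over TLS to the broker only
    ("corp", "cloud_data"): {443},             # dashboards over HTTPS
    ("command", "ot_control"): {502, 20000},   # Modbus/TCP and DNP3 from the control room only
    ("command", "cloud_data"): {443},
}

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Same-zone traffic passes here (micro-segmentation would narrow that too);
    unknown addresses and unlisted cross-zone ports are denied."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == "unknown" or dz == "unknown":
        return False
    if sz == dz:
        return True
    return dport in ALLOWED.get((sz, dz), set())


def find_violations(flow_lines: List[str]) -> List[str]:
    """Returns a 'src_zone->dst_zone:port (src -> dst)' entry per disallowed flow."""
    violations = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not is_allowed(src, dst, dport):
            violations.append(f"{zone_of(src)}->{zone_of(dst)}:{dport} ({src} -> {dst})")
    return violations


SAMPLE_FLOWS = [  # constructed, not real traffic
    "2024-05-01T02:14:07Z src=10.10.5.23 dst=10.40.1.10 dport=8883 proto=tcp",  # camera -> broker: ok
    "2024-05-01T02:14:09Z src=10.10.5.23 dst=10.20.1.4 dport=502 proto=tcp",    # camera -> PLC: lateral movement
    "2024-05-01T02:15:30Z src=10.30.7.88 dst=10.10.5.23 dport=22 proto=tcp",    # workstation -> camera SSH: not allowed
    "2024-05-01T02:16:02Z src=10.50.0.5 dst=10.20.1.4 dport=502 proto=tcp",     # control room -> PLC: ok
    "2024-05-01T02:16:40Z src=10.30.7.88 dst=10.40.1.20 dport=443 proto=tcp",   # workstation -> dashboard: ok
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

Run the same matrix two ways: as the firewall rule set, and as a detection over exported flow logs. A violation in the logs means the rule set and reality have drifted apart, which is exactly what a network pentest should also surface.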
2. Shield your Supply Chain from Security Risks
A. Assessing Vendors’ Security Posture and Practices
As the wide-area networks and enterprise-grade systems that smart cities thrive on become more efficient, complex, and interconnected, the reliance on third-party vendors for hardware, software, and other services becomes inevitable.
This makes it necessary to ensure suppliers are verifiably compliant in order to safeguard the supply chain of a smart city. For example, assess vendors on their access control and data handling practices, incident response capabilities, and compliance with at least one relevant cybersecurity framework (NIST CSF, ISO/IEC 27001, IEC 62443, etc.; for penetration testing vendors, a testing standard such as PTES).

B. Enforce Policies Addressing Procurement-Related Security Concerns
You need cybersecurity clauses in SLAs and contracts that mandate timely security updates for the life of the product, cooperation during incident response, and coordinated vulnerability disclosure, along with a software bill of materials (SBOM) for supplied software so you know what to patch when a component is found vulnerable.
C. Continuous Monitoring is, Of Course, a No-Brainer
Ask your technology (endpoints, big data collection, storage, communication, and transmission) vendors to deploy SIEM and AI-based threat and anomaly detection tools that gauge:
- Unusual access patterns
- Endpoint device health
- Network traffic
Why AI, though? A smart city serves millions of people 24/7, and purely manual review of that volume of telemetry fails under fatigue and burnout; automated baselining and anomaly detection carry the load, with analysts handling what it surfaces.
Also, conducting hacker-style pentesting across your citizen-facing web and mobile applications, devices, APIs, and cloud networks on a regular basis helps you and your vendors stay compliant and gives stakeholders and the finance department evidence rather than assurances.
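An added example (not from the original article) of the "unusual access patterns" detection the list above asks vendors for, in its simplest form: learn each operator's normal source addresses and working hours from past successful logins, then score new logins for an unknown source, an off-hours time, and a burst of failures immediately before success. The log format, operators, addresses, thresholds and events are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Added example, not from the original article. Log format, baseline data,
# thresholds and events are constructed for illustration.

# Historical successful logins used to learn each operator's normal source
# addresses and working hours (constructed).
BASELINE_LOG = """
2024-04-02T08:03:11Z user=a.roy src=10.30.7.88 result=ok
2024-04-02T17:41:09Z user=a.roy src=10.30.7.88 result=ok
2024-04-03T09:15:42Z user=a.roy src=10.30.7.88 result=ok
2024-04-03T14:02:30Z user=a.roy src=10.30.7.91 result=ok
2024-04-02T07:10:05Z user=b.sen src=10.30.2.10 result=ok
2024-04-03T15:55:21Z user=b.sen src=10.30.2.10 result=ok
""".strip().splitlines()

# Events to analyse: a 03:10 burst of failures against a.roy from an unknown
# address followed by a success, then two ordinary logins (constructed).
NEW_LOG = """
2024-05-01T03:10:01Z user=a.roy src=203.0.113.9 result=fail
2024-05-01T03:10:04Z user=a.roy src=203.0.113.9 result=fail
2024-05-01T03:10:07Z user=a.roy src=203.0.113.9 result=fail
2024-05-01T03:10:10Z user=a.roy src=203.0.113.9 result=fail
2024-05-01T03:10:13Z user=a.roy src=203.0.113.9 result=fail
2024-05-01T03:10:16Z user=a.roy src=203.0.113.9 result=fail
2024-05-01T03:10:20Z user=a.roy src=203.0.113.9 result=ok
2024-05-01T09:05:00Z user=b.sen src=10.30.2.10 result=ok
2024-05-01T10:00:00Z user=a.roy src=10.30.7.88 result=ok
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")
ALERT_THRESHOLD = 3          # assumed: score at which an alert is raised
FAILURES_BEFORE_SUCCESS = 5  # assumed: failures from one source before a success that look like guessing


def parse(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
    return ev


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user: the set of source IPs seen and an (earliest-1, latest+1) hour range."""
    ips, hours = defaultdict(set), defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "ok":
            ips[ev["user"]].add(ev["src"])
            hours[ev["user"]].append(ev["hour"])
    return {u: {"ips": ips[u], "hours": (min(hours[u]) - 1, max(hours[u]) + 1)} for u in ips}


def detect(lines: List[str], baseline: Dict[str, dict]) -> List[dict]:
    """Scores each successful login; returns the ones at or above ALERT_THRESHOLD."""
    failures = defaultdict(int)   # (user, src) -> failures since the last success
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "fail":
            failures[key] += 1
            continue
        reasons, score = [], 0
        prof = baseline.get(ev["user"])
        if prof is None or ev["src"] not in prof["ips"]:
            reasons.append("new_source_ip")
            score += 2
        if prof and not (prof["hours"][0] <= ev["hour"] <= prof["hours"][1]):
            reasons.append("off_hours")
            score += 1
        if failures[key] >= FAILURES_BEFORE_SUCCESS:
            reasons.append(f"{failures[key]}_failures_then_success")
            score += 3
        failures[key] = 0
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The scoring is deliberately additive so each alert carries its reasons; a SIEM rule that fires only on "six failures" misses the slow attacker, and one that fires only on "new IP" drowns the analyst when staff travel.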
3. Build Resilience and Response Capabilities
The requirement here is to have clear protocols in place before, during, and after a cyberattack. This includes developing, distributing, and communicating the value and importance of incident response playbooks to stakeholders, along with citizens.
Secondly, organise drills such as red-team, tabletop, and breach and attack simulation exercises to improve incident response preparedness and close gaps.

Thirdly, have backups!
Follow the 3-2-1 backup strategy: keep three copies of the data on two different media, with one copy stored offsite, and test restoration regularly. Make sure at least one copy is offline or immutable, since ransomware that reaches a networked backup encrypts it along with the production data.
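An added example (not from the original article) that turns the 3-2-1 rule into something you can run: three copies with a hash manifest, then a restore test that catches the copy ransomware has reached. Everything happens inside a temporary directory; the "NAS", "tape" and "offsite" locations and the corruption of one copy are simulated.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict

# Added example, not from the original article. Directory layout and the
# corruption of one copy are simulated inside a temporary directory.


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_321(source: Path, targets: Dict[str, Path]) -> Dict[str, Dict[str, str]]:
    """Writes one copy per target and records the digest each copy must still match."""
    digest = sha256_of(source)
    manifest = {}
    for label, directory in targets.items():
        directory.mkdir(parents=True, exist_ok=True)
        dest = directory / source.name
        shutil.copy2(source, dest)
        manifest[label] = {"path": str(dest), "sha256": digest}
    return manifest


def restore_test(manifest: Dict[str, Dict[str, str]], restore_dir: Path) -> Dict[str, bool]:
    """Restores every copy and checks it against the manifest: an untested backup
    is a hope, not a control. Returns label -> restorable."""
    results = {}
    for label, entry in manifest.items():
        src = Path(entry["path"])
        dest = restore_dir / label / src.name
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.copy2(src, dest)
            results[label] = sha256_of(dest) == entry["sha256"]
        except OSError:            # media gone, offsite unreachable, etc.
            results[label] = False
    return results


def demo() -> Dict[str, bool]:
    """Three copies, two media, one offsite; then the on-line NAS copy gets encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "citizen_records.db"
        source.write_bytes(b"constructed sample database contents\n" * 1000)
        targets = {
            "media_a": root / "nas",             # on-line disk
            "media_b": root / "tape",            # second medium, offline between jobs
            "offsite": root / "offsite_bucket",  # off-site, ideally immutable/object-locked
        }
        manifest = backup_321(source, targets)
        # Simulate ransomware reaching the networked NAS copy and overwriting it.
        Path(manifest["media_a"]["path"]).write_bytes(b"\x00ENCRYPTED\x00" * 100)
        return restore_test(manifest, root / "restore")


if __name__ == "__main__":
    print(demo())   # media_a fails, media_b and offsite restore cleanly
```

Keep the manifest with the backups but also somewhere the backup job cannot write, otherwise an attacker who can rewrite the copies can rewrite the digests too.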
4. Protect Citizen Data and Privacy
A. Control Exposure via Data Minimisation
Perhaps the least discussed yet most effective control for critical services that run on huge volumes of high-velocity, high-variety data from thousands of IoT and citizen devices is data minimisation.
Collect, share, and store only what is necessary, and only for a limited period, to reduce the exposure that accumulates over time.
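An added example (not from the original article) of minimisation applied to smart-meter telemetry: drop the fields analytics does not need, coarsen timestamp and location, replace the citizen identifier with a keyed pseudonym that can be rotated with its key, and stamp each record with an expiry that a purge job enforces. The record layout, retention period and key are assumed; the records are constructed and contain no real data.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Added example, not from the original article. Record layout, field choices,
# retention period and the pseudonymisation key are all assumed.
PSEUDONYM_KEY = b"rotate-me-per-retention-period"   # assumed; keep it in a KMS/HSM in practice
RETENTION_DAYS = 30                                  # assumed policy

RAW_RECORDS: List[Dict] = [  # constructed smart-meter telemetry, no real citizen data
    {"ts": "2024-05-01T08:12:33Z", "meter_id": "MTR-4471", "citizen_id": "CIT-00912",
     "email": "resident@example.net", "lat": 12.971598, "lon": 77.594566,
     "ip": "10.10.5.23", "firmware": "2.3.1", "reading_kwh": 3.42},
    {"ts": "2024-05-01T09:12:35Z", "meter_id": "MTR-4471", "citizen_id": "CIT-00912",
     "email": "resident@example.net", "lat": 12.971598, "lon": 77.594566,
     "ip": "10.10.5.23", "firmware": "2.3.1", "reading_kwh": 3.51},
    {"ts": "2024-06-10T18:40:02Z", "meter_id": "MTR-9003", "citizen_id": "CIT-04477",
     "email": "other@example.net", "lat": 12.934533, "lon": 77.626579,
     "ip": "10.10.8.4", "firmware": "2.3.0", "reading_kwh": 1.07},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _fmt(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable while the key lives (so usage can be aggregated per
    subject), unlinkable to the citizen without the key, and rotated with it."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record: Dict, key: bytes = PSEUDONYM_KEY) -> Dict:
    """Keep only what grid-load analytics needs, at the precision it needs."""
    hour = _parse(record["ts"]).replace(minute=0, second=0, microsecond=0)
    return {
        "ts": _fmt(hour),                    # hourly, not to the second
        "reading_kwh": record["reading_kwh"],
        "lat": round(record["lat"], 2),      # ~1 km cell, enough for load maps, not for a household
        "lon": round(record["lon"], 2),
        "subject": pseudonymise(record["citizen_id"], key),
        "expires": _fmt(hour + timedelta(days=RETENTION_DAYS)),
        # email, ip, firmware, meter_id and citizen_id are never stored here
    }


def purge_expired(records: List[Dict], now: datetime) -> List[Dict]:
    """Retention is only real if something deletes; run this on a schedule."""
    return [r for r in records if _parse(r["expires"]) > now]


if __name__ == "__main__":
    stored = [minimise(r) for r in RAW_RECORDS]
    print(stored[0])
    print(len(purge_expired(stored, datetime(2024, 6, 15, tzinfo=timezone.utc))), "records left")
```

The raw feed still exists at the meter and the broker; minimisation is about what the long-lived analytics store keeps, which is the store most likely to be breached or subpoenaed.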
B. Encrypt All Data Movement
Following privacy-by-design principles, encrypt data in transit with TLS 1.2 or later (or an IPsec or WireGuard VPN for site-to-site links) and data at rest with a modern cipher such as AES-256, with RSA or elliptic-curve cryptography handling key exchange and signatures. This ensures confidentiality and data integrity.
For example, encrypting CCTV footage in transit from across the city to storage and analytics servers, and pentesting the video management systems, becomes essential to prevent sniffing and tampering via man-in-the-middle (MITM) attacks.
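An added example (not from the original article) using Python's standard `ssl` module: the "just make it connect" client configuration that turns TLS into a MITM-friendly tunnel (common in camera and gateway firmware), the hardened configuration beside it, and an audit function you can point at either. Hostnames and certificate files are assumed; nothing here opens a network connection.

```python
import ssl
from typing import List, Optional

# Added example, not from the original article. Shows the verification-off
# configuration often found in IoT/video firmware beside a hardened one, plus
# an audit function for either. CA file and hostnames are assumed.


def weak_client_context() -> ssl.SSLContext:
    """The MITM-friendly version: any certificate, including an attacker's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Pin the trust root (assumed ca_file, e.g. the city's private CA for
    camera-to-VMS links), require TLS 1.2+, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context(cafile=ca_file)   # system trust store when ca_file is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION                # CRIME-style attacks
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")      # TLS 1.2 suites; TLS 1.3 suites are fixed separately
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Returns the settings a pentester would flag; empty list means nothing found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version {ctx.minimum_version.name} is below 1.2")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    # Usage with the hardened context (not executed here):
    # with socket.create_connection(("vms.example.city", 443)) as sock:
    #     with hardened_client_context().wrap_socket(sock, server_hostname="vms.example.city") as tls:
    #         ...
```

The weak context is what you find when a vendor "fixed" a certificate error by disabling verification; the audit function is cheap to run in CI against every context the code base constructs.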
5. Create Individualistic Cybersecurity Awareness
Each connected user or device in a smart city forms an attack vector (via mobile and web applications), exploiting which allows hackers access to confidential data, lateral movement, and the capability to disrupt services.
Organising gamified training, online tutorials, interactive workshops, phishing simulations, etc., for the public and employees alike reduces the risk of human error such as weak credentials or falling for social engineering, and so makes the smart city's overall security posture more robust.
6. Leverage Frameworks and Standards
Frameworks offer a structure for smart cities to approach their cybersecurity. They help in setting clear benchmarks and guidelines, enhance governance and risk management, facilitate system-wide integration and interoperability, and, well, keep you protected from legal pitfalls while ensuring the trust and peace of millions of citizens, national, and international stakeholders.
Some of the key frameworks that can help simplify and secure your smart city solutions from cyber threats are:
- NIST CSF (Identify, Protect, Detect, Respond, Recover, with Govern added in CSF 2.0)
- ISO/IEC 27001 (deals primarily with information security management systems, ISMS)
- IEC 62443 (for securing industrial automation and control systems)
- CIS Controls (18 controls with prioritised safeguards for access control, asset inventory, secure configuration, etc., derived from real-world attacks)
- ENISA Smart City Guidelines (best for building resilient security governance in tech-enabled and nuanced urban ecosystems)
- CERT-In (detailed and specific cybersecurity guidelines for smart cities in India)

How can Astra Help?
Smart cities operate through a dense web of interconnected systems—IoT, APIs, and public-facing platforms—all of which demand constant vigilance. Our advanced AI-powered PTaaS engine continuously tests and protects these ecosystems, identifying threats before they impact critical infrastructure or citizen services.
Our SOC 2 vulnerability scanning platform, staffed by globally certified pentesters (CREST, CEH, OSCP, eWPTXv2, etc.), combines automated and manual testing across 15,000+ vectors. From wireless mesh networks and ICS environments to API endpoints and mobile apps, vulnerabilities are assessed in real time, without noise or false positives.
Seamless CI/CD integrations and direct Slack/Teams channels enable secure DevOps and rapid incident response. Built-in compliance support for ISO, GDPR, HIPAA, and others, in addition to SOC 2, ensures that your city moves from reactive to resilient, armed with proactive, ongoing security intelligence.
Key Features for Smart Cities:
- Offensive AI engine tailored for public-facing platforms, IoT & APIs
- Zero false positives with scan-behind-login
- Real-time detection of zero-days & CVEs
- CI/CD & alert system integrations (Slack, Jenkins, JIRA, GitHub, GitLab, etc.)
- Industry-specific AI test cases & reports
- Certified experts tackling city-specific threat surfaces

Final Thoughts
By this point, cybersecurity for a smart city may feel overwhelming.
Our concise list covering crucial cybersecurity best practices for smart cities is just the starting point. However, there is no need to worry; with the correct set of frameworks and cybersecurity vendors, this journey will feel much easier.
FAQs
What are the security challenges in smart cities?
Smart cities face security challenges like cyberattacks on critical infrastructure, data breaches, surveillance abuse, insecure IoT devices, and lack of standardized protocols. These vulnerabilities threaten privacy, public safety, and operational continuity, demanding robust cybersecurity frameworks and resilient urban technology governance.
What is smart security in a smart city?
This would mean adhering to cybersecurity best practices for a smart city, such as:
- Adopting multiple international frameworks to design the city's cybersecurity posture
- Partnering with vendors that provide industry-grade scalability, simplicity, endpoint coverage, and continuous real-time threat detection and remediation
- Ensuring the privacy and security of citizens' PII and other data critical to national interests and security