Cybercriminals haven’t knocked out a city’s ability to operate yet, but that doesn’t mean it won’t happen. According to security experts, cities’ increasing dependence on technology and the haphazard ways those systems sometimes connect could leave them vulnerable to someone looking to cause chaos. Cities, like the rest of the world, now rely on a lot of computers. But the technology used to make even the most sensitive systems run can still contain security flaws. While the risk of an actual attack may not be imminent, the threat is looming large over cyber security researchers who warn that local governments aren’t prepared. The digital pathways between all of the entities and organizations in a city are often not well managed. In many cases, there’s no overarching security architecture or even a holistic understanding of what the city looks like.
Researchers have already discovered vulnerabilities in new technology being used in many cities. Last year, researchers found that a traffic monitoring system used in dozens of U.S. cities, including Washington, D.C., could allow a malicious hacker to falsify traffic data and manipulate stop lights. District officials say the city is reviewing the security of its traffic sensors. A few years ago, two Los Angeles traffic engineers pleaded guilty to hacking into the city’s traffic system and slowing down traffic at key intersections in support of a labor protest.
In 2008, the Telegraph reported that Polish police believed a 14-year-old was responsible for a tram derailment that injured 12 people, a feat he supposedly pulled off with a modified television remote control that took control of the steering and signals on the tram system. In research presented at the Black Hat USA cybersecurity conference in Las Vegas earlier this month, Gregory Conti, a professor who teaches cybersecurity at West Point, and Tom Cross, the chief technology officer at cybersecurity firm Drawbridge Networks, state that transportation systems are a key pressure point for cities, places where technology that is otherwise well secured might intersect in ways that make them vulnerable to a targeted attack. this could cascade throughout a city, according to Each person is looking at their little silo and defending their department or agency to varying degrees of success, but they don’t appreciate the relationships between their piece of the puzzle and other people’s pieces.
In some cases, older industrial systems never designed to be online end up making their way onto the Internet. Researchers using Shodan, a search engine used to identify systems connected to the Internet, have routinely discovered traffic lights, water treatment facilities and even power plant controls online. This summer, researchers said they found security vulnerabilities that could potentially be used to shut down a nuclear power plant. The vulnerabilities involved networked Ethernet switches used in industrial environments. The researchers disclosed the problems to the switch makers and said that fixes are coming. But they worry that the slow patching process for these types of issues may leave some affected systems vulnerable for years.
Even finding those sorts of problems can be difficult. Gaining access to power and water treatment plants is difficult, and these types of industrial facilities are not traditionally targeted by financially motivated cybercriminals, so researchers are less likely to look for potential problems. But nation-state or politically motivated attackers might take an interest in these types of industrial facilities in the future. To make matters worse, attackers are getting stronger, and their level of sophistication is increasing across the board.
Sophisticated malware that has traditionally only been accessible to government agencies can end up in the hands of cybercriminals and one day may be used by someone aiming to cause destruction.
Cities worried about cybersecurity risks often struggle to attract the right expertise and secure enough resources to address these issues over the long term. The risk management approach cities apply to traditional forms of attacks should also be used in the digital realm. Not everyone is convinced that cities are facing a cybersecurity crisis just yet: James Lewis, a senior fellow focused on cybersecurity at the Center for Strategic and International Studies, says cities are likely only going to be a target for pranksters in the immediate future, not cyberattacks aimed at creating real-world damage. “There’s been a tremendous amount of increase in vulnerability, but that does not translate into an increase in risk.”
But pranksters hacking traffic signs to warn about a zombie apocalypse aren’t what keeps researchers up at night. The real threat isn’t that someone will simply launch a cyberattack against a city; it’s that the attack will be designed to do as much damage as possible. The worst-case scenario is that someone thinks it all through and shatters our false sense of security.
References: DARPA, Scientific American and Andrea Peterson report in WP