Cities around the world are increasingly using technologies to connect their services and people. Smart Cities use sensors to collect data – on public services, traffic, garbage collection, road conditions and much more – and then use these data to provide services to residents.
But this race to become a smart city has a significant disadvantage: the more connected a city becomes, the more exposed it is to cyber-attacks. In recent years, hackers have taken cities hostage through ransomware, sometimes paralysing critical systems for several months at a time. Damage compensation can amount to millions of euros, as Baltimore and Atlanta have seen.
And this is only the beginning. The more cities add devices connected to their streetlights, power grids, dams, transit lines and other services, the more targets they offer to be hacked. Besides, officials fear that the vast amounts of data resulting from the collection of additional information on residents may attract states or terrorists who may use them to wage physical and cyberwars.
Sensors, data and confidentiality
Sensors are the essential elements of smart city projects. Cities place them on traffic lights, garbage bins, streetlights and buildings to collect mountains of data – such as air pollution levels, vehicle and population movements over certain areas at different times of the day.
These sensors transmit the data to collection stations, which can use them to, for example, identify and cut down sources of pollution, manage traffic flows and organise the waste collection.
Unfortunately, the technology itself is often far from being as intelligent, and it could be a gateway for determined attackers, potentially allowing them to access other systems in the city as well as capture the data itself.
The potential damage is almost infinite. Hackers could, for example, create erroneous data or withhold real information on the strength of bridges, direct emergency services towards non-existent floods, or even alter information on air quality or trigger false alarms.
A recent study of IBM’s offensive cybersecurity unit, X-Force Red, found seventeen significant vulnerabilities in one sensor deployed in a major American metropolis. They made this discovery merely by analysing the software that operates the sensors, without any of them being physically in their possession.
All the data collected by these sensors can be the main target of hackers who seek to compromise smart city systems. The amount of data collected on a city’s residents, even using simple traffic and pedestrian sensors, is vast.
It raises privacy concerns: personal information tracked could be used to identify individuals and their locations. In the past, hackers had already expressed an interest in this type of information, such as when they hacked into the United States Office of Personnel Management in 2015 and disclosed the files of more than 20 million people.
Cities have long recognised the potential of smart technologies to help reduce waste management problems. Garbage collection sites that can provide information on their capacity levels can save money by avoiding unnecessary collection, improving living conditions, controlling the spread of pests and preventing health crises.
New York, for example, has deployed hundreds of smart bins developed by Bigbelly across the city; the city has also converted a number of these bins into public access points for Wi-Fi.
Again, the disruption of waste management services can have serious repercussions, primarily if the connected technology extends to the sewer system.
Hackers, for example, could create health disasters by diverting sewage or stitching up parts of the network.
What happened in Maroochy Shire, Australia, where a disgruntled former employee of the local city council hacked into the wastewater management system dozens of times in two months in 2000, can serve as a warning. More than 1,000 raw sewage had been discharged into parks and rivers, causing considerable environmental damage.
Energy and water supply systems
Smart technologies allow a more efficient distribution of electricity and water in urban areas, especially in areas with large populations during the day, such as central business districts. Smart grids, coupled with monitoring technologies, can redirect electricity to areas of high demand or, on the contrary, reduce supply to areas that do not need it. Smart grids also allow utilities to know more precisely how much energy a household consumes over a given period.
Here again, the risk is high. Malware could disable power plants, as seen, for example, in 2017 when NotPetya malware was released in Ukraine before it spread around the world.
The widespread presence of smart meters also means that there are thousands of potential entry points into the grid.
A pirate who manages to compromise electrical networks would have complete freedom to cause damage, such as diverting electricity from a hospital, depriving fire departments of water supply during a fire by diverting water from hydrants or triggering a blackout.
At the individual level, infected smart meters could start fires by overheating the circuits, distort billing and, perhaps most worryingly, allow access to other Internet-connected devices in the home.
Moreover, when a public service system is the victim of an attack, it is difficult to stop it to find the origin of the problem.
When a city equips itself with technology connected to the Internet and comes to depend on it – as is the case with hospitals with smart grids – it must think about how to deal with an attack while keeping services running. It is, therefore, crucial to anticipate these attacks by taking the necessary measures when designing the system.
Traffic control systems
In addition to reducing traffic pressure at peak times, cities see the potential benefits that smarter traffic control systems can bring to first aid and law enforcement in their activities. Traffic lights can be adjusted at any time, making it easier for safety vehicles to get to the scene in an emergency.
Traffic lights that pass through the wrong hands could result in a massive loss of lives. Imagine for a moment a hacker turning all the traffic lights in a city green at the same time.
In 2018, a group of researchers at the University of Michigan successfully misled a system tested by the U.S. Department of Transportation. They effectively hacked data between the system and the vehicle equipped to receive it without touching the network. They were able to change the timing of traffic lights and turn all signals red, which could create traffic jams.
Additionally, to basic “cyber hygiene” – which includes encrypting data sent over networks – cities can also ensure that not all their systems are on the same network.
Kevin Martin, program director for Smart City PDX, the Portland, Oregon urban technology project, explains that its sensors are deliberately compartmentalised from the city’s more extensive networks as much as possible, to prevent them from an entry point for potential attacks.
Portland also anonymises its data and destroys the video recordings it collects immediately after their analysis. In New York, the managers have set up a test laboratory for the Internet of Things and have carried out complete checks on more than a dozen devices to date, examining both their performance and vulnerabilities. As the technology matures, more real-life use cases are made available to security researchers to review.