The digital transformation of city infrastructures is a response to growing urban densification, and also to energy efficiency and sobriety requirements. However, the transition to increasingly connected cities raises questions about cybersecurity; for after all, anything that is connected is potentially vulnerable. Furthermore, cybercriminals have amply demonstrated their ability to exploit the vulnerabilities inherent in these new architectures. We present an overview of the attack surface for smart cities.
By joining up their essential systems, smart cities offer new prospects, but also extend their attack surface in the process: lighting, signage, urban mobility, water, video surveillance, building management systems, energy, parking, etc. We examine these cybersecurity challenges with a (non-exhaustive) run-down of the “Top 8” cyberattacks on connected cities and smart cities, in reverse chronological order.
U.S., 2023: when a water control system is temporarily decommissioned
In November 2023, the Municipal Water Authority of Aliquippa, Pennsylvania suffered a cyberattack on its water pressure control equipment, CBS News Pittsburgh reported. On Saturday 25 November, water pressure-monitoring computer equipment belonging to the water authority stopped working, instead displaying an anti-Israel message.
The cyberattack had an international dimension, with responsibility later being claimed by the Cyber Av3ngers, an Iranian cyber-criminal group already involved in similar incidents in Israel.
England, 2023: when hacktivist messages are displayed on buses
In October 2023, hacktivist group The Dyke Project hijacked adverts on London's public transport network. According to online newspaper Slate, cyber criminals replaced traditional advertisements with messages from Queering the Map, a site that allows LGBT+ people to share anonymous, geolocated messages.
The Transport for London public body confirmed the cyberattack and removed the unauthorised adverts, in line with company policy.
Poland, 2023: when a cyberattack paralyses the transport system
In June 2023, the city of Olsztyn, Poland suffered a cyberattack that paralysed its transport system, as reported by LeMagIT. Olsztyn, known for its smart city features, includes a traffic management centre, traffic intersection monitoring with detection of violations, Wi-Fi hotspots in trams, and a weather information system. The attack hit nearly a hundred intersections in the city centre, disrupting traffic lights and other vital elements of the transportation system.
As a result, major traffic jams formed on the main roads of the city, and citizens experienced problems buying public transport tickets. Following the attack, ZDZ iT – the city’s transport authority – was forced to physically disconnect the servers from the network to contain the situation.
Ireland, 2022: when a resident defrauds the electronic parking system
In May 2022, David Young appeared before the Criminal Court in Cork, Ireland, charged with exploiting a vulnerability in the computer system of the private company running the parking system on behalf of Cork City Council. According to information reported by the Irish Examiner newspaper, Young found a temporary flaw during a software update that enabled customer accounts to be modified manually. He then used the loophole to fraudulently increase his parking credit.
The company hired an IT consultant to resolve the issue, resulting in analysis and update costs of more than €12,000. Meanwhile, Young pleaded guilty and paid for these costs, plus the value of the wrongly-credited parking.
China, 2019: when a data leak reveals a widespread surveillance system
In May 2019, a data leak affecting a surveillance system in Chinese smart cities was discovered. Security researcher John Wethington’s interview with the TechCrunch news site provided an insight into the extent of this discovery. The security researcher found an Elasticsearch database exposed on the Internet, not requiring a password and containing gigabytes of facial recognition data on hundreds of people, harvested over several months.
The leak raised questions about the use of facial recognition and surveillance systems in smart cities.
US, 2017: when cybercriminals activate emergency sirens in the city
In April 2017, in Dallas, 156 emergency alarm systems were activated simultaneously by cybercriminals, Forbes reports. The attack, which occurred just before midnight, was mistaken for a severe weather warning, despite no signs of any imminent natural disaster. The Dallas Office of Emergency Management was forced to intervene quickly to disable the alarms, and worked with the Federal Communications Commission to identify the perpetrators.
The incident not only generated significant noise in the city, but also prompted a surge in 911 calls, overloading emergency services. Although the systems were quickly restored, City Mayor Mike Rawlinson was quick to react to the incident in Forbes magazine, explaining, “This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure”.
Finland, 2016: when a DDoS attack cuts off apartment heating
In November 2016, in Lappeenranta – a Finnish city of 60,000 inhabitants – a DDoS cyberattack disrupted control systems for two residential buildings, leaving residents without heating or hot water, according to information reported by Forbes. The buildings suffered an attack that caused their heating and hot water systems to be repeatedly restarted, leading to an endless loop that eventually prevented normal operation.
Although local temperatures were not at extremely low levels at the time of the attack, the incident represented a new development in the cybersecurity of connected buildings.
USA, 2014: when cybersecurity researchers control traffic lights
In August 2014, researchers at the University of Michigan, in collaboration with a local road agency, revealed a vulnerability in traffic light management systems. Using ordinary laptops, they were easily able to control 100 traffic lights in the state of Michigan by altering timings at intersections to create a series of green lights.
This information, published at the time by Britain’s Daily Mail newspaper, highlighted the security flaws in a system used in 40 US states, including the use of unsecured wireless networks and default passwords.
It is clear that increased connectivity in urban systems is opening new doors for cybercriminals. From the operation of traffic lights to compromised surveillance systems, all these incidents demonstrate the importance of implementing enhanced cybersecurity to protect vital infrastructure.
