Log In

Reset Password
News Education Local News Nation & World New Mexico

Hackers may be growing threat to cities

By Andrea Peterson
Tuesday, Aug 18, 2015 1:54 PM Updated Tuesday, Aug. 18, 2015 2:43 PM
Experts warn few understand the potential to create chaos
Cybersecurity experts are warning that cities’ growing dependence on technology is making them more susceptible to cyberattacks. Computer systems monitoring and controlling traffic conditions are one possible area that hackers could attack to cause chaos in U.S. cities, they say.
Josh Stephenson/Durango Herald file photo

First, the power goes out. It’s not clear what’s gone wrong, but cars are starting to jam the streets – the traffic lights are down. And something seems to be going haywire with the subways, too.

No one can get to work. And even if they could, what would they do? A cyberattack has driven the city to a halt.

Of course, that hasn’t happened yet – and, to a lot of people, the idea of malicious hackers taking down a city still sounds like a bad movie plot. But it may not be as crazy as it sounds, according to security experts who say cities’ increasing dependence on technology and the haphazard ways those systems sometimes connect could leave them vulnerable to someone looking to cause chaos.

Cities, like the rest of the world, now rely on a lot of computers. But the systems used to make even the most sensitive systems run can still contain security flaws. While the risk of an actual attack may not be imminent, the threat is looming large over cybersecurity researchers who warn that local governments aren’t prepared.

“The potential attack surfaces of a city is a huge challenge,” said David Raymond, deputy director of Virginia Tech’s IT Security Lab. “The digital pathways between all of the entities and organizations in a city is often not well-managed. In many cases, there’s no overarching security architecture or even understanding of holistically what the city looks like.”

Researchers have already discovered vulnerabilities with new technology being used in many cities.

Last year, researchers found that traffic monitoring systems used in dozens of U.S. cities, including Washington, D.C., could allow a malicious hacker to falsify traffic data and manipulate stoplights. Washington officials say the city is reviewing the security of its traffic sensors. A few years ago, two Los Angeles traffic engineers pleaded guilty to hacking into the city’s traffic system and slowing down traffic at key intersections in support of a labor protest.

In 2008, the Telegraph reported that Polish police believed a 14-year-old was responsible for a tram derailment that injured 12 people – a feat he supposedly pulled off with a modified television remote control that took control of the steering and signals on the tram system.

“No one is thinking about the security implications,” Raymond said.

Transportation systems are a key “pressure point” for cities, places where technology that is otherwise well-secured might intersect in ways that make them vulnerable to a targeted attack that could cascade throughout a city, according to Raymond and fellow researchers Gregory Conti, a professor who teaches cybersecurity at West Point, and Tom Cross, the chief technology officer at cybersecurity firm Drawbridge Networks. Raymond, Conti and Cross presented their research at the Black Hat USA cybersecurity conference in Las Vegas earlier this month.

“Each person is looking at their little silo and defending their department or agency – to varying degrees of success – but they don’t appreciate the relationships between their piece of the puzzle and other people’s pieces,” Cross said.

And in some cases, older industrial systems never designed to be online end up making their way onto the Internet. Researchers using Shodan, a search engine used to identify systems connected to the Internet, have routinely discovered traffic lights, water-treatment facilities and even power-plant controls online.

This summer, researchers said they found security vulnerabilities that could potentially be used to shut down a nuclear power plant. The vulnerabilities involved networked ethernet switches used in industrial environments, according to researchers Colin Cassidy, Robert Lee and Eireann Leverett, who presented at the Black Hat USA conference. The researchers disclosed the problems to the switch makers and said that fixes are coming. But they worry that the slow patching process for these types of issues may leave some affected systems vulnerable for years.

Even finding those sorts of problems can be difficult. Gaining access to power and water-treatment plants is difficult. And these types of industrial facilities are not traditionally targeted by financially-motivated cybercriminals, so researchers are less likely to look for potential problems, said Cross. But nation-state or politically motivated attackers might take an interest in these types of industrial facilities in the future, Cross said.

And to make matters worse, attackers are getting stronger. “The sophistication level of attackers is increasing across the board,” said Conti.

Sophisticated malware that has traditionally only been accessible to government agencies can end up in the hands of cybercriminals and one day may be used by someone aiming to cause destruction, researchers say.

Meanwhile, cities worried about cybersecurity risks often struggle to attract the right expertise and secure enough resources to address these issues over the long term, the researchers say. “One political leader may have some sort of educational event where they learn about security – an incident that wakes them up – but the next leader may have to relearn that,” said Conti.

The risk-management approach cities apply to traditional forms of attacks should also be used in the digital realm, Cross said. Cybercriminals haven’t knocked out a city’s ability to operate yet, but that doesn’t mean it won’t happen, he said, adding, “It’s a false sense of security.”

Not everyone is convinced that cities are facing a cybersecurity crisis just yet: James Lewis, a senior fellow focused on cybersecurity at the Center for Strategic and International Studies, says cities are likely only going to be a target for pranksters in the immediate future – not cyberattacks aimed at creating real world damage. “There’s been a tremendous amount of increase in vulnerability, but that does not translate into an increase in risk,” he said.

But pranksters hacking traffic signs to warn about a zombie apocalypse (as has happened) aren’t what keeps researchers up at night. The real threat isn’t that someone will simply launch a cyberattack against a city, Raymond said, it’s that the attack will be designed to do as much damage as possible.

“The worst-case scenario is someone thinks it all through,” said Raymond.



You might also like
Biden uses feisty State of the Union to contrast with Trump, sell voters on a second term
Mar 7, 2024
Marijuana banking bill advances in the Senate
Sep 28, 2023
House Republicans push off Biden impeachment bid for now
Jun 22, 2023
Reader Comments
Ballantine Communications, Inc.
Durango Herald Durango Herald Store The Journal The Tri-City Record
DGO Directory Plus BCI Media Services
Events Four Corners Expos Browse Local Jobs Careers With Us
Contact Us
News tip/feedback Letter to the Editor Submit Local Brief FAQs About/History
Report a paper delivery issue/suspend delivery Advertise with Us Staff/Contact
Find Us
E-Edition
RSS Alexa

Choose from several print and digital subscription packages

Get The Herald

Sign up for our daily email newsletter or to receive breaking news delivered to your inbox:

© 2024 Durango Herald | Ballantine Communications, Inc. All Rights Reserved. | Terms of Use | Privacy Policy