Could hackers take down a city?

Published Aug. 19, 2015

First the power goes out. It's not clear what's gone wrong, but cars are starting to jam the streets — the traffic lights are down. And something seems to be going haywire with the subways, too.

No one can get to work. And even if they could, what would they do? A cyberattack has driven the city to a halt.

Of course, that hasn't happened yet — and to a lot of people the idea of malicious hackers taking down a city still sounds like a bad movie plot. But it may not be as crazy as it sounds, according to security experts who say cities' increasing dependence on technology and the haphazard ways those systems sometimes connect could leave them vulnerable to someone looking to cause chaos.

Cities, like the rest of the world, now rely on a lot of computers. But the systems used to make even the most sensitive systems run can still contain security flaws. While the risk of an actual attack may not be imminent, the threat is looming large over cybersecurity researchers who warn that local governments aren't prepared.

"The potential attack surfaces of a city is a huge challenge," said David Raymond, deputy director of Virginia Tech's IT Security Lab. "The digital pathways between all of the entities and organizations in a city is often not well managed. In many cases, there's no overarching security architecture or even understanding of holistically what the city looks like."

Researchers have already discovered vulnerabilities with new technology being used in many cities.

Last year, researchers found that a traffic monitoring system used in dozens of U.S. cities, including Washington, could allow a malicious hacker to falsify traffic data and manipulate stop lights. Washington officials say the city is reviewing the security of its traffic sensors. A few years ago, two Los Angeles traffic engineers pleaded guilty to hacking into the city's traffic system and slowing down traffic at key intersections in support of a labor protest.

In 2008, the Telegraph reported that Polish police believed a 14-year-old was responsible for a tram derailment that injured 12 people — a feat he supposedly pulled off with a modified television remote control that took control of the steering and signals on the tram system.

"No one is thinking about the security implications," Raymond said.

Transportation systems are a key "pressure point" for cities, places where technology that is otherwise well secured might intersect in ways that make them vulnerable to a targeted attack that could cascade throughout a city, according to Raymond and fellow researchers Gregory Conti, a professor who teaches cybersecurity at West Point, and Tom Cross, the chief technology officer at cybersecurity firm Drawbridge Networks. Raymond, Conti and Cross presented their research at the Black Hat USA cybersecurity conference in Las Vegas earlier this month.

"Each person is looking at their little silo and defending their department or agency — to varying degrees of success — but they don't appreciate the relationships between their piece of the puzzle and other people's pieces," Cross said.

And in some cases, older industrial systems never designed to be online end up making their way onto the Internet. Researchers using Shodan, a search engine used to identify systems connected to the Internet, have routinely discovered traffic lights, water treatment facilities and even power plant controls online.

This summer, researchers said they found security vulnerabilities that could potentially be used to shut down a nuclear power plant. The vulnerabilities involved networked ethernet switches used in industrial environments, according to researchers Colin Cassidy, Robert Lee, and Eireann Leverett, who presented at the Black Hat USA conference. The researchers disclosed the problems to the switch makers and said that fixes are coming. But they worry that the slow patching process for these types of issues may leave some affected systems vulnerable for years.

Even finding those sorts of problems can be difficult. Gaining access to power and water treatment plants is difficult. And these types of industrial facilities are not traditionally targeted by financially motivated cybercriminals, so researchers are less likely to look for potential problems, said Cross. But nation-state or politically motivated attackers might take an interest in these types of industrial facilities in the future, Cross said.

And to make matters worse, attackers are getting stronger. "The sophistication level of attackers is increasing across the board," said Conti.

Sophisticated malware that has traditionally only been accessible to government agencies can end up in the hands of cybercriminals and one day may be used by someone aiming to cause destruction, researchers say.