A group of cybersecurity professionals surveyed by a think tank at the University of California, Berkeley said that emergency alert systems, video surveillance devices and traffic signals pose the greatest cyber risks to local governments pursuing “smart city” programs.
The survey, conducted by researchers at Berkeley’s Center for Long-Term Cybersecurity, asked 76 experts — working in the tech industry, academia, government and the nonprofit field — to rate nine types of technologies frequently held up as core components of smart cities, based on how likely they were to be attacked by a malicious actor, how impactful a successful attack would be and how much interest they’d attract from nation-state adversaries.
Emergency alert systems that give critical guidance to the public during times of distress ranked first in all three categories, followed by street video surveillance and traffic signals. Some of the people questioned in the survey also described chaotic scenarios that might play out in a city if any of those systems were compromised. Ten respondents described situations in which spoofed emergency messages caused “widespread panic and civil unrest,” while 18 told the Berkeley researchers that tampering with traffic lights could cause accidents and gridlock and possibly prevent police, firefighters and ambulances from reaching emergency scenes.
Even false emergency alarms sent out by technical failure have caused momentary chaos. In January 2018, residents of Hawaii endured 38 minutes of terror when the state’s emergency alert system accidentally sent a message warning of an inbound ballistic missile.
Smart-city technologies related to open data, water consumption, tolling and gunshot detection were all considered lower risk than the top three items, according to the survey. The 76-person panel also judged internet-connected trash and recycling bins to be of the least amount of interest to foreign adversaries looking to disrupt a U.S. city.
“Smart city technologies are not created equally when it comes to cyber-risk,” the survey reads.
In an interview, Alison Post, an associate professor of political science at Berkeley, said the survey results should indicate to municipal leaders pursuing smart-city programs that they need to take cybersecurity into greater consideration when making their tech decisions.
“The balance of risks and potential gains is going to vary,” Post said. “As they’re thinking about different types of systems, it would behoove them to coordinate with IT departments where the impact of an attack is likely to be very high on health, trust, as well as imagining nation-state or insider threats being likely.”
Several major organizations that advise city governments on IT security, including the Multi-State Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency, offer guidance on how to assess the risk of smart-city programs.
“The systems upon which smart city projects are built can impact virtually every aspect of modern life, including communications, utilities such as water and power, transportation, and government services due to the wide-ranging scope and the amount invested,” reads a CISA paper published in January 2020.
The security of internet-connected urban infrastructure was thrust into sharp relief last month when a hacker gained access to a water facility in Oldsmar, Florida, and changed the level of sodium hydroxide to a potentially unsafe level. While the attack was detected before any harm was done, federal agencies found the intrusion was likely made possible by weak access management on the water plant’s industrial controls.
The Berkeley survey was conducted before Oldsmar water breach, Post said, and did not ask respondents about industrial control systems.