The critical infrastructure currently deployed in smart cities internationally is vulnerable to hackers who could trigger ‘mass panic,’ research warns.

As smart city technology becomes ubiquitous, a new kind of “supervillain” capable of taking control of traffic lights, dams and even causing alarm systems to malfunction is placing cities at risk, a report from IBM says.

This risk is growing as expenditure on smart city technology rises, with worldwide spending on smart cities projected to reach $80 billion in 2018 and $135 billion by 2021.

There are at least 17 vulnerabilities in smart city sensors and control devices currently deployed in various cities around the world, the joint IBM and Threatcare study found.

“The vulnerabilities discovered in this project could not only allow “supervillain” hackers to break into individual sensors and monitors, but to trigger false alerts that could terrify residents, cause city leaders to divert resources to non-existent problems, or block warnings about real dangers.”

Dr Paul Barnes, head of risk and resilience at the Australian Strategic Policy Institute (ASPI) said that while the level of vulnerability of cities to cyber risks varies depending on the level of connectivity of systems and their age, most councils “probably do” need to improve their safeguards to mitigate these risks.

“The larger a system gets, the more vulnerable it gets,” he said.

But the increasingly restricted revenue stream of local governments often compromises their ability to respond to these concerns.

“Some local governments’ revenue streams aren’t as large as some of the larger councils so the ability of some local governments to deal with some of these vulnerabilities or to address or identify where they may be vulnerable is going to be limited compared to some of the larger ones,” Dr Barnes said.

Of these vulnerabilities, the most recurring including the use of default passwords and a lack of authentication – vulnerabilities that are “painfully easy” to track down, according to the IBM report.

Adam Beck, executive director of the Smart Cities Council, told Government News that as cities continue to digitise, both cities and smart cities will increasingly be vulnerable to these sorts of risks.

“As we continue to connect sensors to the internet, adopt new ways via the net and networks, risk is going to increase,” he said.

Consequences of a breach

The consequences of breaches could be both serious and catastrophic, with hackers capable of manipulating alarm systems to “report incorrect data, an attacker could potentially cause an evacuation as a distraction,” the IBM report says.

Even accidental manipulations of smart city infrastructure, such as the false missile alert triggered in Hawaii, can “trigger mass panic,” while malicious breaches by actors “determined to incite mass chaos” can create “far greater impact,” according to the report.

But Dr Barnes says the more likely outcome of a breach, such as complete shutdown of traffic lights, would be a lockdown of transport system:

“You’d be looking at rapidly cascading effects, predominantly in the transport system.”

The warning comes two years after a massive cyber breach in the Ukrainian capital of Kiev caused the city to lose the equivalent of a fifth of its total power capacity for an hour. Around the same time, the New York Times reported Iranian hackers manipulated a dam in New York.

In 2016 a former employee of Maroochy Shire Council in Queensland hacked into council’s sewerage control system, causing a number of failings in the system.

The report warns that these sorts of events are increasingly likely if safeguards aren’t implemented.

“If smart city device manufacturers and the agencies deploying them do not learn from these recent examples and work harder to secure them today, they will be faced with episodes of mass confusion and potentially chaos when they’re compromised in the future,” it says.

Call for security safeguards

This vulnerability can be mitigated if both the manufacturer looks to design their products securely and users ensure they have sound security safeguards in place, according to IBM.

The report highlights the importance of implementing IP address restrictions, leveraging scanning tools to identify vulnerabilities, using strong network rules and disabling unnecessary remote administration ports.

While these risks are present, there is also a suite of resources to help councils mitigate them, Mr Beck says.

“There is a plethora of guidance on how to avoid these risks. There are international standards around cyber risks, we have guidelines, resources, case studies, technology and other solutions that can avoid or mitigate risks,” he said.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter