A year ago, Cesar Cerrudo flew to Washington, strolled over to Capitol Hill and pulled out his laptop. Then he began to hack the city’s traffic system.
The traffic lights — like so many he had tested before in Manhattan and elsewhere — were wide open to attack. Mr. Cerrudo, an Argentine security researcher at IOActive Labs, an Internet security company, found he could turn red lights green and green lights red. He could have gridlocked the whole town with the touch of a few keys, or turned a busy thoroughfare into a fast-paced highway. He could have paralyzed emergency responders, or shut down all roads to the Capitol.
Special Section: Transportation
A look at how technology is changing how we get around
Instead, Mr. Cerrudo approached the company that designs city traffic sensors, but does not encrypt the traffic running through them, in hopes executives would fix the security hole. When he was ignored, he blogged about the vulnerability in hopes that people would wake up to the issue and pressure cities to get it fixed. “What I found is that cities are filled with security problems that could have a very direct and physical impact on our lives,” Mr. Cerrudo said in a recent interview.
He is hacking into cities’ traffic infrastructure as security flaws in municipal technology networks are becoming a growing problem. For the last three years, government officials — and security specialists long before them — have warned that malicious hackers could shut down so-called smart cities, where network sensors connect traffic, water, waste and air management systems and the electric grid online to increase efficiency. As it stands, no comprehensive system exists for vetting security and responding to cyberattacks at the municipal level.
Spending on smart city technology is also soaring around the globe. In Saudi Arabia, $70 million has been poured into a project to build four smart cities. In South Africa, $7.4 billion has been funneled into a smart city project that is underway. By 2023, spending on smart cities will reach $27.5 billion, according to an estimate by Navigant Research. “It’s going to be a machine planet pretty soon,” said David Jordan, the chief information security officer for Arlington County, Va. “They’re going to be telling us what to do if nobody starts paying attention.”
Already, incidents involving computer bugs in traffic systems have caused havoc, with one such bug closing down San Francisco’s public train system two years ago, trapping passengers underground. In 2006, during a labor strike, two Los Angeles traffic engineers were accused of hacking smart traffic light systems at only four major Los Angeles intersections. The ensuing gridlock lasted four days, clogging entries to Los Angeles International Airport and the on ramp to the Glendale Freeway, and turning major intersections in Studio City and downtown into parking lots.
Yet the Obama administration, which has called cybersecurity a top priority, has failed to persuade regulators that the threat to the nation’s critical infrastructure is real.
Cybersecurity legislation stalled in the Senate after Republicans argued that mandating basic security for the private companies that oversee the nation’s dams, water treatment facilities and the power grid would be too onerous.
After a Republican filibuster, President Obama signed an executive order two years ago that set cybersecurity recommendations for companies that oversee the country’s critical infrastructure like utilities, dams and bridges. Yet the order lacked teeth because, without legislation, the recommendations are voluntary.
That is where hackers like Mr. Cerrudo have stepped in, hoping to illustrate the extent of the problem by breaking into the systems themselves. He has demonstrated how 200,000 control sensors for traffic flow in major cities like New York, San Francisco and Washington were open to attack. Because vendors did not encrypt the data running through their systems, Mr. Cerrudo could intercept and alter traffic sensors from 1,500 feet away, or even by drone.
Mr. Cerrudo is also hacking away at public apathy about security issues by using another tack: He is starting a nonprofit initiative, Securing Smart Cities, that aims to bring together security researchers and officials in the public and private sectors to tackle the vulnerabilities in increasingly connected cities, before another 50 billion devices go online in the next five years.
“This is where everyone lives, including myself, and I am tired of pointing out the problem without offering a solution,” Mr. Cerrudo said.
He and his colleagues are aiming for defenses like encryption and passwords, and a proper process for patching holes like the ones discovered in traffic sensors. Ideally, cities will start tracking access to their systems, run regular tests to look for loopholes and set up emergency response teams that can solicit vulnerability reports from hackers, coordinate patches and share that information across cities. They also want to create manual overrides for all smart city systems, in the event attackers take control.
Some municipalities are paying close attention to the issue. In Arlington County, Mr. Jordan said his proximity to the Department of Homeland Security and the Federal Bureau of Investigation made his county’s situation unique. He has put together a “fusion” team of computer forensics specialists at the county police department, network engineers, and his security vendors at Palo Alto Networks, Trend Micro and Symantec. He also has an alert system to notify 22 other jurisdictions if his county comes under a cyberattack.
No law or requirement mandates that the nation’s other 3,100 or so counties do the same. In Arlington County, while the law requires that a government official manage the county’s records and archives, no digital equivalent requires one person to track and monitor for suspicious activity on the networks for traffic, sewerage or the power grid.
“I don’t think the federal government, or the states know the status of cyber in all those counties,” Mr. Jordan said. “Cyber has yet to become a tenet of government, largely because nobody understands this, and they certainly don’t like it because it’s expensive.”
Mr. Jordan is working with Mr. Cerrudo and others, including Alan Seow, former head of cybersecurity preparedness for Singapore, and top security specialists from Symantec, Kaspersky Labs and Bastille to raise awareness of the increasing vulnerabilities in cities and counties as more of their critical systems move online.
“There’s been a huge disconnect between those in the security community, who do all the complaining, and those affected,” said Patrick Nielsen, a security researcher at Kaspersky. “The big goal of this project is to connect those in the security community with officials in cities to understand what the risks are, and how to neutralize them.”
Security researchers have long been accused of fostering “FUD,” an acronym for fear, uncertainty and doubt, to sell their products. As a result, Mr. Cerrudo said he and others had purposely set up their initiative as a nonprofit project. “We are not selling anything,” he said. “The technologies are broad, the problem is huge, and we didn’t want to point out problems without offering solutions. The only way to solve this is going to be collaboration.”
The potential for damage, he and others said, has already eclipsed the hypothetical. Last year, a Russian hacking group, known to researchers as Dragonfly and Energetic Bear, was found to be probing power networks in the United States and Europe.
In 2013, the Homeland Security Department acknowledged that the energy industry became the most-targeted sector for hackers in the United States, accounting for 56 percent of the 257 attacks reported to the agency that year. And last year, the agency acknowledged in a report that “a sophisticated threat actor” had broken into a public utility’s control system using a simple attack. The attacker just guessed the password to a system that never should have been plugged into the Internet in the first place, the agency said. Just how far Mr. Cerrudo can take his initiative is open to debate. A year after publishing his findings on traffic sensor research, Mr. Cerrudo tested San Francisco’s traffic light system and found that the city had still not encrypted its traffic sensor data, leaving the city wide open to attack.
“Every day, cities incorporate a new ‘smart’ technology, without any testing,” he said. “What they don’t realize is that they are putting citizens and businesses at risk. If that technology is not protected, people will suffer the consequences.”