It seems hardly a week goes by without a report about some system being hacked. Hospital breaches, cyberwarfare, ransomware attacks – the list goes on. But a more alarming trend is the risk to critical infrastructure, like the electric grid, dams and water management systems, and police stations.
A recent attack on the tornado warning system in Dallas highlights some of the problems faced by cities in managing the security of their systems. In this particular case, the hacker used radio frequencies to set off the alarm system. Ultimately, to stop the blaring of the sirens, city workers had to shut down the system. The motive of the attacker is not yet clear.
Dallas is far from the only city to suffer from infrastructure compromises. Another recent event occurred at a water utility company, where an attacker compromised the system not to gain access to records, but to use the cell signal from the utility for their own purposes. In this case, the hackers were able to use a known vulnerability in the routers used by the utility to compromise the system.
In both the case of the Dallas sirens and with the water utility, options existed to secure the systems, but were not implemented before the attacks. While it may seem obvious that cities should immediately implement any necessary steps to secure these types of systems, the nature of the infrastructure means the fixes are often difficult to implement in the normal course of operations. Cities often do not have employees with sufficient experience and expertise in security, and systems have often been in place for years, making updates expensive and time consuming.
Take the case of securing traffic signal systems: in 2014, a research team in Michigan found a number of vulnerabilities in the traffic control infrastructure in an unnamed municipality. Some of the issues would require updates to sensors that are embedded in the ground, which would be a costly and time consuming process. But many of the issues only required simpler fixes, like enabling encryption on radio signals and changing default passwords. In the future, we can only hope that cities build security in by design, to help minimize the threats to our infrastructure, and to ensure the safety of all citizens.