Advanced technology has changed countless facets of everyday life, from internal enterprise processes to consumer pursuits and beyond. Even the design, management and support of large and small cities have shifted thanks to innovative smart city systems.
While advanced components to support utilities, critical infrastructure, traffic and more can bring numerous benefits, these solutions also open both urban and rural areas to new risks and cyber threats.
We’re taking a closer look at city infrastructure and roadways, including energy and water utilities and highway transportation systems, the changes being made in these areas and how new technologies must be balanced with proper risk assessment.
Upgrading water and energy infrastructure
There’s simply no doubt that access to water and energy resources is one of the most important elements for residents. In many areas, city managers and officials are looking to upgrade their existing systems – some of which are legacy systems that have been in place for decades – with updated, intelligent technology.
As Trend Micro pointed out, such systems are able to run in the background, helping to manage and maintain water and energy infrastructures with little human interaction. This, in turn, boosts efficiency and, in theory, helps reduce the chances of long-term outages that result from inclement weather or other critical infrastructure issues.
At the same time, though, upgrading water and energy systems with smart technologies could, as Trend Micro researchers noted, “come at a cost.” Putting intelligent platforms in place where there previously were none could create significant risks that must be considered and mitigated ahead of time.
“Using Shodan and other tools, Trend Micro researchers looked into the possible weaknesses of exposed industrial control systems (ICS) across the energy and water industries,” researchers explained. “The results give a glimpse of security gaps found in ICS and human machine interfaces (HMIs) … that could lead to bigger problems due to the interdependent nature of critical infrastructure sectors and, more importantly, the natural dependence of people on these infrastructures.”
In many instances, the security risks that could potentially impact water utilities overlap with those that threaten access to energy resources:
Unsurprisingly, a leading concern here is the possibility of cyberattacks that could prevent access to these resources, or create situations of extended downtime. A long-term power outage or inability to access running water could have severe consequences for small and large cities alike, creating panic and potential public health impacts among residents. The ways in which attackers might achieve a successful intrusion and cyberattack differ, and are explored in more detail below, but the potential for this risk is clear across utility sectors.
As Trend Micro explained in its report, “Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries,” researchers discovered that several devices – including human machine interfaces, remote desktop protocols, virtual network computing systems and other components – are currently exposed on the internet. These exposed devices provide an ideal point of attack for cybercriminals looking to support an intrusion.
Researchers found different levels of exposure and different reasons behind this issue, including improper setup of remote access functions, unsecured access provided to a third party, and/or incorrectly configured network settings. These security issues make it possible for attackers to access exposed devices and leverage them to steal sensitive personally identifiable customer information; to gain entry to the network and subsequently support sabotage or fraudulent processes; or to run illegal operations using the network, including DDoS attacks, botnets, cryptocurrency mining and other malicious activity.
Once an exposed device has been identified, the potential for misuse by attackers leading to other security issues and attacks is nearly limitless. Worse still, this issue impacts all different types of energy and utility plants, including those for oil and gas, solar energy, hydroelectric plants, water treatment, and other industrial facilities.
Example of a real-world threat scenario
Within the report, Trend Micro researchers look into several potential real-world threat scenarios that could take place thanks to exposed human machine interfaces and other devices within the industrial sector.
“One of the greatest concerns for organizations in this sector is the possible effect of direct cyberattacks on their operations, thereby leading to a disruption of supply to and from the plant,” Trend Micro researchers explained. “This is especially true for water facilities that either purify water for distribution or use water in their operations.”
A water treatment plant, for instance, could be attacked via exposed human machine interface controls through public methods. Controls that are not properly secured and therefore exposed over the internet could provide the ideal opening for an attack that interrupts operations and prevents the plant from supplying drinking water.
Attacks on highway infrastructure
As Trend Micro researchers noted in the report, “Cyberattacks Against Intelligent Transportation Systems: Assessing Future Threats to ITS,” intelligent transportation systems create similar risks to smart infrastructure.
Successful attacks on transportation systems can have numerous malicious consequences, including vehicular accidents; traffic jams that impact service delivery, the movement of freight and daily commutes; and additional ripple effects that create financial loss for businesses, individual people or cities.
The intelligent systems that could be impacted here include autonomous vehicles, as well as connected vehicles equipped with LAN or Wi-Fi connections. Roadway reporting systems encompassing elements like lane cameras, roadway weather stations and other platforms fall under this risk umbrella, as do traffic flow controls like traffic signals, message signs and toll collection systems.
The potential risk of attack here differs depending on the scenario, but as Trend Micro pointed out in its report, several real-world attacks have already taken place. In one instance, an individual hijacked a dynamic traffic sign and changed its message to “Drive Crazy Y’all” as a prank. Surprisingly, this attack was made possible through default login credentials that were easy to guess.
In a more damaging example, San Francisco’s Municipal Transportation Agency was attacked in 2016 by ransomware that shut down internal and commuter systems. Fare payment machines were made inaccessible, displaying “OUT OF SERVICE” messages across screens and preventing riders from paying for fares. In response, the transportation agency had to allow free rides on its light rail until the issue was resolved.
As this scenario shows, an attack on transportation infrastructure can be considerably impactful, and have significant financial repercussions. Other instances might affect emergency services, or other crucial transportation-dependent needs.
These issues highlight the critical responsibility on the part of utility providers and organizations involved with transportation management. These groups must be sure they are aware of these potential threats and are working proactively to mitigate them.
To find out more and to read about other potential and actual attack scenarios involving critical infrastructures, check out Trend Micro’s reports, “Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries,” and “Cyberattacks Against Intelligent Transportation Systems.”