Photo

So-called smart cities, with wireless sensors controlling everything from traffic lights to water management, may be vulnerable to cyberattacks, according to a computer security expert.

Last year, Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, demonstrated how 200,000 traffic control sensors installed in major hubs like Washington; New York; New Jersey; San Francisco; Seattle; Lyon, France; and Melbourne, Australia, were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — because one company had failed to encrypt its traffic.

Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.

Mr. Cerrudo said he was increasingly uncovering similar problems in other products and systems incorporated into smart cities. He has discovered simple software bugs, poorly installed encryption or even no encryption at all in these systems. And he has found that many are wide open to a fairly common attack, known as a distributed denial of service, or DDoS, in which hackers overwhelm a network with requests until it collapses under the load.

Mr. Cerrudo has found ways to make red or green traffic lights stay red or green, tweak electronic speed limit signs, or mess with ramp meters to send cars onto the freeway all at once.

Security researchers say that the opportunities for a maliciously minded hacker or government abound. Last year, security researchers at the Black Hat Europe conference in Amsterdam demonstrated how to black out parts of cites simply by manipulating smart meters and exploiting encryption problems in power line communication technology.

Increasingly, cities are automating systems and services. Saudi Arabia, for example, is investing $70 million to build four new smart cities. In South Africa, a $7.4 billion smart city project is already underway. By 2020, the market for smart cities is predicted to reach $1 trillion, according to Frost & Sullivan, a consulting firm.

“The current attack surface for cities is huge and wide open to attack,” Mr. Cerrudo writes in a report he plans to present this week in San Francisco at the annual RSA Conference on security. “This is a real and immediate danger.”

The threat is not just hypothetical. Last year, security companies discovered a hacking group, known both as Dragonfly and Energetic Bear, that was actively targeting power networks across the United States and Europe.

Last year, the Department of Homeland Security acknowledged in a report that “a sophisticated threat actor” had broken into the control system network at a public utility, simply by guessing a password on an Internet-connected system.

And in 2012, Chinese military hackers successfully breached the Canadian arm of Telvent. The company, now owned by Schneider Electric, produces software that allows oil and gas pipeline companies and power grid operators to gain access to valves, switches and security systems remotely. It also keeps detailed blueprints on more than half the oil and gas pipelines in North America.

In 2013, the energy industry became the most-targeted sector for hackers in the United States, accounting for 56 percent of the 257 attacks reported to the Department of Homeland Security that year.

Some scientists are trying to redesign the smart grid to make it less vulnerable. Currently, the smart grid is centralized, controlled by the energy suppliers, which makes utility companies a juicy target for hackers.

But this year, Science Daily reported that Benjamin Schäfer, a physicist from the Max Planck Institute for Dynamics and Self-Organization; his colleagues Marc Timme and Dirk Witthaut; and a master’s student, Moritz Matthiae, developed a model that showed, in theory, that smart meters could be monitored directly at customer sites, and decentralized in such a way that would make them much less vulnerable to attack.

For now, their research only works in principle. So Mr. Cerrudo said municipal leaders had to start thinking of their cities as vast attack surfaces that require security protection just as a corporate network might.

He encourages municipalities to adopt basic security measures like encryption, passwords and other authentication schemes and an easy mechanism for patching security holes.

He suggests that cities create their own computer emergency response teams, or CERTs, to address security incidents, coordinate responses and share threat information with other cities.

He also suggests that cities restrict access to their data; track and monitor those who do have access; and run so-called penetration tests, in which hackers try to break into cities so that municipalities can learn where they are most exposed.

Finally, he suggests that cities prepare for the worst, as they would for a natural disaster.

“When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated — that the systems can be easily hacked and there are security problems everywhere — that is when smart cities become dumb cities,” Mr. Cerrudo said.