Despite being hyper-connected, today's smart cities suffer from chronic cybersecurity deficiencies in urban mobility devices. With an increasingly diverse set of players in the urban mobility sector, we are seeing an increase in the frequency and intensity of cyber attacks that undermine connected, yet vulnerable, mobility fleets. This is the first in a series of articles on cybersecurity issues in smart and connected cities.
This June morning in 2023, city authorities in Olsztyn, Poland, are on high alert. Public transport ticket offices are out of service, traffic is jammed on many of the city's roads, and the traffic light management system is operating in degraded mode. Just the day before, the connected transport infrastructure of this Polish city, which calls itself one of the country's most advanced smart cities, was the target of a cyberattack.
In Olsztyn, as in other so-called smart cities, urban mobility is a concern for several players. Vehicles include traditional public transport, soft mobility start-ups and private transport (including cars). To achieve multimodality, therefore, all these services need to be connected. But one of the big challenges today is: Most transport services are not adequately protected against cyber threats. This is one of the main conclusions of a report by European cybersecurity agency ENISA, which highlights the sector's vulnerability to cyber attacks.
Cybersecurity challenges in urban transportation
today, Connected urban mobility can optimize traffic flows. One of the best-known cases is London, which imposes tolls at the entrances to the city, but also has traffic lights and other CCTV cameras equipped with smart sensors to collect traffic data. Notably, all these connected services aim to reduce the impact of congestion and better organize traffic during peak hours.
The connected interface is also present in most soft mobility services, charging stations and the applications used to book devices, bikes and scooters. A connected network offers the possibility to coordinate different transport networks and promote interoperability between transport modes. oh dearS (or Mobility as a Service) It is therefore one of the key areas of urban transport policy.
However, these innovations bring new challenges to cybersecurity. That's because the connected city is often synonymous with vulnerability. As ENISA points out, 2022 has seen an explosion of opportunistic cyberattacks aimed at cities' connected transport infrastructure. But that's not all. Some attacks exploiting security breaches target open-access bike and scooter sharing devices to steal users' personal data and banking information, while others explicitly target urban mobility services, such as malware and DDoS attacks. In the transport sector, vulnerability is “IT Systems especiallyAs ENISA points out, this does not mean that OT networks will not be targeted.
As in other sectors, ransomware remains the weapon of choice for cybercriminals. According to European agencies, such attacks have increased by 25% in 2022. This is a global trend: in Germany in May 2017, in Denmark in May 2018 and November 2022, in Italy in March 2022 and in Poland in August 2023. When it comes to cyberattacks in the transport sector, rail companies often get the most attention, but the whole industry is affected.
A look back at cyber attacks that affected urban transportation
Such cyber attacks could potentially have dramatic effects. For example, an attack on traffic lights could cause all lights to turn green at the same time, leading to serious traffic accidents, predicts the specialist website a/o proptech. This prediction has not gone unnoticed by researchers at the University of Michigan: in 2014, a team managed to hack an unencrypted data stream to control the color of traffic lights, disrupting their display and causing traffic jams. This experience has become a textbook case for other cities to implement the principle of separating the network connected to traffic lights from the general urban traffic network.
In addition to cyber attacks directly targeted at urban transport systems, attempts to disrupt or take over shared mobility services are also a very real threat.and not only in the world's biggest cities! Between 2019 and 2022, France experienced a series of malicious attacks on the transport systems of smaller cities, such as Sarrebourg (Moselle), Séquédan (Nord), Huet (Oisans), La Croix-Valmer (Var) and Nuits-Saint-Georges (Côte d'Or). This time, one of the latest examples involves a large city: the Mobilité service in Île-de-France has fallen victim to a hack, with 4,000 users' email addresses and passwords stolen, reports a French government spokesperson. Digital Tools.
And this type of cyber attack is even more dramatic when it targets megacities. In April 2023, the transport department of Uttar Pradesh, a northern Indian state, reported a cyber attack targeting its ticketing system. The system was blocked for 10 days, preventing users from paying for tickets and depriving the municipality of a significant portion of its revenue. CNBC According to reports, in August 2023, one of Chicago's train control terminals was attacked, causing the network to go offline for several hours. In addition to disrupting system operations, the cybercrime group “Akira” claims to have stolen 85 gigabytes of sensitive data.
Another risk is the compromise of navigation and parking systems, with vehicle charging stations being a prime target for intrusions. So how can the transport infrastructure of smart cities be better protected?
How can we make mobility safe in connected cities?
The diversity of devices and players is noted as a major obstacle to the development of a harmonised cybersecurity strategy. Kobabe Ben Boobeker, Stormshield, head of the Industrial Security business line, noted the diversity of security standards and repositories (SRI2, GDPR, NIS2 pending, etc.) in a previous paper on protecting smart cities in 2021.
but, Cyber defense strategies for connected cities already exist, in line with a defense-in-depth approach. A precise and thorough mapping of the different systems and equipment related to the urban transport problem is the first step to bring together all the players involved, followed by the installation of different levels of security (physical and digital access rights management, multi-factor authentication, network segmentation, backup management, data encryption, etc.). Using certified or certified cybersecurity solutions, in accordance with the French ANSSI recommendations, also allows you to comply with European regulations such as the GDPR on personal data protection and the SRI2 Directive on cyber resilience.
The cybersecurity approach for today's and future cities can go as far as integrating security solutions directly into urban traffic equipment. However, the peculiarities of constrained environments such as temperature, humidity and dust must be taken into account. Using the right security solutions is the only way to effectively protect these devices away from the IT rack. These interoperable solutions must extract as much data as possible directly from the field. This data is then analyzed by the SOC, whose role is to read security events from the various local traffic information systems and identify potential overflows, malfunctions and threats.
But for this safer urban transport to be truly effective, effective collaboration between cybersecurity stakeholders, industry and local governments is required. Tomorrow's city is already mobile and connected, all that remains is to make it safe.
