
Cesar Cerrudo: Securing the Intelligent City

Cesar Cerrudo, IOActive
September 27, 2015

As they invest in smart technologies to improve services and save money, cities also need to step up security against cyber threats.


Cities are incorporating new technologies at an increasingly rapid pace, becoming ever smarter. Newer technologies — along with faster and easier connectivity — allow cities to optimize resources, save money and provide better services to their citizens.

The potential market for smart cities could be more than $1 trillion by 2020, with technology helping to improve everything from traffic control and lighting to energy and water management.

Yet every new innovation brings new challenges. Cities around the world — whether considered smart or not — face significant cyber security threats. These problems could have a direct impact on government, residents and the companies and organizations doing business there. Cyber security in cities is extremely important, but we have yet to fully realize the risk.

Imagine what could happen if one or more technology-reliant services stopped working. What would commuting look like with no working traffic control systems, street lights or public transportation? How would citizens respond to an inadequate supply of electricity or water, dark streets and no cameras? What if waste collection was interrupted during the summer?

These scenarios might not be as unlikely as you think. There are many cyber security problems that could trigger them, such as:

Lack of proper security testing: Cities around the world are implementing new, untested technologies. My latest research found about 200,000 vulnerable and insecure traffic control sensors installed in cities such as Washington D.C., New York, Seattle, San Francisco, London, Lyon and Melbourne.

At IOActive Labs, we constantly find vulnerable technology in use across industries. The same technology is used for critical infrastructure without undergoing any security testing. Although cities may rigorously test devices and systems for functionality and resistance to weather conditions, there is often little or no cyber security testing at all.

Technologies with poor or nonexistent cyber security features: Some vendors claim to implement security features that turn out to be obscure, nonexistent, undocumented or only described in a sales pitch. At IOActive Labs, we continue to encounter vendors with little or no experience in implementing security features, a lack of skilled security people and weak investment in security. Poor security practices are common in industrial systems and devices on the Internet of Things (IoT).

These bad practices are being propagated into smart cities, as well. Most new technologies are wireless, which makes them easy to implement and even easier to hack — if communication is not properly encrypted. Cities frequently lack good encryption, or fail to implement it correctly or turn it on.

Patch deployment and system updates: Because of their complexity, patches are often difficult and costly to install. It is increasingly common for cities to use vulnerable devices and systems, because vendors are either slow to release patches or patches are not available.

Lack of specific Computer Emergency Response Teams (CERTs): Existing CERTs can suffer from problems with coordination and communication. While many cities have plans for how to react to natural disasters, they don’t have any plans for responding to cyber attacks. Cities should be required to prepare for cyber attacks, given how dependent they are becoming on technology. Cities need to develop emergency plans that provide step-by-step procedures to follow during a cyber attack and educate people on how to react. Fast and effective action can be key to preventing bigger problems, including city-wide chaos.

Government bureaucracy: When dealing with security issues, there is no time to lose. On top of time pressures, cities have a shortage of workers with security skills as well as inadequate budgets, training and resources to help workers develop these skills.

Large and complex systems: When a city is running hundreds of systems and devices for critical services, a simple software bug can have a huge impact. With so much complexity and interdependency, it is difficult to identify what is exposed and how the system will react.


Cities are currently wide open to cyber attacks, which presents a real and immediate danger. The more technology a city uses, the more vulnerable to cyber attacks it is, so the smartest cities face the highest risks. It’s only a matter of time.

For cities, being prepared is key to preventing bigger problems and chaos. That means:

  • Ensuring that the infrastructure is secure;

  • Conducting a security audit of technologies before they are implemented; and

  • Preparing an action plan in the case of a cyber attack.

For technology vendors, it’s time to start taking cyber security very seriously and produce more secure products.


When we combine the fact that the technology used by smart cities can be easily hacked with the knowledge that there are cyber security problems everywhere, smart cities risk becoming dumb cities.



Cesar Cerrudo is Chief Technology Officer for IOActive.





All views expressed are those of the author.