Although ultra-connected, today’s smart city suffers from a chronic cybersecurity shortfall in its urban mobility equipment. As players in the urban mobility sector become increasingly diverse, we focus on the growing frequency and intensity of cyberattacks that undermine a connected but vulnerable mobility fleet. First paper in a series of articles on cybersecurity issues in smart and connected cities.
This morning in June 2023, in Olsztyn, Poland, the municipality is on alert: public transport ticket offices are at a standstill, traffic is slowing down on many of the city’s roads and the traffic light management system is operating in degraded mode. The day before, a cyberattack targeted the connected transport infrastructure of this Polish city, which presents itself as one of the most advanced smart cities in the country.
In Olsztyn, as in other so-called smart cities, urban mobility is a concern for several players: the fleet includes historic public transport operators, soft mobility startups and private means of transport (including cars). All these services must therefore be connected to make multi-modality a reality. But one of today’s major challenges is that most transport services are insufficiently protected against cyberthreats. This is one of the main conclusions of a report by ENISA, the European cybersecurity agency, which highlights the vulnerability of this sector to cyberattacks.
The challenges of cybersecurity in urban mobility
Today, connected urban mobility enables traffic flows to be optimised. One of the best-known cases is London, with tolls at the entrance to the city, but it can also involve traffic lights or CCTV cameras, which are equipped with smart sensors to collect traffic data. In particular, all these connected services aim to reduce the effects of congestion and better organise traffic during peak periods.
Connected interfaces are also found on the majority of soft mobility services, at charging stations as well as on applications used to reserve equipment, bicycles or scooters. Connected networks then offer the possibility of coordinating the various transport networks to facilitate interoperability between means of transport. MaaS (or mobility-as-a-service) is thus one of the key areas of urban mobility policies.
However, these innovations pose new challenges for cybersecurity, because the connected city is often synonymous with vulnerabilities. In 2022, opportunistic cyberattacks targeting connected transport infrastructures in cities exploded, as ENISA points out. But they are not the only ones: some attacks, also based on exploiting security flaws, can target open-access bicycle or scooter sharing terminals to siphon off users’ personal data and banking information, while others, such as malware or DDoS attacks, explicitly target urban mobility services. In the transport sector, while vulnerabilities concern “IT systems in particular”, as ENISA points out, this does not mean that OT networks are not targeted.
As in other sectors, ransomware remains the preferred weapon for cybercriminals. These attacks increased by 25% in 2022, notes the European agency. And this is happening around the world: Germany in May 2017, Denmark in May 2018 and November 2022, Italy in March 2022, or Poland in August 2023. While rail companies are often singled out when it comes to cyberattacks in the world of transport, the whole sector is affected.
A look back at cyberattacks that affected urban mobility
Such cyberattacks are potentially dramatic. An attack on traffic lights, for example, could result in all traffic lights turning green at the same time, leading to serious traffic accidents, as predicted by the specialised website a/o proptech. This projection has not gone unnoticed by researchers at the University of Michigan. As early as 2014, a team succeeded in hacking the unencrypted data stream to control the colour of traffic lights, disrupting the display and causing traffic jams in the process. This experiment has served as a textbook case for other cities to implement a principle of segmentation between the networks connected to traffic lights and general city transport networks.
In addition to cyberattacks directly targeting urban mobility systems, attempts to sabotage or hijack shared mobility services are also a very real threat, and not just to the world’s major cities! Between 2019 and 2022, France saw its share of malicious attacks on the transport systems in smaller cities, as was the case in Sarrebourg (Moselle), Sequedin (Nord), Huez (Oisans), La Croix-Valmer (Var) and Nuits-Saint-Georges (Côte-d’Or). This time, one of the latest examples involves a larger city: the Île-de-France Mobilités service, victim of a hack that led to 4,000 user email addresses and passwords being siphoned off, as reported by L’Usine Digitale.
And this type of cyberattack takes on an even greater dimension when it targets a megacity. In April 2023, the transport authority of Uttar Pradesh, a state in northern India, reported a cyberattack targeting its ticketing system. Blocked for 10 days, the system did not allow users to pay for their tickets and the municipality was deprived of a substantial part of its revenue, CNBC reported. In August 2023, one of Chicago’s train management terminals was attacked, crippling the network for several hours. In addition to disrupting system operations, the cybercriminal group Akira claimed responsibility for the theft of 85 gigabytes of sensitive data.
Another type of risk is the compromise of navigation or parking systems. On the latter, vehicle charging stations are prime targets for intrusions. So how can we better protect Smart City transport infrastructures?
How can mobility in connected cities be made secure?
The heterogeneity of equipment and players is a major obstacle to the deployment of a harmonious cybersecurity strategy, noted Khobeib Ben Boubaker, Head of the Industrial Security Business Line at Stormshield, in 2021, in a previous paper on protecting the smart city. Added to this is the diversity of security standards and reference frameworks (SRI2, GDPR, pending application of NIS2, etc.).
However, cyber defence strategies already exist for connected cities, in line with a defence-in-depth approach. The precise, exhaustive mapping of the various systems and equipment related to the issue of urban mobility is a first step that brings together all the players concerned. The installation of different levels of security (physical and digital access rights management, multi-factor authentication, network segmentation, backup management, data encryption, etc.) will then follow. The use of certified or qualified cybersecurity solutions, in line with ANSSI recommendations in France, also makes it possible to comply with European regulations, such as the GDPR on the protection of personal data and the SRI2 directive on cyber resilience.
The cybersecurity approach to the city of today and tomorrow can now go as far as embedding security solutions directly into urban mobility equipment. However, the specificities of these often constrained environments, such as temperature, humidity and dust, must be taken into account. Using appropriate security solutions is the only way to effectively protect this equipment, away from the IT racks. These interoperable solutions will have to extract as much data as possible directly from the field. This data will then be analysed by a SOC, whose role will be to read the security events of the various local transport information systems, and to identify potential overflows, malfunctions or threats.
But this more secure urban mobility can only be truly effective if there is real collaboration between cybersecurity players, industry and local authorities. The city of tomorrow is already mobile and connected; all that remains is to make it secure.