In the film Un colpo all’italiana (The Italian Job), a group of English robbers manage to rob an armoured car travelling with the proceeds of Fiat, and then flee with the loot in three Mini Coopers. Their secret weapon is tampering with a complex traffic monitoring system that paralyses the city of Turin. It was 1969 and today such traffic jams do not scare us at all: they are triggered by causes having little to do with science fiction and, on the contrary, are unfortunately an integral part of our metropolitan normality. Would a sabotage like the cinematic one carried out by the thieves played by Micheal Caine and Benny Hill be possible in 2022? What would it hit? And to what effect?
The answers are right in front of us as we walk through our now connected cities, the so-called smart cities, so much so that the technical director of the UK’s National Cyber Security Centre (NCSC), Ian Levy, recently mentioned that old movie. He did so by announcing the publication of the first draft of the Connected Places Cyber Security Principles, a guide for local authorities on how they can protect transport systems from cyber attacks, given that the vitality of metropolitan areas is based on them. In July 2021 the European Union had already released its Transport Cybersecurity Toolkit, a guidance document to raise awareness among member states about cyber threats that could disrupt the movement of people and goods, or put the citizens’ personal data at risk. Exactly what took place in Italy a few weeks ago.
A bulletin of attacks
Last 23 March the ticket offices stopped working and the timetable boards went haywire in many stations. The Italian Railway Network (Rfi) had turned them off to stem the action of a cryptolocker, a virus that encrypts a user’s data and asks for a ransom to make it usable again: 10 million euro in bitcoin was the sum demanded by Hive, the Russian-Bulgarian criminal group responsible for the attack. Though the news aroused great interest, it is however, nothing new.
For number of ransomware attacks (the category of attacks that block a system and rehabilitate it in exchange for money, which also includes the recent episode of the Italian State Railways) Italy is the twelfth most affected country in the world and the fourth in Europe, preceded by Germany, France and the United Kingdom. If we consider instead the total amount of malware in circulation, with more than 62.3 million attacks intercepted in 2021 and almost tripled compared to the previous year, we move to the fourth global position, after the United States, Japan and India, and the first in the European continent. These are the numbers from the annual cybersecurity report by Trend Micro, a Japanese multinational company active in 65 countries and a leader in cloud security solutions for 30 years, that has blocked more than 94 billion cyber threats in 2020 alone.
“Today, the turnover related to cybercrime is worth more than drug trafficking, if in addition to the money that cybercriminals pocket, one also considers the costs of restoring the damaged systems,” says the manager of Trend Micro Italy, Gastone Nencini, reached by Infra Journal. “Estimates, by the way, are based only on what has been reported, i.e., attacks that we are aware of. The European data processing regulation (GDPR) requires reporting and disclosure when a so-called data bridge, or data theft, occurs, but not in all other cases. In the absence of specific obligations, companies and institutions often avoid disclosing the hacks they are subject to in order to avoid reputational damage.”
After all, these attacks are increasingly common, because cybercrime has built a kind of parallel economy. “You don’t need to be a hacker to threaten someone,” Nencini continued. “On the net there are actual price lists for commissioning attacks or illegally buying sensitive information. On the so-called dark web there are active groups of cybercriminals that specialise in ransomware, others that sell databases or online user access, and still others that can compromise camera-based surveillance systems. We’re spoiled for choice.” More than geopolitics or activism, as in the case of Anonymous, the driving force is in fact often money, which remains the main motive behind them. “The attackers definitely do a cost-benefit analysis and based on that, they decide who to target,” explains Gastone Nencini.
The scenery in smart cities
“In the mobility sector, for example, we can imagine that an attack on sharing mobility services could be quite lucrative: faced with an app lockdown or the theft of all customer data, it would be difficult for companies to avoid paying the ransom. Cars, then, will increasingly be technology-based, and tomorrow they may even ‘drive’ themselves. Do planners have any idea what risks this will pose?” These are just a few of the conditions that could slow down or completely block the lives of hundreds of thousands of people: in addition to transportation, virtually everything is now controlled remotely via sensors connected to the internet. We often continue to associate science fiction scenarios with this term, yet we already live in smart cities.
“Most of our cities today fall into this category, just think of traffic light control, electric and gas meters, or water flow regulation,” Nencini says. Well, all of this is potentially at risk. “In such a context, the question is not so much how vulnerable one system is compared to another, because all of them are: there is no such thing as a totally secure system, you have to see if it has been configured to be adequately protected. Abroad, we’ve seen water supplies cut off, public lighting turned off, traffic lights knocked out.” So the question begs: are we protecting transport systems and smart cities? “It tends to be a matter of running for cover. There is still a lack of awareness, not by technicians, but by top managers. Security is often seen as a cost instead of a guarantee on fundamental assets, which must now be an integral part of every process with a view to prevention rather than cure. The key concept, which more active policies should promote, is security by design.”
More connected, more vulnerables
This approach is based on the consideration of the cyber risk upstream, and also the consulting firm EY, according to their expert on Cyber Compentency, Samer Omar, believes it is “essential to prevent attacks and safeguard smart cities,” meaning the lives of more and more citizens. “Cities with inhabitants over 10 million people,” Omar writes, “are projected to increase from the 33 that existed in 2018 to 43 in 2030.” Along with growth of residents there will also be the growth of the use of increasingly advanced and pervasive technologies, “such as artificial intelligence, biotechnology, machine learning, quantum computing and 5G, to deliver smart services to the population. And that can only create new vulnerabilities in the city’s ecosystem.” The so-called Internet of Things (IoT) could backfire on us or, rather, it could be induced by someone to do so.
“Extracting private information. Secretly monitoring confidential activities. Making a service unavailable. Altering the operating settings. Blocking their use. These are just some of the ways cybercrime can exploit the IoT devices themselves, to compromise the critical infrastructure of a smart city,” Federica Maria Rita Livelli, a member of the steering committee of the National Association of Risk Managers (Anra) explains to Infra Journal. And transportation is a vital service in any metropolis. “New threats are emerging. In fact, a cloud-based interconnected transportation network, including public transportation, connected cars, smart sensors and autonomous vehicles, is now a widespread reality. The continued increase in attacks in this sector makes it necessary for urban administrations to make use not only of security protocols, but also of experienced personnel.” Because, warns Livelli, even if less frequent, the informatic offensives that do not start from criminal nuclei but from states can be even more massive and damaging: even leading up to the so-called cyber war.
Transportations in the crosshairs
“The actors involved may be intelligence agencies and military apparatus, intent on targeting a transportation system to cause a destructive effect or even to achieve a foreign policy objective. The 2022 report from the National Academy of Sciences in Washington cites three particularly egregious cyber attacks that targeted North American public transportation systems and were attributed, directly or otherwise, to foreign states. In the first, in April 2021, Chinese-based actors struck the New York City Metropolitan Transportation Authority. The second, which started in Iran, targeted the Colorado Department of Transportation in May 2020. In the third one, it was January 2018, North Korea allegedly hacked into Toronto’s Metrolinx suburban system.” But you do not necessarily have to go across the Atlantic. “In 2020, the email addresses and travel details of about 10 thousand people who had used the free Wi-Fi provided at UK rail stations were revealed online,” Livelli recalls. Europe should create a common cybersecurity system also in the transport sector, increasingly promoting a culture of risk management, business continuity and cybersecurity, as well as ensuring transparency, knowledge exchange and coordination.”
Weak points
A study by the Center for Long-Term Cyber Security of the University of Berkeley, The Cybersecurity Risks of Smart City Technologies (2020), confirms that nation-states and insiders would be most effective at executing cyberattacks compared to thrill seekers, cybercriminals, terrorist groups and so-called “hacktivists”. Specifically, the 76 experts interviewed “agree that states have strong motivations to attack infrastructure” and that the three most vulnerable technologies are “emergency or security alarms, roadside video surveillance, and traffic lights or smart signals.” But if sending car traffic into a tailspin causes major disruption, stopping trains can turn into a disaster. “Just think what that would mean for the morning commute,” comments Amir Levintal, CEO and co-founder of Cylus, an Israeli company founded in 2017 specialising in cybersecurity for rail transportation.
“There is no one-size-fits-all cybersecurity solution for all technologies in the transportation industry; each requires a tailored solution,” Levintal explains. The rail industry, for example, has unique needs that a cybersecurity system must take into account. For this, hand in hand with its increasing digitisation, it is called to adopt significant measures. Businesses are gradually enabling cybersecurity technologies that provide a complete view of their network infrastructure at all times, so they can detect threats in time. Trains, after all, are based on fail-safe systems, which prioritise safety over function and service availability, to the point of interrupting runs to minimise risk.”
A cyber-attack could have significant consequences, such as loss of passenger confidence, reputational damage and economic losses, all the more so if we think of freight trains. “Being a key link in the supply chain, they become a potential target, and blocking them can impact an entire national system,” he concludes. We must never forget that mobility is fundamental to the quality of urban life and essential to the local economy, because it allows people to get out to work, shop and have fun: it doesn’t just allow the movement of people, but also capital and, by extension, movement of the economy itself.”