# Smart City Cybersecurity
## Definition
A smart city is an urban environment that uses digital technology, sensors, and interconnected infrastructure to improve the efficiency of city services, optimize resource consumption, and enhance quality of life for residents. Smart city components include adaptive traffic management systems, smart electrical grids with real-time demand response, connected water treatment and distribution networks, public safety camera networks, environmental monitoring systems, smart street lighting, and connected transit infrastructure.
The security of these systems is not a single-domain problem. A smart city is a collection of converged IT and operational technology (OT) environments, each with its own attack surface, governance model, and dependency relationships. Compromise of one system frequently has downstream effects on others. A traffic management system that relies on the same underlying network as a water utility creates a lateral movement opportunity that would not exist if those systems were independently isolated.
The cybersecurity of smart cities is also a public policy problem. Urban infrastructure is owned and operated by a mix of municipal government agencies, regulated utilities, and private contractors. Coordinating security governance across these entities requires a level of inter-organizational cooperation that most jurisdictions have not yet achieved. This governance gap is as significant a vulnerability as any technical weakness in individual systems.
## How It Works
Smart city infrastructure operates through layers that roughly parallel the IT stack: sensors and actuators at the edge, communications networks connecting them, data aggregation and analytics platforms, and human or automated decision systems that act on the processed data.
Adaptive traffic management uses inductive loop sensors, radar, and video cameras at intersections to measure real-time traffic volumes and adjust signal timing dynamically. These systems typically run on SCADA platforms communicating over fiber or wireless backhaul to traffic operations centers. A compromised traffic management system can create deliberate gridlock, block emergency vehicle response corridors, or facilitate physical attacks by manipulating traffic flow around a target.
Water treatment systems use SCADA to control chemical dosing, pump operations, filtration systems, and distribution pressure. The Oldsmar, Florida incident in February 2021 is the most consequential known cyberattack against U.S. water infrastructure. An attacker remotely accessed the water treatment plant's control systems via TeamViewer (a remote desktop application that was configured to allow access with shared passwords and was not otherwise restricted). The attacker changed the sodium hydroxide (lye) concentration from 111 parts per million to 11,100 parts per million (111 times the normal level). A plant operator monitoring a workstation noticed the cursor moving and the chemical setting changing, recognized it as unauthorized, and immediately reversed the change. The attack did not cause harm, but it demonstrated that a vigilant operator was the only line of defense against a direct attack on a critical system accessible via a poorly secured remote access tool.
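The Oldsmar write reached the controller because nothing between the remote session and the PLC checked the requested value. The following is an added example, not code from the page or any vendor, of a write-validation guard an OT gateway could apply; the dosing envelope (50-200 ppm) and the 2x step ratio are constructed assumptions, not figures from the incident report.

```python
from dataclasses import dataclass

# Constructed safe operating envelope for the caustic (NaOH) dosing setpoint. These
# bounds are an assumption for the example, not figures from the incident report;
# a plant would take them from its own process engineers.
SAFE_RANGES_PPM = {"naoh_dose_ppm": (50.0, 200.0)}
MAX_STEP_RATIO = 2.0  # a single write may not move a setpoint by more than 2x either way

@dataclass
class Alert:
    tag: str
    old: float
    new: float
    reason: str

def check_setpoint_write(tag, current, requested):
    """Validate one HMI or remote-session write before it reaches the controller.

    Returns (effective_value, alert). A write outside the envelope, or an abrupt
    jump, is held at the current value and raised as an alert, so the decision
    no longer depends on an operator happening to watch the cursor.
    """
    lo, hi = SAFE_RANGES_PPM[tag]
    if not lo <= requested <= hi:
        return current, Alert(tag, current, requested, f"outside safe range {lo:g}-{hi:g} ppm")
    if current > 0 and requested > 0:
        ratio = max(requested, current) / min(requested, current)
        if ratio > MAX_STEP_RATIO:
            return current, Alert(tag, current, requested,
                                  f"step ratio {ratio:.1f}x exceeds {MAX_STEP_RATIO:g}x")
    return requested, None

def replay_writes(tag, start, writes):
    """Apply a sequence of requested writes; return the final value and all alerts."""
    value, alerts = start, []
    for requested in writes:
        value, alert = check_setpoint_write(tag, value, requested)
        if alert:
            alerts.append(alert)
    return value, alerts

# Constructed replay: a routine adjustment, then the 111 -> 11,100 ppm jump
# described in the Oldsmar incident.
final, held = replay_writes("naoh_dose_ppm", 111.0, [120.0, 11_100.0])
for a in held:
    print(f"HELD {a.tag}: {a.old:g} -> {a.new:g} ({a.reason})")
print("effective setpoint:", final)
```

The held write still generates an alert for the operator; the difference is that the process value never moves until someone confirms it.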
Smart grid infrastructure includes Advanced Metering Infrastructure (AMI, smart meters that report consumption in near real time), substation automation systems, and demand response platforms that can remotely adjust loads on the grid. Compromise of AMI systems could expose consumption data for thousands of homes (privacy implications) or manipulate demand response signals to cause load imbalances. Substation automation systems running on legacy protocols (DNP3, Modbus, IEC 61850) with inadequate authentication controls represent the highest-consequence targets in the smart grid.
## Why It Matters
The interconnected nature of smart city infrastructure creates cascade failure risks that are qualitatively different from attacks against isolated systems. A successful attack against a city's network backbone could simultaneously disrupt traffic management, water utility SCADA communications, public safety camera operations, and municipal administrative systems. The 2021 Colonial Pipeline ransomware attack, though not a smart city incident, demonstrated the broad real-world consequences of a successful attack against networked infrastructure: fuel shortages across the southeastern United States from a single initial access through a legacy VPN account.
Nation-state actors have specifically targeted urban and municipal infrastructure. CISA's 2024 advisory on Volt Typhoon (a People's Republic of China state-sponsored threat actor) identified pre-positioning activity in U.S. communications infrastructure, with specific mention of municipal systems. Volt Typhoon's documented operational pattern involves establishing persistent access in critical infrastructure without immediately deploying destructive capabilities, building the ability to disrupt those systems at a future time of their choosing. The strategic logic is deterrence and coercion: the ability to disrupt U.S. urban infrastructure in a conflict scenario without having to attack it prematurely.
The regulatory landscape for smart city cybersecurity is fragmented. Water utilities are subject to America's Water Infrastructure Act (AWIA) cybersecurity requirements. Electrical utilities are subject to NERC CIP. Municipal traffic systems often fall under no specific federal cybersecurity mandate. This creates a patchwork where the level of security a given city system receives depends largely on whether it happens to fall under a regulated category.
## Technical Details
Smart city systems typically run on SCADA or industrial control system (ICS) platforms designed for reliability and operational continuity, not for security. Many of these systems were originally air-gapped from external networks, and their security assumptions were built around that isolation. The integration of remote access capabilities (for monitoring and maintenance by contractors), network connectivity to corporate IT systems, and cloud-based analytics platforms has progressively eroded that isolation without a corresponding upgrade to security architecture.
Common vulnerabilities in smart city SCADA environments include: default credentials on ICS components that were never changed during deployment, legacy industrial protocols (Modbus, DNP3) without authentication, remote access tools (VNC, TeamViewer, RDP) configured for convenience rather than security, flat network architectures where a single compromised device can reach any other on the operational network, and lack of asset inventories that make it difficult to identify exposed systems.
Authentication weaknesses are pervasive. The Oldsmar water plant used TeamViewer with shared passwords and had not implemented multi-factor authentication. CISA's advisories on water sector security consistently identify inadequate authentication and unpatched remote access tools as the most common vulnerabilities in the water sector. Similar patterns appear in traffic management and municipal utility environments.
Network segmentation between IT (administrative) networks and OT (operational) networks is a foundational control that is widely recommended but inconsistently implemented. The ICS community has developed the Purdue Model (also called the ISA/IEC 62443 reference architecture) as a framework for network segmentation in industrial environments, defining levels from field devices (Level 0) through enterprise networks (Level 4) with security controls at each boundary. Implementing this architecture for existing city infrastructure is a significant retrofit challenge.
Singapore's Smart Nation initiative and Amsterdam's smart city program represent international examples of integrating security governance into smart city architecture from the planning phase. Singapore established a dedicated Cybersecurity Agency of Singapore (CSA) with specific mandates for critical information infrastructure, and the Smart Nation initiative includes security-by-design requirements. Amsterdam's data governance framework includes requirements for security assessments of city data systems and public transparency about data collection.
## CDA Perspective
Smart city cybersecurity is the single scenario in CDA's service portfolio where all six PDM domains are simultaneously implicated.
DPS: Smart cities collect an enormous volume of data about residents' movements, behaviors, and activities. Traffic cameras, environmental sensors, smart meters, and public Wi-Fi infrastructure generate data with significant privacy implications. The Sovereign Data Protocol (SDP) methodology applies to governance of this data: defining what is collected, where it is stored, who has access, and how long it is retained.
VSD: The attack surface of a smart city is vast and difficult to fully inventory. Continuous Surface Reduction (CSR) methodology applied to a municipal environment means systematic discovery and assessment of internet-exposed ICS interfaces, remote access entry points, and OT-to-IT connection points. Cities that have deployed smart systems over decades without systematic security architecture often have significant exposed infrastructure that is not tracked in any asset inventory.
SPH: The physical systems controlled by smart city infrastructure (water pumps, traffic signals, electrical substations, street lighting) represent the physical security posture of the city itself. Autonomous Posture Command (APC) applied to city infrastructure means continuous monitoring of OT system health and configuration status, detecting anomalous changes before they result in physical consequences.
IAT: Authentication and access control failures are the most consistently cited vulnerability in smart city ICS incidents. Zero Possession Architecture (ZPA) applied to OT environments means eliminating standing credentials for remote access, implementing privileged access management, and enforcing multi-factor authentication for all remote access to operational systems.
TID: Threat intelligence specific to the critical infrastructure threat landscape (Volt Typhoon, Sandworm, IRGC-affiliated actors) must be operationalized into detection capabilities. Predictive Defense Intelligence (PDI) for city clients means monitoring for indicators of pre-positioning activity, unusual outbound connections from OT environments, and lateral movement patterns consistent with nation-state reconnaissance.
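For the Purdue segmentation described under Technical Details and the outbound-from-OT indicators mentioned here, an added example (not CDA's tooling or any product's code) that classifies flow records by Purdue level and flags conduit violations, including OT hosts initiating Internet connections. The zone map, subnets and flow records are constructed assumptions.

```python
import ipaddress
# Constructed Purdue zone map (an assumption for this example; a real one comes from the
# asset inventory). Level 5 is a sentinel for the public Internet, one step above IT.
ZONES = {
    "10.0.0.0/24": 1,    # PLCs, RTUs, dosing controllers
    "10.0.1.0/24": 2,    # HMIs and local supervisory hosts
    "10.0.2.0/24": 3,    # site operations: historian, engineering workstations
    "10.0.3.0/24": 3.5,  # industrial DMZ (brokered replicas, jump hosts)
    "10.10.0.0/16": 4,   # enterprise / municipal administrative IT
}
INTERNET = 5
ZONE_NETS = [(ipaddress.ip_network(n), lvl) for n, lvl in ZONES.items()]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def level_of(ip):
    """Map an address to its Purdue level; None means internal but not inventoried."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in ZONE_NETS:
        if addr in net:
            return lvl
    return None if any(addr in n for n in RFC1918) else INTERNET

def classify_flow(src, dst):
    """Return a finding for a src->dst flow, or None when the conduit is permitted."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unmapped endpoint: not in asset inventory"
    if s <= 3 and d == INTERNET:
        return "OT host initiating outbound Internet connection"
    if (s <= 3) != (d <= 3) and 3.5 not in (s, d):
        return "IT/OT boundary crossed without passing through the Level 3.5 DMZ"
    if abs(s - d) > 1:
        return "non-adjacent Purdue levels communicating directly"
    return None

def audit_flows(flows):
    """Run (src, dst, dport) records through the policy and return the flagged ones."""
    return [(src, dst, dport, classify_flow(src, dst))
            for src, dst, dport in flows if classify_flow(src, dst)]

# Constructed flow records, summarised the way a firewall or NetFlow export would show them.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 502),      # HMI -> PLC over Modbus: adjacent levels, permitted
    ("10.10.4.7", "10.0.0.5", 502),      # enterprise workstation -> PLC: skips the DMZ
    ("10.0.0.9", "203.0.113.45", 443),   # Level 1 host calling out to the Internet
    ("10.0.2.3", "10.0.0.5", 20000),     # Level 3 polling a Level 1 device over DNP3 directly
    ("192.168.77.1", "10.0.0.5", 5900),  # uninventoried host reaching a PLC over VNC
]
for src, dst, dport, finding in audit_flows(SAMPLE_FLOWS):
    print(f"{src} -> {dst}/{dport}: {finding}")
```

The unmapped-endpoint finding is deliberately a policy failure rather than a pass: a host the inventory does not know about is exactly the exposure the CSR discovery work is meant to surface.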
RGA: The multi-jurisdictional governance complexity of smart city infrastructure (federal regulatory requirements, state utility regulations, municipal procurement and operational authority, private contractor relationships) requires mature compliance management. Perpetual Compliance Assurance (PCA) for municipal clients means tracking obligations across AWIA, NERC CIP where applicable, CISA advisories, and state-level requirements.
CDA treats smart city and critical infrastructure municipal clients as full-domain engagements by default, given the inherent cross-domain scope of their threat and compliance environment.
## Key Takeaways
- Smart city systems span all six PDM domains simultaneously. A security assessment that addresses only one or two domains will leave significant blind spots.
- The Oldsmar water treatment incident (February 2021) demonstrated that inadequate authentication and unmanaged remote access tools create direct paths to critical system manipulation. A vigilant operator, not a technical control, prevented a public health incident.
- Volt Typhoon's documented pre-positioning in U.S. municipal communications infrastructure represents a persistent nation-state threat specifically targeting cities.
- The regulatory landscape for smart city cybersecurity is fragmented: water utilities, electrical utilities, and traffic systems are subject to different (and inconsistent) federal requirements.
- Network segmentation between IT and OT environments, implemented according to the ISA/IEC 62443 Purdue Model reference architecture, is the most impactful structural control for smart city environments.
- Governance coordination across municipal agencies, utilities, and contractors is as important as technical controls. Most smart city security incidents involve failures of process and access management, not novel technical exploits.
## Sources
- CISA. (2021). Alert AA21-042A: Compromise of U.S. Water Treatment Facility. cisa.gov.
- CISA. (2024). Advisory AA24-038A: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. cisa.gov (Volt Typhoon).
- ISA/IEC. (2018). IEC 62443: Security for Industrial Automation and Control Systems. International Society of Automation.
- NIST. (2022). NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security. National Institute of Standards and Technology.
- U.S. EPA. (2018). America's Water Infrastructure Act (AWIA) Section 2013: Cybersecurity Requirements for Water Utilities.
- Singapore Cybersecurity Agency. (2023). Singapore Cybersecurity Strategy 2021. csa.gov.sg.
- NERC. (2023). CIP-014-3: Physical Security. North American Electric Reliability Corporation.
- Dragos. (2023). Year in Review: ICS/OT Cybersecurity. dragos.com.
- Shodan. (2023). Industrial Control Systems Exposure Report. shodan.io.