Extreme Weather Events Increase Cybersecurity Risks for Smart Cities

From scorching heat waves to unpredictable storms, severe and extreme weather events have disruptive potential for smart cities. As people adapt to the risks associated with volatile weather patterns, a less visible impact is increased cyber risks for connected devices. The intersection of extreme weather and digital threats presents a unique challenge for smart cities, where technology and infrastructure are intricately connected.

Smart cities rely on Internet of Things (IoT) technology to function efficiently, enhance the quality of life for residents, and manage everything from the flow of traffic to energy and even waste disposal.

Given our reliance on interconnected technologies, severe weather can impact essential services such as electricity and emergency response capabilities, creating opportunities for malicious actors. By understanding the operational effects of extreme weather, smart cities can engage in proactive measures to mitigate these effects.

How Extreme Weather and Cybersecurity Intersect

While similar, there is a distinction between severe weather and extreme weather. Severe weather is an intense variation of expected weather patterns—think heavier than normal rainfall—while extreme weather can last for days, breaking records and causing damage. Extreme weather also has a measurable impact on the economy. The 10-year economic losses in the U.S. due to extreme weather events quadrupled between 1980–2020, averaging $120 billion annually in 2016-2020.

In addition to economic considerations, extreme weather events can cause major disruptions to critical infrastructure, as evidenced by Hurricane Sandy in 2012, which left close to 2 million people without power. During Sandy’s rampage, a staggering 51 square miles of New York City flooded, and much of the city’s critical infrastructure was in flooded areas. A substation explosion caused by the hurricane left most of Lower Manhattan without power for over four consecutive days.

New York City is a smart city, relying on smart sensors and technologies across districts and boroughs to help manage services from transportation to environmental monitoring and waste management.

In smart cities, IoT devices and data centers work together to collect, process, analyze, and respond to data in real-time, enabling efficient management of urban services. Extreme weather events can also cause damage to data centers, disrupting internet service and impacting connected devices and other critical services.

The damage wrought by such extreme events can leave smart cities scrambling to recover, often with compromised defenses against cyber threats.

The Vulnerability of Critical Infrastructure Components

Critical energy infrastructure, pivotal to our way of life, also faces a heightened risk of disruption from cyber attacks, potentially even during extreme weather events. In smart cities like New York, IoT devices are increasingly being integrated into smart grids to manage the production, distribution, and consumption of electricity — an enticing target for attackers, even without the added stress of a severe weather event.

According to the IBM X-Force Threat Intelligence Index 2024, energy organizations were the fourth most attacked industry, representing 11.1% of attacks. This is before factoring in external factors, like a hurricane or major weather storm, that may serve as additional motivation for threat actors. Recognizing these risks, the U.S. National Guard has conducted drills around cyber attacks during severe weather. These drills are a subtle recognition that critical infrastructure may suffer compounded vulnerabilities when tested by simultaneous physical and digital threats.

Even the Cybersecurity and Infrastructure Security Agency (CISA) has weighed in on the cybersecurity risks of extreme weather events. CISA and the Homeland Security Operational Analysis Center (HSOAC) developed a risk management framework to assess the risk of climate change to higher vulnerability National Critical Functions (NCF), areas of government and private sector that are essential to national security, the economy, and public health.

In addition to the increased risk of scams, extreme weather events can also result in disruptions in telecommunications cellular tower sites, leaving residents in a vulnerable position.

How Malicious Actors Capitalize on Extreme Weather Events

To date, there have been no cyber attacks coinciding with an extreme weather event. Perhaps unsurprisingly, threat actors are highly opportunistic and have capitalized on extreme weather events to perpetuate fraudulent activity. Often, this takes the form of tried-and-true email phishing attempts that appear to be from charities or emergency response organizations, asking for donations or personal information.

In the wake of Hurricane Sandy, the Federal Trade Commission (FTC) issued warnings about increased email phishing scams, urging residents to take caution before making donations. Later, the FTC and CISA issued similar warnings in 2017 following the devastation of Hurricane Harvey.

To mitigate the risk of a dual weather-cyber event, smart cities need to take proactive steps to reduce and mitigate their risks.

How Can Smart Cities Prepare?

By embracing IoT technology, smart cities offer many enhancements that improve the quality of life for residents. The interconnected nature of infrastructure in smart cities necessitates protection against extreme weather events — and cyber threats. Notably, the National Cybersecurity Strategy specifically calls out the risk cyber threats pose to critical infrastructure, making its defense the strategy’s first key pillar.

There are things smart cities can do to harden their security and prepare for a cyber attack, even during a disruptive, severe weather event.

Regular risk assessments can help identify vulnerabilities in both digital and physical infrastructure. Using a risk-based approach to vulnerability management, smart cities can identify their most vulnerable infrastructure and harden it against cyber threats. In today’s digital economy, a comprehensive cybersecurity plan (also called an incident response plan) is arguably a necessity. CISA and other federal agencies offer resources that can serve as the building blocks for a comprehensive plan.

The National Cybersecurity Strategy explicitly states that “robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace.” Smart cities do not need to manage all of their physical and digital risks alone. By partnering with the private sector, smart cities can fortify their infrastructure against cyber threats.

How Asimily Helps Secure Smart Cities

The convergence of extreme weather and cyberattacks poses a compound threat to smart cities. By partnering with Asimily, smart cities help safeguard their critical infrastructure. Our platform is purpose-built to provide smart cities with visibility into their entire IoT device inventory, allowing them to make good risk-based decisions about their critical infrastructure.

In the event of an extreme weather event, resources are stretched thin. Our comprehensive cybersecurity approach ensures minimal disruptions to smart city critical services. The Asimily platform, with its rapid response features, quickly captures packets to aid incident responders. 

With Asimily, security teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.