Improved connectivity and the increase in connected devices are directly impacting the popularization of smart cities. Local governments are promoting projects that integrate new smart technologies to benefit citizen services, both independently and in collaboration with other levels of government or entities.
A recent United Nations study presents a global overview of the adoption of these tools, with 69% of municipalities worldwide having a strategic agenda in this regard. But as the number of connected devices grows, so too does the attack surface: It is estimated that around 83,000 sensors were deployed in 2024.
There are already many real-world examples of how networked sensors can be a gateway for cyberattackers. In 2017, Dallas’s tornado alarm system was hacked, causing all its alarms to sound at once. That same year, shortly before Donald Trump’s first inauguration, 70% of Washington, DC’s video surveillance system was blocked by ransomware. In 2021, the concentration of a chemical component in a water treatment plant in Florida was altered. Urban transportation is another sensitive area, with examples such as the 2023 cyberattack on the transport management system of the Polish city of Olsztyn, known as one of the leading smart cities, which caused traffic jams or made it impossible to buy tickets for city transportation.
The possibilities for attack on civic services only increase as more devices become integrated: environmental measurement systems, irrigation systems, waste management systems, and gas and electricity management systems in public buildings, for example.
The complexity of smart city risks
For Enrique Domínguez, head of CyberPhysical Security at Accenture in Spain and Portugal, “smart cities introduce unprecedented complexity in terms of cybersecurity due to the hyperconnectivity of their critical systems … and the multiplicity of actors involved in their operation.”
As a result, the entire perimeter must be secured, as these are public services and the breach of a single device can lead to a chain reaction that impacts the entire city.
The scenario becomes more complicated when considering the disparate generations of equipment that are often combined in smart systems, many of which are obsolete or on the way to becoming so.
“These types of sensors are a gateway to corporate networks,” emphasizes Carlos de la Cuesta, head of the public sector at the digital solutions company Zebra Technologies in Spain. Whereas new technology leaves the factory with protection mechanisms, there are still many legacy devices in city networks that are quite vulnerable, he says. “They allow access to things that, although they may seem irrelevant at first, can become a problem.”
De la Cuesta mentions the case of an artist who became famous in 2020 for “hacking” Google Maps: The artist carried 99 smartphones with the location system turned on in a cart, which the navigator detected as just as many vehicles and, therefore, warned of traffic jams in areas that were actually empty.
“That’s why it’s important that everything is controlled and secure, that it’s as inaccessible as possible, because 100% complete security, as we all know, doesn’t exist,” de la Cuesta says. “There will always be a point where it declines, but it’s about putting up as many obstacles as possible and making them as difficult as possible to access.”
Rosa Díaz Moles, director of public sector at S2GRUPO, also highlights smart cities’ complexity and their resulting cybersecurity issues.
The digital transformation of public services involves “an accelerated convergence between IT and OT systems, as well as the massive incorporation of connected IoT devices,” she explains, which gives rise to challenges such as an expanding attack surface or the coexistence of obsolete infrastructure with modern ones, in addition to a lack of visibility and control over devices deployed by multiple providers.
She also warns of multiple cases where there is no security architecture adapted to the new urban model, as well as a lack of maturity in the deployment of these infrastructures and their limited real-time detection and response capacity.
“According to the European Cyber Security Organisation, 86% of European local governments with IoT deployments have suffered some security breach related to these devices,” she says.
Accenture’s Domínguez adds that the challenge is to consider “the fragmentation of responsibilities between administrations, concessionaires, and third parties, which complicates cybersecurity governance and requires advanced coordination models.”
De la Cuesta also emphasizes the siloed nature of project development, which significantly hinders the development of an active cybersecurity strategy.
Spanish smart cities address the cyber challenge
Here in Spain, some cities’ projects have earned them recognition as international smart city pioneers. In the 2025 Smart City Index, conducted by the IMD World Competitiveness Center, four Spanish cities are among the 146 leading smart cities in the world: Bilbao (29th place), Madrid (38th), Zaragoza (52nd), and Barcelona (92nd). Smart cities appear as one of Red.es’ development priorities in its financial report for the first half of 2025, with initiatives such as the Data Space for Smart Urban Infrastructures (EDINT) and the agreement with the Spanish Network of Smart Cities of the Spanish Federation of Municipalities and Provinces to promote this model.
“I have to give a lance to our public servants, because they do a lot with a little,” says Zebra Technologies’ de la Cuesta. “Obviously, there are mistakes and sometimes we have to backtrack, but things are being done quite well.”
In the integration of new tools, despite Spain holding a leading position in areas such as 5G, “technology moves much faster than the government’s ability to react,” he says.
“It’s not like a private company, which has a certain agility to make investments,” he explains. “Public administration is much slower. Budgets are different. Administrative procedures are extremely long. From the moment a project is first discussed until it is actually executed, many years pass.”
In his experience, security requirements demanded of suppliers by the government are increasingly stringent, and in line with the minimum standards set by organizations such as the National Cryptologic Center.
Accenture’s Domínguez agrees. “Spain has made significant progress in recent years in the protection of critical urban infrastructure, thanks to the regulatory push resulting from the transposition of the NIS Directive and the National Security Scheme (ENS), as well as growing institutional awareness.”
According to Domínguez, Madrid, Barcelona, Valencia, and Malaga have “structured cyber protection initiatives that integrate OT security, network segmentation, real-time monitoring, and coordinated incident response. However, the level of protection remains uneven and, in many cases, reactive.”
He identifies two main challenges municipal CISOs face: a lack of specialized resources at the municipal level and a dependence on technology providers “who do not always integrate cybersecurity from the design phase.”
Comprehensive security planning is needed
S2GRUPO’s Díaz says her company has worked on a number of projects that underscore the kinds of vulnerabilities that can be found in smart cities. For example, the company has undertaken cybersecurity assessments of smart street lighting systems in several municipalities “where the possibility of causing widespread shutdowns through cyberattacks was identified, with the consequent impact on citizen security,” she says.
They have also analyzed urban traffic control systems in another European city, finding that it was possible to alter traffic light cycles.
“These cases demonstrate how a security breach can have direct physical consequences and reinforce the urgent need to invest in the cyber protection of connected urban infrastructures,” she says.
“Some large capitals are making progress in urban cybersecurity strategies, but most medium-sized and small municipalities have structural deficiencies,” she says, including deployments without a comprehensive plan, as well as unencrypted or un-updated devices.
“Cybersecurity can no longer be limited to the administrative IT environment,” she says. “It must incorporate the protection of distributed systems, connected physical assets, and intelligent platforms.”
For Díaz, zero-trust architectures, network segmentation, advanced detection, and urban cyber intelligence are some of the key components in this new scenario, because all the advantages of IoT applied to cities can become major problems if they are not provided with adequate protection.
This is a translation of an article that originally appeared in Computerworld España.