
Smart Public Infrastructure

As public infrastructure becomes increasingly “smart” and interconnected, it’s important to consider the cybersecurity implications of what can often be legacy operational technology (OT) that’s being incorporated into a wider, connected infrastructure network.

Many, many years ago, the author of this article was an inquisitive 10-year-old who discovered that the cover on a roadside traffic signal control box was hanging loose. “I wonder what happens if I push the button marked RED?” The answer was: all the lights at the junction go red and stay there.

Fast forward to today, and engineers don’t need on-site buttons to press: they can connect to the public infrastructure they manage from their tablets and laptops, often wirelessly. I am reminded of this most days, because if I sit at a particular set of traffic lights, or at the barrier to the parking lot where I leave my car for the day, Wireless Apple CarPlay drops out on my car’s infotainment system because of the strong radio interference from the control systems for the lights and the barriers a few feet away from the car.

If You Can Connect, So Could They

In a world where everything is both electronic and connected, everything can potentially be hacked. In May 2025, a Russian state-sponsored attack hacked border security cameras to enable bad actors to monitor goods being transported into Ukraine. In 2023, the Polish railway found that the use of unencrypted radio transmissions for controlling signals left it open to an attack that stopped trains at will with a radio costing just $30. Then we have the hacking of warning signs on Alabama roads and similar ones in North Carolina, both a result of the default security settings being sub-standard.

In 2024 a researcher explained how he had been able to take control of traffic lights from afar – no 10-year-old child needed at the roadside – just by leveraging an unauthenticated, internet-facing GUI.

ISC2 Insights has looked at the security challenges of operational technology (OT), and all of these are classic examples. Making great infrastructure equipment cannot come at the expense of security, and security cannot be an afterthought. However, things that seem obvious to cybersecurity professionals may not be obvious to the designers or owners of the infrastructure in question, which is why collaboration is so important in smart public infrastructure projects.

Modernizing Public Infrastructure

The first challenge is the legacy nature of public infrastructure. This equipment is complex and expensive, and some of it can easily be 20 or 30 years old. It may well have been completely unconnected when it was installed, with the remote management options being retrofitted a long time after installation. Anything that comes along as a later addition, particularly if it serves an ancillary purpose rather than core functionality, runs the risk of not having strong security designed into it. With older underlying hardware, it is highly possible that there is simply not enough processing power to add significant layers of security – particularly modern encryption algorithms, which are complex and need fast processors if they are to work at all.

There can also be a mismatch between the refresh cycles of public infrastructure equipment and the need for security-related software updates. A traffic light system or a railway signaling network might receive updates once a year, or perhaps even less often, yet we see new cybersecurity threats all the time, with big innovations in attack vectors sometimes occurring several times a year.

Expectations vs Security

Operational priorities can overshadow security, too. Upgrading infrastructure is usually complex and will normally require downtime of some sort. Downtime on transport infrastructure, power stations and the like can be expensive and difficult – the shutdown and (in particular) startup processes alone may run into hours or even days for some types of infrastructure, on top of the outage that is required for the actual upgrade. In our organizations, our colleagues have learned to accept that we may need monthly reboots to install the latest functionality and security patches on equipment. However, telling the public that the buses are on a restricted timetable for a week while you update the infrastructure that governs their movement is unlikely to be accepted.

Cost is also a factor. The public purse is usually not deep, which means that when a big infrastructure project is put out for bids, price is generally the major factor alongside safety and delivery time, with cybersecurity one of an ensemble of priorities.

As we saw in some of the examples earlier, default credentials are also often a problem. Taking a complex, critical piece of equipment and making it accessible on the internet using an easy-to-discover password sounds silly, but it continues to happen all the time.

Finally, we have the issue of skills. OT engineers are highly skilled in making OT equipment work and keeping the lights on, but they are potentially less skilled in the cybersecurity elements and in working with any hardware and software that has been bolted on to make equipment remotely manageable. Perhaps this is exemplified by the parking lot example from earlier: if the Wi-Fi signal of the barrier control can overwhelm the Bluetooth/Wi-Fi signal of a car’s infotainment system, clearly nobody has considered or adjusted the radio strength in the roadside equipment. This lack of insight brings with it an obvious security risk.

There are some reassurances that things are getting better. In particular, governments are realizing that something needs to be done about levels of security in public infrastructure. An excellent example is the EU’s Cyber Resilience Act, which will mandate security requirements in any product that has, as the EU puts it, “digital elements”. As with many security concepts, the Act does not demand anything particularly difficult or expensive to implement: it’s all about security by design and being open about vulnerabilities so that customers know they need to do something. Providing security updates throughout the life of the equipment is one such example. The U.S. also has some legal concepts gathering pace: the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), for example, mandates prompt security incident reporting for critical infrastructure systems. In 2023, President Biden spoke of the National Cyber Security Strategy, some of whose principles overlap with the new EU law.

Due to the longevity of our public infrastructure, though, we must plan for it to continue to be exploitable by bad actors. For example, the Los Angeles, CA traffic system is estimated to have been installed in 1928, with many of the design principles from then still in place; a new system was installed for the Olympics … in 1984. Legacy infrastructure is tricky and expensive to replace, so our governments – both national and local – face the challenges of dealing with the impact of the security attacks that will, inevitably, happen to many of them over time.
