IoT Devices Make Municipal Infrastructure an Easy Target for Cyberattackers - HSToday

City agencies deploying IoT and operational technology face significant security vulnerabilities, exemplified by a 2025 incident in California where hackers used default passwords and AI-generated voices to broadcast fake messages through crosswalk buttons, affecting at least 12 intersections. IoT devices are proliferating rapidly, with over half of them harboring medium to high-severity vulnerabilities, and attacks surged 124% in 2024, posing risks to public safety and critical infrastructure. Experts recommend comprehensive device inventories, credential hardening, strict contractor controls, zero trust architectures, and unified governance to improve security. The Georgia Department of Transportation's proactive security measures are cited as a successful model in safeguarding traffic systems.

In their rush to embrace the benefits of today’s smart technologies, city agencies have inadvertently created a security issue that threatens to disrupt essential services and endanger public safety. In April 2025, hackers gained access to audio-enabled crosswalk buttons in Palo Alto, Menlo Park, and Redwood City, CA.

The cybercriminals then utilized artificial intelligence (AI)-generated voices to broadcast fake messages from well-known tech executives in place of safety messages for visually impaired pedestrians. The crosswalk attack exploited default passwords in devices housed in exposed outdoor cabinets. It affected at least 12 intersections and forced the cities to disable critical accessibility features while they scrambled to fix the issue. Fortunately, no one was injured, and there were no reports of financial damage. But the incident exposed a structural vulnerability that threatens most municipalities deploying smart city technology today. To put it simply, Internet of Things (IoT) and operational technology (OT) devices are proliferating faster than the security frameworks required to protect them.

IoT Analytics reports that the number of connected IoT devices will exceed 39 billion globally by 2030. This is significant because 57% of enterprise IoT devices already harbor medium to high-severity vulnerabilities such as default passwords and outdated operating systems. These factors are a primary reason that IoT attacks surged 124% in 2024. For municipal governments, which manage traffic systems, water treatment plants, building controls, and public safety infrastructure that serve hundreds of thousands of residents, the consequences of inaction extend well beyond inconvenience. They threaten public safety.

The segmentation myth

The most common defense encountered when assessing public agencies across California and Nevada is network segmentation. Traffic systems occupy one virtual local area network (VLAN), security cameras another, and wireless a third. Chief information security officers (CISOs) point to this architecture as sufficient isolation. In practice, segmentation provides false comfort.

The reason is straightforward: humans still need access to manage these systems. Contractors, heating, ventilation, and air conditioning (HVAC) technicians, and third-party service providers connect unmanaged laptops to operational networks via remote desktop protocol (RDP) or remote access portals, creating pivot points that bridge supposedly isolated environments. Assessments of public agencies serving over three million residents across Southern California and Nevada commonly found that separate IT teams, distinct from the central city IT department, manage IoT and OT devices, but the systems maintain connectivity to the city’s core data center. As a result, one compromised contractor device could easily traverse established network boundaries.

This is not a hypothetical situation either. A Las Vegas casino was breached through an internet-connected fish tank. The attackers used their tank access to move laterally into the corporate network. In another example of what is possible today, a security researcher in the Netherlands demonstrated in October 2024 that tens of thousands of traffic lights across the country could be remotely manipulated via radio commands sent to their emergency services control systems. Once identified, the vulnerability required replacing every affected traffic light. The replacement process is currently ongoing and will likely not be completed until 2030 at the earliest. These incidents share a common pattern: devices were designed for operational convenience, deployed without authentication controls, and then connected to networks that allowed lateral movement.

The visibility gap

A significant problem for cities is that they typically do not know everything connected to their networks. Government sector assessments consistently find that agencies cannot produce a complete inventory of connected IoT devices or identify which devices carry known vulnerabilities, and that they lack protocols to prevent unauthorized devices from joining the network. One Nevada agency acknowledged operating 60 different IT tools without a proper inventory and lacking visibility into device configurations and patch status.

Forescout’s 2025 Riskiest Connected Devices report found a 15% year-over-year increase in average device risk. The report also determined that routers accounted for over 50% of the most vulnerable devices. Forrester Research concluded that corporate IoT devices were the most often reported target of external attacks in 2024. These devices were hacked more frequently than corporate computers or mobile devices. The technology sector, education, manufacturing, and government rank among the industries with the highest average device risk.

Municipal agencies face additional complexity because IoT assets are distributed across departments with different reporting structures, budget cycles, and security standards. Traffic management equipment sits in roadside cabinets. Facilities departments maintain building management systems. Supervisory control and data acquisition (SCADA) systems controlling water treatment and utilities are segmented and airgapped until they require internet connectivity or offline updates to patch vulnerabilities, creating the exact attack windows adversaries like to exploit.

What Georgia got right

The Georgia Department of Transportation (GDOT) is a rare success story in today’s high-risk environment. The GDOT recognized that its 8,000-plus connected roadside communication devices represented a critical attack surface. To resolve the issue, the agency deployed next-generation firewall capabilities at the network edge and integrated secure edge devices into traffic systems through standardized installation procedures. It also coordinated cross-team alignment among cybersecurity specialists, network architects, operations engineers, and field technicians.

The GDOT’s efforts earned it the 2025 Transportation Systems Management and Operations Award for Cybersecurity from the National Operations Center of Excellence (NOCoE). As NOCoE Director Nicholas Ramfos noted, GDOT’s proactive approach “protects both infrastructure and public safety, while reducing future costs linked to system breaches, downtime, and emergency responses.”

GDOT’s approach succeeded because it treated IoT and traffic systems as enterprise-critical assets requiring the same security governance as traditional IT infrastructure. Unfortunately, most agencies have not taken similar action.

A practical framework for municipal IoT security

Experts recommend agencies take the following steps to secure IoT and OT infrastructure:

Conduct a comprehensive device inventory across all departments, not just central IT. Traffic management, facilities, utilities, and public safety maintain connected devices that may not appear in the IT department’s asset management system. It’s crucial for automated discovery tools to scan for all connected endpoints, including shadow IoT devices deployed without formal approval.

Eliminate default credentials. The Silicon Valley crosswalk hack and the Netherlands traffic light vulnerability exploited unchanged default passwords. It’s essential for every IoT device deployed on municipal networks to undergo credential hardening before activation, with ongoing audits to verify compliance.

Enforce strict contractor access controls. Unmanaged contractor devices are among the most dangerous and overlooked attack vectors in public sector environments. To limit lateral movement, agencies can implement managed access solutions that enforce security policies on contractor devices without requiring endpoint agents.

Rely on zero trust architecture for IoT devices. Segmentation is no longer enough for IoT device security. Utilizing zero trust principles is now required to keep IoT and OT environments safe. These measures include consistently verifying identity and device posture. Another effective measure is to authorize every connection regardless of network location. Agencies can also continuously monitor device behavior for anomalies that may indicate compromise.

Unify governance across IT and OT domains. Gaps between traffic IT teams and central city IT can create security vulnerabilities for attackers to exploit. Unified security governance ensures consistent policy enforcement and vulnerability management. It also enables faster incident response across all connected infrastructure.
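As an added illustration (not part of the original article), the first two steps can be combined into one recurring check that reconciles a discovery scan against the asset register and reviews credential-hardening records. All device data, field names, and the 365-day audit interval below are constructed assumptions.

```python
from datetime import date

MAX_CRED_AGE_DAYS = 365  # assumed audit interval, not a figure from the article

# Constructed asset register: what central IT believes is deployed.
REGISTER = [
    {"mac": "00:11:22:AA:00:01", "dept": "traffic", "creds_rotated": date(2025, 3, 1)},
    {"mac": "00:11:22:AA:00:02", "dept": "traffic", "creds_rotated": None},
    {"mac": "00:11:22:AA:00:03", "dept": "facilities", "creds_rotated": date(2023, 1, 15)},
    {"mac": "00:11:22:AA:00:04", "dept": "utilities", "creds_rotated": date(2025, 1, 10)},
]

# Constructed discovery-scan output: what is actually answering on the network.
DISCOVERED = [
    {"mac": "00-11-22-aa-00-01", "vlan": "traffic"},
    {"mac": "00-11-22-aa-00-02", "vlan": "traffic"},
    {"mac": "00-11-22-aa-00-03", "vlan": "facilities"},
    {"mac": "00-11-22-bb-00-09", "vlan": "traffic"},
]


def norm(mac):
    """Normalize MAC notation so register and scan entries compare equal."""
    return mac.lower().replace("-", ":")


def audit(register, discovered, today):
    """Return a sorted list of (mac, finding) tuples."""
    known = {norm(a["mac"]): a for a in register}
    seen = {norm(d["mac"]): d for d in discovered}
    findings = []
    # Endpoints on the wire that no department has registered (shadow IoT).
    for mac, d in seen.items():
        if mac not in known:
            findings.append((mac, f"unregistered device on {d['vlan']} VLAN"))
    for mac, a in known.items():
        # Register entries the scan never reached point to a visibility gap.
        if mac not in seen:
            findings.append((mac, "registered but not seen by scan"))
        if a["creds_rotated"] is None:
            findings.append((mac, "no credential hardening on record"))
        elif (today - a["creds_rotated"]).days > MAX_CRED_AGE_DAYS:
            findings.append((mac, "credential audit overdue"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, finding in audit(REGISTER, DISCOVERED, date(2025, 6, 1)):
        print(mac, finding)
```
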

Increasing safety by reducing risk

Smart city technology has numerous benefits, including optimized traffic flow, energy efficiency, improved emergency response, and better services for residents. To ensure the realization of all benefits, it’s vital that the security foundations required to protect the systems keep pace with deployment. IoT attacks are increasing at triple-digit rates, and agencies can’t afford to ignore security despite limited budgets, competing priorities, or staffing shortages. It is imperative that they remember their infrastructure affects hundreds of thousands of lives daily.

One compromised traffic signal or one hacked water-treatment SCADA system does not just generate headlines. It puts public safety at risk. The crosswalk hack in Silicon Valley was a nuisance. The next attack on municipal IoT infrastructure may be much worse.
