First the power goes out. It's not clear what's gone wrong, but cars are starting to jam the streets -- the traffic light are down. And something seems to be going haywire with the subways, too.
No one can get to work. And even if they could, what would they do? A cyberattack has driven the city to a halt.
Of course, that hasn't happened yet -- and to a lot of people the idea of malicious hackers taking down a city still sounds like a bad movie plot. But it may not be as crazy as it sounds, according to security experts who say cities' increasing dependence on technology and the haphazard ways those systems sometimes connect could leave them vulnerable to someone looking to cause chaos.
Cities, like the rest of the world, now rely on a lot of computers. But the systems used to make even the most sensitive systems run can still contain security flaws. While the risk of an actual attack may not be imminent, the threat is looming large over cybersecurity researchers who warn that local governments aren't prepared.
"The potential attack surfaces of a city is a huge challenge," said David Raymond, deputy director of Virginia Tech's IT Security Lab. "The digital pathways between all of the entities and organizations in a city is often not well managed. In many cases, there's no overarching security architecture or even understanding of holistically what the city looks like."
Researchers have already discovered vulnerabilities with new technology being used in many cities.
Last year, researchers found that traffic monitoring system used in dozens of U.S. cities, including Washington, D.C., could allow a malicious hacker to falsify traffic data and manipulate stop lights. District officials say the city is reviewing the security of its traffic sensors. A few years ago, two Los Angeles traffic engineers pleaded guilty to hacking into the city's traffic system and slowing down traffic at key intersections in support of a labor protest.
In 2008, the Telegraph reported that Polish police believed a 14-year-old was responsible for a tram derailment that injured 12 people -- a feat he supposedly pulled off with a modified television remote control that took control of the steering and signals on the tram system.
"No one is thinking about the security implications," Raymond said.
Transportation systems are a key "pressure point" for cities, places where technology that is otherwise well secured might intersect in ways that make them vulnerable to a targeted attack that could cascade throughout a city, according to Raymond and fellow researchers Gregory Conti, a professor who teaches cybersecurity at West Point, and Tom Cross, the chief technology officer at cybersecurity firm Drawbridge Networks. Raymond, Conti and Cross presented their research at the Black Hat USA cybersecurity conference in Las Vegas earlier this month.
"Each person is looking at their little silo and defending their department or agency -- to varying degrees of success -- but they don't appreciate the relationships between their piece of the puzzle and other people's pieces," Cross said.
And in some cases, older industrial systems never designed to be online end up making their way onto the Internet. Researchers using Shodan, a search engine used to identify systems connected to the Internet, have routinely discovered traffic lights, water treatment facilities and even power plant controls online.
This summer, researchers said they found security vulnerabilities that could potentially be used to shut down a nuclear power plant. The vulnerabilities involved networked ethernet switches used in industrial environments, according to researchers Colin Cassidy, Robert Lee, and Eireann Leverett, who presented at the Black Hat USA conference. The researchers disclosed the problems to the switch makers and said that fixes are coming. But they worry that the slow patching process for these types of issues may leave some affected systems vulnerable for years.
Even finding those sort of problems can be difficult. Gaining access to power and water treatment plants is difficult. And these types of industrial facilities are not traditionally targeted by financially-motivated cybercriminals, so researchers are less likely to look for potential problems, said Cross. But nation-state or politically motivated attackers might take an interest in these types of industrial facilities in the future, Cross said.
And to make matters worse, attackers are getting stronger. "The sophistication level of attackers is increasing across the board," said Conti.
Sophisticated malware that has traditionally only been accessible to government agencies can end up in the hands of cybercriminals and one day may be used by someone aiming to cause destruction, researchers say.
Meanwhile, cities worried about cybersecurity risks often struggle to attract the right expertise and secure enough resources to address these issues over the long term, the researchers say. "One political leader may have some sort of educational event where they learn about security -- an incident that wakes them up -- but the next leader may have to relearn that," said Conti.
The risk management approach cities apply to traditional forms of attacks should also be used in the digital realm, Cross said. Cybercriminals haven't knocked out a city's ability to operate yet, but that doesn't mean it won't happen, he said, adding, "It's a false sense of security."
Not everyone is convinced that cities are facing a cybersecurity crisis just yet: James Lewis, a senior fellow focused on cybersecurity at the the Center for Strategic and International Studies, says cities are likely only going to be a target for pranksters in the immediate future -- not cyberattacks aimed at creating real world damage. "There's been a tremendous amount of increase in vulnerability, but that does not translate into an increase in risk," he said.
But pranksters hacking traffic signs to warn about a zombie apocalypse (as has happened) aren't what keeps researchers up at night. The real threat isn't that someone will simply launch a cyberattack against a city, Raymond said, it's that the attack will be designed to do as much damage as possible.
"The worst case scenario is someone thinks it all through," said Raymond.