Pen Testing a City

Presented at Black Hat USA 2015, Aug. 6, 2015, 2:30 p.m. (50 minutes)

How would you take down a city? How would you prepare for and defend against such an attack? The information security community does a great job of identifying security vulnerabilities in individual technologies, and penetration testing teams help secure companies. At the next level of scale, however, things tend to fall apart. The information security of cities, the backbone of modern civilization, often receives little to no holistic attention, unless you count the constant probing of nation-state aggressors. The information technology infrastructure of cities is different from that of other entities. Cities feature complex interdependencies between agencies and infrastructure that is a combination of federal, state and local government organizations and private industry, all working closely together in an attempt to keep the city as a whole functioning properly. Preparedness varies widely. Some cities have their act together, but others are a snarl of individual fiefdoms built upon homegrown technological houses of cards. If you can untangle the policy and politics and overcome the bureaucratic infighting to create workable leadership, authorities, and funding, you are still faced with an astronomically complex system and an attack surface the size of, well, a city. Our talk identifies these necessary precursor steps and provides a broadly applicable set of tools to start taming and securing such an attack surface. In this talk, we first explore a notional city, deconstruct it layer by layer, and use these insights to suggest a comprehensive methodology for reverse engineering any city and deriving its attack surface. We complement these insights with a broad analysis of proven capabilities demonstrated by hackers and information security researchers, as well as known capabilities of criminal and nation-state actors applicable to city-level attacks.
Next, we develop a coherent strategy for penetration testing as an approach to highlight and then mitigate city-level vulnerabilities. Finally, we conclude with a wide-ranging set of approaches to complement pen testing efforts, including exercises and collective training, metrics and a maturity model for measuring progress, and specialized city-level attack/defend ranges. You'll leave this talk fearing for the survival of your respective country, but also possessing a toolkit of techniques to help improve the situation. By better securing cities we have a glimmer of hope in securing nations.


  • David Raymond - USMA
    David Raymond is an Associate Professor at West Point where he teaches courses in computer networking and cybersecurity and coaches the West Point CTF Team. He is an Army officer of 25 years with a unique mix of experience in armored maneuver warfare and Army systems automation. He has published over 25 papers and articles on topics including computer architecture, wireless security, online privacy, and cyber warfare and has spoken at several academic and industry conferences including Black Hat, Shmoocon, and RSA.
  • Tom Cross / Decius - Drawbridge Networks
    Tom Cross is the CTO of Drawbridge Networks. He is credited with discovering a number of critical security vulnerabilities in enterprise class software and has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. Tom held an engineering advisory role in the export compliance program at Internet Security Systems. He was previously Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides.
  • Greg Conti - West Point
    Greg Conti is an Associate Professor and Director of the Army Cyber Institute at West Point. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley), as well as approximately 75 articles and papers covering cyber conflict, online privacy, usable security, and security data visualization. He has spoken at numerous security conferences, including Black Hat, DEF CON, CyCon, HOPE, Interz0ne, ShmooCon, and RSA. His work can be found at @cyberbgone and