Security is a major concern for local governments and utilities. Whether it's foreign hackers, hacking collectives or just individuals effectively committing online vandalism, industrial facilities, US federal email servers, weather systems, worker databases and infrastructure databases are all frequently targeted. If databases are insecure, how much more insecure would thousands of wirelessly networked devices be? They may be convenient from the perspective of city planners, but smart cities could be a target for hackers.
The Guardian published an article detailing how cities that have networked systems like traffic controls, lighting and others are vulnerable to attacks. These devices both gather data as well as control the these vital city functions. The data is invaluable for city planning; accurate, detailed and easily gathered data on traffic patterns would make route planning for public transportation much easier, for instance. The ability to detect and possibly fix sign outages is similarly valuable.
Both the data and possibly the controls have significant value to parties other than local governments, however. Typically, these breaches come from foreign countries, but hacktivists seeking to send a message could easily exploit vulnerabilities to disrupt businesses and gain attention as well. There's also the possibility of this data being monetised, meaning that businesses would have an interest as well, giving hackers more reason to access the data on behalf of less scrupulous businesses. Typically, local governments don't have access to the level of security that corporations or central governments do and even those haven't gone without major breaches. Local governments simply lack the resources to both test and keep themselves secure and instead, are relying on obscurity to avoid potential break-ins.
Once the service has been found, it's no longer secure. There are plenty of individuals and groups constantly prowling open connections on the internet for those very openings. As connectivity comes to more devices, doubtless there will be growing concern over their security; it's already been noted that connected devices in the private sector are insecure, but with the possibility of things like smart cars on the roads, the urgency of those concerns will grow.
The devices being installed right now are not easily upgradable on a hardware level, defeating the purpose of centralised controls and also increasing the concerns regarding security; any flaw could take months rather than days to rectify and prevent exploitation. Not only that, as this Forbes article points out, the threat isn't just from a lack of properly deployed and tested technology, but also from a lack of knowledge and staff. The threat comes not just from an increasing reliance on technology, but from the sectors using that technology.