Vieraj,+5920 Adsi-1
Vieraj,+5920 Adsi-1
Vieraj,+5920 Adsi-1
Saqib Ali
Sultan Qaboos University
Muscat, Sultanate of Oman
e-mail: [email protected]
Abstract. There has been a swift rise in the development of smart cities. This
evolution has been prompted by the rise in emerging technologies such as edge
computing, IoT, data science, and analytics. Combining these technologies has
paved the way for new, automated systems for managing and monitoring proce-
dures and industries, resulting in increased efficiency and improved quality of life.
While these interconnected services assist in managing the growing population in
the urban environments through efficient service delivery and increased operational
efficiency, they also increase the risk of adversary threats, security, and privacy
challenges to smart cities. This paper presents the holistic view of the security
landscape and highlights the security threats, challenges, and risks to the smart
city environment.
Keywords: Smart cities, IoT, data science, security, threats, privacy, risk
1 INTRODUCTION
In the last few decades, provisioning smart cities have become the prime focus
due to facilities offered such as economic development, improved infrastructure,
406 R. Waseem Anwar, S. Ali
machine learning, and data mining has increased the chances of attacks where ad-
versaries using advanced technologies can easily bypass the traditional security tech-
niques. Preserving users’ privacy in a smart city is another equally important issue
to consider while proposing the security solution [9]. Security issues are not new,
however, the advances in technology make it necessary to produce new and innova-
tive ways to protect data and privacy [10].
This paper highlights the vulnerabilities with associated attacks for the smart
cities and presents the open issues such as up-to-date requirements for security and
challenges which could build the foundation for developing more secure and privacy-
protected futuristic smart cities.
The sections of the paper are organized as follows. Section 2 discusses the related
work comprising relevant studies focusing on security risks and threats associated
with smart city’s environment. Section 3 presents the IoT architecture for smart
cities. Sections 4 and 5 discuss the elements of a smart city and its architecture.
Sections 6 and 7 highlight the security measures, threats, attacks related to smart
cities. Lastly, the Sections 8 and 9 present the direction for future work and the
conclusion.
2 RELATED WORK
Numerous researchers have discussed the role of technology and proposed frame-
works for designing the structure of smart cities. The paper [16] presents the frame-
work for understanding the core components of smart cities in terms of the key fac-
tors driving the initiative of smart cities namely people, environment, governance,
technology, policy context, and economy. In addition to the key drivers of smart
cities, the authors have also discussed the core challenges in three domains namely,
IT infrastructure, security and privacy, and operational cost. Overall, the paper
defines the important aspects of the smart cities’ initiative however, the paper has
not discussed the ideal technologies that can be used for designing the smart cities’
infrastructure. This limitation has been covered in the paper [17] where the authors
have discussed the importance of IoT, data science and analytics, and related data
sources generating real-time data for analyzing and monitoring smart infrastruc-
tures such as smart transportation, resource efficiency, crowd source-based services.
However, it does not comprise the risks and threats associated with the smart cities’
architecture. In comparison to the previously defined papers, the proposed paper
demonstrates a systematic view of the security requirements, threats, and attacks
associated with the smart cities’ infrastructures.
layer are the Wireless Sensor Networks (WSNs) routing protocols for the devices to
communicate with each other and with the gateway. Similarly, cloud computing,
Wi-Fi, LTE, Bluetooth, ZigBee, 4G/5G are also a part of this layer. The topmost
layer is the application layer that is responsible for providing services to various
applications such as smart city, smart grid, and smart health. Also, this layer han-
dles the decision making process and controls commands to efficiently handle the
aggregated data [23]. Figure 1 depicts the IoT-based layered architecture for smart
cities.
The distinction between these layers helps to understand the complexity and
heterogeneity of devices and communication patterns employed in smart cities.
Moreover, smart cities are becoming smarter due to the enriching nature of dig-
ital technologies deployed and hailed as the modern way forward for any urban
area.
Smart city elements positively impacted people’s lives due to the offered benefits
and quality of services provided. According to the National Institute of Standards
and Technology (NIST), one of the most widely and adopted reference models for
smart cities categorizes six distinctive areas as smart people, smart economy, smart
410 R. Waseem Anwar, S. Ali
governance, smart environment, smart mobility, and living [2, 22]. However, there
are various priorities and constitutions of smart cities from one location to another,
for example, design and deployment of wastewater management have a higher pri-
ority at one place while on the other location it is disaster management [23]. Some
of the key elements of smart cities are as follows.
Smart living aspires to provide basic services to its citizens by providing smart
buildings, smart homes, and the inclusion of fundamental infrastructure and archi-
tectural components that must be in place to make the city smart. Moreover, smart
living provides a secure environment that ensures the safety and security of all citi-
zens. Providing a healthy atmosphere will have a positive impact on people’s lives
which will not only actively influence the behavior of people but also increase their
creativity [24].
Mass transit and other types of public transportation are the main elements in smart
cities where many people are commuting. Like other smart applications, Intelligent
Transportation Systems (ITS) are equipped with embedded sensors, communication,
and navigation systems where all the vehicles are connected. Similarly, various other
types of IoT sensors are deployed and maintained to monitor the environment, gather
the data, and respond to changes in the smart city environment [25]. In addition to
this, they can also secure road transport, railway, and marine services by establishing
online schedules and real-time tracking. Lastly, the use of electric vehicles reduces
carbon emissions and provides a pollution-free environment.
To get the maximum benefits, people living in smart cities need to be aware of vari-
ous aspects such as protection of the environment, sustainable adoption of a healthy
lifestyle, recycling, and saving water and energy [24]. In addition, the use of technol-
ogy facilitates the inclusion of people to involve in discussions with the government,
other key stakeholders, and ultimately in the decision making process.
Smart economy refers to promoting local growth by enhancing the digital economy,
paving way for entrepreneurship, and a flexible labor market. Implementing a smart
economy would add value to the smart city where diverse and flexible opportunities
will become available for the citizens. Moreover, the innovation and entrepreneurship
activities can foster a positive and competitive business environment that could
Smart Cities Security Threat Landscape: A Review 411
promote growth for smart cities. In addition to this, economic growth has a positive
impact on people’s lives as it promotes forward-thinking and could help in reaching
global businesses [26].
Since the inception of the smart city paradigm, various ICT architectures have been
proposed based on different security requirements and characteristics. Moreover,
there is no unique standardized architecture and common security framework for
a smart city which is a major problem. However, ubiquitous sensing allows collec-
tion of information from the physical world (sensing), processing it, and decision
making through a communication world using heterogeneous network components,
processing units, and control operating components. In addition, smart city archi-
tectures are differentiated according to the characteristics of perception, network,
and application layers where each layer provides services (service-oriented architec-
ture) and works with other layers in a collaborative manner. However, the following
characteristics of smart cities must be considered before developing any security and
privacy protection mechanism [28, 29].
5.1 Heterogeneity
To bridge the gap between sensing (physical world) and communication, there are
various types of sensors such as temperature sensors, industrial sensors, smart me-
tering sensors, and video surveillance devices that can be deployed to sense the phe-
nomenon and gather the information which is then processed further for decision
making. However, the major issue with these sensors is limited energy, computa-
tional power, memory, and processing capabilities [29].
Considering the vital role of energy storage, smart cities face the resource constraint
challenge due to the inherent characteristics of IoT and the wide-scale deployment
of embedded sensors. Also, these sensors are battery-operated with limited storage
and processing capabilities. In addition, the inclusion of a malevolent node quickly
depletes the battery energy [30].
Smart Cities Security Threat Landscape: A Review 413
5.4 Scalability
Smart Cities are growing at a rapid pace hence more data and network traffic are
generated. Also, the addition of new components and services to an existing network
requires scalability and resilience. Therefore, it is equally important to consider the
scalability issue in the design of smart cities.
System users are the main stakeholders in smart cities since they are directly ben-
efitting from the services. Moreover, the user’s involvement in the system not only
increases the performance but also enhances the decision making process [30].
Cities are becoming smarter hence provisioning the required security and privacy in
a smart city environment is equally important and challenging. Like any other net-
work and system, providing security to smart city services/entities requires special
considerations due to the heterogeneity of devices, the multitude of communication
protocols, the interconnectivity of various components, and insufficient computa-
tional capabilities. In addition, without a proper security solution, the inclusion
of sensor nodes is often prone to internal and external attacks. Moreover, smart
city applications use wireless sensor networks where the interaction between cyber
and physical components for gathering and processing the data makes an ideal tar-
get for adversaries [31]. In an unprotected environment, mutual authentication is
required for the communication process to ensure the security of smart city appli-
cations.
A growing concern for smart cities is cybersecurity which is considered the most
vital issue [32]. Any security breach can cause catastrophic effects such as finan-
cial and information loss, and physical harm due to the insertion of incorrect data
into the system resulting in a disruption in the various operations in smart cities.
The main objective of security in smart cities is to protect physical assets, data,
and networks from known and unknown vulnerabilities, threats, and attacks. In
addition, the diverse range of devices generates a massive amount of data that is
used in the decision making process. Moreover, this collected data is considered
the most critical asset and requires proper security for protecting its confidentiality,
integrity, availability (CIA), authenticity, and validation. Integrity is the trust in
the truthfulness of the resources in the systems that ensure that the performed op-
erations are carried out by the intended and authorized user [33]. Thus, smart cities
need to maintain their data integrity and implement the necessary precautionary
measures to repel the attack from adversaries and from eavesdropping the commu-
nication. Similarly, it is also mandatory to maintain the confidentiality of data and
communication among systems and ensure the complete security of the smart cities
414 R. Waseem Anwar, S. Ali
Security Description
Requirements
for Smart Cities
Confidentiality The protection of data between communication entities from
unauthorized access.
Integrity Ensuring the security of data from alteration or modification
from a malicious user while the data is fetched through sensors
and transferred to centralized authority such as base station (BS)
or communication center.
Availability The continued availability of devices and services of smart city
entities whenever required by the user.
Authentication Identification of communicating peers.
Authorization Only authorized parties have access to available resources and
services.
Non-repudiation Communicating parties cannot deny the transactions made
among them.
Data Freshness Enabling the assurance of data generated by smart city devices
are fresh with time-stamped and no adversary has altered the
data or replays the old messages.
Anonymity Ensuring the information is protected and inaccessible to an ad-
versary.
Scalability The ability of the system to provide services successively while
adding the new devices and services to an existing system.
Attack Resistance Resiliency against various potential attacks.
Smart cities are facing the large number of security challenges which range from
technical problems to complex attacks due to distinguishing characteristics, there-
fore, the smart city requires special security consideration as compared to tradi-
tional IT systems and networks where proposed techniques and countermeasures
are devel-oped based on conventional network security. Also, protecting the smart
city compo-nents is challenging due to the heterogeneity of devices, insecure and
Smart Cities Security Threat Landscape: A Review 415
hostile envi-ronments, and inadequate protection of data and privacy, for exam-
ple during data transmissions, protection of devices, and security of data storage
devices [28, 29]. The following subsections describe these requirements.
The massive increase in data exchange among multiple services and assets requires
proper security controls to protects the integrity of data and to detect malicious
activities. In addition, secure data transmission reduces the impact of data theft
and misuse including denial of service (DoS) attacks where the malicious attackers
could capture the transmission and manipulate the messages [30].
Security refers to a state of being safe and protected. With references to smart
cities, security includes precautionary measures essential for protecting the city and
its citizens from direct or indirect harm resulting from unlawful access to information
and cyber or physical attacks that can disrupt the system [36].
Unlike traditional security mechanisms, smart city security requires new and
innovative ways of securing the devices and applications while considering the char-
acteristics such as resource constraints, distributed architecture nature, and geo-
graphic distribution. Smart cities are prone to several unique challenges such as
unreliable communication, inadequate level of data, and privilege protection.
Providing the required services round the clock uninterruptable is the main
objective of smart cities. Also, the unavailability of any service could have a catas-
trophic impact. However, smart cities are exposed to several attacks due to the
416 R. Waseem Anwar, S. Ali
The devices that work at the perception layer are sensors, tags, RFID, actuators,
and GPS, which have limited energy, computational power, and memory. Moreover,
the placement of these devices is usually in open and hostile environments where
adversaries can capture them physically, tamper, or even get the keys. Therefore,
these devices are susceptible to a variety of attacks [38]. Thus, it is important to
protect the devices and put the necessary measures in place to prevent information
disclosure and to reduce the attack impact. The common attacks at the perception
layer are [34, 39]:
Denial of Service (DoS) attack: In this attack, network services are unavailable
to legitimate users because all the available resources are flooded with false
messages and fake requests that make the network inaccessible.
Malicious node: The inclusion of malicious nodes in the existing network not only
spreads false information but threatens the network’s security, data integrity,
and availability.
Resonance attack: During resonance attacks, the forged sensor which uses differ-
ent frequencies disrupts the communication among legitimate components.
Smart Cities Security Threat Landscape: A Review 417
The network layer is responsible for the transmission and routing of data. However,
due to the nature of communication, this layer could face radio interference, data
leakage, and interruption problems. Moreover, several security attacks can threaten
the network layer and the availability of services. The common attacks which occur
at this layer are [10, 40]:
Jamming attack: The jamming attack is one of the most common attacks es-
pecially for sensor-based networks where the communication is corrupted by
jamming signals which result in damaging the ongoing communication between
devices and eventually reduces the bandwidth availability.
Routing attack: Inclusion of malicious nodes to the network creates forge paths
and routing loops which increase the transmission delay and overhead.
Selective-forwarding attack: In this attack, the compromised node drops some
of the legitimate data packets and forwards a few selected packets.
Sleep deprivation attack: During a sleep deprivation attack, the intruder con-
stantly sends the messages to the sensor node to drain its energy so the life-time
of the network is minimized.
Wormhole attacks: Constituting the communication network multiple malicious
nodes participate in this attack and create the information hole in the network
through the creation of false routes.
Sinkhole attack: In the sinkhole attack, the compromised node propagates the
forge path information to other nodes to re-route the traffic. Also, this attack
is used to launch other similar attacks.
One of the most important layers in smart city architecture is responsible for ex-
changing a large amount of user data among various entities and applications. The
application layer faces most threats related to user data, privacy, and unauthorized
access to resources. Also, the application layer can be configured in different ways
according to the level of services provided. The common attacks at this layer in-
clude [35, 41]:
SQL injection attack: An input string is injected into the database through the
application which changes the SQL statements and the attacker gains control
over the database and gets access to information.
Net-
work
Layer • Bluetooth • Communication • Jamming • Confidentiality • Access Control
Disruption
• Wi-Fi • Routing • Authentication • Authentication
• Denial of Ser-
• Access • Selective for- • Integrity • Secure Routing
vice (DoS)
Points warding
• Trust Mechanism • Attack Detec-
(Aps) • Network Rout-
• Sleep depriva- tion
ing • Confidentiality
• LAN tion
• Integrity
• Wormhole
• Availability
• Sinkhole
• Authentication
Applica-
tion
Layer • Smart • Privacy • Malware attack • Authentication • Authentication
Home
• Information In- • Buffer over- • Availability • Authorization
• Smart terception flows
• Privacy • Encryption
Health
• Access Control • Social Engi-
• Integrity • Trust Manage-
• Smart neering
• Denial of Ser- ment
Grid • Non-repudiation
vice (DoS) • SQL Injection
• End-to-End en-
attack
cryption
Directions for the significant growth and the provision of services provided by smart
cities to its resident are phenomenal. However, the interdependency between the
various components/objects of smart cities possesses significant threats and security
challenges that need to be addressed at the early stages. Some of the future research
directions and challenges are:
• Since smart cities are interdependent and rely on critical infrastructures, there-
fore, changes in one major process can slow down or disrupt services in mission-
critical industries such as the healthcare and telecommunication industries.
• The resource-constraint devices such as sensors that play an important role
in sensing and acquiring the information are vulnerable to both internal and
external attacks, therefore, they can be easily disrupted or penetrated via the
denial-of-service or man-in-the-middle attacks.
From the above analysis, it can be concluded that the diverse and complex
environment of smart cities requires proper standardization of security measures
with new and vibrant frameworks that ensure end-to-end security between the layers
and among the resource-constraint devices.
9 CONCLUSION
Smart cities are emerging and comprise a plethora of interconnected devices, there-
fore, the provision of security and privacy is challenging. This paper highlights
a brief review of security threats and challenges faced by smart cities and their
applications. The interconnectivity and the complex heterogeneity between the
physical and cyberinfrastructure of smart cities require special security countermea-
sures. The architecture of smart cities is discussed followed by the various attacks
at Network, Perception, and Application layers. Overall, this review paper serves as
a valuable resource and reference point for academia and industrial practitioners.
REFERENCES
[1] DeLuca, L.: United Nations: Online Data Repositories and Resources. College and
Research Libraries News, Vol. 78, 2017, No. 1, pp. 41–45, doi: 10.5860/crln.78.1.9607.
[2] Khatoun, R.—Zeadally, S.: Smart Cities: Concepts, Architectures, Research
Opportunities. Communications of the ACM, Vol. 59, 2016, No. 8, pp. 46–57, doi:
10.1145/2858789.
[3] Yang, Y.—Wang, X.—Zhu, S.—Cao, G.: Distributed Software-Based Attesta-
tion for Node Compromise Detection in Sensor Networks. 2007 26th IEEE Interna-
tional Symposium on Reliable Distributed Systems (SRDS 2007), 2007, pp. 219–230,
doi: 10.1109/SRDS.2007.31.
420 R. Waseem Anwar, S. Ali
Future. International Journal of Distributed Sensor Networks, Vol. 15, 2019, No. 6,
doi: 10.1177/1550147719853984.
[29] Cerrudo, C.: An Emerging US (and World) Threat: Cities Wide Open to Cyber-
Attacks. Securing Smart Cities, Vol. 17, 2015, pp. 137–151.
[30] Ijaz, S.—Shah, M. A.—Kha, A.—Ahmed, M.: Smart Cities: A Survey on Secu-
rity Concerns. International Journal of Advanced Computer Science and Applications,
Vol. 7, 2016, No. 2, pp. 612–625, doi: 10.14569/IJACSA.2016.070277.
[31] Maciag, M.—Wogan, J. B.: With Less State Aid, Localities
Look for Ways to Cope. Governing, The Future of States and Lo-
calities, 2017. Available at: https://www.governing.com/archive/
gov-state-aid-revenue-sharing-intergovernmental-revenue.html.
[32] Li, T.—Jung, T.—Qiu, Z.—Li, H.—Cao, L.—Wang, Y.: Scalable Privacy-
Preserving Participant Selection for Mobile Crowdsensing Systems: Participant
Grouping and Secure Group Bidding. IEEE Transactions on Network Science and
Engineering, Vol. 7, 2020, No. 2, pp. 855–868, doi: 10.1109/TNSE.2018.2791948.
[33] Ali, B.—Awad, A. I.: Cyber and Physical Security Vulnerability Assessment
for IoT-Based Smart Homes. Sensors, Vol. 18, 2018, No. 3, Art. No. 817, doi:
10.3390/s18030817.
[34] Ali, S.: Cybersecurity Management for Distributed Control System: Systematic
Approach. Journal of Ambient Intelligence and Humanized Computing, Vol. 12, 2021,
No. 11, pp. 10091–10103, doi: 10.1007/s12652-020-02775-5.
[35] Anwar, R. W.—Zainal, A.—Abdullah, T.—Iqbal, S.: Security Threats and
Challenges to IoT and Its Applications: A Review. 2020 Fifth International Confer-
ence on Fog and Mobile Edge Computing (FMEC), 2020, IEEE, pp. 301–305, doi:
10.1109/FMEC49853.2020.9144832.
[36] Bhattasali, T.—Chaki, R.—Sanyal, S.: Sleep Deprivation Attack Detection in
Wireless Sensor Network. International Journal of Computer Applications, Vol. 40,
2012, No. 15, pp. 19–25, doi: 10.5120/5056-7374.
[37] Fard, S. M. H.—Karimipour, H.—Dehghantanha, A.—Jahromi, A. N.—
Srivastava, G.: Ensemble Sparse Representation-Based Cyber Threat Hunting
for Security of Smart Cities. Computers and Electrical Engineering, Vol. 88, 2020,
Art. No. 106825, doi: 10.1016/j.compeleceng.2020.106825.
[38] Arias, O.—Wurm, J.—Hoang, K.—Jin, Y.: Privacy and Security in Internet
of Things and Wearable Devices. IEEE Transactions on Multi-Scale Computing Sys-
tems, Vol. 1, 2015, No. 2, pp. 99–109, doi: 10.1109/TMSCS.2015.2498605.
[39] Bellovin, S. M.: Attack Surfaces. IEEE Security and Privacy, Vol. 14, 2016, No. 3,
pp. 88–88, doi: 10.1109/MSP.2016.55.
[40] Anwar, R. W.—Bakhtiari, M.—Zainal, A.—Abdullah, A. H.—
Qureshi, K. N.: Enhanced Trust Aware Routing Against Wormhole Attacks
in Wireless Sensor Networks. 2015 International Conference on Smart Sensors and
Application (ICSSA), 2015, IEEE, pp. 56–59, doi: 10.1109/ICSSA.2015.7322510.
[41] Javadzadeh, G.—Rahmani, A. M.: Fog Computing Applications in Smart Cities:
A Systematic Survey. Wireless Networks, Vol. 26, 2020, No. 2, pp. 1433–1457, doi:
10.1007/s11276-019-02208-y.
Smart Cities Security Threat Landscape: A Review 423
Raja Waseem Anwar received his Ph.D. degree from the Uni-
versiti Teknologi Malaysia (UTM), Malaysia. Currently he
works as Assistant Professor at the Faculty of Computer Studies,
Arab Open University, Muscat, Sultanate of Oman. His research
interest is in information security, trust and security in wireless
sensor networks, cyber physical systems and IoT. Furthermore,
he has been involved in organization of many international peer-
reviewed conferences, and other scientific events.