A Review of Zero Trust Security Framework (ZTF) for Sustainable and Resilient Smart Cities

As cities adopt smart technology in an ever-evolving technological environment, they face new and complex threats and security challenges. These threats affect the privacy of citizens and often impact the critical infrastructure of a smart city, creating sustainability risks. Cyber security incidents have multiplied, and such threats can disrupt the functioning of a smart digitized ecosystem. In addition, smart cities have been developed like a complex technological puzzle of interconnected sensors and software. The Internet of Things (IoT) based infrastructure of a smart city includes the smart grid systems studied in this paper. This paper highlights the vulnerabilities of the digital ecosystem in a smart city environment and addresses the security and privacy issues of IoT-based infrastructure and cloud computing. We also present future trends in blockchain technology and focus on a zero trust blockchain security framework (ZTF) that can be developed to reduce the urban attack surface and its security risks.


INTRODUCTION
The global landscape of smart cities is changing as they use more and more digital technology to increase efficiency and to meet community goals for quality of life, such as economic growth, social equity and environmental sustainability [1]. Technological development and the digital transformation of cities have led to the creation of new innovative cities, whose sustainability is highly dependent on the security and privacy of data in the City Cloud [2]. Smart city efficiency is ranked according to the Smart City Index (SCI), whose classification is based on the technological infrastructure cities use in the modern era, without considering the required security and privacy issues [3,4]. Moreover, the integrated approach to new technologies applied to smart cities does not highlight the security and privacy problems of devices and Cloud services, or where and how data are stored [5].
A smart city now aims at smart sustainability, which is based on the interconnection and interaction of all IoT-based smart grid systems. A sustainable smart city means a secure innovative city and implies the existence of a Zero Trust Security Framework [6] in which everything is connected and exchanges data in a Cloud that is fully decentralized and secure.
To address this topic, the paper is structured as follows. In Section 2 we analyze the IoT environment and the strategy for managing critical infrastructure, such as renewable energy, in a smart ecosystem. We also present the smart grid systems and their interoperability, as defined by NIST, across many different communication protocols and standards [7]. In Section 3 we focus on cloud computing and the vulnerabilities it presents [8], quoting real cases of cyber-attacks on the clouds of large companies. In correlation with the above, we present some resilience aspects of smart cities and the case of a smart environment with key performance indicators based on the holistic approach of NIST [9]. In Section 4 we focus on blockchain and IPFS security solutions [10] as the state of the art in future cyber security trends. Section 5 concludes that security, privacy and data protection in a smart city remain significant challenges, due to the limited resources available, the differing standards of IoT-based systems and the vast amount of sensitive user data at the edge.

SMART CITY ENVIRONMENT AND SMART THREATS
The rapid development of smart grids and IoT devices constitutes the backbone of the technological improvement of smart cities. Sustainability is a key issue for citizens' lives [11], and IoT-based systems bring embedded technological elements and different functionalities to emerging cities. However, smart grid systems face a significant disadvantage: cyber security issues. Because these smart devices and sensors are interconnected, possible threats must be addressed as a whole to ensure protection [12]. According to the Nokia Threat Intelligence Report 2023 [13], a single botnet DDoS attack can involve hundreds of thousands of IoT devices, representing a significant threat to networks globally. Botnets have become a major generator of DDoS traffic: between 500,000 and 1,000,000 globally distributed, remotely controlled IoT hosts or cloud server instances are active daily, generating more than 40% of all DDoS traffic [13]. Attacks against IoT devices are often simple and easy to conduct [14], and the data these devices collect can range from simple temperature and humidity measurements to more sensitive information such as a user's location and living habits [15].

Layers of IoT-Based Systems
The security of the cloud database is considered the main problem in the analytics and application layer, and it greatly affects the quality of service at that layer. The three aspects of security, confidentiality, data integrity and availability, describe a model for imposing information security policies within an organization [16].
In general, the basic layers of smart grid and IoT architecture are [17]:
1. Perception layer, the hardware layer that represents the physical part of the IoT and consists of sensors and actuators. Its main function is collecting data from the physical environment. The end devices must be able to communicate with the network layer in order to transmit the collected information and to receive feedback from the upper layers.
2. Connectivity & Networking layer, which represents the point of access to the Perception layer and basically revolves around data handling, i.e., forwarding the information generated by the end devices up to the analytics layer and sending the data and commands produced by the latter back to the devices.
3. Analytics & Application layer, which is the intermediate layer between the physical part and the Internet applications and is mainly responsible for filtering and storing the data received from the end devices. It is also responsible for enforcing the security policy in the IoT network. This layer must be able to cope with device heterogeneity and hide it from the IoT applications, to facilitate their access to sensor data.
Although we consider the whole network of a smart city, many proposals have been presented for the IoT layered architecture, such as an alternative five-layer architectural model [18], comparable to the OSI and TCP/IP models. These layers have similar general characteristics and functions to those of the three-layer model.

IoT Communications Standards
In order to realize the commonly conceived IoT infrastructure, it is necessary to refer to the most popular IoT protocols, as they provide the means to interchange information between the proposed layers. IoT devices support many interoperable communication protocols and can interact with other devices and with the infrastructure as well. Nowadays, the most important standards in the IoT environment are the following [19]:
1) Extremely short-range systems, e.g., Near Field Communication (NFC) enabled devices.
2) Short-range passive and active Radio Frequency Identification (RFID) systems.
3) Wireless Personal Area Networks (WPAN), including standards such as ZigBee, 6LoWPAN, Thread (6LoWPAN-based), Z-Wave, ANT+, ISA100.11a (6LoWPAN-based), Bluetooth LE and EnOcean. The vast majority of connected things at the moment are using IEEE 802.15.4-based systems, in particular ZigBee. The most prominent features of these networks are that they operate mainly in the 2.4 GHz and optionally in the 868/915 MHz unlicensed frequency bands, and that the network level connecting these nodes uses a mesh topology [20].
4) Low-Power Wide-Area Networks (LPWANs), which are low-power, low-bandwidth and low-cost protocols covering smart cities and long-distance smart grid areas, with a transmission range from 1 m up to 50 km [21].

Cyber Attacks Against Smart Grid Systems
Due to crucial vulnerabilities by design in IoT devices, attackers can easily gain access and use them for malicious purposes, compromising their availability and data transmission. Focusing on threat intelligence in smart city environments, we refer to some cyber security attacks to highlight the necessity of a new solution for smart grid systems [14]:
1. Buffer overflow attack: input larger than the receiving buffer overwrites adjacent memory, which can crash the device or let the attacker execute code; in its crudest form it resembles a denial-of-service attack, wherein a network becomes so weighed down with packets initiating incomplete connection requests that it can no longer process genuine connection requests [22][23][24].
2. Cloud malware injection attack: the attacker creates a malicious service implementation module and tries to add it to the cloud system. If the attacker succeeds, the cloud redirects valid users' requests to the malicious service, and the attacker's code starts to execute [22,24].
3. Signature wrapping attack: cloud services use XML signatures to ensure message integrity. An attacker who intercepts a signed message can relocate the signed element and insert a forged one in its place; the signature still validates against the relocated element, so the attacker modifies the communication between nodes without invalidating the signature [22].
4. Frequency jamming attack: a sensor node communicates with a remote estimator over a wireless channel, which an external attacker can jam [25].
5. Session hijacking: an adversary collects all data transferred during the authentication phase and the whole session, then tries to re-transmit the packets with a modified sequence number [24,26].
6. Man-in-the-middle attack: attackers place themselves between two or more IoT devices using a packet sniffer and manipulate the data in transit [14,15,27].
7. Exploitation for credential access: the attacker finds a vulnerability in the applications of smart systems, including sensors, collects passwords from dump files and other resources, and executes malicious code on the system [14,15,22].
Common cyber-attacks such as ransomware, Distributed Denial of Service (DDoS) and man-in-the-middle attacks can cause severe consequences for smart cities. Ransomware can encrypt critical data, demanding payment for its release and disrupting city operations. DDoS attacks can overwhelm networks, causing service outages. A man-in-the-middle attack may lead to unauthorized access, potentially compromising sensitive information or control systems.
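The signature wrapping attack (item 3 above) is the one in the list whose mechanism is easiest to misread, so here is an added worked example of it. It is not code from the reviewed paper or from any cloud platform: the message format, the Id and URI attributes and the shared key are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric XML-DSig signature so that the example runs on the Python standard library alone. The vulnerable verifier validates whichever element carries the referenced Id and then processes the first Body it finds; the attacker moves the signed Body under a Wrapper and plants a forged Body, so the signature check passes while the forged command is executed. The hardened verifier insists that the element it processes is the very element whose signature it checked.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared key. A real deployment would use an XML-DSig asymmetric
# signature; HMAC-SHA256 stands in here so the example runs on the stdlib alone.
KEY = b"constructed-demo-key-do-not-reuse"


def canon(elem):
    """Serialize an element and its subtree without its tail text, so the bytes
    do not change when the element is moved elsewhere in the document."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="utf-8")


def build_signed_message(command):
    """Sender side: sign the Body, referenced by Id, as a WS-Security style message would."""
    env = ET.Element("Envelope")
    body = ET.SubElement(env, "Body", Id="body-1")
    ET.SubElement(body, "Command").text = command
    sig = ET.SubElement(env, "Signature")
    ET.SubElement(sig, "Reference", URI="#body-1")
    ET.SubElement(sig, "Value").text = hmac.new(KEY, canon(body), hashlib.sha256).hexdigest()
    return ET.tostring(env, encoding="unicode")


def wrap(xml_text, forged_command):
    """Attacker side: keep the signed Body (so the Reference still resolves and the
    signature still validates) but move it under a Wrapper, and put a forged,
    unsigned Body where the application expects to find it."""
    env = ET.fromstring(xml_text)
    original = env.find("Body")
    env.remove(original)
    wrapper = ET.Element("Wrapper")
    wrapper.append(original)
    forged = ET.Element("Body")                     # no Id: not what the Reference points to
    ET.SubElement(forged, "Command").text = forged_command
    env.insert(0, forged)
    env.insert(1, wrapper)
    return ET.tostring(env, encoding="unicode")


def _reference_and_value(env):
    ref = env.find("Signature/Reference").get("URI").lstrip("#")
    return ref, env.find("Signature/Value").text


def _signature_ok(elem, value):
    expected = hmac.new(KEY, canon(elem), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, value)


def verify_naive(xml_text):
    """Vulnerable verifier: validates whichever element carries the referenced Id,
    then processes the first Body it finds; the two need not be the same element."""
    env = ET.fromstring(xml_text)
    ref, value = _reference_and_value(env)
    signed = next(e for e in env.iter() if e.get("Id") == ref)   # searches the whole tree
    if not _signature_ok(signed, value):
        raise ValueError("bad signature")
    return env.find("Body/Command").text


def verify_hardened(xml_text):
    """Hardened verifier: the Id must be unique, there must be exactly one Body,
    and the Body being processed must be the exact element that was verified."""
    env = ET.fromstring(xml_text)
    ref, value = _reference_and_value(env)
    matches = [e for e in env.iter() if e.get("Id") == ref]
    if len(matches) != 1:
        raise ValueError("referenced Id is missing or not unique")
    signed = matches[0]
    if not _signature_ok(signed, value):
        raise ValueError("bad signature")
    bodies = env.findall("Body")
    if len(bodies) != 1 or bodies[0] is not signed:
        raise ValueError("signed element is not the Body being processed")
    return signed.find("Command").text


def rejects(verifier, xml_text):
    """True if the verifier refuses the message."""
    try:
        verifier(xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    genuine = build_signed_message("close_valve")
    attack = wrap(genuine, "open_valve")
    print("naive executes   :", verify_naive(attack))            # open_valve
    print("hardened rejects :", rejects(verify_hardened, attack))  # True
```

The identity check (`bodies[0] is not signed`) is the essential fix: verifying "a signature somewhere in the document" is not the same as verifying the element the application acts on. Real XML-DSig libraries add canonicalization and namespace handling, but the same rule applies to them.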

CLOUD COMPUTING AND VULNERABILITIES BY DESIGN
Cloud vulnerabilities in smart cities can pose significant risks, potentially leading to data breaches, service disruptions or unauthorized access. Issues like inadequate security measures, weak authentication and misconfigurations can make smart city systems susceptible to cyberattacks, impacting essential services such as transportation, energy and public safety. Additionally, cloud computing is not resilient to data leakage, as the latest published cyber security incidents show. When data are transferred across the cloud unencrypted, vulnerabilities are created for spoofing, traffic sniffing, man-in-the-middle attacks and, as usual, DDoS [8]. Moreover, in some cases cloud providers do not offer confidentiality agreements, which makes liabilities unclear and puts the client's reputation at major risk. Personal data and metadata about citizens and organizations may be transferred to third parties without the consent of their rightful owners [8,28], to create targeted advertising or political campaigns.

Security Incidents in Cloud Data Centers
Many solutions have been developed with the main goal of curing the unknown ailments of large data centers. Unfortunately, problems and misconfigurations persist. In particular, the Cloud Security Alliance introduced the concept of Shadow Access: access that is invisible and unauthorized, and that generally operates with over-permissioned rights in a cloud environment [29]. The consequences of Shadow Access, combined with the development of artificial intelligence, threaten to impact any organization with an evolving cloud. Lately there have been many cases of cyberattacks; here are some of them, on well-known multinational companies.
3.1.1 Data breach exposes 530 million Facebook users' personal data. Facebook was breached before August 2019, and the personal data of over 530 million users was stolen and, shortly after that, posted to a public database; the affected users were not notified until April 2021. The data were exposed through scraping, a common tactic that often relies on automated software [30].
3.1.2 Cloud misconfiguration causes massive data breach at Toyota Motor. In June 2023, automaker Toyota said that the data of approximately 260,000 customers had been exposed online due to a misconfigured cloud environment. This breach highlights that a simple cloud misconfiguration can open the door to attackers. It also shows how long it can take before a breach is discovered: Toyota wrote that the data was exposed from February 2015 to May 2023 [31].
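Over-permissioned grants of the kind behind Shadow Access and the misconfiguration incidents above can be caught before deployment by auditing the access policy itself. The following is an added example, not the paper's own code and not an official tool of any cloud provider: two constructed bucket policies written in the AWS IAM JSON policy language (the field names Statement, Effect, Principal, Action, Resource and Condition are the real ones; the bucket, account and role names are invented), and a small checker that flags anonymous principals, wildcard actions and resources, and the NotAction/NotResource forms that grant everything not listed. The weak policy is the kind of grant that leaves an over-permissioned path nobody is tracking; the hardened one names a single principal, a single action and requires TLS.

```python
import json

# Constructed bucket policies in the AWS IAM JSON policy language (illustrative, not
# taken from any real account). WEAK is the kind of grant that creates Shadow Access:
# anyone, any S3 action, no conditions. HARDENED names one principal, one action, TLS only.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "LegacyIntegration",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::city-telemetry", "arn:aws:s3:::city-telemetry/*"]
  }]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TelemetryReadOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/telemetry-reader"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::city-telemetry/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}""")


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list of strings."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def audit_policy(policy):
    """Return (Sid, finding) pairs for every Allow statement broader than it should be."""
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        if "NotAction" in statement or "NotResource" in statement:
            findings.append((sid, "NotAction/NotResource: allows everything not listed"))
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append((sid, "wildcard resource"))
        principals = _principals(statement)
        if "*" in principals:
            findings.append((sid, "anonymous principal"))
        if any(p.endswith(":root") for p in principals) and "Condition" not in statement:
            findings.append((sid, "account root principal without Condition"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

A check like this is static and deliberately conservative: it cannot see the effective permissions that result from combining identity policies, resource policies and permission boundaries, which is exactly where Shadow Access hides. It is a gate on what gets deployed, to be paired with runtime review of who actually exercises which permissions.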

Hardening Cloud Computing
As a solution to the vulnerabilities of cloud computing and to harden cloud information systems, the CIS Hardened Images platform helps IT professionals around the globe avoid misconfigurations in cloud data centers. CIS Hardened Images are virtual machine (VM) images pre-configured to meet the security recommendations of the associated CIS Benchmark. They provide users with a secure, on-demand and scalable computing environment. Today there are more than 100 CIS Hardened Images available on the Amazon Web Services, Microsoft Azure, Google Cloud Platform and Oracle Cloud marketplaces [32].

Resilience Aspects in Smart Cities
The race among IT companies and university researchers to tackle cybersecurity problems continues. International cybersecurity organizations such as NIST and ENISA issue guidelines and frameworks for the secure operation of information systems. Regarding security issues in smart cities, NIST created the H-KPI (Holistic Key Performance Indicator) framework to plan a smart city ecosystem in which different domains all cooperate within a smart grid [9]. The H-KPI Framework is a self-assessment methodology for the current state of 'smart' characteristics, enabling cities to set realistic goals and addressing the gap between convenience and security. In a smart city there are many different smart grid systems, such as smart governance, smart manufacturing, smart farming/agriculture, smart grid/energy, smart transportation, smart healthcare, smart education, smart buildings/homes, smart citizens and smart protection. Urbanization and climate change make it imperative to use technology (sensors, cameras, drones, etc.) in the civil protection of a smart city, to prevent and respond to major natural disasters such as fires, floods and earthquakes. Without protecting the citizens and critical infrastructure of a smart city, its sustainability cannot be supported [33].

A REVIEW OF ZERO TRUST BLOCKCHAIN SECURITY FRAMEWORK
Since data are stored on the massive servers of providers, the entity accessing these data can control the rate at which content is delivered and to whom. At the same time, as mentioned above, the critical infrastructure of a smart city is vulnerable both to cloud misconfigurations and to malfunctioning IoT devices. To address these problems and enhance the resilience and sustainability of a smart city, we analyze a multi-stakeholder solution: the application of a Zero Trust Security Framework (ZTF) in which all participants can be combined. This solution is powered by Ethereum smart contracts [34]; the devices interact with the blockchain, and the filtered data are uploaded through the InterPlanetary File System (IPFS) to different network nodes [34,35]. Every node can hold a portion of the overall data. In the decentralized system all clients participate, such as the different cities that want to access the data. In addition, for storage reasons, there is also a centralized system in which the large multi-cloud providers participate, with the data divided across multiple servers, achieving high scalability [22]. All of them, using distributed massive storage, keep information on different nodes, while the IPFS content identifiers (cryptographic hashes) are kept in the decentralized Ethereum blockchain via smart contracts and cannot be changed or deleted [21]. Authentication between the IoT devices and the system is implemented through a Public Key Infrastructure (PKI) and a Hardware Security Module (HSM), a specialised device used to protect cryptographic keys and support cryptographic functions such as the creation of digital signatures and encryption [36].
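The zero trust property of the device authentication described above is that the gateway trusts no message because of where it came from: every reading is checked on its own for a valid signature from a registered device, for freshness, and against replay (the session hijacking pattern from Section 2, where captured packets are re-sent with altered sequence numbers). The following is an added illustration of that ingestion check, not code from the paper or from any HSM vendor. Symmetric HMAC-SHA256 stands in for the PKI signature so that it runs on the standard library; with asymmetric keys the gateway would hold only each device's certificate and the private key would never leave the HSM. The device id, key, timestamps and readings are constructed, and the SoftHsm class only imitates the one property of an HSM that matters here, that keys go in and never come out.

```python
import hashlib
import hmac
import json

# Constructed example: HMAC-SHA256 stands in for the PKI signature the framework
# describes, so the code runs on the stdlib alone. With asymmetric keys the gateway
# would hold only the device's certificate and the private key would stay in the HSM.


class SoftHsm:
    """Stand-in for an HSM: keys are provisioned in and never returned; only sign/verify are exposed."""

    def __init__(self):
        self._keys = {}

    def provision(self, device_id, key):
        self._keys[device_id] = key

    def sign(self, device_id, data):
        return hmac.new(self._keys[device_id], data, hashlib.sha256).hexdigest()

    def verify(self, device_id, data, tag):
        if device_id not in self._keys:          # unregistered device: nothing to trust
            return False
        return hmac.compare_digest(self.sign(device_id, data), tag)


def canonical(device_id, seq, ts, payload):
    """Deterministic bytes covering every field the gateway relies on."""
    return json.dumps([device_id, seq, ts, payload], sort_keys=True, separators=(",", ":")).encode()


class Device:
    """An IoT node that signs every reading together with a strictly increasing sequence number."""

    def __init__(self, device_id, hsm):
        self.id, self.hsm, self.seq = device_id, hsm, 0

    def emit(self, ts, payload):
        self.seq += 1
        tag = self.hsm.sign(self.id, canonical(self.id, self.seq, ts, payload))
        return {"device": self.id, "seq": self.seq, "ts": ts, "payload": payload, "tag": tag}


class Gateway:
    """Zero trust ingestion: every message is verified on its own, regardless of source address."""

    WINDOW = 30  # seconds of clock skew tolerated (assumed value)

    def __init__(self, hsm):
        self.hsm, self.last_seq = hsm, {}

    def accept(self, msg, now):
        dev = msg["device"]
        data = canonical(dev, msg["seq"], msg["ts"], msg["payload"])
        if not self.hsm.verify(dev, data, msg["tag"]):
            return "reject: bad signature or unknown device"
        if abs(now - msg["ts"]) > self.WINDOW:
            return "reject: stale timestamp"
        if msg["seq"] <= self.last_seq.get(dev, 0):
            return "reject: replay"                  # this or a later message was already seen
        self.last_seq[dev] = msg["seq"]
        return "accept"


if __name__ == "__main__":
    hsm = SoftHsm()
    hsm.provision("meter-42", b"\x01" * 32)          # constructed key
    device, gateway = Device("meter-42", hsm), Gateway(hsm)
    reading = device.emit(1000, {"kwh": 12.5})
    print(gateway.accept(reading, 1001))              # accept
    print(gateway.accept(reading, 1002))              # reject: replay
```

The order of the checks matters: the signature is verified first, so the sequence and timestamp fields are only trusted once they are known to come from the device, and the sequence counter is only advanced for messages that pass every check, so a stale or forged message cannot be used to push a device's counter forward.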
In this new landscape of the smart city ecosystem, blockchain and IPFS will play a crucial role in faster transactions and more resilient, more efficiently automated city grids [22,34,37]. This Zero Trust Framework (ZTF) refers to one decentralized blockchain coupled with the IPFS technique. All computing devices contribute resources to the same file system, IPFS, which is a peer-to-peer distributed file system. IPFS builds a Merkle Directed Acyclic Graph (DAG) in which the links between objects are cryptographic hashes of the targets embedded in the sources [35]. Implementations of blockchain have argued that a trusted environment and smart contract execution can be used to enhance the interoperability of services [38].
Blockchain provides a distributed ledger that is shared among all participants in the network on the basis of a consensus mechanism. The need for a third-party verifier is eliminated, making the system secure and completely decentralized [37]. The blockchain verifies and stores data in blocks. A smart contract is triggered by sending a transaction to its Ethereum address, and it executes depending on the input given in that transaction [39]. New data blocks are validated after data filtering in the IoT-based systems reduces the huge amount of data that needs to be stored, and a correlation must be maintained between the imported data and the extracted data analysis.
In addition, blockchain technology is cost-effective, as it eliminates the need for a notarization authority. Here, Ethereum-based smart contracts perform the verification and maintenance of documents on IPFS. By using cryptographic techniques, the signatures of the various parties can be verified. The smart contract provides an interface for restricted access and for tracking changes to a document [39].
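Two mechanisms carry the integrity guarantee of the design in this section: the Merkle DAG, in which each node's links are the hashes of its children, and the immutable record of the root content identifiers on the ledger. The following added example shows both together; it is not IPFS's or Ethereum's code and not code from the paper. The multihash and base58btc steps are the real CIDv0 construction (a sha2-256 multihash always yields the familiar 46-character "Qm..." identifier), but the node encoding is a simplified JSON Merkle DAG rather than IPFS's DAG-PB, so the CIDs will not match what `ipfs add` prints for the same bytes. The hash-chained Ledger class is a stand-in for the smart contract storage, and the sensor readings are constructed.

```python
import hashlib
import json

# Added example, not IPFS's own code: the node encoding is a simplified JSON Merkle DAG
# rather than IPFS's DAG-PB, so CIDs will not match `ipfs add`; the multihash and
# base58btc steps are the real CIDv0 construction. The sample payload is constructed.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58btc(data):
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def cid_v0(block):
    """CIDv0 = base58btc(multihash), multihash = 0x12 (sha2-256) || 0x20 (length) || digest."""
    digest = hashlib.sha256(block).digest()
    return base58btc(b"\x12\x20" + digest)


def encode_node(links, data=b""):
    """A DAG node: the CIDs of its children (links) plus optional raw data."""
    return json.dumps({"links": links, "data": data.hex()}, sort_keys=True, separators=(",", ":")).encode()


def decode_node(block):
    node = json.loads(block)
    return node["links"], bytes.fromhex(node["data"])


def build_dag(payload, chunk_size=32):
    """Chunk the filtered sensor data into leaves, then a root node whose links are the leaf CIDs."""
    store, links = {}, []
    for i in range(0, len(payload), chunk_size):
        block = encode_node([], payload[i:i + chunk_size])
        cid = cid_v0(block)
        store[cid] = block
        links.append(cid)
    root = encode_node(links)
    root_cid = cid_v0(root)
    store[root_cid] = root
    return root_cid, store


def verify_dag(cid, store):
    """Every block must hash to the CID that names it; a missing or altered block fails."""
    block = store.get(cid)
    if block is None or cid_v0(block) != cid:
        return False
    links, _ = decode_node(block)
    return all(verify_dag(link, store) for link in links)


def reassemble(cid, store):
    links, data = decode_node(store[cid])
    return data + b"".join(reassemble(link, store) for link in links)


class Ledger:
    """Append-only, hash-chained record of root CIDs: a stand-in for what the smart contract stores."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def entry_hash(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, device_id, root_cid):
        prev = self.entry_hash(self.entries[-1]) if self.entries else "0" * 64
        self.entries.append({"index": len(self.entries), "prev": prev, "device": device_id, "root_cid": root_cid})

    def verify(self):
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["index"] != i or entry["prev"] != prev:
                return False
            prev = self.entry_hash(entry)
        return True


if __name__ == "__main__":
    readings = b"meter-42,2024-03-01T00:00Z,12.5\nmeter-42,2024-03-01T00:15Z,12.7\n"  # constructed
    root, store = build_dag(readings)
    ledger = Ledger()
    ledger.append("meter-42", root)
    print(root, verify_dag(root, store), ledger.verify())
```

Two points the code makes concrete. Anyone holding only the 46-character root CID from the ledger can fetch the blocks from any node, trusted or not, and detect a substituted or missing chunk, which is what lets storage be spread over untrusted providers. And the hash chain only protects entries that have a successor: altering the latest entry is not detected by the chain alone, which is why the design puts the record on a replicated, consensus-validated blockchain rather than on a single server.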

CONCLUSION
The challenge of achieving a fully secured IoT-based smart grid in a smart city is ongoing. Blockchain and IPFS contribute to creating standardized protocols for data exchange, fostering interoperability between the different systems and devices in the smart city ecosystem. Decentralization reduces the risk of a single point of failure and makes the system more resistant to attacks targeting a central repository. The combination of blockchain and IPFS provides the groundwork for a decentralized, secure and transparent Web 3.0 infrastructure, fostering innovation and resilience in the development and operation of smart cities. While blockchain offers various security benefits, its implementation must be carefully planned, considering factors such as scalability, energy efficiency and the specific needs of the smart city deployment. Therefore, there are multiple open issues and challenges for secure IoT networks that represent great opportunities for researchers.