Even though the previously described threats against smart cities continuously evolve, advanced methods continue to be developed to improve the visibility of cyber threats. In this section, we describe the selected methods, followed by their categorization in the “Discussion and key findings” section.
Interdependency models
Heterogeneous communication protocols and shared infrastructure connect various embedded systems to make cities more effective. Additionally, different service providers exchange information and resources to support the sustainable operation of a smart city. This high interdependence introduces a large number of possible attacks and vulnerabilities that directly relate to the severity of a threat and have a multiplicative effect on the prioritization of mitigation. Indeed, a threat that results in the loss of one service or infrastructure can potentially impact other services, as they use each other’s resources. Moreover, identifying these vulnerabilities and their impact is challenging because of the high complexity of the connections among different infrastructures. Further, each smart city component has its own variety of security requirements, which introduces additional challenges.
Any disruption of a smart city’s systems would have an impact on its effective operation as well as the safety and well-being of its citizens. Additionally, a formal dependency model of the smart city’s elements would uncover insights into fundamental characteristics of the system’s topology and could be instrumental in developing its security profile, assessing the cumulative impact of cyber threats, and estimating the effect of countermeasures. While the discussed dependency models do not always consider cyber threats explicitly, understanding the connections between different domains affects threat prioritization and mitigation.
To this end, Laugé et al. [48] demonstrated how a failure in one service could affect other domains. In this context, the researchers conducted a series of interviews with experts and quantified the magnitude of the adverse effect on dependent services such as energy and connectivity. The results, which include characterization of the time dimension to dynamically study the impact, enabled a deep understanding of direct and higher-order dependencies to prioritize mitigation.
Further, König et al. [49] proposed a framework to represent the effect of adverse events in highly coupled critical infrastructures (CI). The approach models the dependencies between infrastructures as a directed graph: each CI is denoted as a single vertex, while the edges symbolize reliance on other CIs’ resources. Each edge is then assigned a class \(c \in \{1, 2, \ldots, C\}\) which represents a fixed type of inner or mutual dependency. These dependencies are assessed using a Markov chain whose parameters are elicited through interviews with experts. Moreover, the visualization of dependencies illustrates how limitations in one CI affect dependent CIs and how this impact changes over time.
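To make the construction concrete, the following minimal Python sketch builds such a graph and propagates a failure through class-specific Markov transition matrices. The CIs, dependency classes, and transition probabilities are hypothetical; the paper elicits these from experts.

```python
import numpy as np

# Vertices are CIs; each edge carries a dependency class c in {1..C}.
# States of a CI: 0 = nominal, 1 = degraded, 2 = failed.
edges = {
    ("power", "telecom"): 1,   # class-1 dependency: telecom relies on power
    ("telecom", "water"): 2,   # class-2 dependency: water SCADA relies on telecom
}

# One transition matrix per dependency class (illustrative numbers only).
P = {
    1: np.array([[0.90, 0.08, 0.02],
                 [0.10, 0.70, 0.20],
                 [0.00, 0.30, 0.70]]),
    2: np.array([[0.95, 0.04, 0.01],
                 [0.20, 0.60, 0.20],
                 [0.05, 0.25, 0.70]]),
}

def propagate(dist, c, steps=1):
    """Evolve a CI's state distribution under a class-c dependency."""
    for _ in range(steps):
        dist = dist @ P[c]
    return dist

# Power is degraded: telecom's state distribution after 3 time steps.
telecom = propagate(np.array([0.0, 1.0, 0.0]), edges[("power", "telecom")], 3)
print("telecom state distribution:", telecom.round(3))
```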
To identify the minimum subset of critical infrastructure nodes and select the most rewarding mitigation priorities, Stergiopoulos et al. [50] fed a dependency risk graph into their model and defined the correlation between centrality metrics and high-impact nodes. Further, the authors used centrality metrics to develop and test various risk mitigation strategies that maximize risk reduction. The results demonstrated that centrality measures can characterize the critical infrastructure nodes that most significantly affect the overall risk in a dependency risk graph.
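As an illustration of the underlying idea, the sketch below ranks the nodes of a small, hypothetical dependency risk graph by betweenness centrality using the networkx library; the concrete metrics and graphs in [50] differ.

```python
import networkx as nx

# Hypothetical dependency risk graph; edge weights stand for cascading risk.
G = nx.DiGraph()
G.add_weighted_edges_from([
    ("power", "telecom", 0.8), ("power", "water", 0.6),
    ("telecom", "finance", 0.7), ("telecom", "transport", 0.5),
    ("water", "health", 0.4), ("transport", "health", 0.3),
])

# Betweenness centrality highlights nodes that sit on many risk paths;
# mitigating the top-ranked nodes first maximizes risk reduction.
centrality = nx.betweenness_centrality(G, weight="weight")
priority = sorted(centrality, key=centrality.get, reverse=True)
print("mitigation priority:", priority)
```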
In an alternative work, Stergiopoulos et al. [51] modeled dependencies among infrastructures as a graph \(G = (N, E)\), where \(N\) is a set of nodes representing infrastructures or components, and \(E\) is a set of edges that symbolize dependencies. In fact, an edge from node \(CI_{i}\) to node \(CI_{j}\), i.e., \(CI_{i} \to CI_{j}\), denotes a risk relation that is derived from the dependence of infrastructure \(CI_{j}\) on a service provided by infrastructure \(CI_{i}\). This relation is quantified using the impact \(I_{i,j}\) and the likelihood \(L_{i,j}\) that a disruption will be realized. The resulting cascading risk is represented as a numerical value on each edge. The growth of this value is then precomputed and passed to a fuzzy ranking system that provides realistic assessments of the evolution of potential failures.
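A minimal sketch of the edge-level quantification, under the simplifying assumption that likelihoods multiply along a dependency chain (the paper’s exact cascade computation and fuzzy ranking are more elaborate), could look as follows; all values are hypothetical.

```python
# Each edge CI_i -> CI_j carries a likelihood L and an impact I in [0, 1].
chain = [
    {"edge": ("power", "telecom"), "L": 0.6, "I": 0.9},
    {"edge": ("telecom", "finance"), "L": 0.5, "I": 0.7},
]

cum_likelihood, cascade = 1.0, []
for hop in chain:
    cum_likelihood *= hop["L"]          # chance the disruption reaches this hop
    cascade.append((hop["edge"], cum_likelihood * hop["I"]))  # hop-level risk

for edge, risk in cascade:
    print(f"{edge[0]} -> {edge[1]}: cascading risk {risk:.3f}")
```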
One of the goals of Beccuti et al. [52] was to investigate the consequences of a malfunctioning communication system when the power grid experiences a failure. To this end, the authors modeled and simulated the electrical state of the Electrical Power System (EPS) using a Stochastic Activity Network (SAN), while a Denial of Service (DoS) attack was modeled using a Stochastic Well-formed Net (SWN). The researchers investigated how these two models can be integrated to characterize the impact of the DoS attack. While the approach focuses on specific scenarios, the executed analysis illustrated that the satisfaction of a power line’s users can differ significantly depending on the severity and progression of the DoS attack.
In a different work, Bloomfield et al. [53] centered their study on how the strength of dependencies between power and telecommunication networks affects various measures of risk and uncertainty. The approach begins at a high level of abstraction, aiming to identify dependencies between the components of CIs, and is then followed by a detailed service behavior model. Further, the authors employed probabilistic models to derive various measures for risk assessment, e.g., the likelihood of a cascade failure under a given set of assumptions.
Netkachov et al. [54] used stochastic modeling of an industrial control system and studied the effect of both accidental failures and cyber attacks. In fact, the researchers used a stochastic state machine to model the behavior of the adversary, while the dependencies between the elements were modeled using a deterministic or a probabilistic approach. The study unveiled the most critical elements of the network and a high correlation between the impact and the capabilities of the attackers.
Further, Johansen et al. [55] proposed to model the interdependencies by using a Bayesian network and a minimum link set (MLS) formulation to create the network model. An MLS represents a minimal set of components that must function for the system to operate. Moreover, the authors distinguished three types of dependencies: service provision, geographic, and access-to-repair interdependencies. Each dependency relationship was then defined by the joint probability distribution of the components: regardless of the choice of parent nodes, the conditional probabilities that define the entire system are obtained by dividing joint probabilities by the marginal probabilities of failure. By applying their framework to a real system with complex interdependencies, the researchers quantified the cascading effect of an individual component’s performance on the performance of the entire network.
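The conditioning step can be illustrated with a toy example; the three-component system, its MLSs, and the failure probabilities below are hypothetical, and a real application would query the learned Bayesian network instead of brute-force enumeration.

```python
import itertools

# P(system fails | line fails) = P(system fails, line fails) / P(line fails).
p_fail = {"pump": 0.1, "line": 0.2, "backup": 0.3}  # independent failures

# Two minimum link sets: the system functions if {pump, line} both function,
# or if {backup} functions on its own.
mls = [{"pump", "line"}, {"backup"}]

def system_works(ok):
    return any(all(ok[c] for c in s) for s in mls)

joint = marginal = 0.0
for bits in itertools.product([True, False], repeat=3):
    ok = dict(zip(p_fail, bits))
    p = 1.0
    for c, works in ok.items():
        p *= (1 - p_fail[c]) if works else p_fail[c]
    if not ok["line"]:
        marginal += p                   # P(line fails)
        if not system_works(ok):
            joint += p                  # P(system fails, line fails)

print("P(system fails | line fails) =", joint / marginal)  # -> 0.3 (backup)
```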
Additionally, Heracleous et al. [56] proposed a dependency modeling method that supports the investigation of cascading effects, performs vulnerability analysis, and plans maintenance strategies. The authors demonstrated how open hybrid automata allow modeling individual subsystems and composing them together to create more complex and detailed systems, with the aim of capturing different types of dependencies. By connecting six open automata models that represent various components of CIs, the authors ran simulations to study the effect of one infrastructure’s malfunctioning on other elements, perform vulnerability analysis, and offer a maintenance plan.
In another work, Ferdowsi et al. [57] analyzed the problem of allocating security resources over the various components of interdependent cyber-physical systems (CPS) in order to protect the entire ecosystem against cyber attacks. Indeed, the authors formulated a Colonel Blotto game where the attacker seeks to allocate its resources with the intention of compromising the CPS. At the same time, the defender chooses how to prioritize the defense against potential attacks. The reported result illustrated the correlation between the attacker's knowledge of interdependencies and the defense's success.
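To illustrate the game formulation, the following toy sketch evaluates a defender’s worst-case loss in a discrete Colonel Blotto game; the component values, budgets, and win rule are simplified assumptions rather than the paper’s exact model.

```python
import itertools

# Attacker and defender each split a budget across CPS components; the
# attacker compromises a component where it commits strictly more resources.
values = [3, 2, 1]        # importance of each CPS component (hypothetical)
budget = 4                # units each player can allocate

def allocations(n, b):
    """All ways to split b units across n components."""
    return [a for a in itertools.product(range(b + 1), repeat=n) if sum(a) == b]

def attacker_payoff(attack, defend):
    return sum(v for v, a, d in zip(values, attack, defend) if a > d)

# Defender's worst case for one sample defense, over all attacker responses.
defense = (2, 1, 1)
worst = max(attacker_payoff(a, defense) for a in allocations(3, budget))
print("worst-case loss for defense", defense, "=", worst)
```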
Risk assessment and threat intelligence
The growing number and scale of cyber threats demand proactive decisions for the development of ample cyber security capabilities. In fact, the core challenges for cyber-related decision making are the uncertainty of cyber threats and their severity, and the technological advances that introduce new vulnerabilities. Given the heterogeneity of IoT devices, a myriad of vulnerabilities requires patching and monitoring. Therefore, it is imperative to prioritize securing critical weaknesses and to allocate time and budget effectively. Contextualized cyber threat intelligence capabilities complement the risk assessment objective by helping discover unknown incidents and attack trends while assessing and comprehending their impacts.
In the context of risk assessment, Li et al. [58] estimated cyber security risk in traffic light systems. The authors first employed a game-theoretic framework to determine the worst-case traffic management performance under attack. The metric is then used to determine the severity of a particular attack as \(S_{i} = P_{0} - P_{i}^{*}\), where \(P_{0}\) represents the system performance when not under attack and \(P_{i}^{*}\) represents the system performance under attack \(i\). The researchers then determined the cyber security risk of a traffic light system under a certain traffic network condition by calculating \(R = \sum_{i \in C} L_{i} \cdot S_{i}\), where \(L_{i}\) denotes the likelihood of attack \(i\). Further, a cyber-risk mitigation framework is formulated using a subjective decision rule known as the minimax-regret criterion. Here, the regret is defined as the risk under a specific traffic condition with no countermeasures employed. The countermeasures are then ranked so as to minimize the worst-case regret.
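The two formulas and the regret-based ranking translate directly into code; in the sketch below, all performance values, likelihoods, and residual risks are hypothetical, and residual risk per traffic condition stands in for the paper’s exact regret definition.

```python
# Severity and total risk per the formulas above.
P0 = 100.0                                   # performance without attack
attacks = {"spoof": 70.0, "jam": 85.0}       # worst-case performance P_i*
L = {"spoof": 0.3, "jam": 0.6}               # likelihood of each attack

severity = {i: P0 - p for i, p in attacks.items()}          # S_i = P0 - P_i*
risk = sum(L[i] * severity[i] for i in attacks)             # R = sum L_i * S_i
print("total risk:", risk)

# Minimax choice over candidate countermeasures: pick the countermeasure
# whose worst-case residual risk across traffic conditions is smallest.
residual = {
    "cm_A": {"light": 5.0, "heavy": 20.0},
    "cm_B": {"light": 12.0, "heavy": 10.0},
}
best = min(residual, key=lambda cm: max(residual[cm].values()))
print("minimax-regret choice:", best)        # cm_B: worst case 12 < 20
```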
Kelarestaghi et al. [59] conducted a vulnerability-oriented risk assessment by employing the National Institute of Standards and Technology (NIST) risk model. The authors synthesized real-world incidents and research publications that study attacks against in-vehicle network vulnerabilities in order to quantify the potential impact of their exploitation. Safety, operational, and security issues were then mapped onto a visual matrix to facilitate risk prioritization. Moreover, the empirical study unveiled the severe impact of cyber attacks on the safety, security, and operation of the vehicle.
In an alternative work, Kotzanikolaou et al. [60] assessed the possible cascading effects of a single incident on multiple CIs. In fact, the approach models the connections between infrastructures as a graph whose edges represent the dependencies under regular operation. Additionally, the method does not differentiate among risk types but uses the impact of adverse effects, as derived from a risk assessment of each infrastructure.
It is hard to overestimate the importance of IoT in a smart city’s ecosystem, and given the diversity of IoT devices, the vulnerabilities of the entire system are countless [61]. Sicari et al. [62] proposed a general-purpose risk assessment methodology in the context of IoT deployment. The framework first identifies the model’s components and forms an attack tree, with the internal nodes representing different ways of conducting attacks and the leaves symbolizing the vulnerabilities \(v_{i}\). Each vulnerability is associated with an exploitability level \(E_{i}\), which measures how likely it is that \(v_{i}\) is exploited to perform the attack. In the next step, the framework models a graph to depict the dependencies \(d_{i}\) among the \(v_{i}\). The exploitability level is then assigned to each edge of the graph and is updated according to the formula \(E_{i + 1} = \max(E_{0}(v_{i}), \min(E(d_{i}), E_{i}(v_{i})))\), which indicates the risk of exploitation. Moreover, the approach enables scalability in terms of effortlessly adding or removing components from the framework.
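One hedged reading of this update rule, on a toy dependency chain with hypothetical exploitability values, is sketched below: the intrinsic level \(E_{0}\) acts as a floor, while propagation through a chain is capped by the weakest dependency.

```python
# Hypothetical vulnerabilities and dependencies; not the paper's case study.
E0 = {"v1": 0.9, "v2": 0.2, "v3": 0.1}   # intrinsic exploitability per leaf
deps = {"v2": ["v1"], "v3": ["v2"]}      # v2 depends on v1, v3 on v2

E = dict(E0)
for _ in range(len(E)):                  # propagate to a fixed point
    for v, ds in deps.items():
        # A vulnerability is at least as exploitable as its intrinsic level,
        # and a chain can raise it up to the weakest dependency's level.
        E[v] = max(E0[v], min(E[d] for d in ds))

print(E)   # v2 and v3 inherit v1's high exploitability through the chain
```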
Further, Wang et al. [63] proposed a vulnerability assessment method rooted in an attribute attack graph. In fact, the model takes a network topology, the vulnerabilities, and an attack graph to generate an optimal attack map. It further calculates the maximum loss from exploitation by using scores from the Common Vulnerability Scoring System (CVSS) [64]. Finally, the model employs an augmented path algorithm to suggest an attack priority order and to determine the weakest links in the system, whose monitoring and protection can then be prioritized.
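The core of such an assessment can be sketched in a few lines: the example below enumerates attack paths over a hypothetical topology with illustrative CVSS scores and picks the highest-loss path; the paper’s augmented path algorithm is more sophisticated.

```python
import networkx as nx

# Hypothetical attack graph; each edge carries a CVSS score for the
# vulnerability that enables the step.
G = nx.DiGraph()
G.add_edge("internet", "webserver", cvss=7.5)
G.add_edge("webserver", "database", cvss=9.8)
G.add_edge("internet", "vpn", cvss=5.3)
G.add_edge("vpn", "database", cvss=6.5)

def path_loss(path):
    """Cumulative CVSS-derived loss along an attack path."""
    return sum(G[u][v]["cvss"] for u, v in zip(path, path[1:]))

paths = list(nx.all_simple_paths(G, "internet", "database"))
worst = max(paths, key=path_loss)
print("highest-loss path:", worst, "loss:", path_loss(worst))
```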
In a complementary work, Radanliev et al. [65] proposed an economic impact assessment framework for IoT. The authors adopted the Cyber Value at Risk model to measure the maximum possible loss over a given time period and the MicroMort model to predict uncertainty through units of mortality risk.
Nazeeruddin [66] leveraged a Markov decision process in order to model the security of smart cities at a high level of abstraction. The model considers the system components and their types (e.g., sensor, actuator, etc.), the cyber attacks against each element, the vulnerabilities with exploitation probabilities extracted from the CVSS database, and the human involvement at the last level of defense. If an attack successfully passes two levels of defense mechanisms, the model generates an alert for review by security analysts for further investigation. The authors demonstrated that the model can easily be updated with new vulnerabilities to recalculate the risk level.
Shivraj et al. [67] offered a generic risk assessment framework for IoT systems. The authors described the information flow across the different components as a weighted directed acyclic graph \(G(V, E)\), where an edge in \(E\) between two nodes in \(V\) indicates a dependency of one node on another. Indeed, one node can be connected to multiple others, producing numerous connections, and the value of an edge weight is directly linked to the impact of the attacks. Moreover, various attacks are modeled through attack trees, while their propagation is represented using a bipartite graph. The latter allows capturing nested attacks (e.g., after a spoofing attack on a node, tampering, spoofing, and denial-of-service attacks can be carried out on its parent node). The authors demonstrated the risk computation on a simulated system of a connected car.
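A minimal sketch of such weight-attenuated propagation over a hypothetical device DAG follows; the paper’s bipartite attack-propagation model is richer.

```python
# edges[(u, v)] = w means v depends on u with impact weight w in [0, 1].
# Topology and weights are hypothetical.
edges = {("sensor", "gateway"): 0.8, ("gateway", "cloud"): 0.6,
         ("sensor", "ecu"): 0.5}

def propagate(compromised, base_risk=1.0):
    """Worklist propagation of attack impact from a compromised node."""
    risk = {compromised: base_risk}
    frontier = [compromised]
    while frontier:
        u = frontier.pop()
        for (src, dst), w in edges.items():
            if src == u and risk[u] * w > risk.get(dst, 0.0):
                risk[dst] = risk[u] * w     # nested attack via dependency
                frontier.append(dst)
    return risk

print(propagate("sensor"))  # {'sensor': 1.0, 'gateway': 0.8, 'cloud': 0.48, 'ecu': 0.5}
```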
Mohsin et al. [68] proposed a probabilistic model aiming to automatically assess the likelihood of threat realization in various IoT system configurations. At the very first stage, the framework leverages a Markov model to represent the system’s architecture, security threats, and attackers’ capabilities in order to predict the likelihood of an attack and suggest a secure configuration. Additionally, the framework addresses both concurrent and sequential elements of the system by assigning synchronization labels to model concurrency, and flags and counters for the sequential flow. Moreover, the framework, dubbed IoTRiskAnalyzer, answers which configuration best satisfies a given security requirement and shows promise for enabling the diagnosis of a cyber security posture.
One of the core goals of advanced threat detection is to determine the potential progress of a discovered malicious event through the ecosystem. In this context, Falco et al. [69] designed a method for the automatic identification of attack strategies that can be used to compromise a CCTV network. The approach combines several established frameworks to address the full lifecycle of the attack: Lockheed Martin’s Cyber Kill Chain is used to define the sequential phases, the Open Web Application Security Project (OWASP) allows identifying attack surface areas, and MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC), along with the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, defines the actions required to conduct the attack. Finally, Kali Linux tools and known exploit tactics from MITRE’s ATT&CK Matrix execute the actions. Compared with a manually generated attack tree, the result demonstrated considerably greater depth and information granularity because it moves through each phase of the Cyber Kill Chain.
Angelini et al. [70] associated network topology and geography with the resulting impact using a visualization based on areas of corruption, in order to concentrate attention on the most harmful risks of cyber incidents. In fact, the method’s architecture comprises several components, including knowledge base generation and attack, risk, and response modeling. First, the model defines the business processes of the power distribution system, and then assigns the mission priority and the cyber events that can adversely affect each business process. For visualization purposes, the authors clustered dense areas of network nodes and employed a Voronoi diagram to effectively convey the geographical placement. The reported results highlighted the sub-networks which could cause mission degradation if compromised.
To analyze the degree of exploitation, Wang et al. [71] measured smart city threat factors by combining more than 200 gathered features based on the Hardware, intelligence, Software, Policies and Operation (HiSPO) approach [72]. After assigning a weight \(w_{i} = 1/\sum_{i} r_{i}\) to each threat, the threat factor was calculated as \(t = 0.5 \cdot \sum_{i} w_{i} \cdot (t_{i} + \delta) + 0.001 \cdot (C_{B} + C_{T} + C_{E}) + 0.02 \cdot f_{TI}\), where \(C_{B}\), \(C_{T}\), and \(C_{E}\) are the base, temporal, and environmental scores in CVSS, respectively, \(\delta\) denotes an adjusted weight for a threat, and \(f_{TI}\) symbolizes a threat intelligence value. Moreover, the final report produced threat factors calculated both before mitigation and after the assessment and mitigation period, showing that the proposed methodology can considerably reduce the risks for smart cities.
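The formula can be transcribed directly; all input values below are hypothetical placeholders for an actual assessment.

```python
# Direct transcription of the threat-factor formula above.
ranks = [1, 2, 3]                          # r_i: analyst rank per threat
weights = [1 / sum(ranks)] * len(ranks)    # w_i = 1 / sum_i(r_i)
t_i = [7.0, 5.5, 3.0]                      # per-threat scores
delta = 0.5                                # adjusted weight
C_B, C_T, C_E = 8.1, 7.4, 6.9              # CVSS base/temporal/environmental
f_TI = 40.0                                # threat intelligence value

t = (0.5 * sum(w * (ti + delta) for w, ti in zip(weights, t_i))
     + 0.001 * (C_B + C_T + C_E)
     + 0.02 * f_TI)
print(f"threat factor: {t:.3f}")
```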
In an alternative work, Bou-Harb et al. [73] prototyped an IoT cyber threat intelligence platform for inferring and disclosing Internet-scale compromised IoT devices. To this end, the authors amalgamated the results of passive and active measurements of Internet-wide network traffic. In fact, through an authenticated platform, they disclosed raw data related to numerous compromised IoT devices in diverse sectors, including critical infrastructure. Indeed, the platform estimates the indicators of a highly exploited hosting environment to provide early warnings regarding such exploitations, and leverages visual dashboards in order to facilitate threat exploration and prioritization.
Further, honeypots trap an adversary by intentionally exposing security vulnerabilities in specific technologies. These devices (or software) record malicious activities so that attack vectors and patterns can be further investigated. Given that ZigBee-based IoT devices are actively used in smart city settings [74], the honeypot simulating a ZigBee gateway proposed by Dowling et al. [75] is instrumental for exploring attacks against smart cities. After three months of monitoring the activity targeting the ZigBee gateway, the researchers reported six types of executed attacks, including dictionary and brute-force attacks, scans, botnets, and a number of other independent events. The authors also reported that dictionary attacks represented nearly 94% of all attacks.
Attack detection methods
Data-driven threat assessment, though extremely valuable and insightful, cannot capture all possible threat capabilities. In turn, a retrospective incident analysis captures several threat attributes and system characteristics, which allows measuring the effectiveness of the implemented defense mechanisms. Indeed, scientific efforts towards the development of compelling techniques for the detection of threats and malicious events have been underway for decades, yielding a plethora of inference methods. A recent trend continues to converge towards machine learning techniques, which address the problem of recognizing malicious patterns in (network) data flows/traffic to infer anomalies.
In this vein, the main goal of the work conducted by Oza et al. [76] was to detect replay attacks (a subset of false data injection attacks) in an effort to secure traffic lights. Indeed, such attacks reduce the efficiency of traffic management systems and can potentially introduce life-threatening situations. To this end, the authors simulated a replay attack and studied existing detection mechanisms. They identified several shortcomings in these mechanisms and offered a threshold-based method for detecting an attack. The authors determined the threshold by analyzing the occupancy sensors’ readings with and without attacks: the detection algorithm observes the occupancy sensors’ data over time and alerts the operator if the change exceeds the defined threshold.
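The detector reduces to a simple comparison against a calibrated baseline, as the synthetic sketch below shows; the baseline, readings, and threshold are illustrative.

```python
import numpy as np

# Flag an alarm when the occupancy reading drifts from a calibrated
# attack-free baseline by more than a threshold.
baseline = np.array([0.30, 0.35, 0.32, 0.31, 0.33])   # attack-free profile
observed = np.array([0.30, 0.35, 0.32, 0.55, 0.58])   # replayed values
threshold = 0.15                                       # calibrated offline

for t, (b, o) in enumerate(zip(baseline, observed)):
    if abs(o - b) > threshold:
        print(f"t={t}: alarm, deviation {abs(o - b):.2f} exceeds threshold")
```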
To detect energy theft, He et al. [77] attempted to identify potential malicious injections in the context of a power grid. The authors proposed a real-time scheme for capturing the behavioral features of false data injection attacks. The architecture of the solution consists of a State Vector Estimator (SVE) and a Conditional Deep Belief Network (CDBN). The latter consists of a Conditional Gaussian–Bernoulli Restricted Boltzmann Machine (RBM) at the first hidden layer and conventional RBMs at all remaining hidden layers, and is responsible for the extraction of high-dimensional temporal features. Moreover, the SVE evaluates the quality of the measurement data by calculating the \(l_{2}\)-norm of the measurement residual and comparing the result \(\eta\) with a predetermined threshold \(\tau\): when \(\eta > \tau\), the measurement is considered compromised.
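The SVE residual test can be illustrated with a synthetic least-squares state estimation; the measurement matrix, injected value, and threshold below are stand-ins for a real grid model.

```python
import numpy as np

# With measurement model z = H x + noise, estimate x by least squares and
# flag the measurement as compromised when the residual l2-norm exceeds tau.
rng = np.random.default_rng(0)
H = rng.normal(size=(8, 3))                 # measurement matrix
x_true = np.array([1.0, -0.5, 0.3])
z = H @ x_true + 0.01 * rng.normal(size=8)  # honest measurements
z[2] += 2.0                                 # injected false data

x_hat, *_ = np.linalg.lstsq(H, z, rcond=None)
eta = np.linalg.norm(z - H @ x_hat)         # residual l2-norm
tau = 0.5                                   # predetermined threshold
print("compromised" if eta > tau else "clean", f"(eta={eta:.3f})")
```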
The infrastructure of smart cities, particularly the aspects dealing with IoT devices, can be infected by malware or recruited into botnets for conducting DDoS attacks and other coordinated events. To this end, Azmoodeh et al. [78] applied a convolutional network to a vector representation of Operation Codes (OpCodes) to detect IoT malware. The model first generates a graph of OpCodes and then converts it to its eigenspace (i.e., eigenvectors and eigenvalues) in order to pass it as input to the convolutional network.
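The eigenspace conversion step can be sketched as follows, using a toy instruction trace; the paper’s graphs are built from real disassembled binaries and feed a trained convolutional network.

```python
import numpy as np

# Build an OpCode transition graph from a toy trace, then take the dominant
# eigenvector of its adjacency matrix as a fixed-size feature vector.
trace = ["mov", "add", "mov", "jmp", "mov", "add", "cmp", "jmp"]
ops = sorted(set(trace))
idx = {op: i for i, op in enumerate(ops)}

A = np.zeros((len(ops), len(ops)))
for a, b in zip(trace, trace[1:]):          # count OpCode transitions
    A[idx[a], idx[b]] += 1

eigvals, eigvecs = np.linalg.eig(A)
dominant = eigvecs[:, np.argmax(eigvals.real)].real
print(dict(zip(ops, dominant.round(3))))    # eigenspace feature vector
```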
Further, Dovom et al. [79] proposed a malware classification technique rooted in fuzzy and fast fuzzy pattern trees applied to a vector representation of OpCode sequences. In a nutshell, a fuzzy pattern classifier is a collection of fuzzy pattern trees \(PT = \{PT_{i} \mid i = 1, \ldots, k\}\), where each \(PT_{i}\) is a pattern tree associated with class \(y_{i} \in \{malware,\; benign\}\). The class is assigned by the tree that produces the higher score, i.e., \(\hat{y} = \arg\max_{y_{i} \in \{malware,\; benign\}} PT_{i}(x)\). In fact, the authors leveraged class-wise information gain to select the most beneficial features for flow graph generation. Additionally, the proposed method outperformed SVM, KNN, Random Forest, and Decision Tree classifiers, and demonstrated robustness to noise and ambiguity, making it a viable solution for deployment at the edge of a network.
Malicious behaviors of IoT devices recruited into botnets can be detected at different stages of an attack. Along this line of thought, Kumar et al. [80] endeavored to detect individual bots before an actual attack, i.e., during the scanning phase. Indeed, they analyzed network activities for the early detection of individual bots. Towards this, several machine learning algorithms, such as Random Forest, KNN, and Gaussian Naive Bayes, were used to label network traffic that demonstrates behavior similar to that of an IoT botnet. To increase the performance of the method, the authors operated on aggregated traffic in order to perform detection at the IoT access-gateway level, which proved faster and reduced the required memory space.
Alternatively, since some attackers make successful attempts to avoid early detection, it is crucial to be able to detect infections in the later stages of an attack. To this end, Meidan et al. [81] proposed N-BaIoT, a network-based approach which detects compromised IoT devices that are used to launch attacks. The approach extracts statistical features that capture the behavior of the network and uses deep autoencoders in order to detect anomalous network traffic generated by compromised IoT devices. The method proved able to detect previously unseen botnets with low false-alarm rates, which is crucial for resource allocation.
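The detection principle (train on benign traffic only, then alarm on high reconstruction error) can be approximated compactly; the sketch below substitutes scikit-learn’s MLPRegressor for the paper’s deep autoencoders and uses synthetic features.

```python
import numpy as np
from sklearn.neural_network import MLPRegressor

# Train an autoencoder on benign traffic statistics only, then flag samples
# whose reconstruction error exceeds a benign-calibrated threshold.
rng = np.random.default_rng(1)
benign = rng.normal(0, 1, size=(500, 10))           # benign feature vectors
ae = MLPRegressor(hidden_layer_sizes=(4,), max_iter=2000, random_state=1)
ae.fit(benign, benign)                              # reconstruct the input

def recon_error(X):
    return np.mean((ae.predict(X) - X) ** 2, axis=1)

threshold = np.percentile(recon_error(benign), 99)  # benign-only calibration
attack = rng.normal(3, 1, size=(5, 10))             # shifted (botnet) traffic
print(recon_error(attack) > threshold)              # expect all True
```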
In an alternative work, Alazab et al. [82] proposed a detection technique which semantically discriminates botnets and verifies the behavioral legitimacy of numerous smart city IoT-based applications. Indeed, the authors leveraged domain name system (DNS) services to build a framework which initially visualizes DNS features (such as domain name length, domain name entropy, and domain name n-grams). Consequently, the method estimates a similarity score and compares it with a predefined threshold; domain names that do not pass the threshold are labeled as spoofed. Additionally, a cost-sensitive deep learning algorithm analyzes the remaining domains. Here, the results are also visualized for the administrator for ease of digestion.
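The named DNS features are straightforward to compute; the sketch below extracts them for two hypothetical domains, while the scoring and thresholding in [82] are beyond this illustration.

```python
import math
from collections import Counter

def entropy(s):
    """Shannon entropy of a string's character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def features(domain):
    name = domain.split(".")[0]
    bigrams = [name[i:i + 2] for i in range(len(name) - 1)]
    return {"length": len(name),
            "entropy": entropy(name),
            "distinct_bigrams": len(set(bigrams))}

print(features("weather-update.example"))   # benign-looking
print(features("xj4k9q2zvt8w.example"))     # DGA-looking: high entropy
```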
Alternatively, Raza et al. [83] proposed a method to detect attacks inside the 6LoWPAN network protocol, which is actively used in smart lighting solutions. By observing the network topology, the framework’s modules grasp inconsistencies in node communications and detect attacks. First, the approach gathers information about the network to reconstruct a Destination-Oriented Directed Acyclic Graph (DODAG). Then, it infuses each node’s parent and neighbor information into the graph. An algorithm which analyzes the consistency of the network graph carries out the detection of false data injection and routing attacks. In an extended version [84], the authors leveraged Expected Transmissions (ETX) metrics, which are measured by sending periodic probe packets between the participating neighbors.
By modeling non-linear correlations among multiple time series, Li et al. [85] designed an unsupervised GAN-based anomaly detection (GAN-AD) method for inferring attacks in multi-process CPS with various network sensors and actuators. The proposed GAN employed Long Short-Term Memory Recurrent Neural Networks (LSTM-RNN) for both the generator and the discriminator and calculated scores indicating the level of abnormality in the time series. In fact, when tested on the CPS dataset from the Secure Water Treatment (SWaT) testbed, the model outperformed existing unsupervised detection methods.
Alternatively, to detect crypto-ransomware in IoT networks, Azmoodeh et al. [86] classified power usage patterns of IoT nodes to discriminate ransomware-infected nodes. At the first stage, the methodology records a sequence of energy usage for each process on the targeted devices, followed by the calculation of a distance that measures an optimal alignment between two time-dependent sequences, known as Dynamic Time Warping (DTW). Finally, the authors employed three classifiers, namely Neural Network, SVM, and KNN. In combination with DTW, KNN outperformed the other classifiers and demonstrated remarkable performance (94.27%) in detecting ransomware on the IoT nodes.
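A compact version of the DTW-plus-KNN pipeline is sketched below with synthetic energy traces; the paper operates on real per-process power measurements and a full KNN rather than the 1-NN shown here.

```python
import numpy as np

def dtw(a, b):
    """Classic dynamic-programming DTW distance between two 1-D sequences."""
    D = np.full((len(a) + 1, len(b) + 1), np.inf)
    D[0, 0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = abs(a[i - 1] - b[j - 1])
            D[i, j] = cost + min(D[i - 1, j], D[i, j - 1], D[i - 1, j - 1])
    return D[-1, -1]

# Synthetic labeled energy traces: ransomware shows sustained high draw.
train = [([1, 1, 2, 1, 1], "benign"),
         ([1, 5, 6, 5, 6], "ransomware")]
query = [1, 4, 6, 6, 5]

label = min(train, key=lambda t: dtw(np.array(t[0]), np.array(query)))[1]
print("predicted:", label)                  # -> ransomware
```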
One of the biggest cyber security concerns directly relates to the inability of machine learning methods to combat adversarial attacks. Indeed, proactive data-driven defense methods that aim to cope with attacks against machine learning algorithms propose to sanitize the training and testing data by detecting adversarial injections. For instance, Baracaldo et al. [87] leveraged provenance data, which consists of meta-data describing the origin and lineage of each data point, in order to identify malicious manipulation of the training data and pinpoint poisoned data points based on their provenance records. Moreover, the validation unveiled that employing this method as a filter during the training phase significantly improves classification performance.
Further, the framework proposed by Laishram and Phoha [88] clusters the feature space of the input and filters out suspicious data points. The method calculates the average distance of each data point from the other points in the same cluster, treating the class label as an additional feature with a proper weight. Additionally, data points with a confidence level below 95% are removed from the training data to achieve input purity. Empirical experiments demonstrated a remarkable accuracy improvement for the SVM classifier.
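A hedged sketch of this filtering idea follows, using KMeans from scikit-learn, synthetic data, and an assumed label weight; distance to the cluster centroid serves as the inverse confidence proxy, and the 95% cutoff follows the text.

```python
import numpy as np
from sklearn.cluster import KMeans

# Two well-separated classes plus one poisoned (label-flipped) point.
rng = np.random.default_rng(2)
X = np.vstack([rng.normal(0, 1, (100, 2)), rng.normal(4, 1, (100, 2))])
y = np.array([0] * 100 + [1] * 100)
y[5] = 1                                    # poisoned label

label_weight = 3.0                          # assumed weight for the label
Xy = np.hstack([X, label_weight * y[:, None]])   # label as extra feature
km = KMeans(n_clusters=2, n_init=10, random_state=2).fit(Xy)
dist = np.linalg.norm(Xy - km.cluster_centers_[km.labels_], axis=1)

keep = dist <= np.percentile(dist, 95)      # drop the least-confident 5%
print("removed points:", np.where(~keep)[0])   # includes index 5
```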