Secure Onboarding & Zero-Touch Provisioning for Millions of Smart City Devices with Compliance Mapping to Saudi Smart-City Guidance: A Systematic Review (2020–2025)

Q: How many days will it take for my paper to be published?

The review time for papers is not fixed. However, if the paper is accepted and the author completes the processing charges formalities, the paper will be published within a few working days.

Q: I would like to receive a hard copy of the journal materials. Are there any additional charges?

You can log in to the author portal and pay 500 INR to receive the hard copy materials.

Q: Do IJIRT provide DOI for published papers?

Yes, we provide a DOI (Digital Object Identifier) upon request. Authors can contact us at editor@ijirt.org after publication to obtain the DOI for their paper.

Q: Do we provide Published Journal Print copy?

No, we do not provide Published Journal Print copy.

Q: Why am I not able to register to IPN?

There might be three potential reasons: 1) You did not verify your mobile number before clicking on the register button. Please click on the Verify sign immediately after entering your mobile number and complete OTP verification. 2) You are an international author. The IPN is enabled only for Indian Authors. 3) You did not tick the Terms & Conditions checkbox. Please make sure to select it before clicking on the register button.

Q: Where can I get a sample publication certificate?

Please login to Author Home, where you will find the sample copy of the publication certificate and confirmation letter.

Q: I made the processing charges payment and the amount is deducted from my bank account, but it is not updated in my Author Home. What should I do?

Please wait for one working day. We will check at our end and update the status. If it is still not updated after one working day, please email your Razorpay Payment ID along with the payment proof snapshot to editor@ijirt.org.

Q: Where can I sign the Copyright and Undertaking Declaration?

To publish your paper in IJIRT, copyright and undertaking is mandatory. You can digitally sign both by logging into Author Home and checking the right-side section.

Q: How many pages are allowed?

There is no page limit. However, to enhance quality and reader experience, we recommend keeping the paper up to 30 pages (single or double column) without extra charges.

Q: How many authors per paper are allowed?

Up to 13 authors are allowed without extra charges.

Adeel Sadaqat

Secure Onboarding & Zero-Touch Provisioning for Millions of Smart City Devices with Compliance Mapping to Saudi Smart-City Guidance: A Systematic Review (2020–2025)

Authors: Adeel Sadaqat

Unique Paper ID: 189606
Volume: 12
Issue: 8
PageNo: 257-269

Keywords: zero-touch provisioning; secure onboarding; device identity; ownership transfer; remote attestation; Zero Trust; smart cities; Saudi Arabia; ECC; PDPL; NDMO; CST IoT

DOI: doi.org/10.64643/IJIRTV12I8-189606-459

Abstract:
Saudi smart city schemes involve the use of cyber-physical systems on a massive scale, such as environmental sensors, smart meters, intelligent transport endpoints, and video analytics cameras installed all over the city. With a potential increase from thousands to millions of units per fleet, the viable approach of manually enrolling units (performing credential injection, site-by-site configuration, and ad-hoc authorization decisions) becomes implausible from the standpoint of operational feasibility and/or security risks. This systematic review integrates the 2020-2025 peer-reviewed literature with widely accepted standards and regulative control frameworks relating to secure enrollment procedures of massive numbers of IoT devices. The literary sources cover voucher-based bootstrap and transfer-of-ownership provisioning, device management bootstraps, remote attestation frameworks and token structures, firmware update frameworks, and policy-based authorization according to the principles of the Zero Trust Architecture. From these sources, we extract four primitives described below for modern-day enrollment: (P1) device-anchored identity with protected roots, (P2) ownership transfer w.r.t late binding to limit trusted installers, (P3) posture attestation as a statement w.r.t verifiable evidence, and (P4) policy-based authorization as a least-privilege and purpose-bound directive. We combine the above primitives to form a reference architecture by composition, which is called the Zero-Touch Assurance Stack (Z-TAS). We then align the Z-TAS controls over lifecycles to Saudi smart city best practices, which include NCA Essential Cybersecurity Controls (ECC-2:2024), Cloud Cybersecurity Controls (CCC-2:2024), NDMO data management norms (2021), Saudi Personal Data Protection Law (PDPL, 2023), and CST IoT Regulations (2024). The alignment is useful for forming the basis of a compliance-by-design conclusion that, for Saudi smart cities, trust on-boarding has to be considered as an auditable lifecycle governance process that generates robust evidence artefacts (identity lineage, enrollment data, attestation appraisal results, policy decisions, and data governance markers).

Download article

email to a friend

Copyright & License

Copyright © 2026 Authors retain the copyright of this article. This article is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

BibTeX

@article{189606,
        author = {Adeel Sadaqat},
        title = {Secure Onboarding & Zero-Touch Provisioning for Millions of Smart City Devices with Compliance Mapping to Saudi Smart-City Guidance: A Systematic Review (2020–2025)},
        journal = {International Journal of Innovative Research in Technology},
        year = {2026},
        volume = {12},
        number = {8},
        pages = {257-269},
        issn = {2349-6002},
        url = {https://ijirt.org/article?manuscript=189606},
        abstract = {Saudi smart city schemes involve the use of cyber-physical systems on a massive scale, such as environmental sensors, smart meters, intelligent transport endpoints, and video analytics cameras installed all over the city. With a potential increase from thousands to millions of units per fleet, the viable approach of manually enrolling units (performing credential injection, site-by-site configuration, and ad-hoc authorization decisions) becomes implausible from the standpoint of operational feasibility and/or security risks. This systematic review integrates the 2020-2025 peer-reviewed literature with widely accepted standards and regulative control frameworks relating to secure enrollment procedures of massive numbers of IoT devices. The literary sources cover voucher-based bootstrap and transfer-of-ownership provisioning, device management bootstraps, remote attestation frameworks and token structures, firmware update frameworks, and policy-based authorization according to the principles of the Zero Trust Architecture. From these sources, we extract four primitives described below for modern-day enrollment: (P1) device-anchored identity with protected roots, (P2) ownership transfer w.r.t late binding to limit trusted installers, (P3) posture attestation as a statement w.r.t verifiable evidence, and (P4) policy-based authorization as a least-privilege and purpose-bound directive. We combine the above primitives to form a reference architecture by composition, which is called the Zero-Touch Assurance Stack (Z-TAS). We then align the Z-TAS controls over lifecycles to Saudi smart city best practices, which include NCA Essential Cybersecurity Controls (ECC-2:2024), Cloud Cybersecurity Controls (CCC-2:2024), NDMO data management norms (2021), Saudi Personal Data Protection Law (PDPL, 2023), and CST IoT Regulations (2024). The alignment is useful for forming the basis of a compliance-by-design conclusion that, for Saudi smart cities, trust on-boarding has to be considered as an auditable lifecycle governance process that generates robust evidence artefacts (identity lineage, enrollment data, attestation appraisal results, policy decisions, and data governance markers).},
        keywords = {zero-touch provisioning; secure onboarding; device identity; ownership transfer; remote attestation; Zero Trust; smart cities; Saudi Arabia; ECC; PDPL; NDMO; CST IoT},
        month = {January},
        }

Download .bib

Cite This Article

Sadaqat, A. (2026). Secure Onboarding & Zero-Touch Provisioning for Millions of Smart City Devices with Compliance Mapping to Saudi Smart-City Guidance: A Systematic Review (2020–2025). International Journal of Innovative Research in Technology (IJIRT). https://doi.org/doi.org/10.64643/IJIRTV12I8-189606-459

05 Jan, 2026

Energy Storage Technologies for Desert Conditions: Battery Chemistries, Thermal Storage and Large-Scale Innovations

27 Dec, 2025

A Risk-Based Cyber security Policy Model Using Artificial Intelligence

Impact Factor
8.412 (Year 2026)

An UGC-Compliant International Research Journal

Join Our IPN

IJIRT Partner Network

Submit your research paper and those of your network (friends, colleagues, or peers) through your IPN account, and receive 800 INR for each paper that gets published.

Join Now