The roots of the idea of the Internet of Things, even though the first references to such an idea had already appeared in the 1960s, can be traced back to a vision described by Mark Weiser in the early 1990s in his seminal article ‘The Computer for the 21st Century’. In it he described a scenario he called ‘ubiquitous computing’, in which computers would vanish into the background, becoming so pervasive and unobtrusive as to be effectively invisible. Such a network of sensors and processors would be permanently aware of the actors in its vicinity and would react, fully context-aware, to each need expressed.
Moving from this scenario, in which the human user and their needs still sat at the centre of attention, to one in which devices communicate independently of human intervention led to the term machine-to-machine (M2M) communication.
Going a step further and connecting all these devices to the internet, regardless of whether they serve human or machine communication, led to the term as we know it today: the Internet of Things (IoT).
The IoT can be defined as any networked thing equipped with the ability to generate, store and exchange data, and in some cases also to act on data, so that it is able to sense, interact with and actively change its environment. This covers anything from tiny sensors embedded in moving vehicles, voice-activated loudspeakers and wearables, through actuators and operational technology in industrial settings, to medical devices and implants.
This new form of seamless connectivity has applications across many industries, from smart cities, smart grids for energy management, intelligent transportation, environmental monitoring and infrastructure management, to medical and healthcare systems and building and home automation.
In a business context where competition is driven mainly by lowering costs, and in combination with the constraints that IoT devices face, such as limited computing power and battery lifetime, security is rarely the foremost design consideration for connected devices. In the industrial sector in particular, legacy devices dating from a time when connectivity was very limited can, once integrated into larger computer networks, create risks that their original developers never anticipated.
These potentially severe implications for the security and safety of people make the security and safety of IoT building blocks a paramount issue. Furthermore, a major barrier to the uptake of IoT on a larger scale is the lack of trust. Building trust into the IoT on the basis of robust cybersecurity features is a precondition for exploiting its numerous potential benefits and for the realization of Europe’s Digital Single Market.
To ensure a minimum level of interoperability, security and assurance, the European Commission issued the Cybersecurity Strategy of the European Union in 2013 (JOIN(2013) 1), in which, for the first time, the term machine-to-machine communication was used, in the context of automated water sprinklers, to refer to the nascent field of IoT.
The 2013 Cybersecurity Strategy kicked off the preparatory work on several EU cybersecurity policies which, over the following years, became legal acts directly relevant and applicable to the IoT domain:
1. In August 2016 the NIS Directive (2016/1148) entered into force, with member states having to transpose it into national law by May 2018. The NIS Directive has three parts:
   a. Capacity building: EU member states must possess minimum capabilities, adopt a national cybersecurity strategy, and designate a national competent authority, a single point of contact and one or more computer security incident response teams (CSIRTs).
   b. Critical infrastructure: operators of essential services (in critical sectors such as energy, transport, water, healthcare and finance) have to adopt a culture of risk management and comply with security and incident notification requirements.
   c. Cooperation: in order to build trust and confidence, member states shall collaborate across borders, and a mechanism shall be put in place for the exchange of security-related information, incident information and best practices (the Cooperation Group and the CSIRTs network).
2. The General Data Protection Regulation (GDPR) (2016/679) was adopted in April 2016 and became applicable on 25 May 2018. The GDPR aims to increase the control of individuals over their personal data and to unify data protection law across the EU. It limits the purposes for which, and the extent to which, personal data may be collected and processed. It also governs the transfer of personal data outside the EU, and introduces notification requirements in the case of a security breach affecting personal data.
3. The latest addition to the portfolio of EU legislation in the area of cybersecurity is the Cybersecurity Act (2019/881), which entered into force on 27 June 2019 and complements the NIS Directive. It mentions the Internet of Things prominently on several occasions. It consists of two main parts:
   a. Reinforcing the European Union Agency for Cybersecurity (ENISA) by giving it a permanent mandate and strengthening its role.
   b. Establishing a European cybersecurity certification framework for ICT products, services and processes.
It is a great pleasure to see such a wide cross-section of projects presented in this book. The spectrum ranges from the secure management of personal data and the specific challenges the IoT poses with respect to the GDPR, through access control in highly dynamic IoT environments and increasing trust with distributed ledger technologies, to new cryptographic approaches as a countermeasure against side-channel attacks and the vulnerabilities of IoT-based ambient assisted living systems.
Security and safety of the Internet of Things will remain high on the agenda of policymakers for the foreseeable future, even more so as we move towards the internet of nano-things, where things become literally invisible to the human eye and can penetrate living organisms unnoticed. Together with the convergence of the physical and biological realms through nanotechnology and synthetic biology, this will create an internet of living things that blurs the boundary between biological and cyber risks.
The need for proactive, forward-looking policymaking, moving away from the current reactive approach, will therefore become even more pressing, as policy development cycles and technology development cycles will presumably remain as decoupled and out of sync as they have been in the past.
Christian Wilk
Research Executive Agency