IoT Unit 5

The document discusses privacy, security and governance issues related to the Internet of Things. It covers topics like defining IoT, trust requirements, potential ethical issues, security challenges, and the need for privacy of data collected by devices. It also describes frameworks from FP7 projects that address these issues through concepts like virtual objects and capability based access control.
Unit V

1. Internet of Things Privacy, Security and Governance


• Internet of Things (IoT) is a broad term which indicates the concept that increasingly
pervasive (that is, present everywhere) connected devices (embedded within, attached to or
related to "Things") will support various applications to enhance the awareness and the
capabilities of users.
• For example, users will be able to interact with home automation systems to remotely
control the heating or the alarm system.
• The possibility of implementing "intelligence" in these pervasive systems and
applications has also suggested the definition of "Smart" contexts, where digital and
real-world objects cooperate in a cognitive and autonomic way to fulfil specific goals more
efficiently than basic systems implemented on static rules and logic.
• IoT differs from the existing Internet in one important respect: it will be possible, and
likely, that objects manage their connections with the Internet autonomously, or have them
managed on the request of someone or something remote. When someone shares a video or a
photo taken on their mobile phone over the Internet, they "call the shots"; some IoT
applications may adopt the same or a similar model, but there will be other instances or
applications where this is not the case. There is a large overlap between IoT and the
Internet in many areas pertaining to trust, but IoT also brings many new, specific
dimensions.
• The adoption of IoT essentially depends upon trust. That trust must be established and
maintained with respect to a broad group of stakeholders, otherwise IoT will face, to some
degree or other, challenges which may restrict the scope of adoption or delay its timing.
Remote control is not essentially bad.
• For example, if you were incapacitated due to an accident it could be advantageous for
rescue services to be able to access objects in your environment to locate you or
communicate with you.
• However, if these devices were configured to automatically inform your children what
presents had been bought, this could spoil much of the excitement of receiving gifts. There
are also potential ethical issues if essential services oblige you to use IoT-connected
health monitoring devices. A number of Internet services are already struggling with the
ethical issues of capturing and publishing information affecting third parties where
appropriate permissions have not been sought from the third parties involved.
• Security in its broadest definition includes health and wellbeing as well as other forms
of protection. These aspects need to be viewed from the perspectives of the majority, if
not all, of the principal stakeholder groups and extended to include the relevant
influencing and influenced elements of the general environment.
• The objectives are not currently focused upon seeking specific IoT measures to deter
cyber-crime, cyber-warfare or terrorism. Without sufficient IoT security it is highly
likely that some applications will more resemble an Intranet of Things than the Internet
of Things, as users place their own proprietary protection barriers and thereby frustrate
broad interoperability.
• The future of IoT is not only influenced by users. The potential autonomy of IoT, or the
lack of control over IoT by those it impacts, will doubtless generate adoption resistance,
potentially manifested by public protests, negative publicity campaigns and actions by
governments. In reality privacy encompasses the interests of individuals, informal groups
and all forms of organisations, and is therefore a complex multidimensional subject.
• In an age of social media it is interesting to see growing examples of how industry
groups and governments begin to encourage greater individual responsibility for
protecting our own privacy, defending our virtual representation in order to protect our
identity and diminish the challenges of real-world or virtual-world authentications and
authorization processes.
• One specific challenge in IoT is the control of the information collected and distributed
by mobile devices which are increasingly small and pervasive, like RFID or future
micro/nano sensors, which can be worn or distributed in the environment.
• One aspect which often gets overlooked, particularly by those of us who entered
adulthood before 1990, is the importance of the virtual world. Today the virtual identities
of children are as important to them as their real-world identities, if not more so. This
trend highlights even more the need for security and privacy, because data breaches in the
virtual world can have consequences in the real world.
• In some contexts and applications, security and privacy threats can even become safety
threats with more dramatic consequences for the lives of the citizen. As a conceptual
example, actuators in the real-world may be set remotely within a “smart house” to
provoke fires or flooding.

2. Overview — Governance, Privacy and Security Issues


• The European Research Cluster on the Internet of Things has created a number of
activity chains to favour close cooperation between the projects addressing IoT topics and
to form an arena for exchange of ideas and open dialog on important research challenges.
• The activity chains are defined as work streams that group together partners, or specific
participants from partners, around well-defined technical activities that will result in at
least one output or deliverable used in addressing the objectives of the IERC (the IoT
European Research Cluster).
• IERC Activity Chain 05 is a cross-project activity focused on making a valued
contribution to IoT privacy, security and governance among the EC-funded research
projects in the area of Internet of Things. The three aspects are closely interlinked:
"Privacy, security and competition have been identified as the main issues related to IoT
Governance, however those issues should not be discussed in a separate or isolated way".
• The same reference also highlighted the difficulty of agreeing a common definition of
governance of IoT. Similarly, security and privacy have no uniform definition in the
literature, even though there is broad agreement on what the concepts mean.
• Overall, the main objective of Activity Chain 05 is to identify research challenges and
topics which could make IoT more secure for users (i.e. citizens, business and
government), guarantee the privacy of users, and support the confident, successful and
trusted development of the IoT market.
• In comparison to IoT initiatives in Europe or at a global level (e.g., IGF), Activity
Chain 05 does not define government policies but focuses upon research (which could
eventually be used to support policy or standardisation activities).

3. Contribution From FP7 Projects


FP7 iCore Access Framework (iCore Contribution)
 iCore starts from the principle that any real-world object and any digital object that is
available, accessible, observable or controllable can have a virtual representation in the
"Internet of Things", which is called a Virtual Object (VO).
 The virtual objects (VOs) are primarily targeted at the abstraction of technological
heterogeneity and include a semantic description of functionality that enables
situation-aware selection and use of objects. Composite virtual objects (CVOs) use the
services of virtual objects. A CVO is a cognitive mash-up of semantically interoperable
VOs that renders services in accordance with the user/stakeholder perspectives and the
application requirements.
The overall layered approach of the iCore project is provided in Figure 4.1.
 The first cognitive management layer (VO level cognitive framework) is responsible for
managing the VOs throughout their lifecycle, ensuring reliability of the link to the
real-world object/entity (e.g., sensors, actuators, devices, etc.). For example, in a
logistics scenario tracking the transport of temperature-controlled goods, individual
goods boxes are represented by VOs, the container transported by a truck is a VO, and so
is the truck itself. IoT applications can interface with each of these VOs separately, for
different service purposes.
 The second cognitive management layer (CVO level cognitive framework) is responsible
for composing VOs into Composite VOs. CVOs use the services of VOs to compose more
sophisticated objects.
 The third level (User level cognitive framework) is responsible for interaction with
users/stakeholders. The cognitive management frameworks record the users' needs and
requirements (e.g., human intentions) by collecting and analysing user profiles and
stakeholder contracts (e.g., Service Level Agreements), and create/activate relevant
VOs/CVOs on behalf of the users.

Fig. 4.1 iCore framework.

IoT@Work Capability Based Access Control System (IoT@Work Contribution)
 The Internet of Things (IoT) brings new security challenges, including in the area of
access control, that can hardly be met by existing security solutions.
 Indeed, IoT is a more demanding environment in terms of scalability and manageability,
due to the potentially unbounded number of things (resources and subjects), the expected
need to support the orchestration and integration of different services, the relevance of
short-lived, often casual and/or spontaneous interaction patterns, the relevance of
contexts, etc. A capability (an unforgeable token naming a resource and the rights its
holder has on it, which the holder can pass on) suits this setting better than a central
access control list, because the resource only needs to validate the token presented to it.
Fig. 4.4 Capability-based authorization architectural components and their interactions

4.2.1 GAMBAS Adaptive Middleware (GAMBAS Contribution)


The GAMBAS project develops an innovative and adaptive middleware to enable the privacy-
preserving and automated utilization of behaviour-driven services that adapt autonomously to the
context of users
As indicated in Figure 4.5, the core innovations realised by GAMBAS are the development
of models and infrastructures to support the interoperable representation and scalable
processing of context, a generic yet resource-efficient framework for multimodal
recognition of the user's context, protocols and mechanisms to enforce the user's privacy,
and user interface concepts to optimise the interaction with behaviour-driven services.

Security and privacy in GAMBAS are based on the following elements.

 Personal acquisition and local storage: the primary means of data acquisition in GAMBAS
are personal Internet-connected objects owned by a particular user, such as a user's
mobile phone, tablet, laptop, etc.
 Anonymised data discovery: in order to enable the sharing of data among the devices of a
single user or a group of users, the data stores on the local devices can be connected to
form a distributed data processing system.
 Policy-based access control: to limit access to the user's data, the networked data stores
perform access control based on a policy that can be defined by the user.
 Secure distributed query processing: on top of the resulting set of connected and
access-controlled local data stores, the GAMBAS middleware enables distributed query
processing in a secure manner.
IoT-A Architecture (IoT-A Contribution)
 Security is an important cornerstone for the Internet of Things (IoT). This is why the
IoT-A project deemed it very important to thoroughly address security and privacy issues
in their various aspects.
 Finally, WP5 deals with privacy and security at device level. In particular, it describes
the mechanisms needed to authenticate RFID devices and to provide confidentiality of the
communication between reader and tag. The PS&T features of the IoT-A architecture will be
tested in the forthcoming IoT-A eHealth use case.
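The reader-tag authentication WP5 refers to can be illustrated with a symmetric challenge-response exchange. The Python block below is an added example for this page, not IoT-A's protocol: reader and tag share a per-tag key, each side contributes a fresh nonce, each proves knowledge of the key with a MAC bound to both nonces, and both derive a session key that a symmetric AEAD would then use for confidentiality (the AEAD step is not shown, since the standard library has none). The message layout, the 64-bit MAC truncation, the key database and the tag identifier are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed per-tag credential. In a deployment each tag carries its own key and the
# reader's backend looks the key up by tag identifier.
TAG_ID = b"TAG-0001"
TAG_KEY = b"example-per-tag-key-0001-not-for-production"
MAC_LEN = 8  # 64-bit truncated proof, an assumed concession to small RFID frames


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Tag:
    def __init__(self, tag_id: bytes, key: bytes):
        self.id, self.key = tag_id, key
        self.session_key = None
        self._pending = None

    def respond(self, reader_nonce: bytes):
        """Message 2: answer the reader's challenge with a tag nonce and a proof bound to
        both nonces and the tag identity. The b"tag" label separates the two directions."""
        tag_nonce = secrets.token_bytes(8)
        self._pending = (reader_nonce, tag_nonce)
        proof = mac(self.key, b"tag", reader_nonce, tag_nonce, self.id)[:MAC_LEN]
        return self.id, tag_nonce, proof

    def finish(self, reader_proof: bytes) -> bool:
        """Message 4: authenticate the reader before deriving the session key."""
        reader_nonce, tag_nonce = self._pending
        expected = mac(self.key, b"reader", tag_nonce, reader_nonce)[:MAC_LEN]
        if not hmac.compare_digest(expected, reader_proof):
            return False
        self.session_key = mac(self.key, b"session", reader_nonce, tag_nonce)
        return True


class Reader:
    def __init__(self, key_db: dict):
        self.key_db = key_db  # tag_id -> key, held by the reader's backend
        self.session_key = None
        self._nonce = None

    def challenge(self) -> bytes:
        """Message 1: a fresh nonce, so a recorded tag response cannot be replayed."""
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def verify(self, tag_id: bytes, tag_nonce: bytes, proof: bytes):
        """Message 3: check the tag's proof; on success return the reader's own proof."""
        key = self.key_db.get(tag_id)
        if key is None:
            return None
        expected = mac(key, b"tag", self._nonce, tag_nonce, tag_id)[:MAC_LEN]
        if not hmac.compare_digest(expected, proof):
            return None
        self.session_key = mac(key, b"session", self._nonce, tag_nonce)
        return mac(key, b"reader", tag_nonce, self._nonce)[:MAC_LEN]


def run_protocol(reader: Reader, tag: Tag) -> bool:
    """Drive the four messages; True only if both sides accept and agree on a key."""
    n_r = reader.challenge()
    tag_id, n_t, tag_proof = tag.respond(n_r)
    reader_proof = reader.verify(tag_id, n_t, tag_proof)
    if reader_proof is None:
        return False
    return tag.finish(reader_proof) and reader.session_key == tag.session_key


if __name__ == "__main__":
    print(run_protocol(Reader({TAG_ID: TAG_KEY}), Tag(TAG_ID, TAG_KEY)))  # True
```

The b"tag" and b"reader" labels inside the MAC prevent a reflection attack in which an attacker relays the tag's own proof back to it as the reader's proof, and the reader's fresh nonce is what defeats replay of a recorded tag answer. Note that the tag identifier travels in the clear here, which is a tracking risk; a privacy-preserving variant would use a per-session pseudonym.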
Fig. 4.6 Components for privacy and security in the IoT-A resolution infrastructure.

Governance, Security and Privacy in the Butler Project (Butler Contribution)
 The goal of the BUTLER project is the creation of an experimental technical platform to
support the development of the Internet of Things.
 The main specificity of the BUTLER approach is its targeted "horizontality":
 The vision behind BUTLER is that of a ubiquitous Internet of Things, affecting several

The issue of security and privacy is therefore central in the BUTLER project and develops
into several requirements, the main ones being:

 Standard issues of data security, both at the data storage level and at the data
communication level, exist in IoT applications.
 The applications enabled by the Internet of Things may pose additional privacy issues in
the use that is made of the data.
 However, privacy and security do not only refer to security of the exchange of data over
the network, but shall also include:
(a) Protection of the accuracy of the data exchanged,
(b) Protection of the server information,
(c) Protection of the usage of the data by explicit, dynamic authorisation mechanisms,
(d) Selective disclosure of data, and
(e) The implementation of "transparency of data usage" policies.
4. Security, Privacy and Trust in IoT Data Platforms for Smart Cities
Smart City technologies aim to provide different optimisation mechanisms for different
aspects of data management.
Figure 5.1 shows the components of a typical smart city information system. From this
picture it is clearly visible that information needs to cross multiple administrative
boundaries and can be used for multiple purposes; in fact it could be used for purposes
unknown at the time of gathering.
Fig. 5.1 Architectural components

Risks to a Smart City IoT Platform


• Smart city data will eventually be stored in the cloud and employ cloud computing
techniques, due to the high scalability of resources and computing performance and the
reduced cost of maintenance and operation. The smart city management system therefore
also inherits the security and privacy risks of cloud computing, for instance the
compromise of cloud servers or data abuse through insider attacks.
This clearly requires authenticating and authorising access and providing trusted
information in a secure and privacy-preserving way.
The actual damage caused by possible threats can range from small interferences in the
system to personal losses or exposure of private information. With more information, and
more management and control of smart city assets, available over ICT networks, the risk
and impact of security or privacy threats is foreseen to increase and can have profound
and serious consequences for the community.
SMARTIE will focus on challenges that concern privacy, security and trust of the
information available in the smart city. An attacker can attack on multiple layers
simultaneously:
• Manipulate the sensor measurements to feed the system wrong data, e.g. to cause certain
actuations
• Attack the sensors and actuators physically to obtain credentials
• Attack or impersonate network components to act as a man-in-the-middle
• Obtain sensitive data or cause actuation by attacking the sharing platform with forged
or malicious requests
Standard network security tools such as firewalls, monitoring or conventional access
control will not suffice to prevent such sophisticated attacks, due to the distributed
nature of the IoT and the problem of defining and finding trusted parties. It is essential
that security is built into the infrastructure rather than added as an extra plug-in. An
effective protection approach is defence in depth, where data and services are protected
by several independent systems, so that, for instance, credentials extracted from one
captured sensor do not also grant access to the sharing platform.

5. First Steps Towards a Secure Platform


Trust and Quality-of-Information in an Open Heterogeneous Network
In SMARTIE and in other IoT systems, systems belonging to different owners need to cooperate.
Such a cooperating system can be denoted as a system of systems (SoS).

The major properties of SoS, especially for application fields like those intended in the
SMARTIE project, are dependability, security and privacy. Dependability comprises the
following attributes:
• Availability — readiness for correct service
• Reliability — continuity of correct service
• Safety — absence of catastrophic consequences for the system user and its
environment
• Integrity — absence of inappropriate system alterations
• Maintainability — ability to undergo updates and repairs
The main aspects of security are confidentiality (absence of unauthorised disclosure of
information), integrity (prevention of unauthorised modification or deletion of
information) and availability for authorised actions.
There is limited theory on how SoS should be managed [19]. The authors present five
characteristics that give a possible representation of the fundamental building blocks
for realising and managing SoS.
• Autonomy — the ability to make independent choices — the SoS has a higher purpose
than any of its constituent systems, independently or additively.
• Belonging — happiness found in a secure relationship — systems may need to undergo
some changes to be part of the SoS.
• Connectivity — the ability of a system to link with other systems — systems are
heterogeneous and unlikely to conform to a priori connectivity protocols, and the SoS
relies on effective connectivity in dynamic operations.
• Diversity — distinct elements in a group — the SoS can achieve its purposes by
leveraging the diversity of its constituent systems.
• Emergence — new properties appear in the course of development or evolution — the SoS
has dynamic boundaries, which are not always clearly defined; the SoS should be capable
of developing an emergence culture with enhanced agility and adaptability.
FAIR (fuzzy-based aggregation providing in-network resilience) [43] is an example of how
trust can be established and maintained, at least between a base station and the sensor
nodes in the field. The strength of FAIR is its compatibility with the aggregation
hierarchy, which makes it well suited to medium-size or large sensor networks.
There are three roles, pseudo-randomly distributed among the nodes at the beginning of
each epoch: the Aggregator Node (AN), the Normal Nodes and the Storage Nodes (SN). The
protocol consists of two message rounds, where each message is authenticated and
broadcast:

(1) Periodically, the aggregator node triggers the network to start an aggregation process;
each node senses the environment and sends back its measurement.
(2) The aggregator node collects all the values, removes the outliers and computes the
aggregate, which consists of the result and a measure of precision. This precision
expresses the dispersion of the "genuine" data set.
Figure 5.2 gives an overview of those two protocol rounds.
Fig. 5.2 General overview of the protocol: 1. AN triggers the network; 2. Network sends
back measurements; 3. AN aggregates data and sends back the tuple [result; precision];
4. Every node checks the result and sends a confirmation message to the SN.

Privacy-preserving Sharing of IoT Data


 To a large extent, IoT data may be of a personal nature and it is therefore important to
protect it from access by unauthorised entities. Privacy is one of the most sensitive
subjects in any discussion of IoT protection.
 It is also important to consider mechanisms for protecting information with encryption
within the secure storage. In terms of privacy policy implementation, one viable solution
is privacy by design, in which users have the tools they need to manage their own data.
 The fundamental privacy mechanism lies in intelligent data management, so that only the
required data is collected: redundancy is detected, data is anonymised at the earliest
possible stage and then deleted at the earliest convenience.

Minimal Disclosure
Individuals wish to control their personal information in the online domain, especially
as more and more sensors become available that could be linked to the user in order to
generate data.
Three features of privacy-friendly credentials are informally described in the NSTIC [28]
documents:

(1) Issuance of a credential cannot be linked to a use, or "show", of the credential even
if the issuer and the relying party share information, except as permitted by the
attributes certified by the issuer and shown to the relying party.
(2) Two shows of the same credential to the same or different relying parties cannot be
linked together, even if the relying parties share information.
(3) The user agent can disclose partial information about the attributes asserted by a
credential. For example, it can prove that the user is over 21 years of age based on a
birthdate attribute, without disclosing the birthdate itself.
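Feature (3) can be shown with a salted-hash credential; the Python block below is an added example and is not NSTIC's or any product's code. The issuer salts and hashes each attribute, adds derived age_over_N flags, and signs only the list of digests; the holder opens just the attributes it chooses; the relying party checks the signature and the openings. The attribute names, the HMAC standing in for the issuer's public-key signature, and the example dates are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed issuer key. A real issuer signs with a private key so relying parties verify
# with the public key; HMAC stands in here to keep the example standard-library only.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def attribute_digest(name: str, value, salt: bytes) -> str:
    """Salted commitment to one attribute; the salt stops guessing low-entropy values."""
    return hashlib.sha256(name.encode() + b"\0" + json.dumps(value).encode() + b"\0" + salt).hexdigest()


def sign_digests(digests: dict) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(digests, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def age_on(birth: date, today: date) -> int:
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def issue(attributes: dict, birth: date, today: date, thresholds=(18, 21)) -> dict:
    """Issuer: add derived age_over_N flags, salt and hash every attribute, and sign only the
    digest list. The signature never covers plaintext values, so the holder can open any
    subset later without touching the signature."""
    attrs = dict(attributes)
    attrs["birthdate"] = birth.isoformat()
    for t in thresholds:
        attrs[f"age_over_{t}"] = age_on(birth, today) >= t
    salts = {k: secrets.token_bytes(16) for k in attrs}
    digests = {k: attribute_digest(k, v, salts[k]) for k, v in attrs.items()}
    return {"attributes": attrs, "salts": salts, "digests": digests, "signature": sign_digests(digests)}


def present(cred: dict, reveal: list) -> dict:
    """Holder: hand over the signed digest list plus openings for the revealed attributes only."""
    return {"digests": dict(cred["digests"]), "signature": cred["signature"],
            "revealed": {k: (cred["attributes"][k], cred["salts"][k]) for k in reveal}}


def verify(pres: dict, required: list):
    """Relying party: check the issuer signature, then that each opened attribute matches its
    digest. Returns the disclosed attributes, or None if anything fails or is missing."""
    if not hmac.compare_digest(sign_digests(pres["digests"]), pres["signature"]):
        return None
    disclosed = {}
    for name, (value, salt) in pres["revealed"].items():
        if pres["digests"].get(name) != attribute_digest(name, value, salt):
            return None
        disclosed[name] = value
    if any(name not in disclosed for name in required):
        return None
    return disclosed


def demo_credential(birth=(1990, 5, 17), today=(2024, 1, 10)) -> dict:
    """Constructed credential for an example holder (dates are assumptions)."""
    return issue({"name": "A. Holder", "city": "Example City"}, date(*birth), date(*today))


if __name__ == "__main__":
    cred = demo_credential()
    pres = present(cred, ["age_over_21"])   # relying party sees no birthdate, name or city
    print(verify(pres, ["age_over_21"]))    # {'age_over_21': True}
```

This gives selective disclosure but not features (1) and (2): the signature value is identical in every show, so issuer and relying parties can link them. Unlinkability needs a credential scheme with randomisable or blind signatures (U-Prove and Idemix are the usual examples), which goes well beyond standard-library code. The age flags also show a practical compromise: instead of a zero-knowledge proof over the birthdate, the issuer certifies the predicate at issuance, which is what ISO/IEC 18013-5 mobile driving licences do with their age_over_NN fields.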
Secure Authentication and Access Control in Constrained Devices
 Embedded systems, and especially wireless sensor nodes, can be easily attacked. This is
because they are normally unprotected by cryptographic means.
 State of the art: there are several lightweight security approaches designed for wireless
sensor networks. The SPINS [12] protocols encompass authenticated and confidential
communication, and authenticated broadcast. [13] uses asymmetric cryptographic schemes to
exchange secret session keys between nodes and symmetric cryptography for data encryption.
 LiSP is a lightweight security protocol which supports all security attributes, but at a
high level of power consumption compared to the other protocols.
 The lightweight security approach presented in [16] is based on the RC4 stream cipher. It
provides data confidentiality, data authentication, data integrity and data freshness with
low overhead and simple operation. Note, however, that RC4 is no longer an acceptable
choice: its keystream biases are practically exploitable and RFC 7465 prohibits it in TLS,
so a current design should use a modern lightweight cipher instead.
6. Smartie Approach

The vision of SMARTIE (Secure and sMArter ciTIEs data management) is to create a
distributed framework for IoT-based applications sharing large volumes of heterogeneous
information. This framework is envisioned to enable end-to-end security and trust in
information delivery for decision-making purposes, following the data owner's privacy
requirements. New challenges identified for privacy, trust and reliability are:
• Providing trust and quality-of-information in shared information models to enable
re-use across many applications.
• Providing secure exchange of data between IoT devices and consumers of their
information.
• Providing protection mechanisms for vulnerable devices.

SMARTIE will design and build a data-centric information sharing platform in which
information is accessed through an information service layer operating above
heterogeneous network devices and data sources, providing services to diverse applications
in a transparent manner.

It is crucial for the approach that all the layers involve appropriate mechanisms to protect the data
already at the perception layer as well as at the layers on top of it.
SMARTIE will focus on key innovations that strengthen security, privacy and trust at the
different IoT layers, as summarised in the following table:

IoT layer: Applications (Intelligent Transportation, Smart Energy, Public Safety,
Utilities, Service Providers, etc.)
Security requirements:
• Authentication, Authorisation, Assurance;
• Privacy Protection and Policy Management;
• Application-specific Data Minimisation.

IoT layer: Information Services (In-network Data Processing, Data Aggregation, Cloud
Computing, etc.)
Security requirements:
• Secure Computation;
• Discovery of Information Sources;
• Cryptographic Data Storage;
• Protected Data Management and Handling (Search, Aggregation, Correlation, Computation).

IoT layer: Network (Networking infrastructure and network-level protocols)
Security requirements:
• Communication & Connectivity Security;
• Secure Sensor/Cloud Interaction;
• Cross-domain Data Security Handling;
• Data Format and Structures.

IoT layer: Smart Objects (Sensors for data collection, Actuators)
Security requirements:
• Trust Anchors and Attestation;
• Access Control to Nodes;
• Lightweight Encryption.
SMARTIE solutions will provide a set of innovations and enhancements to address the
challenges imposed by the application domains.

7. Data Aggregation for the IoT in Smart Cities, Security Adaptation and Deployment

In order to demonstrate the advantages and potential of our approach, we envisage the
following application areas for deploying the project architecture.

Smart Transportation
Smart City Objectives
• Improving the management of public transportation networks to foster greater use of
sustainable transport modes and to provide time and cost benefits to travellers.
• Involving users' smartphones in order to include additional information related to
their travels.
• Improving the management of individual motor car traffic, to reduce travelling time in
the town, improve traffic flow and reduce fine dust pollution.
• Extending traffic control systems with mobile traffic control systems to react fast to
abnormal situations, both planned (e.g. road reconstruction) and unplanned (e.g.
accidents).
• Exploiting heterogeneous wireless sensor networks placed on public transport vehicles
and in the environment (streets etc.), e.g. stationary traffic sensors/actuators placed at
junctions of the transportation network.
Usage
• Public transportation companies monitor the current demand of travellers for public
transportation on certain routes and optimise the number of vehicles to match the demand.
They also monitor the location of all public vehicles.
• A travel plan component located on the cloud infrastructure calculates the best routing
option for the traveller, taking into account the traveller's location, expected arrival
times and current traffic conditions. This information is then forwarded to the
associated smartphone application and presented to the traveller.
• City traffic authorities monitor the current traffic conditions:
◦ To optimise the traffic lights in order to achieve better traffic flow.
◦ To adapt speed limit signs.
◦ To indicate detours in case of road reconstruction, accidents or other emergency
situations.
• The required adaptation of individual car traffic is then indicated via adapted traffic
light switching, updated electronic traffic signs, etc.
Security and Privacy Challenges

• Information related to the location of public vehicles should be accessible to system
users according to the access policy and privacy rules.
• All data exchange between the sensors, actuators and backend server should be
implemented in a secure manner.
• All data related to travellers' location and activity should be considered private and
treated according to the privacy rules.
• Integration of systems owned by different parties, such as public authorities and
private companies providing telematics services.
Smart Campus
Smart City Objectives

• Monitoring energy efficiency on the campus, considering both energy consumption and
energy generation.
• Evaluating the real-time behaviour of systems jointly acting as a sustainable ecosystem.
• Providing users with the capability to interact with the system to facilitate the
improvement of energy efficiency.

Usage

• The Energy Supervisor entity will be able to collect, from the different sources,
real-time information about building consumption and energy generation from the different
entities involved (photovoltaic generators).
• The Energy Monitoring entity will collect data from the deployed sensors, and also
aggregated and summarised data about the different energy producers, to take decisions
over the different actuators involved in the system.
• Energy Producers will provide aggregated data to the Energy Monitoring entity based on
the agreement established, and more detailed data to the Energy Supervisor as main
regulator.
• Users will, in certain situations, provide their position and presence information to
the Energy Monitoring entity by means of sensors within the building or along lit street
pathways.

Security and Privacy Challenges

• Access to the sensor data should be controlled based on access control and privacy
rules, so that only certain services of the monitoring entity can read or act on it,
especially where the monitoring entity is a third party.
• The exchange will require mechanisms for data protection and integrity in the transfer
between the different parties.
• A scalable and secure management protocol that allows the verification and
authentication of newly deployed sensors and extends the trust domain to new devices in
the deployment environment.
• Entities are currently restricted in their use of the data by national data protection
law. They would like to explore how to reuse the data and possibly share it with third
parties, while controlling what can be shared according to legislation.
• Data exchange between entities needs to follow data minimisation principles and allow
traceability.
• User data exchange could in some cases be anonymous, while in other cases some control
over the distribution of the data is needed.
