The Internet of Things: An Overview

The Internet of Things is an emerging topic of technical, social, and economic significance. Consumer products, durable goods, cars and trucks, industrial and utility components, sensors, and other everyday objects are being combined with Internet connectivity and powerful data analytic capabilities that promise to transform the way we work, live, and play. Projections for the impact of IoT on the Internet and economy are impressive, with some anticipating as many as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025.

At the same time, however, the Internet of Things raises significant challenges that could stand in the way of realizing its potential benefits. Attention-grabbing headlines about the hacking of Internet-connected devices, surveillance concerns, and privacy fears already have captured public attention. Technical challenges remain and new policy, legal and development challenges are emerging.

This overview article is designed to help the Internet Society community navigate the dialogue surrounding the Internet of Things in light of the competing predictions about its promises and perils. The Internet of Things engages a broad set of ideas that are complex and intertwined from different perspectives. Key concepts that serve as a foundation for exploring the opportunities and challenges of IoT include:

  • IoT Definitions: The term Internet of Things generally refers to scenarios where network

connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human intervention. There is, however, no single, universal definition.

  • Enabling Technologies: The concept of combining computers, sensors, and networks to monitor

and control devices has existed for decades. The recent confluence of several technology market trends, however, is bringing the Internet of Things closer to widespread reality. These include Ubiquitous Connectivity, Widespread Adoption of IP-based Networking, Computing Economics, Miniaturization, Advances in Data Analytics, and the Rise of Cloud Computing.

  • Connectivity Models: IoT implementations use different technical communications models, each with its own characteristics. Four common communications models described by the Internet Architecture Board include: Device-to-Device, Device-to-Cloud, Device-to-Gateway, and Back-End Data-Sharing. These models highlight the flexibility in the ways that IoT devices can connect and provide value to the user.
  • Transformational Potential: If the projections and trends towards IoT become reality, it may force a shift in thinking about the implications and issues in a world where the most common interaction with the Internet comes from passive engagement with connected objects rather than active engagement with content. The potential realization of this outcome – a “hyperconnected world” – is testament to the general-purpose nature of the Internet architecture itself, which does not place inherent limitations on the applications or services that can make use of the technology.

Five key IoT issue areas are examined to explore some of the most pressing challenges and questions related to the technology. These include security; privacy; interoperability and standards; legal, regulatory, and rights; and emerging economies and development.

  • Security: While security considerations are not new in the context of information technology, the attributes of many IoT implementations present new and unique security challenges. Addressing these challenges and ensuring security in IoT products and services must be a fundamental priority.

Users need to trust that IoT devices and related data services are secure from vulnerabilities, especially as this technology become more pervasive and integrated into our daily lives. Poorly secured IoT devices and services can serve as potential entry points for cyber attack and expose user data to theft by leaving data streams inadequately protected.

The interconnected nature of IoT devices means that every poorly secured device that is connected online potentially affects the security and resilience of the Internet globally. This challenge is amplified by other considerations like the mass-scale deployment of homogenous IoT devices, the ability of some devices to automatically connect to other devices, and the likelihood of fielding these devices in unsecure environments.

As a matter of principle, developers and users of IoT devices and systems have a collective obligation to ensure they do not expose users and the Internet itself to potential harm. Accordingly, a collaborative approach to security will be needed to develop effective and appropriate solutions to IoT security challenges that are well suited to the scale and complexity of the issues.

  • Privacy: The full potential of the Internet of Things depends on strategies that respect individual privacy choices across a broad spectrum of expectations. The data streams and user specificity

afforded by IoT devices can unlock incredible and unique value to IoT users, but concerns about privacy and potential harms might hold back full adoption of the Internet of Things. This means that privacy rights and respect for user privacy expectations are integral to ensuring user trust and confidence in the Internet, connected devices, and related services.

Indeed, the Internet of Things is redefining the debate about privacy issues, as many implementations can dramatically change the ways personal data is collected, analyzed, used, and  protected. For example, IoT amplifies concerns about the potential for increased surveillance and tracking, difficulty in being able to opt out of certain data collection, and the strength of aggregating IoT data streams to paint detailed digital portraits of users. While these are important challenges, they are not insurmountable. In order to realize the opportunities, strategies will need to be developed to respect individual privacy choices across a broad spectrum of expectations, while still fostering innovation in new technology and services.

  • Interoperability / Standards: A fragmented environment of proprietary IoT technical

implementations will inhibit value for users and industry. While full interoperability across products and services is not always feasible or necessary, purchasers may be hesitant to buy IoT products and services if there is integration inflexibility, high ownership complexity, and concern over vendor lock-in.

In addition, poorly designed and configured IoT devices may have negative consequences for the networking resources they connect to and the broader Internet. Appropriate standards, reference models, and best practices also will help curb the proliferation of devices that may act in disrupted ways to the Internet. The use of generic, open, and widely available standards as technical building blocks for IoT devices and services (such as the Internet Protocol) will support greater user benefits,
innovation, and economic opportunity.

  • Legal, Regulatory and Rights: The use of IoT devices raises many new regulatory and legal

questions as well as amplifies existing legal issues around the Internet. The questions are wide in scope, and the rapid rate of change in IoT technology frequently outpaces the ability of the associated policy, legal, and regulatory structures to adapt.

One set of issues surrounds cross border data flows, which occur when IoT devices collect data about people in one jurisdiction and transmit it to another jurisdiction with different data protection laws for processing. Further, data collected by IoT devices is sometimes susceptible to misuse, potentially causing discriminatory outcomes for some users. Other legal issues with IoT devices include the conflict between law enforcement surveillance and civil rights; data retention and destruction policies; and legal liability for unintended uses, security breaches or privacy lapses. While the legal and regulatory challenges are broad and complex in scope, adopting the guiding Internet Society principles of promoting a user’s ability to connect, speak, innovate, share, choose, and trust are core considerations for evolving IoT laws and regulations that enable user rights.

  • Emerging Economy and Development Issues: The Internet of Things holds significant promise for delivering social and economic benefits to emerging and developing economies. This includes areas such as sustainable agriculture, water quality and use, healthcare, industrialization, and environmental management, among others. As such, IoT holds promise as a tool in achieving the United Nations Sustainable Development Goals.

The broad scope of IoT challenges will not be unique to industrialized countries. Developing regions also will need to respond to realize the potential benefits of IoT. In addition, the unique needs and challenges of implementation in less-developed regions will need to be addressed, including infrastructure readiness, market and investment incentives, technical skill requirements, and policy
resources.

The Internet of Things is happening now. It promises to offer a revolutionary, fully connected “smart” world as the relationships between objects, their environment, and people become more tightly intertwined. Yet the issues and challenges associated with IoT need to be considered and addressed in order for the potential benefits for individuals, society, and the economy to be realized.

Ultimately, solutions for maximizing the benefits of the Internet of Things while minimizing the risks will not be found by engaging in a polarized debate that pits the promises of IoT against its possible perils. Rather, it will take informed engagement, dialogue, and collaboration across a range of stakeholders to plot the most effective ways forward.

Introduction

The Internet of Things (IoT) is an important topic in technology industry, policy, and engineering circles and has become headline news in both the specialty press and the popular media. This technology is embodied in a wide spectrum of networked products, systems, and sensors, which take advantage of advancements in computing power, electronics miniaturization, and network interconnections to offer new capabilities not previously possible. An abundance of conferences, reports, and news articles discuss and debate the  prospective impact of the “IoT revolution”—from new market opportunities and business models to concerns about security, privacy, and technical interoperability.

The large-scale implementation of IoT devices promises to transform many aspects of the way we live. For consumers, new IoT products like Internet-enabled appliances, home automation components, and energy management devices are moving us toward a vision of the “smart home’’, offering more security and energy efficiency. Other personal IoT devices like wearable fitness and health monitoring devices and network enabled medical devices are transforming the way healthcare services are delivered. This technology  promises to be beneficial for people with disabilities and the elderly, enabling improved levels of independence and quality of life at a reasonable cost. IoT systems like networked vehicles, intelligent traffic systems, and sensors embedded in roads and bridges move us closer to the idea of “smart cities’’, which help minimize congestion and energy consumption. IoT technology offers the possibility to transform agriculture, industry, and energy production and distribution by increasing the availability of information along the value chain of production using networked sensors. However, IoT raises many issues and challenges that need to be considered and addressed in order for potential benefits to be realized.

A number of companies and research organizations have offered a wide range of projections about the potential impact of IoT on the Internet and the economy during the next five to ten years. Cisco, for example, projects more than 24 billion Internet–connected objects by 2019; Morgan Stanley, however, projects 75 billion networked devices by 2020. Looking out further and raising the stakes higher, Huawei forecasts 100 billion IoT connections by 2025. McKinsey Global Institute suggests that the financial impact of IoT on the global economy may be as much as $3.9 to $11.1 trillion by 2025. While the variability in predictions makes any specific number questionable, collectively they paint a picture of significant growth and influence.

Some observers see the IoT as a revolutionary fully–interconnected “smart” world of progress, efficiency, and opportunity, with the potential for adding billions in value to industry and the global economy.  Others warn that the IoT represents a darker world of surveillance, privacy and security violations, and consumer lock–in. Attention-grabbing headlines about the hacking of Internet-connected automobiles, surveillance concerns stemming from voice recognition features in “smart” TVs, and privacy fears stemming from the potential misuse of IoT data9 have captured public attention. This “promise vs. peril” debate along with an influx of information though popular media and marketing can make the IoT a complex topic to understand.

Fundamentally, the Internet Society cares about the IoT as it represents a growing aspect of how people and institutions are likely to interact with the Internet in their personal, social, and economic lives. If even modest projections are correct, an explosion of IoT applications could present a fundamental shift in how users engage with and are impacted by the Internet, raising new issues and different dimensions of existing challenges across user/consumer concerns, technology, policy and law. IoT also will likely have varying consequences in different economies and regions, bringing a diverse set of opportunities and challenges across the globe.

This overview cover article is designed to help the Internet Society community navigate the dialogue surrounding the Internet of Things in light of the competing predictions about its promises and perils.

What is the Internet of Things?

The term “Internet of Things” (IoT) was first used in 1999 by British technology pioneer Kevin Ashton to describe a system in which objects in the physical world could be connected to the Internet by sensors. Ashton coined the term to illustrate the power of connecting Radio-Frequency Identification (RFID) tags used in corporate supply chains to the Internet in order to count and track goods without the need for human intervention. Today, the Internet of Things has become a popular term for describing scenarios in which Internet connectivity and computing capability extend to a variety of objects, devices, sensors, and everyday items.

While the term “Internet of Things” is relatively new, the concept of combining computers and networks to monitor and control devices has been around for decades. By the late 1970s, for example, systems for remotely monitoring meters on the electrical grid via telephone lines were already in commercial use. In the 1990s, advances in wireless technology allowed “machine–to–machine” (M2M) enterprise and industrial solutions for equipment monitoring and operation to become widespread. Many of these early M2M solutions, however, were based on closed purpose–built networks and proprietary or industry–specific standards,  rather than on Internet Protocol (IP)–based networks and Internet standards. Using IP to connect devices other than computers to the Internet is not a new idea. The first Internet “device”—an IP–enabled toaster that could be turned on and off over the Internet—was featured at an Internet conference in 1990.16 Over the next several years, other “things” were IP–enabled, including a soda machine at Carnegie Mellon University in the US and a coffee pot18 in the Trojan Room at the University of Cambridge in the UK (which remained Internet–connected until 2001). From these whimsical beginnings, a robust field of research and development into “smart object networking” helped create the foundation for today’s Internet of Things.

If the idea of connecting objects to each other and to the Internet is not new, it is reasonable to ask, “Why is the Internet of Things a newly popular topic today?”
From a broad perspective, the confluence of several technology and market trends is making it possible to interconnect more and smaller devices cheaply and easily:

* Ubiquitous Connectivity—Low–cost, high–speed, pervasive network connectivity, especially through licensed and unlicensed wireless services and technology, makes almost everything “connectable’’.

* Widespread adoption of IP–based networking— IP has become the dominant global standard for networking, providing a well–defined and widely implemented platform of software and tools that can be incorporated into a broad range of devices easily and inexpensively.

* Computing Economics— Driven by industry investment in research, development, and manufacturing, Moore’s law continues to deliver greater computing power at lower price points and lower power consumption.

* Miniaturization— Manufacturing advances allow cutting-edge computing and communications technology to be incorporated into very small objects.23 Coupled with greater computing economics, this has fueled the advancement of small and inexpensive sensor devices, which drive many IoT applications.

* Advances in Data Analytics— New algorithms and rapid increases in computing power, data storage, and cloud services enable the aggregation, correlation, and analysis of vast quantities of data; these large and dynamic datasets provide new opportunities for extracting information and knowledge.

* Rise of Cloud Computing– Cloud computing, which leverages remote, networked computing resources to process, manage, and store data, allows small and distributed devices to interact with powerful back-end analytic and control capabilities.

From this perspective, the IoT represents the convergence of a variety of computing and connectivity trends that have been evolving for many decades. At present, a wide range of industry sectors – including automotive, healthcare, manufacturing, home and consumer electronics, and well beyond -- are considering the potential for incorporating IoT technology into their products, services, and operations.

In their report “Unlocking the Potential of the Internet of Things’’, the McKinsey Global Institute describes the broad range of potential applications in terms of “settings” where IoT is expected to create value for industry and users.

“Settings” for IoT Applications (Source: McKinsey Global Institute)

Setting

Description

Examples

Human

Devices attached or
inside the human
body

Devices (wearables and ingestibles) to monitor and
maintain human health and wellness; disease
management, increased fitness, higher productivity

Home

Buildings where
people live

Home controllers and security systems

Retail Environments

Spaces where
consumers engage in
commerce

Stores, banks, restaurants, arenas – anywhere
consumers consider and buy; self-checkout, in-store
offers, inventory optimization

Offices

Spaces where
knowledge workers
work

Energy management and security in office buildings;
improved productivity, including for mobile employees

Factories

Standardized
production
environments

Places with repetitive work routines, including hospitals
and farms; operating efficiencies, optimizing equipment
use and inventory

Worksites

Custom production
environments

Mining, oil and gas, construction; operating efficiencies,
predictive maintenance, health and safety

Vehicles

Systems inside
moving vehicles

Vehicles including cars, trucks, ships, aircraft, and
trains; condition-based maintenance, usage-based
design, pre-sales analytics

Cities

Urban environments

Public spaces and infrastructure in urban settings;
adaptive traffic control, smart meters, environmental
monitoring, resource management

Outside

Between urban
environments (and
outside other settings)

Outside uses include railroad tracks, autonomous
vehicles (outside urban locations), and flight navigation;
real-time routing, connected navigation, shipment
tracking

Many organizations have developed their own taxonomies and categorizations of IoT applications and use cases. For example, “Industrial IoT’’ is a term widely used by companies and associations to describe IoT applications related to the production of goods and services, including in manufacturing and utilities. Others discuss IoT by device type, such as wearables and appliances. Still others focus on IoT in the context of integrated location-based implementations such as “smart homes” or “smart cities’’. Whatever the application, it is clear that IoT use cases could extend to nearly every aspect of our lives.

As the number of Internet-connected devices grows, the amount of traffic they generate is expected to rise significantly. For example, Cisco estimates that Internet traffic generated by non-PC devices will rise from 40% in 2014 to just under 70% in 2019.30 Cisco also forecasts that the number of “Machine to Machine” (“M2M”) connections (including in industrial, home, healthcare, automotive, and other IoT verticals) will rise from 24% of all connected devices in 2014 to 43% in 2019.

One implication of these trends is that over the next ten years we could see a shift in the popular notion of what it means to be “on the Internet’’.  As MIT Professor Neil Gershenfied noted, “… The rapid growth of the World Wide Web may have been just the trigger charge that is now setting off the real explosion, as things start to use the Net’’.

In the popular mindset, the World Wide Web has almost become synonymous with the Internet itself. Web technologies facilitate most interactions between people and content, making it a defining characteristic of the current Internet experience. The Web-based experience is largely characterized by the active engagement of users downloading and generating content through computers and smartphones. If the growth projections about IoT become reality, we may see a shift towards more passive Internet interaction by users with objects such as car components, home appliances and self-monitoring devices; these devices send and receive data on the user’s behalf, with little human intervention or even awareness.

IoT may force a shift in thinking if the most common interaction with the Internet -- and the data derived and exchanged from that interaction -- comes from passive engagement with connected objects in the broader environment. The potential realization of this outcome – a “hyperconnected world” -- is a testament to the general-purpose nature of the Internet architecture, which does not place inherent limitations on the applications or services that can make use of the technology.

Different Definitions, Similar Concepts

Despite the global buzz around the Internet of Things, there is no single, universally accepted definition for the term. Different definitions are used by various groups to describe or promote a particular view of what IoT means and its most important attributes. Some definitions specify the concept of the Internet or the Internet Protocol (IP), while others, perhaps surprisingly, do not. For example, consider the following definitions.

The Internet Architecture Board (IAB) begins RFC 7452, “Architectural Considerations in Smart Object
Networking’’, with this description:

The term "Internet of Things" (IoT) denotes a trend where a large number of embedded devices employ communication services offered by the Internet protocols. Many of these devices, often called "smart objects,’’ are not directly operated by humans, but exist as components in buildings or vehicles, or are spread out in the environment. Within the Internet Engineering Task Force (IETF), the term “smart object networking” is commonly used in reference to the Internet of Things. In this context, “smart objects” are devices that typically have significant constraints, such as limited power, memory, and processing resources, or bandwidth.34 Work in the IETF is organized around specific requirements to achieve network interoperability between several types of smart objects.

Published in 2012, the International Telecommunication Union (ITU) ITU–T Recommendation Y.2060,
Overview of the Internet of things, discusses the concept of interconnectivity, but does not specifically tie the IoT to the Internet:

Internet of things (IoT): A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.

Note 1—Through the exploitation of identification, data capture, processing and communication capabilities, the IoT makes full use of things to offer services to all kinds of applications, whilst ensuring that security and privacy requirements are fulfilled.

Note 2—From a broader perspective, the IoT can be perceived as a vision with technological and
societal implications.

This definition in a call for papers for a feature topic issue of IEEE Communications Magazine37 links the IoT back to cloud services:

The Internet of Things (IoT) is a framework in which all things have a representation and a presence in the Internet. More specifically, the Internet of Things aims at offering new applications and services bridging the physical and virtual worlds, in which Machine-to-Machine (M2M) communications represents the baseline communication that enables the interactions between
Things and applications in the cloud.

The Oxford Dictionaries offers a concise definition that invokes the Internet as an element of the IoT: Internet of things (noun): The interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.

All of the definitions describe scenarios in which network connectivity and computing capability extends to a constellation of objects, devices, sensors, and everyday items that are not ordinarily considered to be “computers’’; this allows the devices to generate, exchange, and consume data, often with minimal human intervention. The various definitions of IoT do not necessarily disagree – rather they emphasize different aspects of the IoT phenomenon from different focal points and use cases.

However, the disparate definitions could be a source of confusion in dialogue on IoT issues, particularly in discussions between stakeholder groups or industry segments. Similar confusion was experienced in recent years about net neutrality and cloud computing, where different interpretations of the terms sometimes presented obstacles to dialogue. While it is probably unnecessary to develop a single definition of IoT, it should be recognized that there are different perspectives to be factored into discussions. For the purposes of this paper, the terms “Internet of Things” and “IoT” refer broadly to the extension of network connectivity and computing capability to objects, devices, sensors, and items not ordinarily considered to be computers. These “smart objects” require minimal human intervention to generate, exchange, and consume data; they often feature connectivity to remote data collection, analysis, and management capabilities.

Networking and communications models for smart objects include those where exchanged data does not traverse the Internet or an IP-based network. We include those models in our broad description of “Internet of Things” used for this article. We do so as it is likely that the data generated or processed from those smart objects will ultimately pass through gateways with connectivity to IP-based networks or will otherwise be incorporated into product features that are accessible via the Internet. Furthermore, users of IoT devices are likely to be more concerned with the services delivered and the implication of using those services than issues of when or where data passes through an IP-based network.

Internet of Things Communications Models

Figure 1. Example of device-to-device communication model.

From an operational perspective, it is useful to think about how IoT devices connect and communicate in terms of their technical communication models. In March 2015, the Internet Architecture Board (IAB) released a guiding architectural document for networking of smart objects (RFC 7452),39 which outlines a framework of four common communication models used by IoT devices. The discussion below presents this framework and explains key characteristics of each model in the framework.
Device-to-Device Communications The device-to-device communication model represents two or more devices that directly connect and communicate between one another, rather than through an intermediary application server. These devices communicate over many types of networks, including IP networks or the Internet. Often, however these devices use protocols like Bluetooth,40 Z-Wave,41 or ZigBee42 to establish direct device-to-device communications, as shown in Figure 1.

These device-to-device networks allow devices that adhere to a particular communication protocol to
communicate and exchange messages to achieve their function. This communication model is commonly used in applications like home automation systems, which typically use small data packets of information to communicate between devices with relatively low data rate requirements. Residential IoT devices like light  bulbs, light switches, thermostats, and door locks normally send small amounts of information to each other (e.g. a door lock status message or turn on light command) in a home automation scenario.

From the user’s point of view, this often means that underlying device-to-device communication protocols are not compatible, forcing the user to select a family of devices that employ a common protocol. For example, the family of devices using the Z-Wave protocol is not natively compatible with the ZigBee family of devices. While these incompatibilities limit user choice to devices within a particular protocol family, the user benefits from knowing that products within a particular family tend to communicate well.

Device-to-Cloud Communications

In a device-to-cloud communication model, the IoT device connects directly to an Internet cloud service like an application service provider to exchange data and control message traffic. This approach frequently takes advantage of existing communications mechanisms like traditional wired Ethernet or Wi-Fi connections to establish a connection between the device and the IP network, which ultimately connects to the cloud service. This is shown in Figure 2.

Figure 2. Device-to-cloud communication model diagram.

This communication model is employed by some popular consumer IoT devices like the Nest Labs Learning Thermostat and the Samsung SmartTV. In the case of the Nest Learning Thermostat, the device transmits data to a cloud database where the data can be used to analyze home energy consumption.

Further, this cloud connection enables the user to obtain remote access to their thermostat via a smartphone or Web interface, and it also supports software updates to the thermostat. Similarly with the Samsung SmartTV technology, the television uses an Internet connection to transmit user viewing information to Samsung for analysis and to enable the interactive voice recognition features of the TV. In these cases, the device-to-cloud model adds value to the end user by extending the capabilities of the device beyond its native features.

However, interoperability challenges can arise when attempting to integrate devices made by different
manufacturers. Frequently, the device and cloud service are from the same vendor.  If proprietary data protocols are used between the device and the cloud service, the device owner or user may be tied to a specific cloud service, limiting or preventing the use of alternative service providers. This is commonly referred to as “vendor lock-in’’, a term that encompasses other facets of the relationship with the provider such as ownership of and access to the data. At the same time, users can generally have confidence that devices designed for the specific platform can be integrated.

Device-to-Gateway Model

In the device-to-gateway model, or more typically, the device-to-application-layer gateway (ALG) model, the IoT device connects through an ALG service as a conduit to reach a cloud service. In simpler terms, this means that there is application software operating on a local gateway device, which acts as an intermediary between the device and the cloud service and provides security and other functionality such as data or protocol translation. The model is shown in Figure 3.

Figure 3. Device-to-gateway communication model diagram.

Several forms of this model are found in consumer devices. In many cases, the local gateway device is a
smartphone running an app to communicate with a device and relay data to a cloud service. This is often the model employed with popular consumer items like personal fitness trackers. These devices do not have the native ability to connect directly to a cloud service, so they frequently rely on smartphone app software to serve as an intermediary gateway to connect the fitness device to the cloud.

The other form of this device-to-gateway model is the emergence of “hub” devices in home automation applications. These are devices that serve as a local gateway between individual IoT devices and a cloud service, but they can also bridge the interoperability gap between devices themselves. For example, the SmartThings hub is a stand-alone gateway device that has Z-Wave and Zigbee transceivers installed to communicate with both families of devices.  It then connects to the SmartThings cloud service, allowing the user to gain access to the devices using a smartphone app and an Internet connection.
From a broader technical perspective, the IETF Journal article explains the benefit of the device-to-gateway approach:

This [communication model] is used in situations where the smart objects require interoperability with non-IP [Internet protocol] devices. Sometimes this approach is taken for integrating IPv6-only devices, which means a gateway is necessary for legacy IPv4-only devices and services. In other words, this communications model is frequently used to integrate new smart devices into a legacy system with devices that are not natively interoperable with them. A downside of this approach is that the necessary development of the application-layer gateway software and system adds complexity and cost to the overall system.

The IAB’s RFC7452 document suggests the outlook for this model: It is expected that in the future, more generic gateways will be deployed to lower cost and infrastructure complexity for end consumers, enterprises, and industrial environments. Such generic gateways are more likely to exist if IoT device designs make use of generic Internet protocols and not require application-layer gateways that translate one application-layer protocol to another one. The use of application-layer gateways will, in general, lead to a more fragile deployment, as has been observed in the past…

The evolution of systems using the device-to-gateway communication model and its larger role in addressing interoperability challenges among IoT devices is still unfolding.

Back-End Data-Sharing Model

The back-end data-sharing model refers to a communication architecture that enables users to export and analyze smart object data from a cloud service in combination with data from other sources. This architecture supports “the [user’s] desire for granting access to the uploaded sensor data to third parties”.

This approach is an extension of the single device-to-cloud communication model, which can lead to data silos where “IoT devices upload data only to a single application service provider’’.  A back-end sharingarchitecture allows the data collected from single IoT device data streams to be aggregated and analyzed. For example, a corporate user in charge of an office complex would be interested in consolidating and analyzing the energy consumption and utilities data produced by all the IoT sensors and Internet-enabled utility systems on the premises. Often in the single device-to-cloud model, the data each IoT sensor or system produces sits in a stand-alone data silo. An effective back-end data sharing architecture would allow  the company to easily access and analyze the data in the cloud produced by the whole spectrum of devices in the building. Also, this kind of architecture facilitates data portability needs. Effective back-end datasharing architectures allow users to move their data when they switch between IoT services, breaking down traditional data silo barriers.

The back-end data-sharing model suggests a federated cloud services approach or cloud applications programmer interfaces (APIs) are needed to achieve interoperability of smart device data hosted in the cloud. A graphical representation of this design is shown in Figure 4.

Figure 4. Back-end data sharing model diagram.

This architecture model is an approach to achieve interoperability among these back-end systems. As the IETF Journal suggests, “Standard protocols can help but are not sufficient to eliminate data silos because common information models are needed between the vendors.” In other words, this communication model is only as effective as the underlying IoT system designs. Back-end data sharing architectures cannot fully overcome closed system designs.

Internet of Things Communications Models Summary
The four basic communication models demonstrate the underlying design strategies used to allow IoT devices to communicate. Aside from some technical considerations, the use of these models is largely influenced by the open versus proprietary nature of the IoT devices being networked. And in the case of the device-to-gateway model, its primary feature is its ability to overcome proprietary device restrictions in connecting IoT devices. This means that device interoperability and open standards are key considerations in the design and development of internetworked IoT systems.

From a general user perspective, these communication models help illustrate the ability of networked devices to add value to the end user. By enabling the user to achieve better access to an IoT device and its data, the overall value of the device is amplified. For example, in three of the four communication models, the devices ultimately connect to data analytic services in a cloud computing setting. By creating data communication conduits to the cloud, users, and service providers can more readily employ data aggregation, big data analytics, data visualization, and predictive analytics technologies to get more value out of IoT data than can be achieved in traditional data-silo applications. In other words, effective communication architectures are an important driver of value to the end user by opening possibilities of using information in new ways. It should be noted, however, these networked benefits come with trade-offs.

Careful consideration needs to be paid to the incurred cost burdens placed on users to connect to cloud resources when considering an architecture, especially in regions where user connectivity costs are high. While the end user benefits from effective communication models, it should be mentioned that effective IoT communication models also enhance technical innovation and open opportunity for commercial growth. New products and services can be designed to take advantage of IoT data streams that didn’t exist previously, acting as a catalyst for further innovation.

IPv6 and the Internet of Things

Though they differ about the exact numbers, most technology observers agree that billions of additional devices – from industrial sensors to home appliances and vehicles – will be connected to the Internet between now and 2025. As the Internet of Things continues to grow, devices that require true end-to-end Internet connectivity will not be able to rely on IPv4, the protocol most Internet services use today. They will need a new enabling technology: IPv6.

IPv6 is a long-anticipated upgrade to the Internet’s original fundamental protocol – the Internet Protocol (IP), which supports all communications on the Internet. IPv6 is necessary because the Internet is running out of original IPv4 addresses. While IPv4 can support 4.3 billion devices connected to the Internet, IPv6 with 2 to the 128th power addresses, is for all practical purposes inexhaustible. This represents about 340 trillion, trillion, trillion addresses, which more than satisfies the demand of the estimated 100 billion IoT devices going into service in the coming decades.

Given the anticipated longevity of some of the sensors and other devices imagined for the Internet of Things, design decisions will affect the utility of solutions decades from now. Key challenges for IoT developers are that IPv6 is not natively interoperable with IPv4 and most low-cost software that is readily available for embedding in IoT devices implements only IPv4. Many experts believe, however, that IPv6 is the best connectivity option and will allow IoT to reach its potential.

For more information on IPv6 visit the Internet Society resource pages at http://www.internetsociety.org/what-we-do/internet-technology-matters/ipv6 and http://www.internetsociety.org/deploy360/ipv6/

What issues are raised by the Internet of Things?
It would be impossible to cover the broad scope of issues surrounding the Internet of Things in this article.

We begin to examine these issues through the lens of “the Abilities” – the statement of fundamental principles that guide ISOC’s work in terms of the capabilities we believe all Internet users should enjoy that must be protected. These include the ability to connect, speak, innovate, share, choose, and trust. With these principles as a guide, we present important aspects of each issue and propose several questions for discussion.

Security Issues

The IoT Security Challenge
As we note in the principles that guide our work, ensuring the security, reliability, resilience, and stability of Internet applications and services is critical to promoting trust and use of the Internet. As users of the Internet, we need to have a high degree of trust that the Internet, its applications, and the devices linked to it are secure enough to do the kinds of activities we want to do online in relation to the risk tolerance associated with those activities. The Internet of Things is no different in this respect, and security in IoT is fundamentally linked to the ability of users to trust their environment. If people don’t believe their connected devices and their information are reasonably secure from misuse or harm, the resulting erosion of trust causes a reluctance to use the Internet. This has global consequences to electronic commerce, technical
innovation, free speech, and practically every other aspect of online activities. Indeed, ensuring security in IoT products and services should be considered a top priority for the sector.

A Spectrum of Security Considerations
When thinking about Internet of Things devices, it is important to understand that security of these devices is not absolute. IoT device security is not a binary proposition of secure or insecure. Instead, it is useful to conceptualize IoT security as a spectrum of device vulnerability. The spectrum ranges from totally unprotected devices with no security features to highly secure systems with multiple layers of security features. In an endless cat-and-mouse game, new security threats evolve, and device manufacturers and network operators continuously respond to address the new threats.

Unique Security Challenges of IoT Devices
IoT devices tend to differ from traditional computers and computing devices in important ways that challenge security:
* Many Internet of Things devices, such as sensors and consumer items, are designed to be deployed at a massive scale that is orders of magnitude beyond that of traditional Internet-connected devices.

As a result, the potential quantity of interconnected links between these devices is unprecedented. Further, many of these devices will be able to establish links and communicate with other devices on their own in an unpredictable and dynamic fashion. Therefore, existing tools, methods, and strategies associated with IoT security may need new consideration.

* Many IoT deployments will consist of collections of identical or near identical devices. This homogeneity magnifies the potential impact of any single security vulnerability by the sheer number of devices that all have the same characteristics. For example, a communication protocol vulnerability of one company’s brand of Internet-enabled light bulbs might extend to every make and model of device that uses that same protocol or which shares key design or manufacturing characteristics.

* Many Internet of Things devices will be deployed with an anticipated service life many years longer than is typically associated with high-tech equipment. Further, these devices might be deployed in circumstances that make it difficult or impossible to reconfigure or upgrade them; or these devices might outlive the company that created them, leaving orphaned devices with no means of long-term support. These scenarios illustrate that security mechanisms that are adequate at deployment might not be adequate for the full lifespan of the device as security threats evolve. As such, this may create vulnerabilities that could persist for a long time. This is in contrast to the paradigm of traditional computer systems that are normally upgraded with operating system software updates throughout the life of the computer to address security threats. The long-term support and management of IoT devices is a significant security challenge.

* Many IoT devices are intentionally designed without any ability to be upgraded, or the upgrade process is cumbersome or impractical. For example, consider the 2015 Fiat Chrysler recall of 1.4 million vehicles to fix a vulnerability that allowed an attacker to wirelessly hack into the vehicle. These cars must be taken to a Fiat Chrysler dealer for a manual upgrade, or the owner must perform the upgrade themselves with a USB key. The reality is that a high percentage of these autos probably will not be upgraded because the upgrade process presents an inconvenience for owners, leaving them perpetually vulnerable to cybersecurity threats, especially when the automobile appears to be performing well otherwise.

* Many IoT devices operate in a manner where the user has little or no real visibility into the internal workings of the device or the precise data streams they produce. This creates a security
vulnerability when a user believes an IoT device is performing certain functions, when in reality it might be performing unwanted functions or collecting more data than the user intends. The device’s functions also could change without notice when the manufacturer provides an update, leaving the user vulnerable to whatever changes the manufacturer makes.

* Some IoT devices are likely to be deployed in places where physical security is difficult or impossible to achieve. Attackers may have direct physical access to IoT devices. Anti-tamper features and other design innovations will need to be considered to ensure security.

  • Some IoT devices, like many environmental sensors, are designed to be unobtrusively embedded in the environment, where a user does not actively notice the device nor monitor its operating status. Additionally, devices may have no clear way to alert the user when a security problem arises, making it difficult for a user to know that a security breach of an IoT device has occurred. A security breach might persist for a long time before being noticed and corrected if correction or mitigation is even possible or practical. Similarly, the user might not be aware that a sensor exists in her surroundings, potentially allowing a security breach to persist for long periods without detection.

* Early models of Internet of Things assume IoT will be the product of large private and/or public technology enterprises, but in the future “Build Your own Internet of Things” (BYIoT) might become more commonplace as exemplified by the growing Arduino and Raspberry Pi60 developer communities. These may or may not apply industry best practice security standards.

IoT Security Questions
A number of questions have been raised regarding security challenges posed by Internet of Things devices. Many of these questions existed prior to the growth of IoT, but they increase in importance due to the scale of deployment of IoT devices. Some prominent questions include:

a) Good Design Practices. What are the sets of best practices for engineers and developers to use to design IoT devices to make them more secure? How do lessons learned from Internet of Things security problems get captured and conveyed to development communities to improve future generations of devices? What training and educational resources are available to teach engineers and developers more secure IoT design?

b) Cost vs. Security Trade-Offs. How do stakeholders make informed cost-benefit analysis decisions with respect to Internet of Things devices? How do we accurately quantify and assess the security risks? What will motivate device designers and manufacturers to accept additional product design cost to make devices more secure, and, in particular, to take responsibility for the impact of any negative externalities resulting from their security decisions? How will incompatibilities between functionality and usability be reconciled with security? How do we ensure IoT security solutions support opportunities for IoT innovation, social and economic growth?

c) Standards and Metrics. What is the role of technical and operational standards for the
development and deployment of secure, well-behaving IoT devices? How do we effectively identify and measure characteristics of IoT device security? How do we measure the effectiveness of Internet of Things security initiatives and countermeasures? How do we ensure security best practices are implemented?

d) Data Confidentiality, Authentication and Access Control. What is the optimal role of data encryption with respect to IoT devices? Is the use of strong encryption, authentication and access  control technologies in IoT devices an adequate solution to prevent eavesdropping and hijacking attacks of the data streams these devices produce? Which encryption and authentication technologies could be adapted for the Internet of Things, and how could they be implemented within an IoT device’s constraints on cost, size, and processing speed? What are the foreseeable management issues that must be addressed as a result of IoT-scale cryptography? Are concerns about managing the crypto-key lifecycle and the expected period during which any given algorithm is expected to remain secure being addressed? Are the end-to-end processes adequately secure and simple enough for typical consumers to use?

e) Field-Upgradeability. With an extended service life expected for many IoT devices, should devices be designed for maintainability and upgradeability in the field to adapt to evolving security threats?

New software and parameter settings could be installed in a fielded IoT device by a centralized security management system if each device had an integrated device management agent. But management systems add cost and complexity; could other approaches to upgrading device software be more compatible with widespread use of IoT devices? Are there any classes of IoT
devices that are low-risk and therefore don’t warrant these kinds of features? In general, are the user interfaces IoT devices expose (usually intentionally minimal) being properly scrutinized with consideration for device management (by anyone, including the user)?

f) Shared Responsibility. How can shared responsibility and collaboration for IoT security be
encouraged across stakeholders?

g) Regulation. Should device manufacturers be penalized for selling software or hardware with known or unknown security flaws? How might product liability and consumer protection laws be adapted or extended to cover any negative externalities related to the Internet of Things and would this operate in a cross-border environment? Would it be possible for regulation to keep pace and be effective in light of evolving IoT technology and evolving security threats? How should regulation be balanced against the needs of permission-less innovation, Internet freedom, and freedom of expression?

h) Device Obsolescence. What is the right approach to take with obsolete IoT devices as the Internet evolves and security threats change? Should IoT devices be required to have a built-in end-of-life expiration feature that disables them? Such a requirement could force older, non-interoperable devices out of service and replace them with more secure and interoperable devices in the future. Certainly, this would be very challenging in the open marketplace. What are the implications of automatic decommissioning IoT devices?

The breadth of these questions is representative of the wide-ranging security considerations associated with Internet of Things devices. However, it’s important to remember that when a device is on the Internet, it is also part of the Internet, which means that effective and appropriate security solutions can be achieved only if the participants involved with these devices apply a Collaborative Security approach.

The collaborative model has emerged as an effective approach among industry, governments, and public authorities to help secure the Internet and cyberspace, including the Internet of Things. This model includes a range of practices and tools including bidirectional voluntary information sharing; effective enforcement tools; incident preparedness and cyber exercises; awareness raising and training; agreement on international norms of behavior; and development and recognition of international standards and practices. Continued work is needed to evolve collaborative and shared risk management-based approaches that are
well suited to the scale and complexity of IoT device security challenges of the future.

Privacy Considerations

Internet of Things Privacy Background
Respect for privacy rights and expectations is integral to ensuring trust in the Internet, and it also impacts the ability of individuals to speak, connect, and choose in meaningful ways. These rights and expectations are sometimes framed in terms of ethical data handling, which emphasizes the importance of respecting an individual’s expectations of privacy and the fair use of their data. The Internet of Things can challenge these traditional expectations of privacy.

Unique Privacy Aspects of Internet of Things
Generally, privacy concerns are amplified by the way in which the Internet of Things expands the feasibility and reach of surveillance and tracking. Characteristics of IoT devices and the ways they are used redefine the debate about privacy issues, because they dramatically change how personal data is collected, analyzed, used, and protected.

IoT Emerging Economy and Development Questions
To ensure that the opportunities and benefits related to IoT are global, the specific needs and potential challenges related to emerging economies must be considered. The matters discussed in the preceding issue sections are not unique to industrialized countries, and should be considered applicable to developing markets as well. However, the unique circumstances often found in emerging economies raise additional questions about maximizing the benefits and managing challenges of IoT. While by no means exhaustive, some areas for consideration include:

a) Infrastructure Resources: Internet and communications infrastructure has spread rapidly across the developing world, yet gaps remain in ensuring reliable, high-speed, and affordable access in many countries, including for commercial and business use. To what extent will the Internet of Things place pressure on Internet and telecommunications infrastructure and resources? Will current challenges curb the opportunity for IoT in emerging regions, or could IoT be a demand-driver for additional build-out of infrastructure? Does special attention need to be paid to spectrum management, given that wireless technology underpins many IoT implementations? As cloud services and related data analysis drive value in many IoT services, will the relative lack of data  center infrastructure in emerging economies hinder deployment?

b) Investment: In industrialized countries, investment in IoT research and product development is being driven by market opportunities for products and services. To what extent will the market drive investment in IoT implementations in developing countries, especially beyond applications in industries and settings that have the prospect of clear, near-term returns? On the other hand, could IoT deployments in emerging economies be more efficient and cost effective, and even leap-frog technology in the rest other world, as fewer legacy systems are often in place? Is there a role for governments to incentivize the development of innovative technical solutions by local researchers and local industries?

c) Technical and Industry Development: To what extent are researchers and entrepreneurs from developing countries involved in IoT technical development and deployment? What should be done to encourage participation in development of technical solutions and applications that meet the needs and opportunities of these markets, while being respectful of cultural norms, and building in appropriate levels of security and privacy protection? What new skills may be required in emerging economies to build, deploy, and manage IoT systems? Are industries in emerging economies ready to benefit from IoT technology? Will they be left behind or are they better positioned to leap-frog older industrial technologies? How can researchers and industries in countries with emerging economies be positioned to develop solutions to local economic and social challenges that have direct impact on their societies?

d) Policy and Regulatory Coordination: Policymakers and regulators in emerging economies have made significant progress over the past 10 years to develop and adapt policies and regulations to encourage Internet growth and address related challenges. The demands on technology policymakers in emerging economies are steep, particularly in light of rapid developments and resource constraints. While IoT promises new opportunities, it also will add a new dimension of complexity. What information and resources do policymakers in emerging economies need now to plan for policy demands and questions that will arise with the growth of IoT?

Conclusion

While the concept of combining computers, sensors, and networks to monitor and control devices has been around for decades, the recent confluence of key technologies and market trends is ushering in a new reality for the “Internet of Things’’. IoT promises to usher in a revolutionary, fully interconnected “smart” world, with relationships between objects and their environment and objects and people becoming more tightly intertwined. The prospect of the Internet of Things as a ubiquitous array of devices bound to the Internet might fundamentally change how people think about what it means to be “online”.

While the potential ramifications are significant, a number of potential challenges may stand in the way of this vision – particularly in the areas of security; privacy; interoperability and standards; legal, regulatory, and rights issues; and the inclusion of emerging economies. The Internet of Things involves a complex and evolving set of technological, social, and policy considerations across a diverse set of stakeholders. The Internet of Things is happening now, and there is a need to address its challenges and maximize its benefits while reducing its risks.

The Internet Society cares about IoT because it represents a growing aspect of how people and institutions are likely to interact with and incorporate the Internet and network connectivity into their personal, social, and  economic lives. Solutions to maximizing the benefits of IoT while minimizing the risks will not be found by engaging in a polarized debate that pits the promises of IoT against its possible perils. Rather, it will take informed engagement, dialogue, and collaboration across a range of stakeholders to plot the most effective ways forward.








}