The Internet of Things (IoT) has become firmly established in both business and everyday life, with numerous distributed and highly diversified “things” sensing different aspects of their environment. Different combinations of devices, sensors and business scope across domains provide the bill of materials for numerous, often unprecedented, applications, leaving room for both inspiration and innovation. The connected things are continuously increasing in volume and capabilities, collecting huge amounts of data. IDC predicted in 2020 that by 2025 there will be 55.7 B connected devices worldwide, 75% of which will be connected to an IoT platform [1]. IDC also estimates in the same report that data generated from connected IoT devices will reach 73.1 ZB by 2025, growing from 18.3 ZB in 2019. Moreover, Gartner estimated in 2020 that 47% of organizations intend to increase investments in IoT despite the impact of COVID-19 [2]. The same survey reveals that IoT adoption is primarily driven by the Digital Twin and Artificial Intelligence (AI) technologies.
AI provides the intelligence to an IoT platform that enables translating raw information into useful forecasts and insights that allow triggering actions in business-specific defined workflows. Together, IoT and AI have revolutionized the perception of smartness in connected systems, providing insights to digital pioneers both in real time and in great detail.
Machine Learning (ML) is an AI technology that automatically identifies patterns and detects anomalies in the data collected by IoT devices, such as temperature, pressure, humidity, air quality, vibration and sound, but also images, video and voice. Moreover, other AI technologies such as speech recognition and computer vision allow identifying linguistic or visual patterns, enabling inference decisions that until recently only humans could make. AI applications for IoT enable companies to avoid unplanned downtime, increase operating efficiency, spawn new products and services, and enhance risk management [3].
At its basic level, AI enables the prediction of undesired or risky events, while at a more advanced level it is combined with actuation capabilities in IoT systems, which enable automated reaction to such events without human intervention. Indeed, several ML techniques aim to improve the efficiency of the models in making predictions, such as Deep Learning, Reinforcement Learning, Transfer Learning, as well as Federated Learning, as discussed in D3.1. Federated Learning (FL) aims to build and train global models based on training datasets that are distributed across different remote devices while avoiding data leakage.
Despite the indisputable benefits of the combined use of IoT and AI, the extensive use of connected and highly automated systems may raise cybersecurity concerns. As stated in the State of the Union (SOTEU) in 2021, “if everything is connected, everything can be hacked” [4]. SOTEU 2021 identified the need for a European Cyber Defense Policy, including legislation on common standards under a new European Cyber Resilience Act. Moreover, SOTEU 2020 [5] had already identified the need for realizing the Digital Decade in Europe, and IoT together with AI can be a driving force.
The legislative framework of the European Commission towards cybersecurity builds upon:
- The EU Cybersecurity strategy [6], which proposes building a European Cyber Shield via a network of Security Operations Centres across the EU, identifying the significance of AI and ML techniques for detecting malicious activities in such centres. It also suggests providing ultra-secure communication infrastructure, integrating cutting-edge technologies such as Quantum, 5G, AI and edge computing.
- The Directive on Security of Network and Information Systems (the NIS Directive) (EU) 2016/1148 [7], which is at the core of the EU Single Market for cybersecurity. It states the need to take technical and organizational measures to “address risks” posed to systems of both Operators of Essential Services (OES) and providers of digital services. Both IoT and AI are at the core of such operations. A reformed NIS Directive has been proposed, in order to “provide the basis for more specific rules that are also necessary for strategically important sectors, including energy, transport and health” [8]. The draft NIS2 Directive [9] contains a catalogue of measures listing, among other things, risk analysis and security concepts, prevention of security incidents and crisis management, which companies must implement as a minimum.
- The Cybersecurity Act [10], which promotes ICT certification at EU level, based on a European Cybersecurity Certification Framework, so that ICT products, services and processes in the EU operate with an adequate cybersecurity level.
In addition, the General Data Protection Regulation (GDPR) requires risk assessment procedures to be in place for organizations that collect, process and store Personally Identifiable Information (PII). Article 34 of the GDPR states that “the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize” [11].
Considering these, IoT-NGIN provides a set of cybersecurity tools for IoT Federated Learning systems. The main project contributions are towards anomaly detection and threat monitoring, aiming to identify both existing and zero-day network-level attacks suffered by connected systems, as well as data and model poisoning attacks compromising FL systems. IoT-NGIN leverages ML and Generative Adversarial Networks to train and develop its Malicious Attack Detection (MAD) service. Moreover, IoT-NGIN designs and develops a distributed vulnerability scanning service for IoT devices, as well as a distributed network of dynamically changing honeypots that lure attackers and trace their activity in controlled environments, without compromising the production environment’s operation. Such threat monitoring allows companies to assess and mitigate the cybersecurity risks that are possible in their IoT systems, helping them comply with the EU regulations for cybersecurity.