The Internet of Things (IoT) is a key enabling technology for applications with high societal relevance and impact. Application domains include smart cities, making the life in dense urban environments more comfortable; smart cars, increasing driving safety and comfort; smart factories, controlling and optimizing production processes; smart grids, improving the efficiency of production, distribution, and consumption of energy; as well as smart buildings, maximizing the comfort of its inhabitants and reducing energy consumption.

These attractive applications represent a long-term investment and are only feasible if the underlying IoT technology does not fail. Any failure in meeting application-specific requirements and in conveying information about the state of things and places in a reliable, timely, and energy-efficient manner may result in high costs, insufficient user satisfaction, and physical damage to people or things.

The key challenge is that in the traditional Internet powerful servers are sheltered in air-conditioned data centers directly connected to power plants, whereas the Internet of Things requires highly resource-constrained computers to be embedded into adverse environments. Smart objects are indeed often directly exposed to heat, humidity, mechanical shock, electromagnetic radiation, and physical attacks, and some of these hostile environmental conditions can drastically affect the overall system performance. Electromagnetic radiation and ambient temperature, for example, have a profound impact on the achievable performance of low-power wireless sensor networks used to sense and convey information about the state of things [5]. For example, radio interference from co-located Wi-Fi and Bluetooth networks may cause a significant message loss, which in turn leads to an increase in end-to-end latency and energy consumption [6]. Variations in temperature over time and space affect the operation of electrical and electronic components and can have a significant impact on clock drift, battery capacity and discharge, as well as on the efficiency of low-power radios [9].

Adverse environmental conditions have typically a strong impact on the reliability and energy-efficiency of IoT communication and are not only hard to predict for a given deployment site, but they may also largely vary from one deployment site to another, thus hindering the scalable deployment of IoT applications. As a result, the development of IoT solutions is severely constrained and often limited to non-critical monitoring applications. Typical methods to avoid failures and to increase fault-tolerance rely heavily on redundancy, which however collides with the resource constraints of common IoT devices and with the space/cost requirements for additional backup hardware. For this reason, withstanding the severe threats posed by adverse environmental effects with scarce resources remains an open challenge.

In this article, we illustrate our efforts in tackling this challenge and providing methods and tools to predict, guarantee, and ultimately raise the level of dependability of the IoT. In Sect. 2, we describe a systematic framework that enables the development of dependable IoT applications by taking into account the challenging interaction of IoT platforms and protocols with the surrounding environment, and show how it can be employed to mitigate the impact of temperature variations on low-power wireless networks.

We then describe in Sect. 3 additional dependability threats for typical IoT systems such as complexity (e.g., scaling bugs) and physical attacks, arguing that different scientific disciplines should join forces and work towards a coherent view of dependability. We provide examples of open research challenges (e.g., how to systematically ascertain that independently developed smart things interact correctly and robustly) and delineate our research road-map for the systematic construction of a dependable IoT that is resilient against failures and attacks. We finally conclude this article in Sect. 4 with a summary of our contributions.

In order to allow IoT applications to withstand adverse environmental conditions, we have studied methods to increase the reliability and energy-efficiency of networks deployed in harsh settings. In the context of the RELYonIT project,¹ we have created a systematic framework that enables the development of dependable IoT applications by taking into account the challenging interaction of IoT platforms and communication protocols with the surrounding environment [8]. To this end, we followed the methodology illustrated in Fig. 1 and devised parameterizable environmental models that capture how environmental properties (e.g., temperature and radio interference) vary over time and platform models that capture how these environmental properties affect the operation of a hardware (HW) platform. A specification language allows a user to specify dependability requirements for a given application that drive the automatic selection and parametrization of environment-aware communication protocols such that performance requirements can be met for a given environment and HW platform (or the infeasibility of these requirements is detected). If environmental properties change at runtime, the framework automatically adapts protocol parameters to reflect the new environmental model.

Open image in new window

We illustrate next an example of how we employed this framework to mitigate the impact of temperature variations on low-power wireless networks deployed outdoors [16].

2.1 Mitigating the impact of temperature variations on low-power wireless networks

Real-world deployments of IoT systems have shown how low-power wireless sensors deployed outdoors often experience high on-board temperature fluctuations, especially if they are placed inside IR-transparent enclosures exposed to direct sun radiation [9]. These large temperature variations can have a severe impact on the operation of carrier sense multiple access (CSMA) protocols, because they can reduce the effectiveness of clear channel assessment (CCA) and compromise the ability of a sensor node to avoid collisions and to successfully wake-up from low-power mode [7]. At high temperatures, indeed, the efficiency of low-power radios reduces significantly: as a result, the signal strength between two wireless sensor nodes \(A\) and \(B\) decreases by up to 10 dB when the on-board temperature of both nodes increases from 5 °C to 55 °C [9]. State-of-the-art CSMA protocols typically compare the received signal strength \(s_{\mathrm{r}}\) to a static CCA threshold \(\zeta \) to determine if a node should remain awake to receive a packet or if it should return to sleep mode. As illustrated in Fig. 2, the decrease in signal strength induced by an increase in temperature may lead to a situation in which \(s_{\mathrm{r}}\) decreases and becomes lower than \(\zeta \). If this happens, the receiver node remains constantly in sleep mode, causing the disruption of the wireless link [7].

Open image in new window

In order to allow IoT applications to meet their performance requirements despite temperature variations, we employ the framework shown in Fig. 1 to find a suitable configuration of \(\zeta \). To this end, we derive three models:

1. 1.

   An environmental model capturing the relevant aspects of the environment. Such model can be simply based on on-board temperature ranges recorded on the sensor nodes at specific times of the day. If we sub-divide each day into intervals of equal length and run a data collection application prior deployment capturing the on-board temperature variations over several days, we can obtain a model that outputs the minimum/maximum expected temperature as a function of the time of the day.

    
2. 2.
   A platform model mapping environmental parameters to variables that are relevant for the operation of IoT hardware: such models would capture the relationship between the on-board temperature of sender and receiver nodes and the attenuation of the received signal strength for the HW in use. Denoting \(\mathit{PL}\) as the path loss between a transmitter-receiver pair, \(P_{\mathrm{t}}\) as the transmission power, \(P_{\mathrm{r}} = P_{t} - \mathit{PL}\) as the received power, and \(P_{ \mathrm{n}}\) as the noise floor at the receiver, the impact of temperature on the signal-to-noise ratio (SNR) can be described as:

   $$\begin{aligned} \mathrm{SNR} =& (P_{\mathrm{t}} - \alpha \Delta T_{\mathrm{t}}) - ( \mathit{PL} + \beta \Delta T_{\mathrm{r}}) \\ &{} - \biggl(P_{\mathrm{n}} - \gamma \Delta T_{\mathrm{r}} + 10 \log_{10}\biggl(1 + \frac{\Delta T_{\mathrm{r}}}{T_{\mathrm{r}}}\biggr) \biggr) \\ =& (P_{\mathrm{r}} - \alpha \Delta T_{\mathrm{t}} - \beta \Delta T _{\mathrm{r}}) \\ &{} - \biggl(P_{\mathrm{n}} - \gamma \Delta T_{\mathrm{r}} + 10 \log_{10}\biggl(1 + \frac{\Delta T_{\mathrm{r}}}{T_{\mathrm{r}}}\biggr) \biggr) \end{aligned}$$

   (1)

   where the constants \(\alpha \), \(\beta \), and \(\gamma \) with units \(\mathrm{dB}/\mathrm{K}\) denote respectively the effect on transmitted power, received power, and on the noise floor, the values \(T_{ \mathrm{t}}\) and \(T_{\mathrm{r}}\) represent the reference temperature of transmitter and receiver; whilst \(\Delta T_{\mathrm{t}}\) and \(\Delta T_{\mathrm{r}}\) capture the difference of current temperature with respect to \(T_{\mathrm{t}}\) and \(T_{\mathrm{r}}\) [9].
    
3. 3.
   A protocol model describing how the operations of the employed protocol are affected by temperature changes. In our case, the packet reception rate (PRR) in IoT CSMA-based protocols such as ContikiMAC [10] can be estimated by analyzing how the signal strength \(s_{\mathrm{r}}\) with which the packet is received relates to the selected CCA threshold \(\zeta \) and to the transitional phase of the radio response. If \(s_{\mathrm{r}} \geq \zeta \), the node infers that an ongoing transmission is present and remains awake to receive the packet; if \(s_{\mathrm{r}} < \zeta \), the node infers that there is no ongoing transmission and returns to sleep mode without receiving the packet. The PRR further decreases in the transitional region according to a sigmoid curve \(f\) in which the probability \(p\) of receiving a packet is \(p = (1-f(P_{\mathrm{r}} - P_{\mathrm{n}}))^{b}\) with \(P_{\mathrm{r}}\) being the received signal strength, \(P_{ \mathrm{n}}\) the sensitivity threshold of the radio, and \(b\) the number of bits in the packet [20]. Denoting \(s_{0.99}\) and \(s_{0.01}\) as the signal strength that leads to a delivery rate of 0.99 and 0.01, respectively, we can define three reception regions, as shown in Fig. 3: a connected region, where the received signal strength is above \(s_{0.99}\); a disconnected region, where the signal strength is below \(s_{0.01}\), and a transitional region of length \(\tau \) dB, where the delivery rate drops monotonically between 1 and 0.

   Open image in new window

   Because of the dependency between signal strength and temperature, a variation in the on-board temperature at the receiver or at the transmitter will cause the receiver to measure a signal strength \(s_{\mathrm{r}}^{\prime} = (s_{\mathrm{r}} - \alpha \Delta T_{\mathrm{t}} - \beta \Delta T_{\mathrm{r}})\) (see Eq. (1)), i.e., an increase (decrease) in \(T_{\mathrm{t}}\) and/or \(T_{\mathrm{r}}\) will attenuate (strengthen) \(s_{\mathrm{r}}\) into \(s_{\mathrm{r}}^{\prime}\). Figure 3 shows an example in which the received signal strength \(s_{\mathrm{r}}\) decreases (i.e., is shifted to the left) due to an increase of temperature in both transmitter (\(\alpha \Delta T_{\mathrm{t}}\) component) and receiver (\(\beta \Delta T_{ \mathrm{r}}\) component). To predict if a change in the on-board temperature affects packet reception, we need to verify if \(s_{ \mathrm{r}}^{\prime} < \zeta \). If this is the case, no packet will be received, as the device will return to sleep mode after having assumed no ongoing transmission. Similarly, if the on-board temperature of the receiver changes, also the position of the sigmoid curve may change. To predict how \(s_{0.01}\) and \(s_{0.99}\) would change in relation to temperature variation we use Eq. (1) to derive \(s_{0.99}' = s _{0.99} - \Delta T_{\mathrm{r}} \gamma \) and \(s_{0.01}' = s_{0.01} - \Delta T_{\mathrm{t}} \gamma \).

   Finally, we can estimate the packet delivery rate \(PRR'\) given a specific \(\zeta \) value for each link \(i\) in the network as:

   $$ \mathrm{PRR}' = \left \{ \textstyle\begin{array}{l@{\quad }l} 1, & \text{if }\max \{\zeta , s_{0.99}'\} < s_{\mathrm{r}}' \\ p, & \text{if }s_{0.01}' \le \zeta < s_{\mathrm{r}}' \le s_{0.99}' \\ 0, & \text{otherwise} \end{array}\displaystyle \right . $$

   (2)

   and use this model to estimate the worst case delivery rate given a specific temperature variation/range.
    

These three models allow predictions of the performance of a low-power wireless network in presence of temperature variations given specific configurations of \(\zeta \). To automatically identify a (near-)optimal configuration that satisfies the dependability requirements of an IoT application, the framework employs mathematical optimization. Given user-defined dependability requirements as input, the framework outputs optimal parameters for the employed communication protocol. In our case, the framework exposes one configuration parameter, \(\zeta \), and provides a number of metrics that can be used to define goals or constraints. The primary metric is the worst-case PRR of a link that can be accepted by the application of interest. Another metric is minimal energy consumption to ensure a long system lifetime. These requirements lead to an optimization problem such as:

$$ \textstyle\begin{array}{l@{\quad }l} \textrm{Maximize} & \operatorname{CCA}([\zeta ]) \\ \textrm{Subject to} & \operatorname{PRR}([\zeta ]) \geq 0.85\text{ with probability}\ 1.00 \\ & \operatorname{PRR}([\zeta ]) \geq 0.95\text{ with probability}\ 0.9 \end{array} $$

(3)

where \(\zeta \) should be maximized while not violating the constraints on PRR (in this example at least 85 % at all times and at least 95 % in at least 90 % of the cases). Maximizing CCA ensures low energy-consumption, as lower CCA values lead to a higher number of false wake-ups and an increased radio usage. A real-world evaluation has shown that the framework is indeed able to pick the most optimal CCA threshold given a set of dependability requirements and correctly parametrize IoT protocols such that the impact of harsh temperature variations can be predicted and minimized [16].

In our research, we developed further models and employed the described framework to configure other protocol parameters and increase the resilience of low-power networks to surrounding radio interference, as well as to optimize to cycling selection in order to minimize energy expenditure. Further details can be found in [8].

The framework presented in Sect. 2 enables resilient low-power wireless communication despite harsh environmental conditions. However, dependability is the combination of several attributes that allow a user to put trust into and rely on a system [3]. Such attributes are reliability (i.e., continuity of correct, accurate, and timely service), availability (i.e., readiness for correct service), safety (i.e., absence of catastrophic consequences on users and environments); confidentiality (absence of unauthorized disclosure of information); and integrity (i.e., absence of improper system alteration).

Providing methods and concepts to guarantee that IoT applications meet specific dependability requirements is a hot research topic. In this article, we have illustrated our efforts in the area of low-power wireless networking and described a framework that helps guaranteeing that specific performance requirements can be met despite the impact of the surrounding environment. We have further analyzed common dependability threats for IoT systems and outlined our research road-map for the systematic construction of a dependable IoT that is resilient against failures and attacks.