With the advent of the Internet of Things (IoT), the impact of cybersecurity and privacy risks is not further restricted to the cyberspace. The IoT connects physical objects such as buildings, vehicles, production facilities and wind turbines with the Internet enabling them to collect and exchange an increasing amount of data. With Internet connectivity and data collection built into all physical objects, cyber risks threaten the functioning of society’s critical services such as food, energy and water supply and endanger human privacy.

As Marc Elsberg has contemplated in his novel “Blackout”, cyberterrorist attacks on the smart electricity grid may trigger a power breakdown of nearly global reach. An elongated, widespread cyber-induced blackout could have disastrous consequences on human safety, health and welfare. Global corporate and government networks been compromised by advanced persistent threats (APTs) for years enable attackers to destroy industry facilities and public infrastructure on a mouse-click causing economic damage in the billions. The possibility of effective and universal cyberwarfare has become an alarming reality. Personal health data aggregated from different smart health devices may have the potential to expose a meaningful health status of patients to employers, and the government infringing their privacy.

This course approaches how IoT-connected cyberphysical systems can be designed to be resilient against these cyber risks by rigorously following a Security and Privacy by Design process. The European Union’s regulatory frameworks addressing the new threat landscape such as the Network and Information Security Directive 2016/1148 and the General Data Protection Regulation 2016/679 are embraced. Risks and mitigating controls specific to essential services for different critical industry sectors such as energy, transport, banking, financial market infrastructure, health, drinking water supply and telecommunication are elucidated.

Subject-related skills

• Know about threats, risks and controls to security and data protection in the Internet of Things.
• Understand the specific challenges to security and crisis protection specific to essential services in critical sectors (energy, transport, banking, financial market infrastructure, health, drinking water supply and telecommunication).
• Understand the regulatory context of security and data protection in the Internet of Things within the European Union.
• Judge on the impact IoT technologies have on human safety, privacy, freedom and autonomy as well as on the security of connected ICT systems.

Transferable skills

• Apply a Security and Privacy by Design process in the lifecycle of IoT systems.
• Discuss research-oriented topics related to the design, security, privacy, resilience, ethical and legal foundations of information technology in the IoT and in critical infrastructures.

Following attendance is mandatory:

• attendance in the introductory unit (else you will lose the place in the course)
• The attendance requirement is met if a student is present at least 80% of the time.

The seminar is taught in an interactive manner and is guided by current research results. Students are expected to work in teams and at their own discretion.

Grading involves at least 3 independent components, including:

• 45% Student lecture and accompanying written materials
• 35% Mini-test
• 20% Active participation in lectures and in-class exercises

Grading system

87.5% - 100%   = Excellent ("Sehr gut" )
75% - 87.49%   = Good ("Gut")
62.5% - 74.99%  = Satisfactory ("Befriedigend")
50% - 62.49%  = Sufficient ("Genügend" )
Below 50%  = Fail ("Nicht Genügend")

Text book

Gilchrist, A. (2017). IoT Security Issues. Boston: De Gruyter.

The textbook is a mandatory reading for all students and available in the university library.

Successful completion of course 1 (“Basics of ICT” / “Grundzüge der IKT”) of the SBWL Business Information Systems.

It is strongly recommended to also have completed course 2 to 4 of the SBWL before commencing with this course.

If you hold a valid registration for the course but are unable to participate, please deregister during the open registration period in LPIS. Your spot can be granted to other fellow students.

Spots are allocated on a first-come, first-served basis during the registration period.

After completion of the registration period, available spots will be allocated to students on the waiting list who have no valid registration for the relevant curricula's point. Students will be ranked by their study progress as determined by the vice rectorat for teaching ("hardship principle"), not by their rank on the waiting list.

Important Note: The participation in the first unit is mandatory; students who fail to come forfeit their place to students on the waiting list. Students can excuse themselves if the reason for missing the first unit is serious and will concern only the first unit. Free places are allocated to students in the waiting list sequence who come to the first unit.