Future-Proof Security & Privacy in IoT

Transcription

1 All rights reserved, Arthur s Legal B.V. Future-Proof Security & Privacy in IoT From State of Play, To State of The Art Arthur van der Wees, LLM Managing Director Arthur s Legal, the global tech-by-design law firm & strategic knowledge partner Expert Advisor to the European Commission (IoT, Data Value Chain, AI, Robotics, Computing, Cybersecurity, Privacy & Accountability) Project Leader H2020 IoT LSPs & CSAs Activity Group on Trust, Security, Privacy, Accountability & Liability Specialist Task Force ETSI (STF 547) Co-Leader for Security in IoT & Privacy in IoT Co-Founding Member, Alliance for IoT Innovation (AIOTI) Leader AIOTI Privacy in IoT Taskforce & Co-Leader Security in IoT Taskforce

2 Smart Everything What s Your Next Smart?

3 Combination of Smart Features & Functionalities But Do They Actually Work?

4 Smart Everything: Symbiosis of Functional and Non-Functional Functionalities

5 Multi-Disciplinary Inter-Disciplinary All rights reserved, Arthur s Legal B.V.

6 Stand-Alone vs Hyper-Connectivity

7 Who is Responsible? All rights reserved, Arthur s Legal B.V.

8 Fragmentation

9 What Can We Do? What Should We Do?

10 Back to Basics

11 All rights reserved, Arthur s Legal B.V. People, Process, Technology & Data Human-Centric Organisations & Systems Data, Information, Knowledge Process People & Society Technology

12 From Static Markets to Dynamic Markets

13 From State of Play to State of the Art

14 From Rule-Based to Principle-Based

15 From Continual to Continuous

16 From Compliance to Accountability

17 Digital Transparency

18 All rights reserved, Arthur s Legal B.V. From 2018, Digital & Data Are Highly Regulated Domains PSD2: 13 January 2018 NIS: 9 May 2018 Identifying operators of Essential Services 9 November 2018 GDPR: 25 May 2018 Trade Secrets Directive 9 June 2018 Radio Equipment Directive (2016) Registration of radio equipment within some categories: 12 June 2018 e-privacy Regulation (draft) Free Flow of Data Regulation (draft) Cyber Security Act & Certification Scheme (draft) Public Services Information Directive (revision) 1 January 2018 All rights reserved, Arthur s Legal B.V.

19 All rights reserved, Arthur s Legal B.V. A. Technical Measures B. Organisational Measures C. Policies & Documentation

20 Build Your Own SOTA Security in IoT Model It s Easy; Just Think N-Dimensional! SOTA Security Recommendations, Frameworks & Guidelines Security Requirements & Principles (450+ Unique) 3. Segmentation into 4 Layers & 3 Dimensions 4. Structure, Systemize & Semantic Sanitization without Interpretation 5. Context (initially: each of the 5 LSPs) 6. Stakeholders (User, Customer, Supplier, Policy Makers, SDO, Authorities) 7. 5 Life Cycle Metholodogies (Device, Data, Stakeholder, Context, Legal) 8. Interdependencies & Double-Looping

21 Security & Privacy in IoT / State of the Art (SOTA) 1. European Commission (EC) & Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security & Privacy in IoT (2016 & 2017) 2. Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security and Privacy in the Hyper-Connected World (2016) 3. European Commission (EC): Best available techniques reference document for the cyber-security and privacy of the 10 minimum functional requirements of the Smart Metering Systems (2016) 4. European Union Agency for Network and Information Security (ENISA): Auditing Security Measures (2013) 5. European Union Agency for Network and Information Security (ENISA): Cloud Certification Schemes Metaframework (2014) 6. Energy Expert Cyber Security Platform: Cyber Security in the Energy Sector (2017) 7. HM Government, Department for Transport and Centre for the Protection of National Infrastructure: The Key Principles of Cyber Security for Connected and Automated Vehicles (2017) 8. Autorité de régulation des communications électroniques et des postes (ARCEP): Preparing for the internet of things revolution (2016) 9. United States Department of Commerce (DoC): Fostering the advancement of the Internet of Things (2017) 10. United States Department of Homeland Security: Strategic Principles for Securing the Internet of Things (2016) 11. United States Department of Health and Human Services, Food and Drug Administration: Postmarket Management of Cybersecurity in Medical Devices (2016) 12. United States Department of Health and Human Services, Food and Drug Administration: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices 13. United States Government Accountability Office: Technology Assessment: Internet of Things Status and implications of an increasingly connected world (2017) 14. National Institute of Standards and Technology (NIST): Networks of Things (2016) 15. IoT Alliance Australia (IoTAA): Internet of Things Security Guideline (2017) 16. GSM Association (GSMA): IoT Security Guidelines Overview Document (2016) 17. GSM Association (GSMA): IoT Security Guidelines for Service Ecosystems (2016) 18. GSM Association (GSMA): IoT Security Guidelines for Endpoint Ecosystems (2016) 19. GSM Association (GSMA): IoT Security Guidelines for Network Operators (2016) 20. IoT Security Foundation (IoTSF): IoT Security Compliance Framework (2016) 21. IoT Security Foundation (IoTSF): Connected Consumer Products Best Practice Guidelines (2016) 22. IoT Security Foundation (IoTSF): Vulnerability Disclosure (2016) 23. Broadband Internet Technical Advisory Group (BITAG): Internet of Things (IoT) Security and Privacy Recommendations (2016) 24. International Organization for Standardization (ISO): Internet of Things Preliminary Report (2014) 25. The Center for Internet Security (CIS): Critical Security Controls v6.0 (2016) 35 + Regulatory Technical Standards of Payment Services Directive (2017) US Congress Proposal for IoT Cybersecurity Improvement Act (2017) Online Trust Alliance: IoT Security & Privacy (2017) OWASP IoT Framework Assessment (2018)

22 Dynamic Certification & Assurance How to Validate Continuous SOTA Security, Privacy & Trustworthiness? And How to Partner Up with Authorities?

23 Security & Privacy are Solutions, not Problems Better cybersecurity and (personal) data protection will enable new markets, promote innovation, and give consumers confidence to use new technologies that improve the quality of life. Poor security will likely cause the Digital Technology markets to eventually collapse on itself as consumers, other users and society (the non-users) begin to lose trust in technology from compilations of digital disasters, social meddling and market failure.

24 No One Has A Monopoly In Cyber No one has the Single Silver Bullet for Future-Proof, Continuous Cyber Resilience. Collaboration therefore is even more Essential. But not many are succeeding, yet. Therefore, I Call for Action to the ETSI Security Week Participants to locally, nationally, regionally and globally setting up collaborations with both private & public sectors combined to join forces & co-create with relevant, likeminded stakeholders: The Coalition of The Willing & Able. To navigate, enable and facilitate society, people and markets in this joint, global, challenging & continuous mission.

25 Connect & Collaborate

26 Man & Technology Symbiosis: Hyperconnectivity! Q&A: Anything Goes! Arthurslegal.com

27 Legal Notices All rights reserved, Arthur s Legal B.V. The content of this document is provided as-is and for general information purposes only; it does not constitute strategic, legal or any other professional advice. The content or parts thereof may not be complete, accurate or up to date. Notwithstanding anything contained in this document, Arthur s Legal B.V. and the Institute for Future of Living disclaim responsibility (including where Arthur s Legal B.V., the Institute for Future of Living or any of its officers, employees or contractors have been negligent) for any direct or indirect loss, damage, claim, or liability any person, company, organisation or other entity or body may incur as a result, this to the maximum extent permitted by law.