Future-Proof Security & Privacy in IoT - ETSI · 2018-06-21 · United States Department of...

Date post: 11-Jun-2020
Page 1: Future-Proof Security & Privacy in IoT - ETSI · 2018-06-21 · United States Department of Homeland Security: Strategic Principles for Securing the Internet of Things (2016) 11.

All rights reserved, Arthur’s Legal B.V.

Future-Proof Security & Privacy in IoT

From State of Play, To State of The Art

Arthur van der Wees, LLM

Managing Director, Arthur’s Legal, the global tech-by-design law firm & strategic knowledge partner

Expert Advisor to the European Commission (IoT, Data Value Chain, AI, Robotics, Computing, Cybersecurity, Privacy & Accountability)

Project Leader H2020 IoT LSPs & CSAs Activity Group on Trust, Security, Privacy, Accountability & Liability

Specialist Task Force ETSI (STF 547) Co-Leader for Security in IoT & Privacy in IoT

Co-Founding Member, Alliance for IoT Innovation (AIOTI)

Leader AIOTI Privacy in IoT Taskforce & Co-Leader Security in IoT Taskforce

Page 2:

Smart Everything

What’s Your Next Smart?

Page 3:

Combination of Smart Features & Functionalities

But Do They Actually Work?

Page 4:

Smart Everything: Symbiosis of Functional and Non-Functional Functionalities

Page 5:

Multi-Disciplinary

Inter-Disciplinary

Page 6:

Stand-Alone vs Hyper-Connectivity

Page 7:

Who is Responsible?

Page 8:

Fragmentation

Page 9:

What Can We Do?

What Should We Do?

Page 10:

Back to Basics

Page 11:

Technology

Data, Information, Knowledge

Process

People & Society

People, Process, Technology & Data

Human-Centric Organisations & Systems

Page 12:

From Static Markets to Dynamic Markets

Page 13:

From State of Play to State of the Art

Page 14:

From Rule-Based to Principle-Based

Page 15:

From Continual to Continuous

Page 16:

From Compliance to Accountability

Page 17:

Digital Transparency

Page 18:

From 2018, Digital & Data Are Highly Regulated Domains

Trade Secrets Directive: 9 June 2018

1 January 2018

NIS: 9 May 2018; identifying operators of ‘Essential Services’: 9 November 2018

GDPR: 25 May 2018

e-Privacy Regulation (draft)

Free Flow of Data Regulation (draft)

PSD2: 13 January 2018

Cyber Security Act & Certification Scheme (draft)

Public Services Information Directive (revision)

Radio Equipment Directive (2016); registration of radio equipment within some categories: 12 June 2018

Page 19:

A. Technical Measures

B. Organisational Measures

C. Policies & Documentation

Page 20:

Build Your Own SOTA Security in IoT Model

It’s Easy; Just Think N-Dimensional!

1. 35+ SOTA Security Recommendations, Frameworks & Guidelines

2. 1.000+ Security Requirements & Principles (450+ Unique)

3. Segmentation into 4 Layers & 3 Dimensions

4. Structure, Systemize & Semantic Sanitization without Interpretation

5. Context (initially: each of the 5 LSPs)

6. Stakeholders (User, Customer, Supplier, Policy Makers, SDO, Authorities)

7. 5 Life Cycle Methodologies (Device, Data, Stakeholder, Context, Legal)

8. Interdependencies & Double-Looping

Page 21:

1. European Commission (EC) & Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security & Privacy in IoT (2016 & 2017)
2. Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security and Privacy in the Hyper-Connected World (2016)
3. European Commission (EC): Best available techniques reference document for the cyber-security and privacy of the 10 minimum functional requirements of the Smart Metering Systems (2016)
4. European Union Agency for Network and Information Security (ENISA): Auditing Security Measures (2013)
5. European Union Agency for Network and Information Security (ENISA): Cloud Certification Schemes Metaframework (2014)
6. Energy Expert Cyber Security Platform: Cyber Security in the Energy Sector (2017)
7. HM Government, Department for Transport and Centre for the Protection of National Infrastructure: The Key Principles of Cyber Security for Connected and Automated Vehicles (2017)
8. Autorité de régulation des communications électroniques et des postes (ARCEP): Preparing for the internet of things revolution (2016)
9. United States Department of Commerce (DoC): Fostering the advancement of the Internet of Things (2017)
10. United States Department of Homeland Security: Strategic Principles for Securing the Internet of Things (2016)
11. United States Department of Health and Human Services, Food and Drug Administration: Postmarket Management of Cybersecurity in Medical Devices (2016)
12. United States Department of Health and Human Services, Food and Drug Administration: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
13. United States Government Accountability Office: Technology Assessment: Internet of Things – Status and implications of an increasingly connected world (2017)
14. National Institute of Standards and Technology (NIST): Networks of ‘Things’ (2016)
15. IoT Alliance Australia (IoTAA): Internet of Things Security Guideline (2017)
16. GSM Association (GSMA): IoT Security Guidelines Overview Document (2016)
17. GSM Association (GSMA): IoT Security Guidelines for Service Ecosystems (2016)
18. GSM Association (GSMA): IoT Security Guidelines for Endpoint Ecosystems (2016)
19. GSM Association (GSMA): IoT Security Guidelines for Network Operators (2016)
20. IoT Security Foundation (IoTSF): IoT Security Compliance Framework (2016)
21. IoT Security Foundation (IoTSF): Connected Consumer Products Best Practice Guidelines (2016)
22. IoT Security Foundation (IoTSF): Vulnerability Disclosure (2016)
23. Broadband Internet Technical Advisory Group (BITAG): Internet of Things (IoT) Security and Privacy Recommendations (2016)
24. International Organization for Standardization (ISO): Internet of Things Preliminary Report (2014)
25. The Center for Internet Security (CIS): Critical Security Controls v6.0 (2016)

35+

Regulatory Technical Standards of Payment Services Directive (2017)

US Congress Proposal for IoT Cybersecurity Improvement Act (2017)

Online Trust Alliance: IoT Security & Privacy (2017)

OWASP IoT Framework Assessment (2018)

Security & Privacy in IoT / State of the Art (SOTA)

Page 22:

Dynamic Certification & Assurance

How to Validate Continuous SOTA Security, Privacy & Trustworthiness?

And How to Partner Up with Authorities?

Page 23:

Security & Privacy are Solutions, not Problems

Better cybersecurity and (personal) data protection will enable new markets, promote innovation, and give consumers confidence to use new technologies that improve the quality of life.

Poor security will likely cause the Digital Technology markets to eventually collapse on themselves as consumers, other users and society (the non-users) begin to lose trust in technology from compilations of digital disasters, social meddling and market failure.

Page 24:

No One Has A Monopoly In Cyber

No one has the Single Silver Bullet for Future-Proof, Continuous Cyber Resilience. Collaboration therefore is even more Essential.

But not many are succeeding, yet. Therefore, I Call for Action to the ETSI Security Week Participants to locally, nationally, regionally and globally set up collaborations with both private & public sectors combined to join forces & co-create with relevant, likeminded stakeholders: The Coalition of The Willing & Able. To navigate, enable and facilitate society, people and markets in this joint, global, challenging & continuous mission.

Page 25:

Connect & Collaborate

Page 26:

Q&A: Anything Goes!

[email protected]

Arthurslegal.com

Arthur.nl

@Arthurslegal

Man & Technology Symbiosis: Hyperconnectivity!

Page 27:

Legal Notices

All rights reserved, Arthur’s Legal B.V. The content of this document is provided ‘as-is’ and for general information purposes only; it does not constitute strategic, legal or any other professional advice. The content or parts thereof may not be complete, accurate or up to date. Notwithstanding anything contained in this document, Arthur’s Legal B.V. and the Institute for Future of Living disclaim responsibility (including where Arthur’s Legal B.V., the Institute for Future of Living or any of its officers, employees or contractors have been negligent) for any direct or indirect loss, damage, claim, or liability any person, company, organisation or other entity or body may incur as a result, this to the maximum extent permitted by law.

