All rights reserved, Arthur’s Legal B.V.
Future-Proof Security & Privacy in IoT
From State of Play, To State of The Art
Arthur van der Wees, LLM, Managing Director Arthur’s Legal, the global tech-by-design law firm & strategic knowledge partner
Expert Advisor to the European Commission (IoT, Data Value Chain, AI, Robotics, Computing, Cybersecurity, Privacy & Accountability)
Project Leader H2020 IoT LSPs & CSAs Activity Group on Trust, Security, Privacy, Accountability & Liability
Specialist Task Force ETSI (STF 547) Co-Leader for Security in IoT & Privacy in IoT
Co-Founding Member, Alliance for IoT Innovation (AIOTI)
Leader AIOTI Privacy in IoT Taskforce & Co-Leader Security in IoT Taskforce
Smart Everything: What’s Your Next Smart?
Combination of Smart Features & Functionalities. But Do They Actually Work?
Smart Everything: Symbiosis of Functional and Non-Functional Functionalities
Multi-Disciplinary vs Inter-Disciplinary
Stand-Alone vs Hyper-Connectivity
Who is Responsible?
Fragmentation
What Can We Do?
What Should We Do?
Back to Basics
Technology
Data, Information, Knowledge
Process
People & Society
People, Process, Technology & Data: Human-Centric Organisations & Systems
From Static Markets to Dynamic Markets
From State of Play to State of the Art
From Rule-Based to Principle-Based
From Continual to Continuous
From Compliance to Accountability
Digital Transparency
From 2018, Digital & Data Are Highly Regulated Domains
Trade Secrets Directive 9 June 2018
1 January 2018
NIS Directive: 9 May 2018; identifying operators of ‘Essential Services’: 9 November 2018
GDPR: 25 May 2018
e-Privacy Regulation (draft)
Free Flow of Data Regulation (draft)
PSD2: 13 January 2018
Cyber Security Act & Certification Scheme (draft)
Public Services Information Directive (revision)
Radio Equipment Directive (2016): registration of radio equipment within some categories: 12 June 2018
A. Technical Measures
B. Organisational Measures
C. Policies & Documentation
Build Your Own SOTA Security in IoT Model: It’s Easy; Just Think N-Dimensional!
1. 35+ SOTA Security Recommendations, Frameworks & Guidelines
2. 1.000+ Security Requirements & Principles (450+ Unique)
3. Segmentation into 4 Layers & 3 Dimensions
4. Structure, Systemize & Semantic Sanitization without Interpretation
5. Context (initially: each of the 5 LSPs)
6. Stakeholders (User, Customer, Supplier, Policy Makers, SDO, Authorities)
7. 5 Life Cycle Methodologies (Device, Data, Stakeholder, Context, Legal)
8. Interdependencies & Double-Looping
1. European Commission (EC) & Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security & Privacy in IoT (2016 & 2017)
2. Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security and Privacy in the Hyper-Connected World (2016)
3. European Commission (EC): Best available techniques reference document for the cyber-security and privacy of the 10 minimum functional requirements of the Smart Metering Systems (2016)
4. European Union Agency for Network and Information Security (ENISA): Auditing Security Measures (2013)
5. European Union Agency for Network and Information Security (ENISA): Cloud Certification Schemes Metaframework (2014)
6. Energy Expert Cyber Security Platform: Cyber Security in the Energy Sector (2017)
7. HM Government, Department for Transport and Centre for the Protection of National Infrastructure: The Key Principles of Cyber Security for Connected and Automated Vehicles (2017)
8. Autorité de régulation des communications électroniques et des postes (ARCEP): Preparing for the internet of things revolution (2016)
9. United States Department of Commerce (DoC): Fostering the advancement of the Internet of Things (2017)
10. United States Department of Homeland Security: Strategic Principles for Securing the Internet of Things (2016)
11. United States Department of Health and Human Services, Food and Drug Administration: Postmarket Management of Cybersecurity in Medical Devices (2016)
12. United States Department of Health and Human Services, Food and Drug Administration: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
13. United States Government Accountability Office: Technology Assessment: Internet of Things – Status and implications of an increasingly connected world (2017)
14. National Institute of Standards and Technology (NIST): Networks of ‘Things’ (2016)
15. IoT Alliance Australia (IoTAA): Internet of Things Security Guideline (2017)
16. GSM Association (GSMA): IoT Security Guidelines Overview Document (2016)
17. GSM Association (GSMA): IoT Security Guidelines for Service Ecosystems (2016)
18. GSM Association (GSMA): IoT Security Guidelines for Endpoint Ecosystems (2016)
19. GSM Association (GSMA): IoT Security Guidelines for Network Operators (2016)
20. IoT Security Foundation (IoTSF): IoT Security Compliance Framework (2016)
21. IoT Security Foundation (IoTSF): Connected Consumer Products Best Practice Guidelines (2016)
22. IoT Security Foundation (IoTSF): Vulnerability Disclosure (2016)
23. Broadband Internet Technical Advisory Group (BITAG): Internet of Things (IoT) Security and Privacy Recommendations (2016)
24. International Organization for Standardization (ISO): Internet of Things Preliminary Report (2014)
25. The Center for Internet Security (CIS): Critical Security Controls v6.0 (2016)
35+, including:
Regulatory Technical Standards of Payment Services Directive (2017)
US Congress Proposal for IoT Cybersecurity Improvement Act (2017)
Online Trust Alliance: IoT Security & Privacy (2017)
OWASP IoT Framework Assessment (2018)
Security & Privacy in IoT / State of the Art (SOTA)
Dynamic Certification & Assurance
How to Validate Continuous SOTA Security, Privacy & Trustworthiness?
And How to Partner Up with Authorities?
Security & Privacy are Solutions, not Problems
Better cybersecurity and (personal) data protection will enable new markets, promote innovation, and give consumers the confidence to use new technologies that improve the quality of life.
Poor security will likely cause the Digital Technology markets to eventually collapse in on themselves as consumers, other users and society (the non-users) begin to lose trust in technology after an accumulation of digital disasters, social meddling and market failure.
No One Has A Monopoly In Cyber. No one has the Single Silver Bullet for Future-Proof, Continuous Cyber Resilience. Collaboration therefore is even more Essential.
But not many are succeeding, yet. Therefore, I Call for Action to the ETSI Security Week Participants to set up collaborations locally, nationally, regionally and globally, with the private & public sectors combined, to join forces & co-create with relevant, like-minded stakeholders: The Coalition of The Willing & Able. To navigate, enable and facilitate society, people and markets in this joint, global, challenging & continuous mission.
Connect & Collaborate
Q&A: Anything Goes!
Arthurslegal.com / Arthur.nl
@Arthurslegal
Man & Technology Symbiosis: Hyperconnectivity!
Legal Notices: All rights reserved, Arthur’s Legal B.V. The content of this document is provided ‘as-is’ and for general information purposes only; it does not constitute strategic, legal or any other professional advice. The content or parts thereof may not be complete, accurate or up to date. Notwithstanding anything contained in this document, Arthur’s Legal B.V. and the Institute for Future of Living disclaim responsibility (including where Arthur’s Legal B.V., the Institute for Future of Living or any of its officers, employees or contractors have been negligent) for any direct or indirect loss, damage, claim, or liability any person, company, organisation or other entity or body may incur as a result, this to the maximum extent permitted by law.