IEEE Trust and Security Workshop for the Internet of ... · 1 Copyright © 2016 IEEE.All rights...

i Copyright © 2016 IEEE. All rights reserved. MEETING RECAP IEEE Trust and Security Workshop for the Internet of Things (IOT) Washington, D.C. 4 February 2016


Trademarks and Disclaimers

IEEE believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. IEEE is not responsible for any inadvertent errors.

The Institute of Electrical and Electronics Engineers, Inc. 3 Park Avenue, New York, NY 10016-5997, USA

Copyright © 2016 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published Month 20xx. Printed in the United States of America.

IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and Electronics Engineers, Incorporated.

IEEE prohibits discrimination, harassment, and bullying. For more information, visit http://www.ieee.org/web/aboutus/whatis/policies/p9-26.html.

No part of this publication may be reproduced in any form, in an electronic retrieval system, or otherwise, without the prior written permission of the publisher.

To order IEEE Press Publications, call 1-800-678-IEEE. Find IEEE standards and standards-related product listings at: http://standards.ieee.org


Notice and Disclaimer of Liability Concerning the Use of IEEE-SA Documents

This IEEE Standards Association (“IEEE-SA”) publication (“Work”) is not a consensus standard document. Specifically, this document is NOT AN IEEE STANDARD. Information contained in this Work has been created by, or obtained from, sources believed to be reliable, and reviewed by members of the Industry Connections IoT activity that produced this Work. IEEE and the Industry Connections IoT Activity members expressly disclaim all warranties (express, implied, and statutory) related to this Work, including, but not limited to, the warranties of: merchantability; fitness for a particular purpose; non-infringement; quality, accuracy, effectiveness, currency, or completeness of the Work or content within the Work. In addition, IEEE and the Industry Connections IoT members disclaim any and all conditions relating to: results; and workmanlike effort. This Industry Connections IoT document is supplied “AS IS” and “WITH ALL FAULTS.”

Although the Industry Connections IoT members who have created this Work believe that the information and guidance given in this Work serve as an enhancement to users, all persons must rely upon their own skill and judgment when making use of it. IN NO EVENT SHALL IEEE OR Industry Connections IoT MEMBERS BE LIABLE FOR ANY ERRORS OR OMISSIONS OR DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO: PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS WORK, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE.

Further, information contained in this Work may be protected by intellectual property rights held by third parties or organizations, and the use of this information may require the user to negotiate with any such rights holders in order to legally acquire the rights to do so.

IEEE and the Industry Connections IoT members make no assurances that the use of the material contained in this work is free from patent infringement. Essential Patent Claims may exist for which no assurances have been made to the IEEE, whether by participants in this Industry Connections IoT activity or entities outside the activity. The IEEE is not responsible for identifying essential patent claims for which a license may be required, for conducting inquiries into the legal validity or scope of patents claims, or determining whether any licensing terms or conditions, if any, or any licensing agreements are reasonable or non-discriminatory. Users are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. No commitment to grant licenses under patent rights on a reasonable or non-discriminatory basis has been sought or received from any rights holder. The policies and procedures under which this document was created can be viewed at http://standards.ieee.org/about/sasb/iccom/.

This Work is published with the understanding that IEEE and the Industry Connections IoT members are supplying information through this Work, not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought. IEEE is not responsible for the statements and opinions advanced in this Work.


Contents

- Executive Summary
- Invited Speakers
- Opening Remarks
- Opening Panel: The Needs and Challenges in Trust, Security, and Privacy for the IoT
- Presentations on Trust and Security for the Internet of Things
- Access Control and Identity Management
- Key Points from Access Control & Identity Management Breakout Session
- Architectural Framework
- Key Points from Architectural Framework Breakout Session
- Policy & Standards
- Key Points from Policy & Standards Breakout Session
- Scenarios and Use Cases
- Key Observations from Brainstorming Sessions


IEEE Trust and Security Workshop for the Internet of Things

Executive Summary

Estimates run as high as 50 to 200 billion Internet of Things (IoT)-connected devices will be in the world by 2020-2025—everything from home appliances to health monitors to countless devices in our environment making sure that crops are growing, that power is flowing, that things are working and safe.

Essential to reaching this future, however, is that the public trusts it—that they believe that their privacy is protected and their security is not compromised. The End to End Trust & Security Workshop for the Internet of Things held in February 2016 in Washington, DC included dozens of presentations on aspects of these questions, developed and presented by thought leaders in academia, industry, not-for-profits, technical organizations, consortiums, and governments from around the world.

IEEE, Internet2, and the National Science Foundation (NSF) as well as a host of other sponsors worked together to gather industry technologists for this workshop who can help drive the Internet of Things (IoT) conversation and contribute to the development of an open architectural framework. The focus of the workshop submissions and discussions was to address the TIPPSS elements of IOT: trust, identity, privacy, protection, safety, and security.

The presentations enabled rich discussions focused in the following broad areas:

End to End Trust and Security

Depending on where you are, definitions of privacy and security differ, sometimes significantly, yet the challenge will be to make the IoT’s architecture as universal as possible to meet those expectations while enabling broad system level interoperability and eliminating vulnerabilities. Different solutions to aspects of this question range from creating an architectural model, to secure, self-monitoring fiber optic and wireless networks, to changing the way devices are developed to make TIPPSS – trust, identity, privacy, protection, safety and security - a primary objective from the start.

Access Control & Identity Management

With new devices coming onto the network constantly, how they are verified and what they are allowed to do is essential to not allowing them to introduce vulnerabilities. At the same time, not every device has to be identified in the same way, and in fact doing so presents privacy risks if every interaction identifies the user fully. In the highly interconnected world users gain access to the information that may reside in the neighboring application domains. Biometrics as a secure form of identification, the Semantic Web as a way to standardize definitions for privacy and security, secure ways to bring new devices into use, and new schemes such as Virtual Organizations for security were all discussed in these sessions.


Architectural Framework

TIPPSS elements are important to be built in with defense in depth, which can be baked in at the hardware, firmware, software and service level of the device and application—but it’s also important that it be done in an efficient way that doesn’t have a high resource cost. Approaches to improving security while keeping its cost low were discussed. This included a layered approach to security, hardware approaches such as deterministic photonic packet switches, an improved taxonomy of error control, and a centralized authority to manage security issues so that every device doesn’t have to on their own. The opportunity to provide an ability for device democracy for applications and use cases that require in-situ real time trust, identity and security was also discussed. The application of these TIPPSS ideas in an architectural framework that would apply in multiple scenarios was explored, including how all these concerns interact with the dynamic environment of intelligent highways, connected vehicles and connected healthcare.

Policy & Standards

The IoT’s future depends on acceptance of standards for privacy and security; it also requires knowing what authorities can and will establish such standards in order to make norms accepted. Policy issues begin with agreement as to where governance is coming from, making it technologically possible in low power environments, while providing transparency from all parties, incentivization for manufacturers, and application to new areas that open up new law and policy such as drones and brain-digital interfaces. The discussion also touched the subject of the gap that exists between policies and technologies and how this gap can be closed through the collaborative efforts of policymakers and technology developers.

Scenarios and Use Cases

In the real world, consumers don’t think about security enough, and they often consider it the manufacturer’s responsibility. Many of the systems that are being implemented such as the Smart Grid are vulnerable to attack or present privacy concerns. Connected vehicles won’t sell if they’re seen as reporting every time you speed to authorities. Privacy needs call for privacy mediators who advocate for users and anonymize the minor details of our daily lives. The DIY (Do It Yourself) and “maker” culture calls for wide education on the issues of trust, identity, privacy, protection, safety and security, leading to a discussion of IoT Ethics and education.


Invited Speakers

- Florence Hudson, Internet2
- Rosio Alvarez, US Department of Energy
- Oleg Logvinov, IEEE (IEEE Internet Initiative and IEEE P2413 Working Group)
- Robert Martin, MITRE, Industrial Internet Consortium (IIC) Steering Committee
- Anita Nikolich, NSF
- Sarah Cooper, M2Mi
- Alan Karp, Earth Computing
- Ira Kovalinka, DSP Omnia Inc.
- Rob Gingell, Resilient Network Systems
- Prof. Scott Streit, Jason Braverman and Hector Hoyos, Hoyos Labs
- Ken Klingenstein, Internet2
- Brian Scriber, CableLabs
- Dr. Wenjia Li, New York Institute of Technology
- Dr. Craig A. Lee, The Aerospace Corporation
- Dr. Erfan Ibrahim, Maurice Martin, National Renewable Energy Lab
- Ted Szymanski, McMaster University
- Cleon Rogers, LRDC Systems LLC
- Yiorgos Makris, Dr. Angelos Antonopolous, Kiruba S. Subramani, Aria Nosratinla, Trela, University of Texas at Dallas
- Margaret Lyell, Explorations Minerva LLC
- Vamsi Gondi, David L. White, Jill Gemmill and Christopher W. Post, Clemson University
- Vyacheslav Zolotnikov, Semen Kort, Ekaterina Rudina, Kaspersky Labs
- William J. Miller, ISO/IEC/IEEE P21451-1-4 (Sensei-IoT*)
- William Woodward, SAE International
- Glenn Fink, Pacific Northwest National Laboratory
- Karen O’Donoghue, Internet Society
- Lillie Coney, chair, IEEE PAR 1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group
- Juan Carlos Zuniga, InterDigital Labs
- John Murray, SRI International
- Dr. Bertrand Cambou, Paul Flikkerma, Constantin Ciocanel, Northern Arizona University
- Edward Aractingi, Marshall University/Internet2 CINO-IoT Working Group
- Michael A. Eisenberg, University of Colorado-Boulder
- Martin Murillo, University of Notre Dame
- Mark Cather, UMBC Chief Information Security Officer
- Pamela Gupta, OutSecure Inc.
- Carl Hewitt, Standard IoT Foundation
- Luke Russell, Carleton University
- Dr. Reza Arghandeh, Florida State University
- Nigel Davies, Lancaster University
- Dr. George Corser, Saginaw Valley State University
- Dr. Rabindra Chakraborty, Senslytics
- Ron Winward, Radware
- Ulf Lindqvist, SRI International
- Steve Wallace, Indiana University


Opening Remarks

Oleg Logvinov, Director, Special Assignments, Industrial & Power Conversion Division, STMicroelectronics; Chair, IEEE Internet Initiative and IEEE P2413 Standard

This event was born at the intersection of two IEEE Initiatives:

- IEEE Internet Initiative (internetinitiative.ieee.org)
- IEEE IoT Initiative (http://iot.ieee.org/)

IEEE Internet Initiative

The mission of the IEEE Internet Initiative is to raise IEEE’s influence and profile in global technology policy in the areas of Internet governance, cybersecurity and cyberprivacy policy development by providing a consensus of sound technical and scientific knowledge and guidance to the process.

The IEEE Internet Initiative is a cross-organizational, multi-domain community that connects technologists and policymakers from around the world to foster a better understanding of, and to improve decisions affecting, Internet governance, cybersecurity, and privacy issues. Regardless of the specific areas of Internet-related technology and policy you work in, nearly everyone has a stake in the future of Internet governance and the related issues of cybersecurity and privacy. Both technologists and policymakers can derive practical benefits from learning more about each other’s perspectives, challenges and opportunities. For technologists, an advanced awareness of public policy issues should lead to the development of sound technical solutions and best practices. For policymakers, access to technologists and an improved grasp of technology will help clarify the trade-offs inherent in related public policy choices and decisions.

To help technologists and policymakers accomplish these and other goals, the IEEE – recognized for its open, transparent, collaborative processes – is convening neutral platforms to support mutually beneficial dialogue and engage other pertinent stakeholders. The IEEE Internet Initiative website, for instance, offers a one-stop destination for current news, upcoming events, recent publications, and a growing trove of rich resources. Other key related activities include:

- supporting and facilitating the development of open standards to address cybersecurity and privacy challenges;
- working to identify societal implications of alternative technology policy solutions;
- monitoring the technology policy landscape;
- supporting, collaborating and partnering with Internet ecosystem entities, and
- connecting stakeholders to a comprehensive framework of conferences, educational programs, and standards.

Dialogue with all interested stakeholders is an essential element of IEEE Internet Initiative’s mission.

IEEE IoT Initiative

The mission of the IEEE IoT Initiative is to serve as the gathering place for the global technical community working on the Internet of Things; to provide the platform where professionals learn, share knowledge, and collaborate on this sweeping convergence of technologies, markets, applications, and the Internet, and together change the world.


The IEEE Internet of Things is one of IEEE’s important, multi-disciplinary, cross-platform Initiatives. The Internet of Things (IoT) is one of the most exciting technological developments in the world today and the global technical community is coalescing around the thought-leading content, resources, and collaborative opportunities provided by the IEEE IoT Initiative.

More information is revealed daily about the Internet of Things and its potential to transform how we communicate with machines and each other. To bring clarity to and disseminate information globally, IEEE Future Directions launched the IEEE IoT Initiative in 2014. It serves as a home for the global community of engineering and technology professionals in industry, academia, and government working in related technologies. Here, professionals learn, share knowledge, and collaborate on this sweeping convergence of technologies, markets, applications, and the Internet. Participants in the community have access to the most trusted resources developed including publications, videos, articles, and interviews, as well as webinars, Hangouts, presentations, workshops, and conferences, this web portal, and much more.


Opening Panel: The Needs and Challenges in Trust, Security, and Privacy for the IoT

Panelists:

Rosio Alvarez, Chief Information Officer, Lawrence Berkeley National Laboratory

Sarah Cooper, Chief Operating Officer, M2Mi

Oleg Logvinov, Director, Special Assignments, Industrial & Power Conversion Division, STMicroelectronics; Chair, IEEE Internet Initiative and IEEE P2413 Standard

Bob Martin, Senior Principal Secure Software & Technology Engineer, MITRE Corporation; Steering Committee, Industrial Internet Consortium

Anita Nikolich, Cybersecurity Program Director, National Science Foundation

Moderator: Florence Hudson, Senior Vice President & Chief Innovation Officer, Internet2

The opening panel presented perspectives from multiple leaders from across the public and private sector on TIPPSS – Trust, Identity, Privacy, Protection, Safety and Security – in IoT. From industrial applications, to government assets, to consumer applications, cybersecurity and TIPPSS are prime areas of required focus. The discussion included architectural frameworks already being developed by the Industrial Internet Consortium, IEEE, the National Institute of Standards and Technology (NIST) along with the need to ensure interoperability and safe, secure systems whether in brownfield or greenfield applications. There is research, development and discovery yet to be done in IoT and those areas need to be explicitly enunciated and addressed. From defense in depth strategies in an IoT device, to the process of ensuring trust and identity of users and devices, to ensure we protect the data and privacy of the individual or entity to which the data pertains, to increasing the safety and security of the application and device, there is much more to do. There is critical infrastructure that requires the utmost safety and security, which can also be in an organization with an open collaborative culture, requiring an ambidextrous management paradigm.

The panel agreed the potential value of IoT is indeed driving the development of use cases and devices, requiring all of us to work together to ensure the diligence of architecting trust, safety, security, and privacy into the IoT technologies and processes today and into the future.


Presentations on Trust and Security for the Internet of Things

Trust And Security Draft Standard Using The Semantic Web – W.J. Miller

One important goal is to provide an IoT approach that meets differing definitions of privacy for personal data around the world. ISO/IEC/IEEE P21451-1-4 offers Semantic Web 3.0 capabilities that include unique identification, access control and identity management, device sharing, built-in Transport Layer Security (TLS), a common reference architecture for data exchange that is technology agnostic and protocol independent. Privacy is protected by use of “Thing Registries” limiting access to those authorized and trusted by the owner of the Thing.

IIRA Meta-Reference Architecture For Diverse Applications – Robert Martin

The Industrial Internet Consortium’s IIRA (industrial internet reference architecture) defines and supports a wide and diverse set of system types in many configurations, connected in many different ways across a wide range of industries, sectors and use case contexts. It supports and guides any creation of solutions for architectural needs, and its open architecture and interoperability and the use of allied testbeds helps advance innovation and best practices.

Network End to End Data Link Evaluation System (NEEDLES) For Optical Cable Monitoring – William Woodward

Originally developed for the Navy, NEEDLES is a standard for detecting impairment in fiber optics. It consists of one main document and several slash sheets. Designed to be non-intrusive and non-destructive, it provides a 24/7 condition status of the entire fiber optic network, detecting faults and isolating them in real time.

Report on 2015 IoT Security and Privacy Keynotes Workshop – Glenn Fink

At the 2015 IoT Security and Privacy Keynotes Workshop, held in conjunction with the IoT World Forum in Milan, participants identified six key areas where security and privacy improvements were needed for the IoT’s future growth: data privacy, data provenance, lifecycle data encryption, scalable infrastructures, standard protocols and standardized risk metrics. Top issues that were identified include analysis and use of data while encrypted to ensure confidentiality and integrity, standardization of vendor protocols, sensor identity verification and data security, and policies for data sensitivity and privacy in a world of sophisticated data analysis.


IoT: Issues And Challenges Of A More Connected World – Karen O'Donoghue

Devices on the Internet are not new, but their abilities and the scale of the IoT will be. The key challenges of the IoT include security, privacy, interoperability/standards, legal and regulatory issues and rights, and issues related to the emerging economy and economic development. Security challenges include not only the scale but also the invisibility of internal workings and the relative lack of physical security for everyday objects. Similarly, privacy issues must be dealt with in a context whose ubiquity makes it hard to keep privacy. The IoT presents amazing opportunities but also serious challenges that must be solved collaboratively.

Defending Against The Silent Intruder – Lillie Coney

IEEE PAR 1912 is working to develop a standard for a common privacy and security architecture for consumer wireless devices, making it easier for consumers to integrate those technologies into their lives and have greater control over devices and technology. Recommendations include rethinking operating systems from a security and privacy perspective, making them fail-safe or fail-secure, reference libraries for software reflecting higher levels of security, greater transparency for apps, and accountability regarding the chain of custody for both the digital and physical IoT.


BREAKOUT GROUP PRESENTATIONS

Access Control and Identity Management

A New Model For IoT Sharing And Access Control – Vyacheslav Zolotnikov, Semen Kort, Ekaterina Rudina

An effective sharing system has six aspects—it’s dynamic, attenuated (can’t be shared further without your permission), chained (tied to the person who shares), composable (you set the terms for each transaction), accountable, and it works across domains. At present you rarely have any of these levels of control while sharing electronic files or permissions, and IoT may well make the problems worse. A new model built on tokens avoids those problems.

Private Biometric Verification In IoT Authorization - Ira Konvalinka

Existing one-to-many models for biometric verification have multiple points of vulnerability. Spoofing can occur at any of these points, the most vulnerable of all being also the most common, handheld personal devices such as cell phones. A new one-to-one model shifts key parts of the process outside the reach of these vulnerabilities to an encrypted domain, using a revocable hardwired key and PUF (Physical Unclonable Function) that authenticates devices as surely as iris scans authenticate humans.

No T In The IoT Is An Island - Rob Gingell

At least that’s the goal. Right now we are still in the island phase where Things are relatively isolated on the network, but soon there will be a dynamic network of interconnected devices forming trust relationships quickly and with low overhead. To get there, though, we need efforts to preserve privacy through better use of trust relationships, and explicit policies for connections between authorities. Systematic trust maximizes IoT utility and helps protect the network as a whole.

IoT Security: “A Nightmare In Progress” - Prof. Scott Streit, Jason Braverman, and Hector Hoyos

A wide-ranging list of the security problems in the IoT was presented: “Usernames and passwords are broken,” there’s no two-factor authentication for connected devices, OAuth-type logins have a large surface of attack, mobile apps stay logged in, hackers leverage mobile devices to attack others, unencrypted data is everywhere, and few devices use two-way TLS connections. OpenSesame™ offers a smarter, biometric-based way to lock connected devices. Together with BOPS—Biometrics Open Protocol Standard—it secures physical access through biometric authentication and encrypts all data to protect the user.

Lessons from the Internet of People - Ken Klingenstein

The Internet as it exists now for human users has lessons to teach about the shape of the IoT. Internet identity evolved with the rise of federated authentication. Metadata came to play a critical role in authentication and access control. Different forms of trust came to work together in different circumstances. In all, there are emerging tools on the people side that can address the privacy, personalization and security needs for the P to T interface, though the IoT has other issues as yet unexplored.

Security Improvements In New Device Onboarding - Brian Scriber

Bringing new devices on board poses, and exposes, common security risks that can make the device the entry point to future attacks. Anonymous devices are most vulnerable but PIN-based ones are nearly as risky, not least because they seem to offer more security than they really do. We need new systems rooted in securely stored keys and manufacturer-based certificates.

Trust and Security for the IoT - Wenjia Li

Trust and security are real and severe challenges that threaten the wide deployment of IoT—they can even be life-threatening. The majority of current trust management schemes model trust in one single scalar or value, which is too crude for sophisticated systems. A new model of trust management would collect and evaluate prior behavior of other nodes and build a trust value for each node based on the behavior assessment, identifying harmful players more quickly. At the same time, evaluating the trustworthiness of the data itself can be as important as evaluating individual nodes.

Virtual Organizations For Managing Trust And Collaboration - Dr. Craig A. Lee

Federations are a way to manage collaborations utilizing the cloud, and can be done at any level in the system stack to securely manage collaborations and the sharing of resources across a wide spectrum of application and administrative domains. This vastly expands the applicability and potential impact of what cloud federation could mean, all the way to a global intercloud of things. For this to be realized, certain things will be needed including semantic interoperability, a standard federation gateway or agent and modular trust components. Such Virtual Organizations already run under the Interoperable Global Trust Federation, and the next step is creating a Keystone-based, General Federation Agent.

Goals of the IEEE Cyber Security Initiative - Ulf Lindqvist

The IEEE Cyber Security Initiative has three primary goals—to become the go-to online presence for security and privacy, to improve understanding of the issues at the student level, and to improve designs and implementation at the professional level. To that end IEEE has a number of secondary initiatives in process. The Try Cyber Security Initiative focuses on raising awareness of a “Top 10” of security flaws, while the Center for Secure Design (CSD) brings together software security expertise from industry, academia and government to devise “building codes” for software.


Key Points from Access Control & Identity Management Breakout Session

o Identity vs. Identifiers:
  • Establishing identity requires authentication and can work against privacy concerns in many cases. There are, of course, circumstances where Identity has to be established, but an extensible IoT environment won’t be able to do this effectively.
  • Identifiers can be used to show authorization to perform some action or access some resource, but can be deployed in a privacy-protecting manner.

o Biometrics have the potential to address questions of strong authentication and allow users/entities to control access to their data by binding the authentication to data or other resources.

o Standards are needed to allow for interoperability, heterogeneity, common semantics, etc. The sooner these can be put into place, the easier it will be for a broad-based IoT ecosystem to develop that supports security, trust, and privacy.
  • Many of the actual issues have technical solutions.
  • The need is for standards to lay out how solutions work together in a coherent/cohesive whole.

o Access control: There needs to be a mechanism to keep devices separated. Simply because a light bulb is on the network doesn’t mean it should be able to access anything else on the network.

o In order to preserve privacy, anything should only be challenged to authenticate where needed. It’s not needed everywhere or to everything. That is, device-to-device interactions shouldn’t necessarily require authentication when they can show that they are authorized.

o There does not yet seem to be a meaningful definition of the lifecycle of an IoT device and what are the requirements at each stage. Specific stages that need attention: on-boarding, normal operation, end of life or transition.

o Authorization: architecture design with policies stored elsewhere for examination.


Architectural Framework

A Layered Solution To Cybersecurity - Dr. Erfan Ibrahim, Martin, Maurice

The National Renewable Energy Laboratory (NREL) has demonstrated end to end security using off the shelf technology, tested on NREL’s Distribution Grid Management (DGM) testbed. The key is choosing technology to cover 9 system layers: 7 logical layers in the OSI Basic Reference Model, 1 semantic layer and 1 business layer. The technology challenge of securing DGM has been largely solved with off the shelf products today. The more important matter is sound network design, proper technology integration, strict security policies on routers and firewalls, well defined security patch management processes in the organization, regular employee training on security awareness, and defeating social engineering schemes for data exfiltration and insider threat.

A Secure, Lower Overhead “Industrial Internet Of Things” (IIoT) - Ted Szymanski

Security is critical in industrial IoT applications, but will also require huge resources. Deterministic photonic packet switches offer a way to design a secure IIoT at a lower resource cost, by embedding millions of secure virtual networks in layers 2 or 3, using low-energy-usage field-programmable gate arrays with Optical I/O. This allows for a significant increase in cyber-security, as VN packet transmissions can be encrypted and decrypted in FPGAs, while reducing congestion (and efforts to combat it).

Taxonomy Of Error Control Requirements – Author???

Two recent papers questioned the adequacy of CRC Standards in modern software development, and recommended new research on error control in critical software-intensive systems. The resulting proposal is for a taxonomy to classify and aid the specification and verification of error control solutions, followed by implementation of the standards by training and authorizing the appropriate authorities globally. The model for this effort would be the advanced practices already used to ensure a high level of error control in the aviation sector.

Vulnerabilities That Begin With The Hardware - Vamsi Gondi, David L. White, Jill Gemmill and Christopher W. Post

Do you trust your IoT hardware? Insecure network services (UPnP), cloud services, and insecure wireless communications all represent vulnerabilities. Hardware trojans at the device or network level can steal sensitive information by exploiting gaps between wireless standards, and these gaps can be amplified in the presence of multiple interoperable communication protocols, links and devices. We need to address the ability of devices to be sensitive to data misuse, and to alert the user.


Preparing For The Era Of Connected Vehicles And Intelligent Roadways - Margaret Lyell

The Intelligent Transportation System (ITS) and Connected Vehicle (CV) provide a systems level exemplar of the Internet of Things. ITS/CV will make use of wireless technologies and embedded devices and algorithms to control a vehicle's behavior while in traffic, even if overriding driver instructions. Providing for safety, security, privacy and reliability is a must, and the interface of ITS/CV with current business/societal structures (car dealerships, embedded device manufacturers, insurance companies, etc.) must be carefully worked through.

Centralized Authority To Manage Security Issues With IoT Installations – Author???

Resource constrained CPUs, memory and communication capabilities coupled with low energy consumption result in limited security using low-end algorithms. Add in the physical risk to monitors and data, the risks of things like denial of service attacks, and vulnerabilities on the communication and application layers, and the IoT is vulnerable in many ways. There is a need for a centralized federated management authority to generate, distribute and manage the credentials across security layers in the IoT framework and across multiple application environments.

The Security To Safety Model - Vyacheslav Zolotnikov, Semen Kort, Ekaterina Rudina

Cyber physical systems exist in at least two types of environment: the informational environment and the physical environment. Issues may arise from both types of environment and affect physical aspects, informational aspects and the system itself. The research conducted helps us simplify the determination of significant threats in IoT systems, identify the possible weaknesses in security solutions, and reasonably enhance the approach to security and safety enforcement using the principles of secure architectural design.

Secure Data Architecture: Ensuring data integrity at the beginning of the scientific workflow; a Mini-Science DMZ1 (Mini-DMZ) for instruments - Steven Wallace


Key Points from Architectural Framework Breakout Session

While many have been talking about “End to End Security,” the real issue to be discussed for enterprise use of IoT is “End to End Security and Safety” which is not just a network issue really, rather it is about the security and safety of each of the elements, each of the components, their connections, how they are maintained, how they are used. We need to make sure we don’t get fixated on the “network” part of IoT only.

o The first thing we came up with is that for IoT, safety needs to be considered along with the privacy and performance types of issues (reliability and resiliency), and of course security for these systems.

o The next thing that needs to be addressed is the liability of software development and the software driven capabilities of the devices themselves.

That leads us into a more rigorous, holistic systems approach and developing that process. More specifically, what is the role of policy, both public and private policy, and defining some general guidelines and rules for IoT type systems?

A. Issues of scale – both scale up and scale down

B. Professionalism of the software workforce is really an open question that is almost the other side of the liability issue. Every other engineering trade has licensing, certifications, and it has a history of failures and what you do to resolve those and avoid them.

C. The need for standardization of best practices and really knowing that things are not going to fall over when the first “wrong” thing comes at them or something malicious.

o IoT is going to be extremely disruptive to today’s policy regimes. In any industry in any area, because there are very entwined groups driving policy, there is going to be a lot of resistance and a lot of misunderstanding.


Policy & Standards

Developing Ethics For A Data-Driven World - John Murray

Privacy and security have been much in the news, and have raised awareness not only of how much data is collected but how analytics use it without our permission, resulting in profiling, surveillance, and social discrimination. The effect of a data-centric approach can be harmful to humans, and we need a new approach in which the collection and end use of data are both driven by an ethical, honest approach.

Reducing The Threat And Enhancing The Opportunities Of Drones - Dr. Bertrand Cambou

UAVs, unmanned aerial vehicles—better known as drones—make illegal activities easier; they also offer enormous benefits to society, much like cars, telephones, or many other things we’ve grown used to and for which we have made policies. Five technological changes were suggested for helping us adapt to a new drone world: connect UAVs wirelessly to the internet, add a secure element such as a SIM card, personalize them using secret keys, host authentication on a secure server using PKI, and require flight planning and registration via the web.

Three new technology advancements were also suggested: increased security technology that prevents their being hijacked, sensing of aerial vehicles so warnings can be issued, and safer power sources in the form of structural supercapacitors.

A Model For IoT Assurance - Edward Aractingi

The IoT did not have security as a focus in its developmental stages. Due to low power, minimal computing resources and slow networks, the overhead of encryption was a barrier to development, and underlying protocols such as HTTP and MQTT lack built-in security. It’s true that not all IoT applications need the same level of protection. But there is a need for a standard system of security levels for different applications.

Recommendations include using IP whitelisting and low overhead network ACL, considering the use of session tokens in REST, using MAC addresses for device authentication, using JSON & XML encoding, and using Certificates when possible. There’s a need for collaboration between organizations like IEEE, Internet2, NIST and others to solidify and certify the IoT assurance model.


Is IoT Governance Creating As Well As Solving Problems? - Michael A Aisenberg

The proliferation of organizational bodies where IoT norms are being debated and created reflects important attention being paid to an important process. But the absence of standard processes for engagement, collaboration or even communication threatens development of inconsistent or conflicting norms in some areas, or the absence of norms altogether. Developing norms will provide certainty to stakeholders, enhance utility and availability of technology, and guide organizational and individual behavior.

Open Solutions For Maintaining Privacy And Security Across Devices, Networks And More - Mark Cather

The Internet of Things could grow to 50-200 billion devices by 2020, in many different areas of life. Open multi-vendor solutions will be necessary to meet these needs. But there are often subcontractors behind the subcontractors behind the lead vendors, and open communication between all of them is essential, especially on sensitive subjects such as privacy. Openness in how data is used and protected will be a key issue. Tagging to maintain and share consumer preferences will be another, and a data ownership and management framework will be needed to ensure data owners retain control of their data. And the maintenance of such security on different networks—or while unconnected—is also a crucial concern that must be consistent across manufacturers and devices.

Privacy And Security Standards Ensure IoT Viability - Pamela Gupta

What are the problems that the IoT faces? It is not viable or scalable without trust, yet developers are trained to focus not on those issues but on functionality and time to market. We’ve already seen these issues in products that turned out to have security problems, like Samsung smart TVs or Z-Wave enabled door locks. We need standards for authentication, device security, web interfaces, cloud interfaces, 3rd party APIs, updates and other aspects of devices, but most of all, we need a culture of approaching the ecosystem holistically to ensure security and privacy from the beginning.

Security Without IoT Mandatory Backdoors - Carl Hewitt

It sounds like science fiction—and for the moment it still is, but DARPA is developing an implantable neural interface for data transfer between the human brain and the digital world. Long before we reach such a level of medical IoT, however, the issue of backdoors into the private information IoT devices collect presents itself. Backdoors help devices interoperate, but they also necessarily decrease security, and run the risk of harming economic development of IoT, hampering exports and imports, as well as creating civil liberties issues when so much data about individuals is available without warrants to government.


Key Points from Policy & Standards Breakout Session

What is the IOT?

o IOT is everything, and scale and interconnectedness must be considered up front.

o 50-200 Billion Devices in 2020-2025

o Trust will be essential to IOT growth. 40% of consumers would avoid IOT without Trust.

o Vendor-Neutrality, Openness and International Standards will be necessary to ensure that everyone’s devices can work together and protect TIPPSS together.

o Devices in themselves are not risky. A device’s risk is related to how it is used. A light bulb in a home poses less of a risk to life than the light over an operating table. You must understand the device within its entire system.

o Key principles: Trust, Identity, Privacy, Protection, Safety, Security

With billions of devices across the IOT, the volume of devices and data will drown centralized architectures and traditionally rigid frameworks will break. The TIPPSS concepts will need to be pushed down to the devices in order to scale.

All parts of the entire IOT device must be integrated across TIPPSS from the perspective of privacy and security. The device hardware, firmware, cloud, mobile application, interfaces, software, encryption, authentication, service, everything.

Open Data Control, Ownership, and Device Organization

An association layer must be overlaid on the open transport network to provide TIPPSS, data ownership, compliance, and control. The Association layer will allow devices to relate to each other in a similar manner to the way that people relate to each other.

Consumers and IOT data owners need to retain control of their data regardless of where the data goes.

Data Ownership and Transparency

In order to build and maintain trust in the IOT, the government and private sector must act with ethics and openly and transparently communicate with consumers. Transparency comes in many ways, such as how the data and systems will be used as well as changes in access to data and systems.


Centralized Open Cross-Vendor Tools

People don’t currently patch and maintain their devices. Management of configuration, security and privacy factors related to billions of devices will overload people if not automated and centralized.

Policy/Standards/Law/Litigation

Better policies and standards around cyber safety, cyber profiling, cyber privacy are needed. Data Centric approach may be necessary. More communication and coordination between standards bodies.

How do you incentivize manufacturers and companies to put resources behind TIPPSS? Vendors need to bake security into the solution from the very beginning, but what will motivate them to do so?

Assurance at Scale will be challenging. Mutual agreement is needed to assure parties about the security of a particular IOT implementation. Industry wide assurance standards could be a way to standardize and provide a point of reference to the industry and consumer. Level 0 Barbie doll (basic auth and encryption) -> Level 5 pacemaker (2048 bit keys / multifactor device/user auth, session control).

Snowden’s statements about the National Security Agency’s (NSA) activities are only a drop in the bucket compared to the whistle-blower statements that could come in the future if we don’t address TIPPSS right up front.


Scenarios and Use Cases

Users Don’t Consider Security Their Problem - Luke Russell

Security is often an afterthought in a field where the barrier of entry is low. The example was made of a smart living room where the homeowner creates a build that is distributed to others; the security flaws are thus spread widely. We may give too much data to our connected systems through personal tools; yet the public expects easy accessibility, and regards security as the developer’s problem. Privacy and security must be built-in early in the development process.

Consumer-Oriented, Closed-Loop Systems Are Vulnerable - Martin Murillo

As consumer systems in areas like power and communication move from industrial control to being IoT-based, they are vulnerable in new ways, from technical failure to attacks. The Northeast blackout of 2003 is an example where a software bug led to vulnerability, with no alert system in place.

Smart Grid Security Challenges Come From Many Directions - Reza Arghandeh

Software, IT hardware, power systems, and not least humans all represent potential security risk points. As a result, there’s a need for system-wide security that reflects both cybersecurity and cyber-physical systems security; there was an example in Turkey in March 2015, where the attempt to shut down two substations knocked out power for an entire region. Answers will include a vulnerability assessment to identify key risk points, and algorithms to create situational awareness to detect new forms of attacks.

Privacy Needs Call For Privacy Mediators - Nigel Davies

Privacy concerns about the centralization of IoT systems are a growing threat to IoT adoption, and carry the possibility of stalling its acceptance by a wider marketplace. One key principle is that users should be able to control the release of their own data. Privacy mediators would advocate on behalf of users and create a layer between personal data and the cloud called cloudlets, while tools would enable users to control anonymization and deletion.

Vehicles Provide A Unique Set Of Privacy Concerns - Dr. George Corser

Vehicles are out in the open and so is the data they create. We need standards and guidelines for how that data is linked back to individuals and used. Yet some degree of open identity is needed to ensure vehicle safety. We need new metrics for privacy in driving situations, and definitions of location privacy and continuous precise location privacy.


Role Of IoT Analytics-Driven Warning Of Accidents And Other Events - Rabi Chakraborty

IoT analytics can be used for safety management, environmental protection and resource preservation, warning where incidents are most likely to happen based on observed noncompliance data. Where forewarning is based on past experience (i.e., that failure can be expected after a certain amount of time), event-driven prediction is based on observed data (that a specific device being monitored is close to failing). This data can also be used to inform public policy and regulation; examples include oil and gas (pipeline and storage monitors), agriculture (tracking chemical usage data), and smart water (predictive analytics protecting against waste, leakage and sabotage).

Defining Ourselves By Our Data - Ron Winward

Our online presence defines who we are not only to our friends, but also to business and industry. We are defined by our data. Yet our privacy is weakly defined in U.S. law, in contrast to many others. And we have grown comfortable with allowing a great deal of data collection—and even risk of things like ransomware—in return for the convenience of online life. In the end, automation is both the threat and the solution.


Key Observations from Brainstorming Sessions

o Policy moves slowly and in response to interest groups and positions; products are being created more and more quickly.

o Developers need to know they have responsibility for privacy, security and trust.

o Different industries need to work toward common goals within different regulatory frameworks and with different governmental bodies.

o Makers and do-it-yourselfers have to be educated as to privacy/security needs without impeding innovation.

o Can security, privacy and ethics be built into systems and developer tools?

o Technologists need to lead the creation of definitions, while reflecting local cultures/legal systems.