The State of the Art Angle...General State of The Art Layered Plotting Methodology 1. User/Human...

Page 1:

All rights reserved, Arthur’s Legal B.V.

Addressing Security & Privacy in IoT

State of the Art Best Practices & Guidelines As Enablers

Arthur van der Wees

Managing Director Arthur’s Legal, the global tech by design law firm & knowledge partner

Expert Advisor to the European Commission (Cloud, IoT, Data Value Chain, Cybersecurity, Privacy & Accountability) Project Leader H2020 IoT LSPs & CSAs Activity Group on Trust, Security, Privacy, Accountability & Liability

Founding Member, Alliance for IoT Innovation (AIOTI) Project Leader AIOTI WG3 & WG4 Security in IoT & Privacy in IoT

Co-Chair of AIOTI WG4

The State of the Art Angle

Page 2:

Trusted Digital is a Need to Have, not a Nice to Have

Whether one likes it or not, technology changes the world at a fast pace, so better embrace it. Cloud computing, internet of things, robotics, AI and data analytics are what organizations are talking about on a daily basis, and they are increasingly assessing the opportunities, benefits and risks. Technology makes innovation possible, and technology is a Need-to-Have in organizations, society and economy.

However, risk assessment, risk management, legal and other compliance frameworks have generally not caught up with technology.

Page 3:

Smart Everything!

Right?

Page 4:

Exposed Systems

Rather than focus on connected systems, services & devices, a more comprehensive approach would examine exposed devices. Focus on outcomes, not modalities.

Page 5:

Security = Safety

Unlike inconvenient security problems for your tablet, laptop or desktop computer, connected digital technology insecurity puts human safety at risk. Systems will not be safe if they are not secure.

If you cannot afford to protect, then you cannot afford to connect.

Page 6:

Trusted Security is a Need to Have, not a Nice to Have

Page 7:

We are in a position today, in this Digital Age, where Technology has outstripped our Security & Safety Legal & Standard Framework

Page 8:

You & Your Organisation are here.

#Sensor Downstream

#Algorithm Downstream #Code Downstream #Data Downstream

Page 9:

What Can We Do?

What Should We Do?

Page 10:

Back to Basics

Page 11:

Technology

Knowledge

Process

People

People, Process, Technology & Knowledge Human-Centric Organisations & Systems

Page 12:

Security is a Solution, not a Problem

Better cybersecurity will enable new markets, promote innovation, and give consumers confidence to use new technologies that improve the quality of life.

Poor security will likely cause the Digital Technology markets to eventually collapse in on themselves as consumers and other users begin to lose trust in technology from compilations of horror stories & market failure.

Page 13:

State of the Art Security Accountability:

Information Security Standards vs GDPR (25 May 2018)

The GDPR offers an equation for finding the appropriate level of protection, per purpose, per impact assessment, and per economic feasibility. See Articles 25 & 32 GDPR.

We call this the Appropriate Dynamic Accountability (ADA) Formula:

State of the Art Security – Costs – Purposes + Impact

Although the current information security standards aim for ‘achieving continual improvement’, the GDPR aims to ensure up-to-date levels of protection by requiring the levels of data protection and security to continuously meet the ADA formula.

Page 14:

Build Your Own SOTA Security in IoT Model

It’s Easy; Just Think N-Dimensional!

1. 27 SOTA Security Recommendations, Frameworks & Guidelines

2. 1.000+ Security Requirements & Principles (350+ Unique)

3. Segmentation into 4 Layers & 3 Dimensions

4. Structure, Systemize & Semantic Sanitization without Interpretation

5. Context (initially: each of the 5 LSPs)

6. Stakeholders (User, Customer, Supplier, Policy Makers, SDO, Authorities)

7. 5 Life Cycle Methodologies (Device, Data, Stakeholder, Context, Legal)

8. Interdependencies & Double-Looping

Page 15:

General State of The Art Layered Plotting Methodology

1. Service 2. Software/Application 3. Hardware 4. Infrastructure/Network

Security in IoT / State of the Art (SOTA)

Page 16:

General State of The Art Layered Plotting Methodology

1. User/Human Factor 2. Data 3. Authentication

Security in IoT / State of the Art (SOTA)

Page 17:

General State of The Art Layered Plotting Methodology

1. User/Human Factor 2. Data 3. Service 4. Software/Application 5. Hardware 6. Authentication 7. Infrastructure/Network

Security in IoT / State of the Art (SOTA)

Page 18:

Human-Centric Technology, Thriving Dynamic Ecosystems & Multi-Angled Stakeholders & Influencers

1. The User (Convenience-Focused, Cheap, Curious, Creative, Ignorant)

2. Customers Who Are Willing To Pay (B2x, x2x)

3. Suppliers & Value Ecosystem (Secure In, Secure Inside, Secure Out)

4. Thriving Ecosystems & Society

5. Malicious Actors (Collaborating with Each Other)

6. Act First Seek Forgiveness Later Data Titans

7. Policy Makers, Standardisation Development Orgs & Markets

8. Authorities (Who is responsible for what, and are they capable?)

9. Data Access: Law Enforcement & Intelligence Services

Page 19:

7 Phases of the (Personal) Data Life Cycle

1. Obtain / Collect

2. Create / Derive

3. Use

4. Store

5. Share / Disclose

6. Archive

7. Destroy / Delete

Most PII* comes out of Phase 1 & 2 BUT Personal Data is created & processed in any and each phase

Which phase(s) are we talking about? PII* + Actor + Legal Basis + Purpose(s)

* PII: personal identified or identifiable information

Page 20:

1. European Commission (EC) & Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security & Privacy in IoT (2017)

2. Alliance for Internet of Things Innovation (AIOTI): Report on Workshop on Security and Privacy in the Hyper-Connected World (2016)

3. European Commission (EC): Best available techniques reference document for the cyber-security and privacy of the 10 minimum functional requirements of the Smart Metering Systems (2016)

4. European Union Agency for Network and Information Security (ENISA): Auditing Security Measures (2013)

5. European Union Agency for Network and Information Security (ENISA): Cloud Certification Schemes Metaframework (2014)

6. Energy Expert Cyber Security Platform: Cyber Security in the Energy Sector (2017)

7. HM Government, Department for Transport and Centre for the Protection of National Infrastructure: The Key Principles of Cyber Security for Connected and Automated Vehicles (2017)

8. Autorité de régulation des communications électroniques et des postes (ARCEP): Preparing for the internet of things revolution (2016)

9. United States Department of Commerce (DoC): Fostering the advancement of the Internet of Things (2017)

10. United States Department of Homeland Security: Strategic Principles for Securing the Internet of Things (2016)

11. United States Department of Health and Human Services, Food and Drug Administration: Postmarket Management of Cybersecurity in Medical Devices (2016)

12. United States Department of Health and Human Services, Food and Drug Administration: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

13. United States Government Accountability Office: Technology Assessment: Internet of Things – Status and implications of an increasingly connected world (2017)

14. National Institute of Standards and Technology (NIST): Networks of ‘Things’ (2016)

15. IoT Alliance Australia (IoTAA): Internet of Things Security Guideline (2017)

16. GSM Association (GSMA): IoT Security Guidelines Overview Document (2016)

17. GSM Association (GSMA): IoT Security Guidelines for Service Ecosystems (2016)

18. GSM Association (GSMA): IoT Security Guidelines for Endpoint Ecosystems (2016)

19. GSM Association (GSMA): IoT Security Guidelines for Network Operators (2016)

20. IoT Security Foundation (IoTSF): IoT Security Compliance Framework (2016)

21. IoT Security Foundation (IoTSF): Connected Consumer Products Best Practice Guidelines (2016)

22. IoT Security Foundation (IoTSF): Vulnerability Disclosure (2016)

23. Broadband Internet Technical Advisory Group (BITAG): Internet of Things (IoT) Security and Privacy Recommendations (2016)

24. International Organization for Standardization (ISO): Internet of Things Preliminary Report (2014)

25. The Center for Internet Security (CIS): Critical Security Controls v6.0 (2016)

26. Internet Society: Global Internet Report 2016 (2016)

27. Tenable: Achieving Effective Cyber Hygiene (2016)

Security in IoT / State of the Art (SOTA)

Page 21:

Security in IoT / State of the Art (SOTA)

1. USER/HUMAN FACTOR (No relevant requirements identified)

2. DATA

1. Encryption: Ensure encryption of data transmitted from sensors to ensure data transmission integrity and confidentiality.

2. Precision: In order to prevent any information loss, proper care should be given in the aggregation process to significant digits, rounding, averaging and other arithmetic operations to avoid unnecessary loss of precision.

3. Validation: Manufacturers should apply data validation processes which would recognise fake readings being produced by rogue sensors.

4. Recipients of data: Manufacturers should ensure that the data/readings from the sensors are only communicated to the intended aggregators. Tampering, theft, deletion or insecure transmission of data between various primitives should be avoided.

3. SERVICES (No relevant recommendations identified)

4. SOFTWARE/APPLICATION

1. Malware: Manufacturers should ensure protection against malware.

2. Testing: As reliability is key, manufacturers should carry out strong testing and assurance of reliability on the primitives.

3. Safety of disconnected apps: Manufacturers should ensure that applications are safe and do not crash in the event of loss of internet connection, lack of incoming data to base decisions on or other unpredicted conditions or undefined behaviour.

5. HARDWARE

1. Configuration and reliability: Ensure correct configuration of the device’s sensors to ensure correctness and consistency of the readings made and sent to aggregators. Ensure that sensors do not lose sensitivity or schedule regular check and repair mechanisms.

6. AUTHENTICATION

1. Sensor authentication: Sensors should have the capability to be authenticated as genuine to prevent being substituted by attackers’ replacement sensors to hijack the smart system.

National Institute of Standards and Technology (NIST): Networks of ‘Things’ (2016)

Page 22:

Security in IoT / State of the Art (SOTA)

7. ARCHITECTURE/NETWORK

1. Cluster/Aggregator architecture: For each cluster (i.e. set of sensors) there should be an aggregator or a set of potential aggregators. Reliability of aggregators should be ensured. Redundant sensors should be disconnected since they may increase a sensor’s weight (i.e. the degree to which a particular sensor’s data will impact an aggregator’s computation) if a grouping of redundant sensor data is in agreement and produces the same result.

2. Computing power: Ensure that sufficient power is available for aggregators to collect data from sensors. Prevent aggregators from denying them the possibility of power to operate/execute.

3. Communication channels: Ensure safe and reliable communication between various primitives involved in computing, sensing and actuation via communication channels. Prevent communication with unauthenticated primitives. Prevent overpopulation, disturbances, delays, interruptions and eavesdropping occurring to communication channels.

National Institute of Standards and Technology (NIST): Networks of ‘Things’ (2016)
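
An added example (not from the slides or the NIST report) of an aggregator applying the Data, Authentication and Architecture/Network recommendations above: it authenticates each sensor, accepts only readings addressed to it, rejects replayed or implausible readings, and gives each redundancy group a single vote. HMAC-SHA256 with pre-shared keys, the message layout, the value range, collapsing redundant sensors instead of disconnecting them, and all names are assumptions of this example.

```python
import hashlib
import hmac
import json
from statistics import median

# Constructed provisioning data (assumptions): per-sensor keys and redundancy groups.
SENSOR_KEYS = {"s1": b"k1-demo", "s2": b"k2-demo", "s3": b"k3-demo", "s4": b"k4-demo"}
SENSOR_GROUP = {"s1": "roof", "s2": "roof", "s3": "roof", "s4": "cellar"}
AGGREGATOR_ID = "agg-A"
VALID_RANGE = (-40.0, 85.0)  # plausible temperature readings, degrees C
MAX_AGE = 30                 # seconds a reading stays fresh


def sign_reading(sensor, key, value, ts, to=AGGREGATOR_ID):
    """Sensor side: bind value, timestamp and intended recipient under one tag."""
    body = json.dumps({"sensor": sensor, "value": value, "ts": ts, "to": to},
                      sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def _num(x):
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def verify_reading(msg, now, last_ts):
    """Aggregator side: return (sensor, value) or raise ValueError with the reason."""
    try:
        f = json.loads(msg["body"])
        sensor, value, ts, to = f["sensor"], f["value"], f["ts"], f["to"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed") from None
    key = SENSOR_KEYS.get(sensor) if isinstance(sensor, str) else None
    if key is None:
        raise ValueError("unknown sensor")            # unauthenticated primitive
    expected = hmac.new(key, msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("bad tag")                   # substituted sensor or tampering
    if to != AGGREGATOR_ID:
        raise ValueError("wrong recipient")           # meant for another aggregator
    if not _num(ts) or ts <= last_ts.get(sensor, float("-inf")) or abs(now - ts) > MAX_AGE:
        raise ValueError("stale or replayed")
    if not _num(value) or not VALID_RANGE[0] <= value <= VALID_RANGE[1]:
        raise ValueError("implausible value")         # fake reading from a rogue sensor
    last_ts[sensor] = ts
    return sensor, float(value)


def aggregate(messages, now):
    """Return (aggregate value, rejection reasons in arrival order)."""
    last_ts, by_group, rejected = {}, {}, []
    for msg in messages:
        try:
            sensor, value = verify_reading(msg, now, last_ts)
        except ValueError as err:
            rejected.append(str(err))
            continue
        by_group.setdefault(SENSOR_GROUP[sensor], []).append(value)
    # One vote per redundancy group, so three agreeing roof sensors do not outweigh the cellar.
    votes = [median(values) for values in by_group.values()]
    return (sum(votes) / len(votes) if votes else None), rejected


def constructed_messages():
    """Constructed sample traffic: four genuine readings, then five that must be rejected."""
    good = [sign_reading(s, SENSOR_KEYS[s], v, 100)
            for s, v in [("s1", 21.0), ("s2", 21.0), ("s3", 21.0), ("s4", 15.0)]]
    bad = [
        sign_reading("s4", b"not-the-real-key", 80.0, 101),            # substituted sensor
        sign_reading("s1", SENSOR_KEYS["s1"], 21.0, 102, to="agg-B"),  # other aggregator
        sign_reading("s2", SENSOR_KEYS["s2"], 400.0, 103),             # out-of-range value
        good[0],                                                       # replayed message
        sign_reading("s9", b"unprovisioned", 20.0, 104),               # unknown sensor
    ]
    return good + bad


if __name__ == "__main__":
    print(aggregate(constructed_messages(), now=110))
```

A plain mean over the four accepted sensors would give 19.5; with one vote per group the result is 18.0.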

Page 23:

Mandatory & (Currently) Voluntary

Page 24:

From 2018, Digital & Data become Highly Regulated Domains

GDPR: 25 May 2018

NIS: 9 May 2018

PSD2: 13 Jan 2018

e-Privacy Regulation (draft)

Identifying operators of ‘Essential Services’ 9 November 2018

Trade Secrets Directive 9 June 2018

1 January 2018

Page 25:

Usability, Transparency, Trust, Control & Compliance Inside =

Success By Design

Multi-Layered, Cross-Cutting

Interdisciplinary Integrated High-Level Architecture


Page 26:

N-Dimensional Updatability

‘Find & Fix’ deficiencies, whether they arise from design, operation, law or deliberate instances.

Page 27:

Standardisation 4.0 & Legal 4.0 As Enablers

Page 28:

Q&A: Anything Goes!


Arthurslegal.com @Arthurslegal

Man & Technology Symbiosis: Hyperconnectivity!

Page 29:

Arthur’s Strategic Services & Systems: Global Tech & Strategies by Design. Est. 2001

Arthur’s Legal: Arthur’s Legal is a global tech and strategic x-by-design law firm. Arthur’s Legal was founded in 2001 and since its incorporation has provided integrated full services, focusing mainly on local and global private and public organizations that are active as customer, user, vendor, integrator, consultant, legislator or policy maker in the fields of IT, licensing, cloud computing, internet of things, data analytics, cybersecurity, robotics, distributed ledger (block chain) technology and artificial intelligence. Arthur’s Legal is also a leading deal making expert; it has already structured and negotiated more than 5.000 major technology and related deals with and for global Fortune companies as well as other major organizations in the public and private sector worldwide.

Arthur’s Global Digital Strategies: The counsels of Arthur’s Legal are legal experts, strategists, technologists, standardization specialists and frequent speakers worldwide, who have in-depth experience and are well-connected in the world of technology, combinatoric innovation, data, digital, cybersecurity, (personal) data protection, standardization, risk management & global business. On these topics, its managing director Arthur van der Wees LLM is expert advisor to the European Commission, Dutch government as well as other public and private sector organizations and institutes worldwide.

Trust, Digital Data, Cybersecurity, Algorithms, AI, Robotics & Internet of Things: Arthur’s Legal is Founding Member of European Commission’s (EC) Alliance of IoT Innovation (AIOTI), Co-Chair of AIOTI WG4 (Policy), Project Leader of both the AIOTI Security in IoT and Privacy in IoT taskforces, co-author of EC’s Cloud SLA Standardisation Guidelines, co-author of Cloud Security Alliance’s Privacy Level Agreement (PLA) 2.0, co-contributor to ISO standards such as ISO/IEC 19086 (Cloud Computing), co-author of the IERC Handbooks 2016 (Strategic & Legal Challenges in IoT) and 2017 (Security & Privacy in IoT), member of ESCO and co-author of the Dutch National Smart Cities Strategy. Arthur’s Legal is co-founder of CloudQuadrants on the maturity of cloud offerings, the Cyberchess Institute that landscapes the real-life cybersecurity arena, the Cyber Trust Institute that sets trust trajectories and orbital requirements and parameters for technology-as-a-service, the Institute for Next Generation Compliance that promotes the restructuring and automation of compliance and related procurement, and the Institute for Data and Evidence Based Trust that aims to build and enhance trust and data protection in open, decentralized digital, cyber-physical and virtual ecosystems. Furthermore, Arthur’s Legal is EC H2020 project IoT CREATE consortium partner and activity group leader on trust, security, safety, privacy, legal and compliance topics in IoT in five EU large scale pilots on smart healthcare, smart cities, wearables, smart farming, food safety and autonomous vehicles with EUR 250M of accrued EC and other funding. Together with IDC, Arthur’s Legal is also doing research and policy making for the Commission on data portability & application portability. One can build its own AI with Zapplied.

Connected & Hyper-connected: Arthur's Legal has a unique interdisciplinary 3D-angle & x-by-design approach, connecting vital topics such as usability, security, data management, (personal) data protection, compliance with technology, infrastructure, architecture and global standardization thereof, with the capability and ability to connect those components in hyper-connected ecosystems much earlier (read: pro-active, preventative) than the traditional policy-making, legal and compliance practice does. For upcoming events, key notes and other activities, please check out the website, stay up to date via its social media channels, or contact us.

www.arthurslegal.com

Page 30:

Trusted Key Partners

Trusted Partners

Customers

The Multiplicity Approach

Symbiotic combination of diverse groups of people that work together with diverse groups of machines, algorithms and capabilities to identify, address & solve problems, and make & execute decisions.

Digital Technology changes the World at a fast pace

Yet, Humans are underrated. Build, Enhance & Retain Trust with the combination of Human Brain Power, Purpose & Passion, and Machines, Algorithms & APIs.

Core Team: Attorneys at law, senior legal counsels, EC advisors, technologists, innovation, policy & standardisation experts, all well-connected in the world of technology, digital data & global business. Daily Domains: Applied Innovation, Smart Everything, Next Generation Ecosystems, Trust, Transformation, Technology, Digital Data, Computing, Cloud Edge, Internet of Things, Distributed Ledgers, Robotics, (Personal) Data Protection, Cybersecurity, Risk, Impact, Compliance & Convenience.

Zapplied

Organisational

Systems

Arthur’s Legal

Core Team

Arthur’s Legal, Strategies & Systems: Handpicked Experts + Ability to Execute + Algorithms = Interdisciplinary, Living & Learning Systems

Page 31:

Legal Notices All rights reserved, Arthur’s Legal B.V. The content of this document is provided ‘as-is’ and for general information purposes only; it does not constitute strategic, legal or any other professional advice. The content or parts thereof may not be complete, accurate or up to date. Notwithstanding anything contained in this document, Arthur’s Legal disclaims responsibility (including where Arthur’s Legal or any of its officers, employees or contractors have been negligent) for any direct or indirect loss, damage, claim, or liability any person, company, organisation or other entity or body may incur as a result, this to the maximum extent permitted by law.