How do Policy and regulatory initiatives address the topic of IoT Security?
Dr. Florent Frederix, Online Trust and Cyber Security unit
Directorate-General for Communications Networks, Content and Technology, European Commission
This document does not necessarily reflect any official position of the Commission
On IoT, Cybersecurity and Data Protection
ETSI Security Week, June 14, 2016, Sophia Antipolis
Table of Content
• The Legal Framework in the European Union
  • The General Data Protection Regulation (GDPR)
  • The Network and Information Security (NIS) Directive
• The EC Data Protection legal framework
  • Working Party opinion on the Internet of Things
  • Data accessible to the user only and to third parties
  • Privacy by design requirements
• The EC Network and Information Security Directive
  • Objectives
  • Essential services
  • Digital Service Providers
  • Decision tree
• Case study: Day-one C-ITS use cases
  • The authentication challenge
Legal IoT framework

On Data Protection
• The Legal Framework in the European Union
• The General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88, applicable as of 25 May 2018.
• Article 29 Working Party opinion on the IoT: Working Party 29 Opinion 8/2014, which applies to smart objects and the Internet of Things.
The NIS Directive: from proposal to transposition
• February 2013: EC proposal COM(2013) 48
• 7 Dec 2015: political agreement (sixth informal trilogue)
• June-July 2016: final adoption; entry into force 20 days after publication in the OJ
• Transposition: 21 months after entry into force for transposition into national laws, plus an additional 6 months to identify operators of essential services
Network and Information Security (NIS) Directive
The Working Party 29 opinion on the Internet of Things (IoT) applies to smart objects (Working Party 29 Opinion 8/2014)

EU Data protection
WP29 on the Internet of Things
The IoT can develop into an unlawful form of surveillance and raises security concerns (WP29 Opinion 8/2014).
The interaction between objects will result in hardly manageable data flows, challenging the protection of the data subjects' rights.
Extracts of the WP29 opinion
If the data controller provides a remote platform to collect and process data, the domestic exception only applies to the actual usage by the user and does not exempt the data controller from the data protection law (WP163, WP223).
Extracts of the WP29 opinion
• IoT stakeholders qualifying as data controllers must comply with Directives 95/46/EC and 2002/58/EC.
• Art. 5(3) of Directive 2002/58/EC applies if an IoT stakeholder can access information stored on IoT "terminal equipment", and demands that the subscriber/user consents. This matters because such access can give others access to privacy-sensitive information stored on the device.
Extracts of the WP29 opinion
• Privacy Impact Assessment required
• Delete raw data as soon as aggregated data is extracted
• Principles of Privacy by Design and Privacy by Default apply
• Data subjects must be "in control" of the data at any time.
Extracts of the WP29 opinion for manufacturers
• inform stakeholders if data subject withdraws consent
• provide granular access choices and a “do not collect” option
• prevent location tracking
Extracts of the WP29 opinion for manufacturers
• provide tools to locally read, edit and modify the data before they are transferred to any data controller.
• inform everyone impacted by a discovered device vulnerability
Extracts of the WP29 opinion for manufacturers
• apply Security by Design and Cryptography
• limit data leaving devices and aggregate
• protect data of different individuals using same car
EU NIS directive

The NIS Directive: objectives
• Increased national cybersecurity capabilities
• EU-level cooperation
• Risk management and reporting
Overall aim: boosting the overall online security in Europe
NIS addresses essential services
Security and notification requirements apply to operators of essential services:
• Energy: electricity, gas and oil
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructure
• Health: healthcare providers
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top-level domain name registries
NIS addresses digital service providers
Security and notification requirements apply to Digital Service Providers (DSPs):
• Online marketplaces
• Cloud computing services
• Search engines
Who is bound by NIS? Identification process in 6 steps

1. Does the entity belong to a sector/subsector and correspond to the type of entity covered by Annex II of the Directive?
   NO: the NIS Directive doesn't apply.
   YES: continue.
2. Is a lex specialis applicable?
   YES: the security and/or notification requirements of the NIS Directive do not apply.
   NO: continue.
3. Is the operator providing an "essential service" within the meaning of the Directive?
   NO: the NIS Directive doesn't apply.
   YES: continue.
4. Does the service depend on network and information systems?
   NO: the NIS Directive doesn't apply.
   YES: continue.
5. Would a cyber incident have a significant disruptive effect?
   NO: the NIS Directive doesn't apply.
   YES: continue.
   Cross-sectoral factors (specified in the Directive):
   • number of users relying on the service
   • dependency of other essential sectors on the service
   • impact that incidents could have on economic and societal activities or public safety
   • possible geographic spread
   • importance of the entity for maintaining a sufficient level of the service
   Sector-specific factors (not specified in the Directive; examples):
   • Energy: volume or proportion of national power generated
   • Transport: proportion of national traffic volume and number of operations per year
   • Health: number of patients under the provider's care per year
6. Is the operator providing essential services in other Member States?
   YES: mandatory consultation with the Member State(s) concerned before national measures are adopted.
   NO: adoption of national measures (e.g. list of operators of essential services, policy and legal measures).
And the IoT?
NIS Directive: operators of essential services. IoT applications and smart objects in these sectors:
• Energy: electricity, gas and oil
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructure
• Health: healthcare providers
• Water: drinking water supply and distribution
Case study

Case study: Day-one C-ITS use case
(Figure: www.etsi.org/images/files/membership/ETSI_ITS_09_2012.jpg)
Day-one C-ITS use cases
• Case study: Day-one C-ITS* use cases
  • What is C-ITS
  • Some day-one use case scenarios
  • The need for identification
  • Protecting privacy while identifying
* C-ITS: Cooperative Intelligent Transport Systems
What is C-ITS?
(Figure: the C-ITS coordination landscape. European cooperation: coordination, results and monitoring through the ITS Coordination Group; global and international cooperation; validation and feedback from EU and national funded projects, ITSsV6, mandate M/453, the HTG and the stakeholder groups.)
Day-one C-ITS use cases
Vehicle-to-vehicle traffic safety messages
• Emergency braking light
• Slow or stationary vehicle
• Emergency vehicle approaching
• Road accident ahead
• Vehicle approaching crossing
Vehicle-to-infrastructure communication
• Green Light Optimal Speed Advisory
• Traffic light priority request
• Traffic works ahead
C-ITS cooperative awareness messages
Source: 8th ETSI ITS workshop, 10 March 2016, Dr. T. Buburuzan, Volkswagen Research
CAM: Cooperative Awareness Messages
All use cases demand trustworthy unique identification
Authenticate Vehicles & Infrastructure
All use cases demand trustworthy unique identification.
Trustworthy identification? Yes.
But what about privacy and personal data protection?
ETSI ITS Trust Model, 2014
Authenticate & protect privacy?
All use cases demand trustworthy unique identification.
ETSI ITS Trust Model, 2014
Short-term authorization tickets (ATs, pseudonym certificates) ensure privacy and data protection: a receiver can verify that a message comes from an authorized vehicle without learning the vehicle's long-term identity, and the ticket in use changes over time.
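The mechanism the slide names, written out as an added example for this page (it is neither ETSI's code nor the ETSI TS 103 097 certificate format): a vehicle proves possession of its long-term enrolment credential once, receives a batch of short-lived authorization tickets that carry only a fresh public key and an expiry, and signs each CAM under the current ticket while rotating through the batch. The receiver needs only the authority's public key to accept a message from a vehicle it has never seen, and a roadside eavesdropper sees only a changing ticket key. Assumptions: Ed25519 stands in for the ECDSA curves of the real system; a single authority plays both the enrolment and the authorization roles (the ETSI model separates them so that the authorization authority cannot map tickets back to a vehicle); the ticket encoding, the rotation policy (every two CAMs), the timestamp and the CAM payloads are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strconv"
	"time"
)

// AT is a short-lived pseudonym certificate: a fresh key plus an expiry, signed by the
// Authorization Authority (AA), no long-term identity. Not the ETSI TS 103 097 encoding.
type AT struct {
	PubKey ed25519.PublicKey
	Expiry int64 // Unix seconds
	AASig  []byte
}
// tbs is the to-be-signed encoding of a ticket: the 32 key bytes followed by the expiry.
func (a AT) tbs() []byte { return strconv.AppendInt(append([]byte(nil), a.PubKey...), a.Expiry, 10) }
// SignedCAM is what goes on the air: payload, pseudonym certificate, signature.
type SignedCAM struct {
	Payload []byte
	Ticket  AT
	Sig     []byte
}
func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewATRequest is the vehicle side: n fresh pseudonym keys plus a proof of possession
// made with the long-term enrolment key, which itself never goes on the air.
func NewATRequest(ecPriv ed25519.PrivateKey, n int) (keys [][]byte, proof []byte, privs []ed25519.PrivateKey) {
	keys, privs = make([][]byte, n), make([]ed25519.PrivateKey, n)
	for i := range keys {
		keys[i], privs[i] = keypair()
	}
	return keys, ed25519.Sign(ecPriv, bytes.Join(keys, nil)), privs
}

// IssueATs is the authority side: certify the pseudonym keys only if the request is
// proven by an enrolled long-term key; the tickets never reference that key. Assumption:
// one authority plays both the enrolment and authorization roles that ETSI separates.
func IssueATs(aaPriv ed25519.PrivateKey, enrolled map[string]bool, ec ed25519.PublicKey, keys [][]byte, proof []byte, expiry time.Time) ([]AT, error) {
	if !enrolled[string(ec)] || !ed25519.Verify(ec, bytes.Join(keys, nil), proof) {
		return nil, fmt.Errorf("credential not enrolled or proof of possession invalid")
	}
	ats := make([]AT, len(keys))
	for i, k := range keys {
		ats[i] = AT{PubKey: k, Expiry: expiry.Unix()}
		ats[i].AASig = ed25519.Sign(aaPriv, ats[i].tbs())
	}
	return ats, nil
}

// SignCAM signs under ticket t; the ticket bytes are covered, so no replay under another ticket.
func SignCAM(t AT, priv ed25519.PrivateKey, payload []byte) SignedCAM {
	return SignedCAM{payload, t, ed25519.Sign(priv, append(t.tbs(), payload...))}
}

// VerifyCAM is the receiver: expiry, AA signature on the ticket, then the message
// signature under the ticket key. Only the AA public key is needed to trust a stranger.
func VerifyCAM(aaPub ed25519.PublicKey, m SignedCAM, now time.Time) bool {
	t := m.Ticket
	if now.Unix() > t.Expiry || !ed25519.Verify(aaPub, t.tbs(), t.AASig) {
		return false
	}
	return ed25519.Verify(t.PubKey, append(t.tbs(), m.Payload...), m.Sig)
}

// Demo (constructed data): enrol one vehicle, fetch 3 one-hour tickets, send 6 CAMs
// rotating the ticket every 2; report the receiver's verdicts and the pseudonym count.
func Demo() (allValid, tamperedRejected, expiredRejected bool, pseudonyms int) {
	now := time.Unix(1465905600, 0) // constructed: 14 June 2016, 12:00 UTC
	aaPub, aaPriv := keypair()
	ecPub, ecPriv := keypair()
	enrolled := map[string]bool{string(ecPub): true} // the authority's enrolment registry
	keys, proof, privs := NewATRequest(ecPriv, 3)
	ats, err := IssueATs(aaPriv, enrolled, ecPub, keys, proof, now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	msgs, seen, allValid := make([]SignedCAM, 6), map[string]bool{}, true
	for i := range msgs {
		msgs[i] = SignCAM(ats[i/2], privs[i/2], []byte(fmt.Sprintf("CAM lat=43.62 lon=7.05 speed=13.9 seq=%d", i)))
		allValid = allValid && VerifyCAM(aaPub, msgs[i], now.Add(time.Minute))
		seen[string(msgs[i].Ticket.PubKey)] = true // all a roadside eavesdropper can link on
	}
	forged := SignedCAM{[]byte("CAM lat=43.62 lon=7.05 speed=40.0 seq=0"), msgs[0].Ticket, msgs[0].Sig}
	tamperedRejected = !VerifyCAM(aaPub, forged, now.Add(time.Minute))
	expiredRejected = !VerifyCAM(aaPub, msgs[0], now.Add(2*time.Hour))
	return allValid, tamperedRejected, expiredRejected, len(seen)
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true true true 3`: every CAM verifies against nothing but the authority's public key, a CAM whose speed field was altered is rejected because the signature covers the payload, the same CAM is rejected once its one-hour ticket has expired, and an observer of the six messages sees three unrelated ticket keys rather than one vehicle identity. The privacy property rests on the issuing step: the tickets contain no field derived from the enrolment credential, so linking them back to the vehicle requires the authority's records, which is exactly the data the legal framework above constrains.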
Sacrificing liberty, privacy and data security for cruise control?
No, but it is a technical challenge.
Questions?
References
• Directive 95/46/EC on Privacy and Data Protection
• Directive 2002/58/EC on e-Privacy
• Article 29 Working Party Opinion 8/2014 on Recent Developments on the Internet of Things
• Article 29 Working Party Opinion on anonymisation (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf)
• COM(2013) 48 final: Directive on Network and Information Security
• Dutch ITS security round table, May 10, 2016 (http://www.ditcm.eu/images/ITS_Ronde_tafel_/Security/meeting_100516)