How do Policy and regulatory initiatives address the topic of IoT Security?
On IoT, Cybersecurity and Data Protection
Dr. Florent Frederix, Online Trust and Cyber Security unit
Directorate-General for Communications Networks, Content and Technology, European Commission
This document does not necessarily reflect any official position of the Commission
ETSI SECURITY WEEK, June 14, 2016, Sophia-Antipolis
Table of Contents
• The Legal Framework in the European Union
  • The General Data Protection Regulation (GDPR)
  • The Network Information Security Directive
• The EC Data Protection Legal framework
  • Working Party opinion on the Internet of Things
  • Data accessible to the user only and third parties
  • Privacy by design requirements
• The EC Network Information Security Directive
  • Objectives
  • Essential services
  • Digital Service Providers
  • Decision tree
• Case study: Day-one C-ITS use cases
  • The authentication challenge
Section: Legal IoT framework

On Data Protection: applies for smart objects and the Internet of Things
• The Legal Framework in the European Union
  • The General Data Protection Regulation (GDPR)
    • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88, which will be applicable as of 25 May 2018.
  • Article 29 Working Party opinion on the IoT
    • Working Party 29 Opinion 8/2014
The NIS Directive: from proposal to transposition (Network and Information Security Directive)
• February 2013: EC proposal COM(2013) 48
• 7 Dec 2015: Political agreement (sixth informal trialogue)
• June–July 2016: Final adoption; entry into force 20 days after publication in the OJ
• Transposition: 21 months after entry into force for transposition into national laws; an additional 6 months to identify operators of essential services
Section: EU Data protection

The Working Party 29 opinion on the Internet of Things (IoT) applies for smart objects (Working Party 29 Opinion 8/2014)
WP29 on the Internet of Things
IoT can develop unlawful forms of surveillance and raise security concerns (WP29 Opinion 8/2014).
The interaction between objects will result in hardly manageable data flows, challenging the protection of the data subjects’ rights.
Extracts of the WP29 opinion
If the data controller provides a remote platform to collect and process data, the domestic exception only applies to the actual usage by the user and does not exempt the data controller from the data protection law (WP163, WP223).
Extracts of the WP29 opinion
• IoT stakeholders qualifying as data controllers must comply with 95/46/EC and 2002/58/EC.
• Art. 5(3) of 2002/58/EC applies if an IoT stakeholder can access information stored on an IoT “terminal equipment” and demands that the subscriber/user consents. This is important because it can give others access to privacy-sensitive information stored on such devices.
Extracts of the WP29 opinion
• Privacy Impact Assessment required
• Delete raw data as soon as aggregated data is extracted
• Principles of Privacy by Design and Privacy by Default apply
• Data subjects must be “in control” of the data at any time
Extracts of the WP29 opinion for manufacturers
• inform stakeholders if a data subject withdraws consent
• provide granular access choices and a “do not collect” option
• prevent location tracking
Extracts of the WP29 opinion for manufacturers
• provide tools to locally read, edit and modify the data before they are transferred to any data controller
• inform everyone impacted by a discovered device vulnerability
Extracts of the WP29 opinion for manufacturers
• apply Security by Design and Cryptography
• limit data leaving devices and aggregate
• protect data of different individuals using the same car
Section: EU NIS directive

The NIS Directive: objectives
• Increased national cybersecurity capabilities
• EU-level cooperation
• Risk management & reporting
• Boosting the overall online security in Europe
NIS addresses essential services: security and notification requirements for operators of essential services
• Energy: electricity, gas and oil
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructure
• Health: healthcare providers
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries
NIS addresses digital service providers: security and notification requirements for Digital Service Providers (DSPs)
• Online market places
• Cloud computing services
• Search engines
Who is bound by NIS? Identification process in 6 steps
1. Does the entity belong to a sector/subsector and correspond to the type covered by Annex II of the Directive?
   NO → NIS Directive doesn't apply. YES → step 2.
2. Is a lex specialis applicable?
   YES → Security and/or notification requirements of the NIS Directive do not apply. NO → step 3.
Who is bound by NIS? Identification process in 6 steps (continued)
3. Is the operator providing an “essential service” within the meaning of the Directive?
   NO → NIS Directive doesn't apply. YES → step 4.
4. Does the service depend on network and information systems?
   NO → NIS Directive doesn't apply. YES → step 5.
Who is bound by NIS? Identification process in 6 steps (continued)
5. Would a cyber incident have a significant disruptive effect?
   NO → NIS Directive doesn't apply. YES → step 6.
   Cross-sectoral factors (specified in the Directive):
   • number of users relying on the services
   • dependency of other essential sectors on the service
   • impact that incidents could have on economic and societal activities or public safety
   • possible geographic spread
   • importance of the entity for maintaining a sufficient level of the service
   Sector-specific factors (not specified; examples):
   • Energy: volume or proportion of national power generated
   • Transport: proportion of national traffic volume and number of operations per year
   • Health: number of patients under the provider’s care per year
Who is bound by NIS? Identification process in 6 steps (continued)
6. Is the operator concerned providing essential services in other Member States?
   YES → Mandatory consultation with the Member State(s) concerned.
   Outcome: adoption of national measures (e.g. list of operators of essential services, policy and legal measures).
And the IoT?
NIS directive → Operators of essential services → IoT applications and smart objects
• Energy: electricity, gas and oil
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructure
• Health: healthcare providers
• Water: drinking water supply and distribution
Section: Case study

Case study: Day-one C-ITS use case
(Figure: www.etsi.org/images/files/membership/ETSI_ITS_09_2012.jpg)
Day-one C-ITS use cases
• Case study: Day-one C-ITS* use cases
  • What is C-ITS
  • Some day-one use case scenarios
  • The need for identification
  • Protect privacy while identifying
* C-ITS: Cooperative Intelligent Transport Systems
What is C-ITS?
(Diagram: European Cooperation, International Cooperation and Global Cooperation around the ITS Coordination Group; Coordination, Results, Monitoring, Validation & Feedback; ITSsV6; EU and national funded projects; M/453; HTG; Stakeholders Groups)
Day-one C-ITS use cases
Vehicle to Vehicle traffic safety messages
• Emergency braking light
• Slow or stationary vehicle
• Emergency vehicle approaching
• Road accident ahead
• Vehicle approaching crossing
Vehicle to Infrastructure communication
• Green Light Optimal Speed Advisory
• Traffic light priority request
• Road works ahead
C-ITS cooperative awareness messages
CAM: Cooperative Awareness Messages
(Figure: 8th ETSI ITS workshop, 10th March 2016, Dr. T. Buburuzan, Volkswagen Research)
All use cases demand trustworthy unique identification
Authenticate Vehicles & Infrastructure
All use cases demand trustworthy unique identification
Trustworthy identification? Yes
But what about Privacy and Personal Data Protection?
(Figure: ETSI ITS Trust Model ®2014)
Authenticate & protect Privacy?
All use cases demand trustworthy unique identification
(Figure: ETSI ITS Trust Model ®2014)
Short-term authorization certificates (AT) to ensure Privacy and Data Protection
Sacrificing liberty, privacy and data security for cruise control?
No – but a technical challenge
Questions?
References
• Dir. 95/46/EC on Privacy and Data Protection
• Dir. 2002/58/EC on e-Privacy
• Art. 29 Working Party Opinion 8/2014 on Recent Developments on the Internet of Things
• Article 29 WP opinion on anonymisation (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf)
• COM(2013) 48 final: Directive on Network and Information Security
• Dutch ITS security round table on May 10 2016 (http://www.ditcm.eu/images/ITS_Ronde_tafel_/Security/meeting_100516)