IoT vs Privacy: European Vision for Development · The Internet of Things (IoT) vs Privacy |...
European Union Agency for Network and Information Security
IoT vs Privacy
European Vision for Development
Paulo Empadinhas | Head of Administration
Cyber Law Research Centre (Faculdade de Direito de Lisboa) | Lisbon | 4 Jan 2016
Network of interconnected objects for data processing
- Cyber physical
- Self-Configuration
Specialized & Embedded
- Seamless integration
- Reduced Human–computer interaction (HCI)
Multiple stakeholders
- For common or individual goals
Integrated and Legacy Systems vs Independent infrastructure
The Internet of Things (IoT) vs Privacy | Paulo EMPADINHAS
What is the Internet of Things (IoT)
The Internet of Things (IoT) is introducing billions of embedded sensors, smart
machines, wearable devices and connected industrial equipment. Businesses
are beginning to interconnect these “things” to enable the delivery of intelligent
products and services through the digital ecosystem.
Key actions:
• Protection of devices
• Infrastructure security
• Security by design
Autonomy Era
As IoT grows fast, society will use data passed between interconnected devices, applications
and processes to determine customer context, and then collaborate through platforms to
provide the intelligent products and services that customers desire.
A connected digital ecosystem, combined with remote / autonomous computing and the
ability of M2M communications.
Risk of compromising data integrity / data-driven decisions
Data Integrity
Connections and the exchange of information for business and private use are experiencing
exponential growth in data as more devices get deployed.
We are a small dot in the global network!
Big Data Issues
IoT Today Scenario
http://uk.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2?r=US&IR=T
Individuals as Data Cluster
Wearable devices collect a huge amount of personal data as well as surrounding environment information
The significant impact of these technologies on privacy rights will require a careful review.
Great concern for health-related sensitive data (i.e. medical devices and fitness apps).
Confidential information and easily disclose it to third parties.
Current challenges of IoT
• Capacity-limited devices
• Data exchange with other devices and remote services
• No regulation on data ownership
• Interaction with the physical life (cyber-physical systems)
Threats and risks of IoT devices and services
• Threats are diverse and evolve rapidly
• Several IoT manufacturers are not expert in security
• Data collection and processing may be unclear to users
• Impact on citizens’ health, safety and privacy
IoT at the heart of Smart Infrastructures
Cyber System
Physical System
ENISA studies Security and Privacy for:
• Devices
• Data exchange (including network infrastructure)
• Local and remote services (e.g. Cloud, etc.)
ENISA develops expertise to secure IoT
• Evaluation of threats
• Promotion of security and privacy good practices
• Stakeholders engagement
• Awareness raising
• Community expert groups
• Liaison with policy makers
ENISA and IoT security
In 2015:
• Smart Cities and Intelligent Public Transport
• Smart Homes
In 2016:
• Smart Cars
• eHealth and Smart Hospitals
• Smart Airports
• Industry 4.0
Target audience:
• Operators and end-users
• Manufacturers, developers and solution vendors
• Policy makers and supervision bodies (DPAs, NRAs, etc.)
• But also: academia, standardisation bodies…
Domains of activities
Smart Homes
Intelligent Transportation Systems
Smart Cities
SCADA and Industry 4.0
eHealth
Smart Homes
• Need to secure the entire lifecycle of devices and services
• Security and privacy measures adapted to the devices
• Manufacturers should integrate privacy and security by design and provide security updates
Intelligent Public Transport and Smart Cities
• Need to secure data exchange and ensure privacy
• Need to develop security for safety and privacy by design
• Need for harmonised security framework
• Operators and municipalities need to define security requirements and associated Key Performance Indicators
First Results
Cars rely on ICT and data exchange
• Threats on safety (e.g. UConnect hack)
• Privacy can be impacted (e.g. knowledge of location)
• Provide guidance to manufacturers, third-party providers
• Protect safety and privacy of citizens
ENISA aims at promoting good practices to secure:
• Critical assets in the car
• Data exchanges with an impact on safety and privacy
Collaboration with DG Connect (H5) and DG MOVE (C-ITS)
Smart Cars
Securing Smart Cars today shall help “self-driving cars” to be secure
Healthcare is a critical sector using ICT
• Cloud computing supporting healthcare institutions
• Security in health information systems (hospitals)
• Critical assets in healthcare institutions
• ENISA study on eHealth in 2015
ENISA objectives:
• Secure IoT usage by the healthcare sector
• Promote security and privacy of devices, systems and infrastructure
• Ensure security and privacy by design for new devices and systems
Smart Hospitals
Address the current awareness on ICT interdependencies
Identify, at European level, the lessons learnt regarding good practices
Issue high level recommendations to operators
Smart Airports
[Diagram: airport systems across AIRSIDE, LANDSIDE and TERMINAL]
• Buildings: Data Networks, Voice Radio, Cellular, TV, CCTV, Monitors, SCADA
• Security: Border control, Data Networks, Surveillance
• IT Infrastructure: E ticketing, Passenger and Baggage management, Catering Logistics
• Passenger management: Public transport, Communications, Retail, Hospitality, Entertainment
• Internal Coordination: Airport Infrastructure Management, Passenger and Baggage management
• Ground Staff: Mobility, Maintenance Fuel Refill, Cleaning and catering services
• External Coordination: Air Traffic Management, Ramp Services, Cargo and Flight Resources Management
Reminder:
• Security and Privacy are basic needs
• They can be inscribed in legal frameworks
• Requirements need to consider both security and privacy (e.g. define personal data to protect)
• Careful: these two concepts are interdependent as a weakness on one side can lead to a breach on both sides.
The term “by design” integrates:
• Security and Privacy in all phases of product development
• Aim at protecting the end-user
• Bring an advantage to the industry (e.g. limit product recalls, loss of trust)
Security and Privacy by Design
concept
analysis
design
implementation
testing
evaluation
IoT security and privacy is important
• Threats are real and evolve rapidly
• Impact on privacy and health and safety
• Lack of harmonisation in existing security and privacy measures
ENISA work to enhance IoT security
• Deliverables
• Expert groups
• Awareness raising
• Collaborations with the European Commission and stakeholders
Conclusion
All stakeholders must collaborate to enhance IoT security and privacy
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you