IoT vs Privacy: European Vision for Development · A Internet das coisas (IoT) vs Privacidade |...
European Union Agency for Network and Information Security | IoT vs Privacy: European Vision for Development | Paulo Empadinhas | Head of Administration | Cyber Law Research Centre (Faculdade de Direito de Lisboa) | Lisbon | 4 Jan 2016


Internet of Things

A Internet das coisas (IoT) vs Privacidade | Paulo EMPADINHAS

What is the Internet of Things (IoT)

Network of interconnected objects for data processing

- Cyber physical

- Self-Configuration

Specialized & Embedded

- Seamless integration

- Reduced Human–computer interaction (HCI)

Multiple stakeholders

- For common or individual goals

Integrated and Legacy Systems vs Independent infrastructure

Autonomy Era

The Internet of Things (IoT) is introducing billions of embedded sensors, smart machines, wearable devices and connected industrial equipment. Businesses are beginning to interconnect these “things” to enable the delivery of intelligent products and services through the digital ecosystem.

Key actions:

• Protection of devices

• Infrastructure security

• Security by design

Data Integrity

IoT grows fast; society will use data passed between interconnected devices, applications and processes to determine customer context, and then collaborate through platforms to provide the intelligent products and services that customers desire.

A connected digital ecosystem, combined with remote / autonomous computing and the ability of M2M communications.

Risks of compromising data integrity / Data-Driven Decisions

Big Data Issues

Connections and exchanges of information for business and private use are experiencing exponential growth in data as more devices get deployed.

We are a small dot in the global network!


IoT Today Scenario

http://uk.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2?r=US&IR=T


Individuals as Data Cluster

Wearable devices collect a huge amount of personal data as well as surrounding environment information

The significant impact of these technologies on privacy rights will require a careful review.

Great concern for Health-related sensitive data (i.e. Medical devices and fitness apps).

Confidential information and easily disclose it to third parties.

IoT at the heart of Smart Infrastructures

Current challenges of IoT

• Capacity-limited devices

• Data exchange with other devices and remote services

• No regulation on data ownership

• Interaction with the physical life (cyber-physical systems)

Threats and risks of IoT devices and services

• Threats are diverse and evolve rapidly

• Several IoT manufacturers are not expert in security

• Data collection and processing may be unclear to users

• Impact on citizens’ health, safety and privacy

[Diagram: Cyber System, Physical System]

ENISA and IoT security

ENISA studies Security and Privacy for:

• Devices

• Data exchange (including network infrastructure)

• Local and remote services (e.g. Cloud, etc.)

ENISA develops expertise to secure IoT

• Evaluation of threats

• Promotion of security and privacy good practices

• Stakeholders engagement

• Awareness raising

• Community expert groups

• Liaison with policy makers

Domains of activities

In 2015:

• Smart Cities and Intelligent Public Transport

• Smart Homes

In 2016:

• Smart Cars

• eHealth and Smart Hospitals

• Smart Airports

• Industry 4.0

Target audience:

• Operators and end-users

• Manufacturers, developers and solution vendors

• Policy makers and supervision bodies (DPAs, NRAs, etc.)

• But also: academia, standardisation bodies…

[Diagram: Smart Homes, Intelligent Transportation Systems, Smart Cities, SCADA and Industry 4.0, eHealth]

First Results

Smart Homes

• Need to secure the entire lifecycle of devices and services

• Security and privacy measures adapted to the devices

• Manufacturers should integrate privacy and security by design and provide security updates

Intelligent Public Transport and Smart Cities

• Need to secure data exchange and ensure privacy

• Need to develop security for safety and privacy by design

• Need for harmonised security framework

• Operators and municipalities need to define security requirements and associated Key Performance Indicators

Smart Cars

Cars rely on ICT and data exchange

• Threats to safety (e.g. UConnect hack)

• Privacy can be impacted (e.g. knowledge of location)

• Provide guidance to manufacturers, third-party providers

• Protect safety and privacy of citizens

ENISA aims at promoting good practices to secure:

• Critical assets in the car

• Data exchanges with an impact on safety and privacy

Collaboration with DG Connect (H5) and DG MOVE (C-ITS)

Securing Smart Cars today shall help “self-driving cars” to be secure

Smart Hospitals

Healthcare is a critical sector using ICT

• Cloud computing supporting healthcare institutions

• Security in health information systems (hospitals)

• Critical assets in healthcare institutions

• ENISA study on eHealth in 2015

ENISA objectives:

• Secure IoT usage by the healthcare sector

• Promote security and privacy of devices, systems and infrastructure

• Ensure security and privacy by design for new devices and systems

Smart Airports

Address the current awareness on ICT interdependencies

Identify, at European level, the lessons learnt regarding good practices

Issue high level recommendations to operators

[Diagram: airport systems across Airside, Landside and Terminal]

• Buildings: Data Networks, Voice Radio, Cellular, TV, CCTV Monitors, SCADA

• Security: Border control, Data Networks, Surveillance

• IT Infrastructure: E ticketing, Passenger and Baggage management, Catering Logistics

• Passenger management: Public transport, Communications, Retail, Hospitality, Entertainment

• Internal Coordination: Airport Infrastructure Management, Passenger and Baggage management

• Ground Staff: Mobility, Maintenance Fuel Refill, Cleaning and catering services

• External Coordination: Air Traffic Management, Ramp Services, Cargo and Flight Resources Management

Security and Privacy by Design

Reminder:

• Security and Privacy are basic needs

• They can be inscribed in legal frameworks

• Requirements need to consider both security and privacy (e.g. define personal data to protect)

• Careful: these two concepts are interdependent as a weakness on one side can lead to a breach on both sides.

The term “by design” integrates:

• Security and Privacy in all phases of product development

• Aim at protecting the end-user

• Bring an advantage to the industry (e.g. limit product recalls, loss of trust)

[Diagram: development phases: concept, analysis, design, implementation, testing, evaluation]

Conclusion

IoT security and privacy is important

• Threats are real and evolve rapidly

• Impact on privacy and health and safety

• Lack of harmonisation in existing security and privacy measures

ENISA work to enhance IoT security

• Deliverables

• Expert groups

• Awareness raising

• Collaborations with the European Commission and stakeholders

All stakeholders must collaborate to enhance IoT security and privacy


Trust
