
Page 1

How do Policy and regulatory initiatives address the topic of IoT Security?

Dr. Florent Frederix, Online Trust and Cyber Security unit
Directorate-General for Communications Networks, Content and Technology, European Commission

This document does not necessarily reflect any official position of the Commission

On IoT, Cybersecurity and Data Protection

ETSI SECURITY WEEK, June 14, 2016, Sofia-Antipolis

Page 2

Table of Content

• The Legal Framework in the European Union
  • The General Data Protection Regulation (GDPR)
  • The Network Information Security Directive
• The EC Data Protection Legal framework
  • Working party opinion on the Internet of Things
  • Data accessible to the user only and third parties
  • Privacy by design requirements
• The EC Network Information Security directive
  • Objectives
  • Essential services
  • Digital Service Providers
  • Decision tree
• Case study: Day one C-ITS use cases
  • The authentication challenge

Page 3

Section: Legal IoT framework

• The Legal Framework in the European Union
• The General Data Protection Regulation (GDPR)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88, which will be applicable as of 25 May 2018.
• Article 29 Working Party opinion on the IoT
  • Working Party 29 Opinion 8/2014, on Data Protection, which applies to smart objects and the Internet of Things

Page 4

Section: Legal IoT framework

The NIS Directive: from proposal to transposition

Timeline of the Network and Information Security Directive (recovered from the slide's figure):
• February 2013: EC proposal COM(2013) 48
• 7 Dec 2015: Political agreement at the sixth informal trialogue
• Final adoption
• June–July 2016: Entry into force, 20 days after publication in the OJ
• Transposition: 21 months after entry into force for transposition into national laws, plus an additional 6 months to identify operators of essential services

Page 5

Section: EU Data protection

The Working Party 29 opinion on the Internet of Things (IoT) applies to smart objects (Working Party 29 Opinion 8/2014).

Page 6

Section: EU Data protection

WP29 on the Internet of Things

IoT can develop unlawful forms of surveillance and raise security concerns (WP29 Opinion 8/2014).

The interaction between objects will result in hardly manageable data flows, challenging the protection of the data subjects' rights.

Page 7

Section: EU Data protection

Extracts of the WP29 opinion

If the data controller provides a remote platform to collect and process data, the domestic exception only applies to the actual usage by the user and does not exempt the data controller from the data protection law (WP163, WP223).

Page 8

Section: EU Data protection

Extracts of the WP29 opinion

IoT stakeholders qualifying as data controllers must comply with 95/46/EC and 2002/58/EC.

Art. 5(3) of 2002/58/EC applies if an IoT stakeholder can access information stored on an IoT “terminal equipment” and demands that the subscriber/user consents. This is important because it can give others access to privacy-sensitive information stored on such devices.

Page 9

Section: EU Data protection

Extracts of the WP29 opinion

• Privacy Impact Assessment required
• Delete raw data as soon as aggregated data is extracted
• Principles of Privacy by Design and Privacy by Default apply
• Data subjects must be “in control” of the data at any time

Page 10

Section: EU Data protection

Extracts of the WP29 opinion for manufacturers

• inform stakeholders if the data subject withdraws consent
• provide granular access choices and a “do not collect” option
• prevent location tracking

Page 11

Section: EU Data protection

Extracts of the WP29 opinion for manufacturers

• provide tools to locally read, edit and modify the data before they are transferred to any data controller
• inform everyone impacted by a discovered device vulnerability

Page 12

Section: EU Data protection

Extracts of the WP29 opinion for manufacturers

• apply Security by Design and Cryptography
• limit data leaving devices and aggregate
• protect data of different individuals using the same car

Page 13

Section: EU NIS directive

The NIS Directive: objectives

NIS objectives:
• Increased national cybersecurity capabilities
• EU level cooperation
• Risk management & reporting
• Boosting the overall online security in Europe

Page 14

Section: EU NIS directive

Security and notification requirements: NIS addresses essential services

Operators of essential services:
• Energy: electricity, gas and oil
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructure
• Health: healthcare providers
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

Page 15

Section: EU NIS directive

Security and notification requirements: NIS addresses digital service providers

Digital Service Providers (DSPs):
• Online market places
• Cloud computing services
• Search engines

Page 16

Section: EU NIS directive

Who is bound by NIS? Identification process in 6 steps (decision tree recovered from the slide)

1. Does the entity belong to a sector/subsector and correspond to the type covered by Annex II of the Directive?
   • NO: the NIS Directive doesn't apply
   • YES: go to step 2
2. Is a lex specialis applicable?
   • YES: the security and/or notification requirements of the NIS Directive do not apply
   • NO: go to step 3

Page 17

Section: EU NIS directive

Who is bound by NIS? Identification process in 6 steps (continued)

3. Is the operator providing an “essential service” within the meaning of the Directive?
   • NO: the NIS Directive doesn't apply
   • YES: go to step 4
4. Does the service depend on network and information systems?
   • NO: the NIS Directive doesn't apply
   • YES: go to step 5

Page 18

Section: EU NIS directive

Who is bound by NIS? Identification process in 6 steps (continued)

5. Would a cyber incident have a significant disruptive effect?
   • NO: the NIS Directive doesn't apply
   • YES: go to step 6

Cross-sectoral factors (specified in the Directive):
• number of users relying on the services
• dependency of other essential sectors on the service
• impact that incidents could have on economy and societal activities or public safety
• possible geographic spread
• importance of the entity for maintaining a sufficient level of the service

Sector-specific factors (not specified; examples):
• Energy: volume or proportion of national power generated
• Transport: proportion of national traffic volume & number of operations per year
• Health: number of patients under the provider's care per year

Page 19

Section: EU NIS directive

Who is bound by NIS? Identification process in 6 steps (continued)

6. Is the operator concerned providing essential services in other Member States?
   • YES: mandatory consultation with the Member State(s) concerned, followed by adoption of national measures
   • NO: adoption of national measures (e.g. list of operators of essential services, policy and legal measures)

Page 20

Section: EU NIS directive

And the IoT?

(Figure: NIS directive → Operators of essential services → IoT applications and smart objects, across the sectors Energy: electricity, gas and oil; Transport: air, rail, water and road; Banking: credit institutions; Financial market infrastructure; Health: healthcare providers; Water: drinking water supply and distribution.)

Page 21

Section: Case study

Case study: Day-one C-ITS use case

(Image: www.etsi.org/images/files/membership/ETSI_ITS_09_2012.jpg)

Page 22

Section: Case study

Day-one C-ITS use cases

• Case study: Day-one C-ITS* use cases
  • What is C-ITS
  • Some day-one use case scenarios
  • The need for identification
  • Protect privacy while identifying

* C-ITS: Cooperative Intelligent Transport Systems

Page 23

Section: International Cooperation

What is C-ITS?

(Figure: C-ITS governance diagram. Recoverable labels: European Cooperation; Coordination; Results; Monitoring; ITS Coordination Group; Cooperation; Global; Validation & Feedback; ITSsV6; EU and national funded projects; M/453; HTG; Stakeholders Groups.)

Page 24

Section: Case study

Day one C-ITS use cases

Vehicle to Vehicle traffic safety messages:
• Emergency braking light
• Slow or stationary vehicle
• Emergency vehicle approaching
• Road accident ahead
• Vehicle approaching crossing

Vehicle to Infrastructure communication:
• Green Light Optimal Speed Advisory
• Traffic light priority request
• Traffic works ahead

Page 25

Section: Case study

C-ITS cooperative awareness messages

CAM: Cooperative awareness messages

(Figure source: 8th ETSI ITS workshop, 10th March 2016, Dr. T. Buburuzan, Volkswagen Research)

All use cases demand trustworthy unique identification

Page 26

Section: Case study

Authenticate Vehicles & Infrastructure

All use cases demand trustworthy unique identification

Trustworthy identification? Yes. But what about Privacy and Personal Data Protection?

(Figure: ETSI ITS Trust Model, 2014)

Page 27

Section: Case study

Authenticate & protect Privacy?

All use cases demand trustworthy unique identification

(Figure: ETSI ITS Trust Model, 2014)

Short term authorization certificates (AT) to ensure Privacy and Data Protection

Page 28

Sacrificing liberty, privacy and data security for cruise control?

No – but a technical challenge

Questions?

Page 29

References
• Dir. 95/46/EC on Privacy and Data Protection
• Dir. 2002/58/EC on e-Privacy
• Art. 29 Working Party Opinion 8/2014 on Recent Developments on the Internet of Things
• Article 29 WP opinion on anonymisation (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf)
• COM(2013) 48 final: Directive on Network and Information Security
• Dutch ITS security round table on May 10 2016 (http://www.ditcm.eu/images/ITS_Ronde_tafel_/Security/meeting_100516)