1 Looking through the crystal ball: Identifying future security, privacy and social risks in a prospective IoT scenario SecIoT th November 2010, Tokyo Barbara Daskala, CISSP, CISA, ENISA James Clarke, Waterford Institute of Technology, Ireland Dennis K. Nilsson, Swedish Institute of Computer Science, Sweden
2 Why a crystal ball? IoT is a prospective vision Considering a possible future IoT scenario on air travel [ENISA study] Using a risk assessment approach to identify potential risks Putting things in context: Covered many different aspects! IoT Vision Security, privacy, social, legal risks???
3 ENISA Flying 2.0 Study EC Communication Internet of Things An Action Plan for Europe Main Objective: identify and explore risks in a future air travel scenario, of emerging and future technologies and applications (IoT/ RFID, LBS ) Three different scenarios / three actors
4 ENISA Study WG Members Alessandro Bassi, Hitachi Europe SAS, France Jim Clarke, Researcher, Waterford Institute of Technology, Ireland France Charles de Couessin, Executive Partner, ID Partners, France Sotiris Ioannidis, Associate Researcher, Institute of Computer Science, Foundation for Research and Technology (FORTH), Greece Eleni Kosta, Legal Researcher, K.U.Leuven - Interdisciplinary Centre for Law & ICT (ICRI), Belgium Paul McCarthy, Research Fellow, Lancaster University, UK Huang Ming-Yuh, Program Manager, Strategic Information Assurance, The Boeing Company, US Eurico Neves, CEO, INOVA+ Serviços de Consultadoria em Inovação Tecnológica SA, Portugal Dennis Nilsson, Consultant at Syncron Japan KK, Tokyo, Japan Milan Petkovic, Philips Research, The Netherlands Pawel Rotter, AGH University of Science and Technology in Krakow, Automatics Department, Poland Markus Tiemann, Human Factors and Cabin/Cargo Operations, AIRBUS Operations, Germany David Wright, Managing Partner, Trilateral Research & Consulting LLP, UK
5 The Akira scenario When: years into the future Who: Akira, 20 year-old, a Japanese scholarship student Where: airport (London to Japan), on the way to the airport, on the aircraft, arrival What: Use of smart technologies to perform the various steps of air travel
6 The major phases in the scenario Getting to the airport the Tube, London, RFID enabled card Airport check-in RFID-enabled frequent traveler card, fingerprint check Security & border access controls Waiting to board Social networking [JP- Professionals-unite.com] Boarding seamless In flight Internet in the air [ad-hoc network], Creative Commons Arrival and transfer Frequent flyer card contains luggage tags
7 The major phases in the scenario (cont d) Boarding seamless, smart boarding process based on verifying 2D barcodes as well as biometrically authenticating passengers In flight Internet in the air Arrival and transfer Personal electronic devices and airport infrastructure guide passengers through immigration control, luggage claim, and onwards to bus, train or rental car
8 Airline servers Databases PIU Databases On-line check-in Frequent Flyer Card Number VISA RFID tags Electronic Product Code
9 The risk assessment in brief Methodology based on ISO/IEC 27005:2008 Identify and valuate assets (values, rights, systems, services ): composite asset [data & physical device] Identify and assess vulnerabilities (of assets) and threats Identify and assess major risks in the scenario Make recommendations
10 What are we trying to protect? The assets INTANGIBLE Automated reservation, checking and boarding procedure Electronic visa issuing process Luggage and goods handling Automated traffic management TANGIBLE Passports and National ID cards Mobile smart devices Health monitoring devices Travel documents (paper) RFID & barcode readers Credit Cards/Debit card/payment cards/'e-wallet' Other RFID cards Scanners & detectors Networks State databases Commercial and other databases Temporary handset airport guides Luggage and goods Check-in infrastructure Airport facilities
11 Identifying major risk areas Technical High dependency on technology... Overall computing network infrastructure failure service interruption and unavailability Severe Realisation of malicious attacks to compromise systems (e.g. social networking, DoS attacks, cloning of RFID tags, jamming, blocking, side channel attack) Electronic ID failures: identity theft Failure of vehicles and ground transportation infrastructure traffic jams, accidents etc.
12 Identifying major risk areas (cont d) Policy & organizational Reservation, check-in and boarding procedures rendered unavailable Security screening failure (e.g. scanners malfunction, failure of procedures etc.) Interoperability issues across countries Cannot issue/control electronic visas Inability to travel: loss of paper documents, other delays / failures, check-in / passenger identification Procedures / instructions, devices complex to use not followed Press the???
13 Identifying major risk areas (cont d) Social (including privacy) Function creep / repurposing of data Loss of privacy Social sorting and social exclusion Increased surveillance Low user acceptance, user frustration data
14 Identifying major risks (cont d) Legal Lack of common or harmonized data protection legislation Legal vacuum Legislation lagging behind technological advancements Non-compliance with the data protection legislation NOTE Various risks are highly interconnected! Distinction between security, privacy risks not always very clear!
15 And now what? Addressing the risks requires considering many aspects POLICY Rethink existing business structures and introduce new business models User-friendliness of devices and procedures, include rather than exclude! RESEARCH Data protection and privacy Usability Managing trust Multi-modal person authentication Proposing standards of light cryptography protocols
16 LEGAL Reevaluate and update data protection legislation Harmonisation of data collection FOR EUROPEAN COMMISSION Enforcement and application of the European regulatory framework Alignment of research with industrial and societal needs promoting participation of industry, and in particular SMEs in research activities as FP7 Ethical limits research Recommendations (cont d) Need for impact assessment and trials of new technologies before deployment
17 Some conclusions... YES! IoT is a promising vision and may solve many problems! BUT There are important risks posed that need to be addressed SO we need to... - be proactive - weave security & privacy into IoT - work together! [existing EC initiatives on Privacy Impact Assessment framework of RFID applications and IoT Expert group and ]
18 Thank you! ありがとうございました! For the ENISA report, visit:
FP7-SEC-2013.2.5-2 Grant Agreement Number 607775 Collaborative Project E-CRIME The economic impacts of cybercrime D3.1 Anti-Cybercrime technologies and best practices assessment and monitoring Deliverable
Consumerization of IT: Risk Mitigation Strategies [Deliverable 2012-12-19] Consumerization of IT: Risk Mitigation Strategies I Acknowledgements This report has been produced by ENISA using input and comments
EUROPEAN COMMISSION Brussels, 2.7.2014 COM(2014) 442 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE
Business Innovation Observatory Trend report Disruptive innovations and forward-looking policies towards smart value chains Internal Market, Industry, Entrepreneurship and SMEs Disruptive innovations and
ericsson White paper Uen 307 23-3230 February 2014 Guiding principles for security in a networked society The technological evolution that makes the Networked Society possible brings positive change in
CYBER SECURITY IN CIVIL AVIATION August 2012 This is version 1 of this report, describing the situation as of August 2012, and the intention is to update it periodically as the situation changes. We welcome
Title: Author: Editors: : Forensic Implications of Identity Management Systems WP6 Zeno Geradts (NFI, The Netherlands) Peter Sommer (LSE, UK) Reviewers: Martin Meints (ICPP, Germany) Mark Gasson (University
Could Your Security Vulnerabilities Cause Network Gridlock? A Discussion Paper for Transportation Information Technology Leaders and Executives 2 THE NEED FOR SECURITY IN THE TRANSPORT ECOSYSTEM Transportation
Security & Resilience in Governmental Clouds January 2011 About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market.
Resilient e-communications Networks June 09 Good Practice Guide Network Security Information Exchanges 2 3 Acknowledgements About ENISA This report was prepared by Symantec Inc. in co-operation with Landitd
EUROPEAN COMMISSION Brussels, SEC(2011) 132 COMMISSION STAFF WORKING PAPER IMPACT ASSESSMENT Accompanying document to the Proposal for a EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE on the use of Passenger
Certified Masters in Cyber Security Certification of Masters Degrees Providing a General, Broad Foundation in Cyber Security Call for Applications Closing Date: 20 June 2014, 16:00 Briefing Meeting: 14
EUROCONTROL Manual for National ATM Security Oversight Directorate Single Sky Edition 1.0 Edition date: 10/10/2012 Reference nr: DSS/CM/SEC/DEL/12-044 DOCUMENT CHARACTERISTICS TITLE Manual for National
ISMS User s Guide for Medical Organizations Guidance on the Application of ISMS Certification Criteria (Ver.2.0) ISMS: Information Security Management System 8 November 2004 Japan Information Processing
Introduction to Online Identity Management By Thomas J. Smedinghoff 1 1. Identity Management Basics... 3 (a) Identification... 4 (1) Scope and Accuracy... 5 (2) Issuance of Credential... 6 (b) Authentication...
Could your security vulnerabilities cause network gridlock? A discussion paper for Transportation Information Technology leaders and executives 2 THE NEED FOR SECURITY IN THE TRANSPORT ECO-SYSTEM Transportation
Network and Information Security Standards Report in support of the Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee
Whitepaper Cybersecurity Trends 2015 Content 1. Compliance: Pressure on Businesses is Mounting....4 Dear Readers, Many thanks for your interest in our Cybersecurity Trends 2015 white paper. The risk of
EUROPEAN COMMISSION Brussels, 2.7.2014 SWD(2014) 214 final COMMISSION STAFF WORKING DOCUMENT Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe' Accompanying
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Master in Cyber Security Contents 5 Introduction 6 Master in Cyber Security 7 About GCSEC 8 Information Security Group and Royal Holloway 9 Admission 10 Program Overview 12 Degree classification scheme
November 10 2 About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for the
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of