Securing the Internet of Things

The Department for Digital, Culture Media and Sport (‘DCMS’) has produced a report on the cyber security of the consumer Internet of Things (‘IoT’) (‘Report’). The Report acknowledges both the new opportunities and increased risks for consumers in this ever expanding IoT world and seeks to promote a ‘Secure by Design’ approach to the consumer IoT. Dan Hyde, Partner at Penningtons Manches LLP, assesses the recommendations and voluntary Code of Practice proposed in the Report and argues that this does not go far enough to protect the consumer and that there ought to be a compulsory system of regulation - a mandatory Code of Practice - and a labelling system, akin to that embraced within the food industry, to ensure that consumers are properly protected and manufacturers and service providers do not cut corners.

IOT
Dan Hyde, Partner
dan.hyde@penningtons.co.uk
Penningtons Manches LLP, London
Image: Westend61 / Getty Images

CYBER SECURITY PRACTITIONER 16
A Cecile Park Media Publication | May 2018 17

The Secure by Design concept is persuasive: it strives for uniform cyber security protections to be built into a product or service from the outset and for these to be universally applied to better protect the consumer. This uprated cyber engineering is to be achieved through 13 carefully formulated recommended guidance measures, namely:

1. that all IoT device passwords be unique and not resettable to any universal factory default value;
2. all companies providing internet connected devices and services must provide a public point of contact as part of a vulnerability disclosure policy so that disclosed weaknesses or faults can be acted on in a timely manner;
3. all software components in internet connected devices must be securely updateable. The need for an update should be flagged up by the device to the consumer so that it is obvious, and the update should be easy to implement;
4. devices should securely store credentials and security sensitive data; hard coded credentials in device software are unacceptable;
5. security sensitive data, including remote management and control, should be encrypted when transiting the internet and all keys should be managed securely;
6. all devices and services should minimise the exposed attack surfaces; unused ports should be closed and hardware should never unnecessarily expose access, so that the devices and services operate on a ‘principle of least privilege’;
7. software must be verified using secure boot mechanisms, and the device should alert the consumer to any issue and not connect to networks wider than those necessary to issue the alert;
8. devices and services must ensure any personal data is protected and processed in a way that is compliant with data protection law;
9. ensure IoT services are resilient to outages;
10. IoT services and devices should monitor system telemetry data so that security issues or unusual circumstances are identified early;
11. devices and services should make it simple for consumers to delete their personal data; the process should be straightforward, with clear instructions given to the consumer;
12. installation and maintenance of IoT devices should be minimal and usability should follow security best practices; and
13. data input for devices or services, such as via user interfaces and that transferred via application programming interfaces or between networks, must be validated to ensure systems are not easily subverted by incorrect code or data.

These measures or guidelines are in order of priority (top down), with the first three identified as being of particular importance, and, together with additional explanatory notes, form a proposed Code of Practice for the industry.
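As an added illustration (not code from the article, from DCMS or from the Report), the following script shows how a manufacturer could check a production batch of devices against measures 1, 4 and 6 of the list above before shipment: password uniqueness across the batch and absence of universal defaults, credentials baked into firmware strings, and listening ports beyond those the product needs. The record format, the field names, the default-password denylist, the required-port set and the sample batch are all constructed assumptions for this example.

```python
"""Added example: batch audit of device provisioning records against
measures 1, 4 and 6 of the consumer IoT Code of Practice summarised above.
Record layout, denylist, port policy and sample data are assumptions."""

import re
import secrets
import string
from dataclasses import dataclass

# Constructed denylist of universal factory defaults that measure 1 rules out.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "123456", "default", "root"}

# Ports the hypothetical device needs for normal operation; any other open
# port counts as unused exposure under measure 6 (assumption for this example).
REQUIRED_PORTS = {443}

# Patterns that suggest a credential baked into firmware strings (measure 4).
HARDCODED_CRED = re.compile(
    r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*\S+"
)


@dataclass
class DeviceRecord:
    serial: str              # identifier printed on the unit
    password: str            # credential as provisioned at the factory
    firmware_strings: list   # printable strings pulled from the firmware image
    open_ports: set          # TCP ports found listening on the device


def provision_password(length: int = 16) -> str:
    """Generate a per-device password the way measure 1 expects: random for
    each unit, never a shared default. Uses the OS CSPRNG via `secrets`."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_batch(records):
    """Check a production batch against measures 1, 4 and 6.
    Returns {serial: [finding, ...]}; an empty list means nothing was flagged."""
    findings = {r.serial: [] for r in records}

    # Uniqueness (measure 1) is a property of the batch, not of a single device,
    # so group records by password first.
    seen = {}
    for r in records:
        seen.setdefault(r.password, []).append(r.serial)
    for serials in seen.values():
        if len(serials) > 1:
            for s in serials:
                findings[s].append(
                    "measure 1: password shared with another device in the batch")

    for r in records:
        if r.password.lower() in UNIVERSAL_DEFAULTS:
            findings[r.serial].append(
                "measure 1: password is a universal factory default")
        if r.password == r.serial:
            findings[r.serial].append("measure 1: password equals the printed serial")

        # Measure 4: credential-looking strings inside the firmware image.
        for s in r.firmware_strings:
            if HARDCODED_CRED.search(s):
                findings[r.serial].append(
                    f"measure 4: hard coded credential in firmware: {s!r}")

        # Measure 6: anything listening beyond what the product needs.
        for port in sorted(r.open_ports - REQUIRED_PORTS):
            findings[r.serial].append(f"measure 6: unused port {port} open")

    return findings


# Constructed sample batch (not real device data).
SAMPLE_BATCH = [
    DeviceRecord("SN0001", "admin",
                 ["boot ok", "user=root", "password=admin123"], {443, 23}),
    DeviceRecord("SN0002", "sharedpass", ["boot ok"], {443}),
    DeviceRecord("SN0003", "sharedpass", ["boot ok"], {443}),
    DeviceRecord("SN0004", provision_password(), ["boot ok"], {443}),
]

if __name__ == "__main__":
    for serial, items in audit_batch(SAMPLE_BATCH).items():
        print(serial, "OK" if not items else "; ".join(items))
```

Only SN0004, provisioned with a fresh random credential, passes cleanly; SN0002 and SN0003 are each flagged because they share a password, and SN0001 fails all three measures at once. A real pipeline would feed `firmware_strings` from a strings dump of the image and `open_ports` from a port scan of the unit under test.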
My own initial reaction to the Report and its Code of Practice was positive. The aims and suggested measures are laudable, well thought out and explained in plain, succinct language. The objective, to instil best practices and reduce the burden on the consumer by shifting the security responsibility to the manufacturer, service provider, app developer and retailer, is a sound one, as is the intention that cyber security should be embedded in the product from the point of design so that consumers are better protected going forward. But my positivity faded on deeper reflection: how could this or any voluntary code of practice assist where there is negligence or hostility on the part of the manufacturer, developer, retailer or service provider?
The Report makes clear that it hopes for industry cooperation rather than coercion and that take-up of the Code would be voluntary. It also trumpets the UK and the UK consumer as being the best protected in the world. Unfortunately the IoT and the products and services we seek to design cyber security into are global: consumers are purchasing products that are manufactured, developed or supported by actors in a plethora of countries. In order to control that process we must accept two things. Firstly, that a voluntary Code will be ignored or abused by some. Secondly, that even a compulsory Code will be difficult to enforce in certain reluctant states where regulation is lax and there is resistance to what is regarded as an alien jurisdiction or governance. There also needs to be a scheme of compulsory labelling, one that sets out the information that must be included on the product label. This way consumers would be better able to judge the design security of a product, and it would potentially expose those products that do not meet best practice standards.
Intuition tells me that the majority of those in the UK and other world regions that are accustomed to modern standards of consumer regulation, cyber compliance and product certification will be more likely to implement the Code, but even so a voluntary Code may not be a sufficient incentive if financial gains can be made by not doing so and taking short cuts. In short, the market cannot be trusted to regulate itself; too much is at stake. There needs to be legislation with teeth that enforces these design standards and makes labelling and service/product information compulsory. Can one imagine the food industry being left to self-regulate? Imagine food producers being politely asked to ensure their products are safe for human consumption, include correct allergen warnings or ingredient information. It is remarkable that a consumer, often blind to the cyber security of a device at the point of purchase, should be offered less protection.
The difficulty will be that legislation would need to snag all those involved internationally. There may be hostile states that are resistant to this. One would expect a divergence of philosophy from China (a major manufacturer and distributor), Russia and possibly the US. All three have set rather divergent courses to ours in their treatment of data protection and cyber security, and globally achieving and enforcing a uniform scheme of device/service certification would be difficult if not impossible. Without global buy-in or adherence, how could one ensure the success of any code or certification scheme?
Local initiatives are afoot to encourage take-up of voluntary certification schemes. The London Digital Security Centre has launched Secured by Design, a pilot cyber security certification scheme backed by the Mayor’s Office together with the Metropolitan and City of London Police forces. The scheme is split into two parts with two separate awards. The first is titled ‘Secure by Design - Police Preferred Specification’ and is aimed at ensuring cyber supply chains are resilient. Seven early adopters came forward to take part in the award, but it remains to be seen how great the appeal of this award will ultimately be. The second award, ‘Digitally Aware - Secured by Design,’ uses a risk assessment tool to educate participants about cyber risk and increase their protection from cyber crime. Though such schemes undoubtedly add value, it is hard to imagine such a piecemeal voluntary national approach being sufficient; whilst cyber products and services remain international and have input beyond our borders, we can only engineer and certify security if we have a means of enforcing the implementation of industry standards extra-territorially.
At the very least, on a national level there ought to be a compulsory system of regulation (a mandatory Code of Practice) and a labelling system, akin to that used in the food industry, to ensure products and services sold to the UK consumer contain essential information such as ‘unique passwords used,’ ‘vulnerability disclosure supported device’ or ‘securely updateable.’ If we are going to claim we have the best protected consumers in the world, let’s at least begin a program that might one day support that assertion.
There needs to be legislation with teeth that enforces these design
standards and makes labelling and service/product information compulsory.
Can one imagine the food industry being left to self-regulate?

More Related Content

What's hot

IoT Insurance Observatory 2020
IoT Insurance Observatory 2020IoT Insurance Observatory 2020
IoT Insurance Observatory 2020Matteo Carbone
 
What is BLE mobile payment
What is BLE mobile paymentWhat is BLE mobile payment
What is BLE mobile paymentMahindra Comviva
 
Internet of Things (IoT) Applications and Trends Malaysia 2022
Internet of Things (IoT) Applications and Trends Malaysia 2022Internet of Things (IoT) Applications and Trends Malaysia 2022
Internet of Things (IoT) Applications and Trends Malaysia 2022Dr. Mazlan Abbas
 
Internet of Things - The new Paradigmn
Internet of Things - The new ParadigmnInternet of Things - The new Paradigmn
Internet of Things - The new ParadigmnDeepu S Nath
 
Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...
Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...
Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...eraser Juan José Calderón
 
Whitepaper: From LTE Network Launch to Monetization
Whitepaper: From LTE Network Launch to MonetizationWhitepaper: From LTE Network Launch to Monetization
Whitepaper: From LTE Network Launch to MonetizationBroadSoft
 
Exciting io t trends and predictions to look out for in 2022
Exciting io t trends and predictions to look out for in 2022Exciting io t trends and predictions to look out for in 2022
Exciting io t trends and predictions to look out for in 2022ArpitGautam20
 
NXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) PresentationNXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) PresentationInvestorideas.com
 
DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...
DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...
DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...Tata Tele Business Services
 
Sirous Kavehercy Mobile Monday Russia 3G Services
Sirous Kavehercy Mobile Monday Russia 3G ServicesSirous Kavehercy Mobile Monday Russia 3G Services
Sirous Kavehercy Mobile Monday Russia 3G ServicesSirous Kavehercy
 
Internet of Everything: Retail’s Future
Internet of Everything: Retail’s FutureInternet of Everything: Retail’s Future
Internet of Everything: Retail’s FutureCisco Services
 
Evolution of Internet of Things (IoT) Ecosystem - Potential in India
Evolution of Internet of Things (IoT) Ecosystem - Potential in IndiaEvolution of Internet of Things (IoT) Ecosystem - Potential in India
Evolution of Internet of Things (IoT) Ecosystem - Potential in IndiaJayanth Kolla
 
Integrated killer applications for connected insurance
Integrated killer applications for connected insurance Integrated killer applications for connected insurance
Integrated killer applications for connected insurance Andrea Silvello
 

What's hot (18)

Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018
 
IoT Insurance Observatory 2020
IoT Insurance Observatory 2020IoT Insurance Observatory 2020
IoT Insurance Observatory 2020
 
What is BLE mobile payment
What is BLE mobile paymentWhat is BLE mobile payment
What is BLE mobile payment
 
Internet of Things (IoT) Applications and Trends Malaysia 2022
Internet of Things (IoT) Applications and Trends Malaysia 2022Internet of Things (IoT) Applications and Trends Malaysia 2022
Internet of Things (IoT) Applications and Trends Malaysia 2022
 
DataQuest_Sairam
DataQuest_SairamDataQuest_Sairam
DataQuest_Sairam
 
IoT Ins Obs '19
IoT Ins Obs '19IoT Ins Obs '19
IoT Ins Obs '19
 
Internet of Things - The new Paradigmn
Internet of Things - The new ParadigmnInternet of Things - The new Paradigmn
Internet of Things - The new Paradigmn
 
Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...
Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...
Covid-19 and IoT: Some Perspectives on the Use of IoT Technologies in Prevent...
 
IoT Innovation Fund for Business Growth
IoT Innovation Fund for Business GrowthIoT Innovation Fund for Business Growth
IoT Innovation Fund for Business Growth
 
Whitepaper: From LTE Network Launch to Monetization
Whitepaper: From LTE Network Launch to MonetizationWhitepaper: From LTE Network Launch to Monetization
Whitepaper: From LTE Network Launch to Monetization
 
Exciting io t trends and predictions to look out for in 2022
Exciting io t trends and predictions to look out for in 2022Exciting io t trends and predictions to look out for in 2022
Exciting io t trends and predictions to look out for in 2022
 
NXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) PresentationNXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) Presentation
 
DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...
DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...
DoBig Webinar - How #IoT can transform your business - Omkar Malage, Frost & ...
 
Patent Insights: Connected Car Innovations
Patent Insights: Connected Car InnovationsPatent Insights: Connected Car Innovations
Patent Insights: Connected Car Innovations
 
Sirous Kavehercy Mobile Monday Russia 3G Services
Sirous Kavehercy Mobile Monday Russia 3G ServicesSirous Kavehercy Mobile Monday Russia 3G Services
Sirous Kavehercy Mobile Monday Russia 3G Services
 
Internet of Everything: Retail’s Future
Internet of Everything: Retail’s FutureInternet of Everything: Retail’s Future
Internet of Everything: Retail’s Future
 
Evolution of Internet of Things (IoT) Ecosystem - Potential in India
Evolution of Internet of Things (IoT) Ecosystem - Potential in IndiaEvolution of Internet of Things (IoT) Ecosystem - Potential in India
Evolution of Internet of Things (IoT) Ecosystem - Potential in India
 
Integrated killer applications for connected insurance
Integrated killer applications for connected insurance Integrated killer applications for connected insurance
Integrated killer applications for connected insurance
 

Similar to Csp IoT dan hyde 18 p16 17

FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)Dr Dev Kambhampati
 
150127iotrpt
150127iotrpt150127iotrpt
150127iotrptmadhu ck
 
Iot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrptIot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrptMarket Engel SAS
 
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati
 
Andy-Bridden-IoMT-Canterburyv1.pptx
Andy-Bridden-IoMT-Canterburyv1.pptxAndy-Bridden-IoMT-Canterburyv1.pptx
Andy-Bridden-IoMT-Canterburyv1.pptxsafsda1
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
The Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devicesThe Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devicesWavestone
 
CH_004_APPLICATIONS_OF_IOT.pptx
CH_004_APPLICATIONS_OF_IOT.pptxCH_004_APPLICATIONS_OF_IOT.pptx
CH_004_APPLICATIONS_OF_IOT.pptxvidhanPoddar1
 
IoT - Insurance Industry Adoption
IoT - Insurance Industry Adoption IoT - Insurance Industry Adoption
IoT - Insurance Industry Adoption Ashwani Kumar
 
IoT - RTD WHITE PAPER SquaredOnline
IoT - RTD WHITE PAPER SquaredOnlineIoT - RTD WHITE PAPER SquaredOnline
IoT - RTD WHITE PAPER SquaredOnlineFranceschiniLaura
 
The Singapore FinTech Consortium - Introduction to InsurTech
The Singapore FinTech Consortium - Introduction to InsurTechThe Singapore FinTech Consortium - Introduction to InsurTech
The Singapore FinTech Consortium - Introduction to InsurTechFinTech Consortium
 
DATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best PracticesDATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best PracticesDataSecretariat
 
ico-future-tech-report-20221214.pdf
ico-future-tech-report-20221214.pdfico-future-tech-report-20221214.pdf
ico-future-tech-report-20221214.pdfyashapnt
 
The Tools of Industry 4.0
The Tools of Industry 4.0The Tools of Industry 4.0
The Tools of Industry 4.0Osama Shahumi
 
Security and privacy issues with io t healthcare devices
Security and privacy issues with io t healthcare devicesSecurity and privacy issues with io t healthcare devices
Security and privacy issues with io t healthcare devicesZoe Gilbert
 
Ravi i ot-security
Ravi i ot-securityRavi i ot-security
Ravi i ot-securityskumartarget
 
Securing the internet of things: The conversation you need to have with your CEO
Securing the internet of things: The conversation you need to have with your CEOSecuring the internet of things: The conversation you need to have with your CEO
Securing the internet of things: The conversation you need to have with your CEOThe Economist Media Businesses
 
GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1Clay Melugin
 

Similar to Csp IoT dan hyde 18 p16 17 (20)

150127iotrpt
150127iotrpt150127iotrpt
150127iotrpt
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)
 
150127iotrpt
150127iotrpt150127iotrpt
150127iotrpt
 
Iot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrptIot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrpt
 
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
 
Andy-Bridden-IoMT-Canterburyv1.pptx
Andy-Bridden-IoMT-Canterburyv1.pptxAndy-Bridden-IoMT-Canterburyv1.pptx
Andy-Bridden-IoMT-Canterburyv1.pptx
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
The Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devicesThe Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devices
 
CH_004_APPLICATIONS_OF_IOT.pptx
CH_004_APPLICATIONS_OF_IOT.pptxCH_004_APPLICATIONS_OF_IOT.pptx
CH_004_APPLICATIONS_OF_IOT.pptx
 
IoT - Insurance Industry Adoption
IoT - Insurance Industry Adoption IoT - Insurance Industry Adoption
IoT - Insurance Industry Adoption
 
Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)
 
IoT - RTD WHITE PAPER SquaredOnline
IoT - RTD WHITE PAPER SquaredOnlineIoT - RTD WHITE PAPER SquaredOnline
IoT - RTD WHITE PAPER SquaredOnline
 
The Singapore FinTech Consortium - Introduction to InsurTech
The Singapore FinTech Consortium - Introduction to InsurTechThe Singapore FinTech Consortium - Introduction to InsurTech
The Singapore FinTech Consortium - Introduction to InsurTech
 
DATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best PracticesDATA Working Group - Consumer Best Practices
DATA Working Group - Consumer Best Practices
 
ico-future-tech-report-20221214.pdf
ico-future-tech-report-20221214.pdfico-future-tech-report-20221214.pdf
ico-future-tech-report-20221214.pdf
 
The Tools of Industry 4.0
The Tools of Industry 4.0The Tools of Industry 4.0
The Tools of Industry 4.0
 
Security and privacy issues with io t healthcare devices
Security and privacy issues with io t healthcare devicesSecurity and privacy issues with io t healthcare devices
Security and privacy issues with io t healthcare devices
 
Ravi i ot-security
Ravi i ot-securityRavi i ot-security
Ravi i ot-security
 
Securing the internet of things: The conversation you need to have with your CEO
Securing the internet of things: The conversation you need to have with your CEOSecuring the internet of things: The conversation you need to have with your CEO
Securing the internet of things: The conversation you need to have with your CEO
 
GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1
 

Recently uploaded

Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxAnto Jebin
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideillinoisworknet11
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its historyprasannamurthy6
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsRich Bergeron
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.2020000445musaib
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfssuser3e15612
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSRoshniSingh312153
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxBharatMunjal4
 
Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxjennysansano2
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasBrandy Austin
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesChesley Lawyer
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksFinlaw Associates
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Rich Bergeron
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in SalesMelvinPernez2
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Centerejlfernandez22
 
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseRich Bergeron
 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Rich Bergeron
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicableSaraSantiago44
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxJFSB1
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxgurcharnsinghlecengl
 

Recently uploaded (20)

Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptx
 
Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docx
 

Csp IoT dan hyde 18 p16 17

CYBER SECURITY PRACTITIONER | A Cecile Park Media Publication | May 2018 | pages 16-17

Securing the Internet of Things

The Department for Digital, Culture, Media and Sport (‘DCMS’) has produced a report on the cyber security of the consumer Internet of Things (‘IoT’) (‘Report’). The Report acknowledges both the new opportunities and increased risks for consumers in this ever expanding IoT world and seeks to promote a ‘Secure by Design’ approach to the consumer IoT. Dan Hyde, Partner at Penningtons Manches LLP, assesses the recommendations and voluntary Code of Practice proposed in the Report and argues that this does not go far enough to protect the consumer and that there ought to be a compulsory system of regulation - a mandatory Code of Practice - and a labelling system, akin to that embraced within the food industry, to ensure that consumers are properly protected and manufacturers and service providers do not cut corners.

Dan Hyde, Partner
dan.hyde@penningtons.co.uk
Penningtons Manches LLP, London

Image: Westend61 / Getty Images

The Secure by Design concept is persuasive: it strives for uniform cyber security protections to be built into a product or service from the outset and for these to be universally applied to better protect the consumer. This uprated cyber engineering is to be achieved through 13 carefully formulated recommended guidance measures, namely:

1. that all IoT device passwords be unique and not resettable to any universal factory default value;
2. all companies providing internet connected devices and services must provide a public point of contact as part of a vulnerability disclosure policy, so that disclosed weaknesses or faults can be acted on in a timely manner;
3. all software components in internet connected devices must be securely updateable. The need for an update should be flagged up by the device to the consumer so that it is obvious, and the update should be easy to implement;
4. devices should securely store credentials and security sensitive data; hard coded credentials in device software are unacceptable;
5. security sensitive data, including remote management and control, should be encrypted when transiting the internet, and all keys should be managed securely;
6. all devices and services should minimise the exposed attack surfaces; unused ports should be closed and hardware should never unnecessarily expose access, so that the devices and services operate on a ‘principle of least privilege;’
7. software must be verified using secure boot mechanisms, and the device should alert the consumer to any issue and not connect to networks wider than those necessary to issue the alert;
8. devices and services must ensure any personal data is protected and processed in a way that is compliant with data protection law;
9. ensure IoT services are resilient to outages;
10. IoT services and devices should monitor system telemetry data so that security issues or unusual circumstances are identified early;
11. devices and services should make it simple for consumers to delete their personal data; the process should be straightforward, with clear instructions given to the consumer;
12. installation and maintenance of IoT devices should be minimal and usability should follow security best practices; and
13. data input for devices or services, whether entered via user interfaces, transferred via application programming interfaces or passed between networks, must be validated to ensure systems are not easily subverted by incorrect code or data.

These measures or guidelines are in order of priority (top down), with the first three identified as being of particular importance, and, together with additional explanatory notes, form a proposed Code of Practice for the industry.

My own initial reaction to the Report and its Code of Practice was positive. The aims and suggested measures are laudable, well thought out and explained in plain, succinct language. The objective, to instil best practices and reduce the burden on the consumer by shifting the security responsibility to the manufacturer, service provider, app developer and retailer, is a sound one, as is the intention that cyber security should be embedded in the product from the point of design so that consumers are better protected going forward. But my positivity faded on deeper reflection: how could this or any voluntary code of practice assist where there is negligence or hostility on the part of the manufacturer, developer, retailer or service provider? The Report makes clear that it hopes for industry cooperation rather than coercion and that take up of the Code would be voluntary. It also trumpets the UK and UK consumer as being the best protected in the world.

Unfortunately the IoT and the products and services we seek to design cyber security into are global: consumers are purchasing products that are manufactured, developed or supported by actors in a plethora of countries. In order to control that process we must accept two things. Firstly, that a voluntary Code will be ignored or abused by some. Secondly, that even a compulsory Code will be difficult to enforce in certain reluctant states where regulation is lax and there is resistance to what is regarded as an alien jurisdiction/governance. There also needs to be a scheme of compulsory labelling, one that sets out the information that must be included on the product label. This way consumers would be better able to judge the design security of a product, and it would potentially expose those products that do not meet best practice standards. Intuition tells me that the majority of those in the UK and other world regions that are accustomed to modern standards of consumer regulation, cyber compliance and product certification will be more likely to implement the Code, but even so a voluntary Code may not be a sufficient incentive if financial gains can be made by not doing so and taking short cuts. In short, the market cannot be trusted to regulate itself; too much is at stake. There needs to be legislation with teeth that enforces these design standards and makes labelling and service/product information compulsory. Can one imagine the food industry being left to self-regulate? Imagine food producers being politely asked to ensure their products are safe for human consumption, include correct allergen warnings or ingredient information? It is remarkable that a consumer, often blind to the cyber security of a device at the point of purchase, should be offered less protection. The difficulty will be that legislation would need to snag all those involved internationally. There may be hostile states that are resistant to this.

One would expect a divergence of philosophy from China (a major manufacturer and distributor), Russia and possibly the US. All three have set rather divergent courses to ours in their treatment of data protection and cyber security, and globally achieving and enforcing a uniform scheme of device/service certification would be difficult if not impossible. Without global buy-in or adherence, how could one ensure the success of any code or certification scheme? Local initiatives are afoot to encourage take up of voluntary certification schemes. The London Digital Security Centre has launched Secured by Design, a pilot cyber security certification scheme backed by the Mayor’s Office together with the Metropolitan and City of London Police forces. The scheme is split into two parts with two separate awards. The first is titled ‘Secure by Design - Police Preferred Specification’ and is aimed at ensuring cyber supply chains are resilient. Seven early adopters came forward to take part in the award, but it remains to be seen how great the appeal of this award will ultimately be. The second award, ‘Digitally Aware - Secured by Design,’ uses a risk assessment tool to educate participants about cyber risk and increase their protection from cyber crime. Though such schemes undoubtedly add value, it is hard to imagine such a piecemeal voluntary national approach being sufficient; whilst cyber products and services remain international and have input beyond our borders, we can only engineer and certify security if we have a means of enforcing the implementation of industry standards extra-territorially.

At the very least, on a national level there ought to be a compulsory system of regulation (a mandatory Code of Practice) and a labelling system, akin to that used in the food industry, to ensure products and services sold to the UK consumer carry essential information such as ‘unique passwords used,’ ‘vulnerability disclosure supported device’ or ‘securely updateable.’ If we are going to claim we have the best protected consumers in the world, let’s at least begin a program that might one day support that assertion.
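As an added illustration of what measures 1 and 4 of the Code listed above ask of a device maker (unique, non-default passwords; no hard-coded credentials and secure credential storage), the following Python sketch shows one way a device's firmware could implement them. It is example code written for this page, not code from the Report, the article or any product; the Device and CredentialStore classes, the UNIVERSAL_DEFAULTS deny-list and the PBKDF2 parameters are assumptions of the example, and it uses only the Python standard library.

```python
"""Per-device unique credentials with secure storage and non-default reset.

Illustration of Code of Practice measures 1 and 4 (example code, not from
the Report or the article). All names here are assumptions of the example.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed sample of universal factory defaults that measure 1 forbids.
# A real deny-list would be far larger; this one exists only for the demo.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "default", "root"}

PBKDF2_ROUNDS = 200_000  # assumption: tuned for a small embedded CPU


def generate_unique_password(nbytes: int = 12) -> str:
    """Fresh random initial password for one device (printed on its label).

    Drawn from the OS CSPRNG at provisioning, so no two devices share a
    value and there is no universal default to fall back to.
    """
    return secrets.token_urlsafe(nbytes)


def is_universal_default(password: str) -> bool:
    """True if the candidate is one of the shared defaults measure 1 forbids."""
    return password.strip().lower() in UNIVERSAL_DEFAULTS


@dataclass
class CredentialStore:
    """Holds only a salt and a PBKDF2 hash, never the password itself (measure 4)."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def set_password(self, password: str) -> None:
        # Refuse shared defaults outright; a fresh salt goes with every change.
        if is_universal_default(password):
            raise ValueError("universal default passwords are not permitted")
        self.salt = os.urandom(16)
        self.digest = self._hash(password)

    def verify(self, password: str) -> bool:
        if not self.digest:
            return False
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(self._hash(password), self.digest)


@dataclass
class Device:
    serial: str
    store: CredentialStore = field(default_factory=CredentialStore)

    @classmethod
    def provision(cls, serial: str) -> tuple["Device", str]:
        """Factory provisioning: unique password per device, stored only as a hash."""
        device = cls(serial)
        password = generate_unique_password()
        device.store.set_password(password)
        return device, password

    def factory_reset(self) -> str:
        """A reset does NOT restore a universal default; it issues a new unique password."""
        password = generate_unique_password()
        self.store.set_password(password)
        return password


def demo() -> dict:
    """Exercise the pattern on two constructed devices; returns checkable facts."""
    dev_a, pw_a = Device.provision("SN-0001")
    _dev_b, pw_b = Device.provision("SN-0002")
    login_before = dev_a.store.verify(pw_a)
    new_pw = dev_a.factory_reset()
    return {
        "unique_across_devices": pw_a != pw_b,
        "login_ok_before_reset": login_before,
        "old_password_dead_after_reset": not dev_a.store.verify(pw_a),
        "new_password_works": dev_a.store.verify(new_pw),
        "default_rejected": is_universal_default("admin"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the reset path is the one the Code makes in measure 1: a factory reset that restores a value shared by every unit of the product line is exactly the universal default the measure rules out, so the reset must mint a new per-device secret instead. Storing only a salted PBKDF2 hash means the firmware image and the device's flash never contain a usable credential, which is what measure 4's ban on hard-coded credentials requires in practice.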