Internet of Things Security and Data Protection (eBook)

Sébastien Ziegler (Editor)

eBook download: PDF
2019 | 1st edition
XI, 224 pages
Springer-Verlag
978-3-030-04984-3 (ISBN)

171.19 incl. VAT
  • Download available immediately

This book provides an overview of the most recent developments in Internet of Things (IoT) security and data protection. It presents the results of several international research projects addressing this topic from complementary angles. It starts by analyzing the main privacy and security threats on IoT, as well as the evolution of data protection norms, such as the European General Data Protection Regulation (GDPR), and their impact on IoT. Through a comprehensive and systematic approach, the contributors present new perspectives on IoT & Cloud Computing security requirements. They discuss the most recent approach to support trusted IoT, including new models of privacy risk assessment, labeling and certification, and contractual tools (such as Privacy PACT). Practical implementations, such as in the European Large Scale Pilots on IoT for Smart Cities (Synchronicity), are presented, explaining how they address security, privacy and data protection. Finally, innovative models to secure IoT systems are presented for the network and end-nodes security, including network threats analysis.



Dr. Sébastien Ziegler is co-founder and Director General of Mandat International. He serves as President of the IoT Forum, as Vice Chair of the IEEE ComSoc Subcommittee on the IoT, and as Rapporteur at the ITU on research and emerging technologies for the IoT. He initiated several national and international research projects in the area of ICT, with a focus on Internet of Things, IPv6, multiprotocol interoperability, crowdsourcing, privacy, and cybersecurity. He is currently coordinating and associated to several ongoing European research projects and is co-directing the Master in Advanced Studies on the Internet of Things at the University of Geneva. With a multi-disciplinary academic profile, combining international law, science, and economics, he is a relentless promoter of research, innovation and international cooperation. He personally supported the creation of more than ten organizations, foundations and companies.

About this Book
Contents
List of Figures
List of Tables
Chapter 1: Internet of Things Cybersecurity Paradigm Shift, Threat Matrix and Practical Taxonomy
1.1 Cybersecurity Threats Taxonomy for the Internet of Things
1.2 Traditional Cybersecurity Threat Matrix
1.3 Internet of Things Cybersecurity Paradigm Shift
1.3.1 Internet of Things Proxy Attacks
1.3.2 Internet of Things Target Attacks
1.4 New Cybersecurity Threat Matrix
1.5 Conclusion
Chapter 2: Privacy and Security Threats on the Internet of Things
2.1 New Perspective on Protection of IoT Systems
2.2 Related Work
2.3 New Security and Privacy Threats in IoT
2.4 Cyberthreat Analysis
2.4.1 Life Cycle of Cyberattacks
2.4.2 Security Objectives for IoT/CPS
2.4.3 Threat Actors
2.4.4 Attack Patterns
2.4.5 Major Security Vulnerabilities
2.4.6 Main Threats in IoT/CPS
2.4.7 Security Threats on Physical Layer
2.4.8 Security Threats of Network Layer
2.4.9 Security Threats of Application Layer
2.5 Common Countermeasures to Mitigate Threats in IoT/CPS
2.6 Major Privacy Threats in IoT
2.7 Related Security Frameworks
2.7.1 OWASP IoT
2.7.2 oneM2M
2.7.3 GSMA IoT Security Guidelines
2.7.4 ANASTACIA Project Security Framework
2.7.5 ARMOUR Project Framework
2.8 Conclusion
References
Chapter 3: End-Node Security
3.1 Introduction
3.2 Security Bootstrapping and Commissioning
3.2.1 What is Bootstrapping
3.2.2 IoT Device Life Cycle
3.2.3 Generic Bootstrapping Framework
3.3 Setting the Bases for Secure Communications
3.3.1 Authentication, Authorisation and Accounting (AAA)
3.3.2 Extensible Authentication Protocol (EAP)
3.3.3 Transporting EAP in IoT
Protocol for Carrying Authentication for Network Access (PANA)
CoAP-EAP
3.4 Instantiating Bootstrapping in IoT
3.4.1 After the Bootstrapping: The Operational Phase of the IoT Device
3.4.2 Enabling Security Association Protocols (SAPs)
3.4.3 Communication Between IoT Devices
3.4.4 Evaluation of EAP Lower Layers PANA and CoAP-EAP
Overhead as EAP Lower Layer
Time, Success Ratio and Energy Consumption
3.4.5 Conclusions About Security Bootstrapping and Commissioning
3.5 Intrusion Detection Systems for the Internet of Things
3.5.1 Introduction of the Challenge
3.5.2 IoT Environment and the Need for IDS
Shortcomings of Prevention Systems in the IoT World
IoT-Induced Challenges for the Development of IoT-Specific IDSs
Limitations of the Existing Art
Synthesis
3.5.3 Architectural Solution
Probes Location
Security Enforcement
Detection Methods
Signature-Based Detection
Behavioural Analysis Detection
3.5.4 Reaction Systems
Passive Reaction Subsystems
Active Reaction Subsystems
3.5.5 Deployment Scenario and Validation
3.5.6 Conclusion
References
Chapter 4: IoT and Cloud Computing: Specific Security and Data Protection Issues
4.1 Introduction
4.2 Cloud Computing
4.2.1 Subjects of the Cloud Computing
4.2.2 Personal Data Protection in the Cloud
4.2.3 Lack of Control
4.2.4 Lack of Information on the Processing of Personal Data
4.3 Internet of Things
4.4 Critical Issues in the Interaction Between IoT and Cloud
Chapter 5: Network Threat Analysis
5.1 Introduction
5.2 Stakeholders of Cybercrime and Cybersecurity
5.2.1 Attackers
5.2.2 Defenders
5.2.3 Victims
5.3 Information and Markets
5.3.1 Cybercriminals
5.3.2 Potential Cybercrime Victims
5.3.3 Cyber-Defence Services Providers
5.3.4 Cybersecurity Regulatory: Law Enforcement Authorities
5.4 The Future of Cybersecurity in the Context of IoT
References
Chapter 6: Evolution of Data Protection Norms and Their Impact on the Internet of Things
6.1 Introduction
6.2 The European General Data Protection Regulation: A Step Change for the Protection of Personal Data in the World of the Internet of Things
6.2.1 Accountability
6.2.2 Stakeholders and Risks in the IoT
6.2.3 Data Protection Impact Assessment
6.2.4 Data Breach
6.2.5 Security Measures
6.2.6 Data Subject’s Rights
6.3 Internet of Things and Big Data: A Dangerous Liaison?
6.4 The US and UK Approaches
6.5 A New Perspective: “Data Protecy”
Chapter 7: Universal Privacy Risk Area Assessment Methodology
7.1 Introduction
7.2 Initial Requirements
7.3 Universal Privacy Risk Area Assessment Methodology
7.3.1 Comprehensive Data Protection Approach
7.3.2 Generic Process
7.3.3 Customisation
7.3.4 Asymmetric Access to Information
7.4 UPRAAM for Crowdsourcing
7.4.1 UPRAAM Customisation for Crowdsourcing
7.4.2 UPRAAM for Crowdsourcing Description
7.5 Privacy Flag Crowdsourcing Assessment Tools
7.5.1 Privacy Monitoring Agents
7.5.2 Privacy Flag Browser Add-On
7.5.3 Privacy Flag Apps
7.5.4 Privacy Flag Observatory
References
Chapter 8: GDPR Compliance Tools for Internet of Things Deployments
8.1 Complying with Data Protection Regulations
8.2 Normative Heterogeneity
8.2.1 Examples of Normative Asymmetry
8.3 Data Protection Risks Mitigation
8.3.1 UPRAAM In-Depth Evaluation
8.3.2 Voluntary Commitment
8.4 GDPR Certification Scheme
8.4.1 Addressing Emerging Technologies
8.4.2 Initial Requirements
8.4.3 Normative Comprehensiveness
8.4.4 Overcoming ISO Certification Gap Through a Hybrid Certification Scheme
8.4.5 Effective Application
8.5 Conclusion
References
Chapter 9: Towards Trustable Internet of Things Certification
9.1 Introduction and Problematic
9.2 The Framework for Data Protection Certification in the GDPR
9.2.1 Electronic Certificates as Trust Services Regulated by the eIDAS Regulation
9.3 Conventional Approach to Certification
9.4 Electronic Privacy Certification
9.5 Dynamic Security and Privacy Seal (DSPS)
9.6 EuroPrivacy Certification Synthesis
9.6.1 Overcoming Cybersecurity: Data Protection Hiatus
9.6.2 Addressing IoT Technology Requirements
9.6.3 Enabling Real-Time Surveillance Integration
9.7 Conclusion
Chapter 10: Voluntary Compliance Commitment Tool for European General Data Protection Regulation
10.1 European Data Protection Framework
10.1.1 Data Protection Obligations’ Evolution Towards GDPR
GDPR Obligations
10.1.2 Impact on IoT Data Processors and Controllers
10.2 Voluntary Compliance Commitment Tool
10.3 Legal Foundation and Impact of the VCT
10.4 Conclusion
Chapter 11: IoT Privacy and Security in Smart Cities
11.1 Introduction
11.1.1 Large-Scale Pilot on IoT Deployment for Smart Cities
11.2 IoT Interoperability for Smart Cities
11.2.1 Open API for IoT in Smart Cities
11.3 Reference Architecture for IoT in Smart Cities
11.3.1 Snapshot of SynchroniCity Architecture: Gateway to the Future of Internet of Things
Setting the Context
A Sneak Peak of SynchroniCity
11.4 Ensuring IoT Data Protection in Smart Cities
11.4.1 Data Protection Officer
11.4.2 Dual Data Protection Officer Organisation
11.5 Data Protection Impact Assessment for Smart Cities
11.5.1 DPIA Characteristics
11.5.2 Applicability and Benefits of a DPIA for a Smart City Project
11.5.3 DPIA Methodology and Target of Evaluation
11.5.4 Stakeholders in a Smart City DPIA
11.5.5 Outcome of the DPIA
11.6 Privacy App
11.7 Conclusion
11.8 Complementary Consideration on the Applicability of a DPIA
11.8.1 Key Criteria in Determining DPIA Applicability
11.8.2 Exemptions to the DPIA Obligation
Reference
Chapter 12: End-User Engagement, Protection and Education
12.1 Introduction
12.2 Methods of Engagement
12.2.1 Online Resources and Toolkits
12.3 Crowdsourcing
12.4 Workshops
12.5 Privacy Game
12.6 Art, Creativity and Public Participation
12.6.1 Art and Creativity in the European IoT Large-Scale Pilots
12.7 Privacy and Social Care
12.8 The General Framework: EU GDPR and ePrivacy Directive/Regulation
12.8.1 The ePrivacy Directive and the Upcoming ePrivacy Regulation
12.8.2 Data Protection Impact Assessments
12.9 Ethics
12.10 Conclusion
References
Chapter 13: User-Centric Privacy
13.1 Introduction
13.2 Mechanisms and Technologies to Empower Users’ Consent in the IoT
13.3 MyData Model
13.4 eXtensible Access Control Markup Language (XACML)
13.5 Distributed Capability-Based Access Control (DCapBAC)
13.5.1 DCapBAC Basic Scenario
13.5.2 DCapBAC Extended Scenario
13.6 Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
13.7 Integrating Contextual Data for Dynamic User Consent
13.8 SMARTIE: User-Centric Security and Privacy for the IoT
13.8.1 Security and Privacy Requirements for a User-Centric IoT
13.8.2 SMARTIE Architecture
13.8.3 SMARTIE Components for Security and Privacy
13.8.4 Applying SMARTIE Components in the Internet of Energy
13.9 Conclusions
References
Index

Publication date (per publisher): 19 March 2019
Series: Internet of Things
Additional information: XI, 221 p. 37 illus., 35 illus. in color.
Place of publication: Cham
Language: English
Subject area: Computer Science / Networks / Security / Firewall
Engineering / Electrical Engineering / Energy Engineering
Keywords: cybersecurity • data protection • Internet of Things (IoT) Security • IoT Security in Smart cities • IPv6 Network Security • personal data protection • Privacy and Security Threat
ISBN-10 3-030-04984-1 / 3030049841
ISBN-13 978-3-030-04984-3 / 9783030049843
PDF (watermarked)
Size: 4.7 MB

DRM: Digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly well suited to specialist books with columns, tables and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need a PDF viewer, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. However, it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a PDF viewer, e.g. the free Adobe Digital Editions app.

Additional feature: Read online
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
