Trust by Design: The Internet of Things · Security and privacy of smart -home devices and services Trust by Design: The Internet of Things Kevin G. Chege ISOC African Chapters Workshop

Security and privacy of smart-homedevices and services

Trust by Design: The Internet of Things

Kevin G. Chege

ISOC

African Chapters WorkshopAddis Ababa, 2018

The number of IoT devices and systemsconnected to the Internet will be more than2.5x the global populationby 2020 (Gartner).

As more and more devices are connected, privacy and security risks increase.

And most consumers don’t even know it.

New devices, new vulnerabilities

4

• Device Cost/Size/Functionality

• Volume of identical devices (homogeneity)

• Long service life (often extending far beyond supported lifetime)

• No or limited upgradability or patching• Physical security vulnerabilities

• Access

• Limited user interfaces (UI)

• Limited visibility into, or control over, internal workings

• Embedded devices

• Unintended uses• BYOIoT

The attributes of many IoT devices present new and unique security challenges compared to traditional computing systems.

What type of risks?

Unlocking doors, turning on cameras, shutting down critical systems and theft of personal property.

People’s safety or the safety of their family might even be at risk.

Large IoT-based attacks, such as the Mirai botnet in 2016, have crippled global access to high-profile Internet services for several hours.

2

A connected world offers the promise of convenience, efficiency and insight, but creates a

platform for shared risk.

Many of today’s IoT devices are rushed to market with little consideration for basic security and

privacy protections.

The challenges we face

Who is responsible?

Developers and users of IoT devices and systems have a collective obligation to ensure they do not expose others and the Internet itself to potential harm.

We need a collective approach, addressing security challenges on all fronts.

7

• We want manufacturers and suppliers of consumer IoT devices and services to adopt security and privacy guidelinesto protect the Internet and consumers from cyber threats.

• We want to educate users on the importance of secure IoTdevices and work with stakeholders involved in technology and security to better inform their communities on IoT.

The Internet Society is working for a better Internet.

IoT Trust by Design

Work with manufacturers and suppliers to adopt and implement

the OTA IoT Trust Framework

Mobilize consumers to drive demand for security and privacy

capabilities as a market differentiator

Encourage policy and regulations to push for better security and

privacy features in IoT

9

Online Trust Alliance (OTA) IoT Trust Framework

• Provides a set of actions and principles to raise the level of security for IoT devices and related services to protect consumers and the privacy of their data

• More than 100+ stakeholders from industry, government and consumer advocates contributed to the Framework

• Stands apart from other IoT-related Frameworks with its comprehensive focus on security, privacy and lifecycle issues, as well as a holistic view of the entire system

10

https://otalliance.org/iot/

Actionable principles in the Guidelines in eight categories for manufacturers, developers and

service providers

Authentication

11

CommunicationsControlDisclosuresPrivacy

UpdatesSecurityEncryption

IoT Framework Principles: It is a collective responsibility

IoT vendors and their supply chain

12

Distribution channels

Policymakers and governments

Consumer testing and product

review organizations

Consumers and enterprises

IoT Security and Policy Makers

13

Work with Policymakers

We want policymakers to create a policy environment that favors strong security and privacy features in IoTproducts and services.We need smart regulation that strengthens trust and enables innovation.

ISOC can help in this process

2

Actions for Policymakers

Governments have the opportunity to guide the IoT marketplace:• Stimulate security and privacy best practice adoption• Strengthen accountability through well-defined responsibilities and clear

consequences• Support industry adoption of the best practice principles from the IoT Trust

framework

15

Data Gathering: IoT in the African Region

- We are working via ISOC Chapters and other partners in the region to gather information on IoT development, IoT related policies and use in the region

- This info will help us coordinate efforts in IoT and know what types of IoT devices are being developed in the region and Policies that are working in our environment.

- This will allow us to better advise policy makers, users and ISPs on IoTsecurity

- If you are aware of any IoT research/development IoT Policy development in the region, please let us know through our chapters or ISOC staff 16

V is it u s a twww .in te rnetsoc ie ty .o rgF o llo w u s@ in te rn e tso c ie ty

G a le rie Je a n -M a lb u isso n 15 , C H -120 4 G e n e v a , S w itze rla n d .+ 4 1 22 8 0 7 14 4 4

1775 W ie h le A v e n u e , S u ite 20 1 , R e sto n , V A 20 19 0 -5 10 8 U S A . + 1 70 3 4 39 2 120

Thank you.

chege@isoc.org