Standardisation and certification of safety, security and privacy in the ‘Internet of Things’
As computers become embedded invisibly everywhere, Europe faces significant information security challenges. Emerging problem areas include autonomous vehicles, e-healthcare, smart power grids and smart meters, domestic appliances and even toys; there will be many more. These systems are starting to be known as ‘The Internet of Things’ and they contain new vulnerabilities which can be remotely exploited, with consequent risks to safety and privacy. Many regulators who previously thought only in terms of safety will have to start thinking of security as well. (Indeed, the two concepts are the same in the languages spoken by most Europeans – sicurezza, seguridad, sûreté, Sicherheit, trygghet...) Yet the many applications that are acquiring online connectivity and thus exposing their security vulnerabilities to the whole Internet are certified (if at all) under a disparate range of national, industry and other schemes. Insurance underwriters’ laboratories, for example, assess burglar and car alarms, while vehicle safety and building performance are tested by other labs. What happens when we move to smart homes and self-driving cars? There are several policy objectives we wish to achieve, and available mechanisms include both general provisions, such as the Product Liability Directive, the NIS Directive and the Data Protection Regulation, and the detailed standards and regulations that govern specific industry sectors. However, the existing regulators (and standards) mostly take no account of security or privacy threats. Security is complex, and naïve attempts to impose existing security standard frameworks are likely to fail; we give some examples of how they have failed elsewhere. In this paper we describe the problems and set out some recommendations. The EU needs a multi-stakeholder approach where over-arching regulations on liability, transparency and privacy are coordinated with specific industry regulations on safety and testing.
We identify missing institutional resources and suggest a strategy for filling the gap. Above all, the European institutions and regulatory networks need cybersecurity expertise to support safety, privacy, consumer protection and competition. This will be an essential first step towards embedding security thinking in Europe’s many safety regulators.