Legal considerations on the Internet of things: 2015 and beyond - part 6:Cybersecurity

09 March 2015

Roberto Camilli

Cybersecurity of IOT devices will be another central issue to address, and, as already mentioned by the Article 29 Working Party, security should be at the centre of any IOT projects from their start.

IOT devices will likely be outside protected networks and corporate systems, and may end up being standalone devices abandoned in unsecured locationss, accessible by any type of user, including ill-intentioned hackers and organised criminals.

In addition, simple sensors and IOT connected devices will operate using simple software embedded systems that may not be constantly updated or sufficiently protected. A recent and very real example of the cyber security risk that could menace IOT devices is the Heartbleed virus that attacks the OpenSSL cryptographic software library commonly used to provide secure internet communication.

Like every virus it is possible to identify and eliminate it from affected systems, but this would prove more difficult for devices and systems that are not routinely monitored or updated and that are not sufficiently protected. These devices have the potential to be infected and remain so for a long period of time, posing a threat after most users would think they are safe.

Devices used for industrial or infrastructure connectivity might be hacked with potentially catastrophic consequences; just think about large public infrastructure, essential services, important private networks or computing systems, and the potential scenarios are easy to imagine.

Consider the risk of terrorists hacking an implanted medical device of a target, or essential public systems, a plane, a train or a ship.

As with Data Protection, it is therefore essential to plan cybersecurity protocols, protections and disaster recovery plans from the beginning, at the start of any IOT project, using encryption and virus protection technology when possible, even for the simplest connected tools and products.

An example of this would be an alert mechanism that could immediately exclude a device affected by an attack from any connection and send a warning message to the user or to a central control system.

Another is aa shared tracking and updating system which could crawl the internet in search of connected devices, regularly scanning them for viruses or other threats and dispose of them.


Read the rest of the series

Follow us at @TwobirdsTech to keep up to date with the series and more legal insights from Bird & Bird.