Balancing requirements of Security, Usability and Functionality within IoT
Alexander R Cadzow, C3L

Post on 03-Jun-2020

About Me

• Background in Archaeology, Anthropology and Forensic Sciences, with further development and focus on Anthropology, specifically Biological Anthropology and Human Skeletal Analysis.
• Sidewise move into Cybersecurity and Human Factors, with a focus on bridging the gap between technology and the human user.
• This fits nicely with the systems engineering approach, which must equally address and integrate these three key elements: hardware, software and human systems integration.

Introduction

• Based on the work of the ETSI User-Group and how their work links to the world of IoT. It will also be based on previous work that has been carried out by the ETSI Cyber-Group. Part of this presentation will focus on the areas of security, privacy, GDPR, data protection and single-sign-on technologies. These areas will be presented from the User-Group perspective.
• The other part will focus on the usability and functionality of IoT devices, and on how design choices can impact security and vice versa, along with how standards have the potential to aid in balancing these three elements.

Problem Space

• The majority of IoT devices coming onto the market are designed to be as low-cost and simple to use as possible. But this leads to a compromised design, with security and privacy protections often being neglected. Therefore, we need to be able to develop guidelines and requirements for IoT devices which have security designed into them while also maintaining the ease of usability and functionality that business and consumer users have come to expect. While we are already heading in this direction, the advent of the mass-market rollout of 5G within the next few years will most likely lead to an explosion in the number of IoT devices. Therefore, I will argue that we need to update guidelines to ensure that security is not pushed aside, but also that when security is implemented it doesn't affect the usability or functionality of IoT devices.

Perfect Security

Usability vs Functionality

[Images: Sunbeam Toaster; Talkie Toaster]

Relationships

• A holistic approach combining human factors, technology and design.
• The balance between security, usability and functionality also has to satisfy privacy and data protection legislation.

[Diagram labels: Security; Usability; Functionality; IoT Device; GDPR, Cybersecurity Act, ePrivacy Act; Human-System Interaction; Relationship between the User and the Service Provider]

Security Usability Paradox

• Any method must provide the level of security that the user feels is appropriate for that application, and it must do so in a manner that is as natural as possible to the user. If ease of use is not considered, users are likely either to consider dropping a service or to adopt insecure workarounds. Security is not just about technology; it is about the users who want to access that technology. Applications must get the balance right between security and usability.
• There are instances within which security and usability can be synergistically improved. The perceived antagonism of security and usability can be scaled back or eliminated by revising the underlying designs on which systems are conceived. The errors in system design, computer user interfaces, and interaction design can lead to common errors during insecure operation. By identifying and correcting these errors, users can naturally and automatically experience more secure operation. IoT devices can benefit hugely from an established set of design frameworks which are optimized for security operations.

Stand Alone Complex of Cybersecurity

• Definition: “Elements who, with no coordination or knowledge of others' actions, act as though they're working together toward a common goal”.
• This seems to come from a checklist mentality or adding on cybersecurity elements to products and services at the end of the design process.
• The implementation needs to focus on people, processes and technology. One guide is the Confidentiality (protecting data from unauthorised access), Integrity (preventing unauthorised change to data) and Availability (data is available when and where it is needed) (CIA) model. There need to be sufficient means in place to provide cybersecurity, data protection and maintain the privacy of sensitive information, whether their own or their customers' data.

Systems Engineering

• The definition of systems engineering includes the human element: "a system is the combination of elements that function together to produce the capability required to meet a need. The elements include all hardware, software, equipment, facilities, personnel, processes, and procedures needed for this purpose."
• For example, the mindset from safety and testing in the aviation industry. Consider mishaps involving aerospace vehicles in which human factors played a significant role, including engineers, leaders, managers, and the operators (e.g., pilots). Such accidents and incidents rarely resulted from a single cause but were the outcome of a chain of events in which altering at least one element might have prevented disaster.
• The areas we need to have knowledge or awareness of include design, psychological and organisational factors, which are often the causes of cybersecurity failures. Taking lessons from other engineering areas is a vital step if we are ever going to reduce the rates of successful cyberattacks.

Role of ETSI?

• Areas include the creation and maintenance of standards, education/awareness, testing of devices, how safe they are etc.
• Cyber-0048 (EN 303 645) “Securing Consumer IoT”. Provides requirements on: Accessibility and usability; User security; Privacy and Safety.
• Draft WID Security Assessment for Mobile Device. Proposed requirements: Accessibility and/or Usability; Control of devices through a user interface; Control of services; User security; Privacy and Safety.
• Guide to Identity Based Cryptography. A survey and explainer for IBC – technologies, use-cases, properties. The report describes the key management issues, the cryptography that underpins IBE, the threats and mitigations surrounding IBE.
• Proposal for Trusted Home Gateway Development Guidance: Proposal on trust verification for routers partially comes under the remit of HF and User.

Work of the USER-Group

• Their remit covers Users of ICT products and services.
• The goals are to produce reports on users' requirements on topics previously defined by either the User Group or other relevant ETSI body for recommendation to the ETSI Board and General Assembly. Such reports will analyse the users' requirements under a functional approach to improve the standardisation work. They are the interface with the policy and priority setting bodies in ETSI to transmit users' concerns and viewpoints on subjects of relevance.

Security as a Service (SaaS)

• In the always-connected world, cybersecurity providers must offer a catalogue of services, adaptable to each case, pooling skills and defences, at prices that meet the different expectations of companies.
• In providing SaaS for end-users there are key challenges, which include big data, IoT privacy and IoT security.
• A key recommendation is Secure by Default: No default passwords; Keep software updated; Securely store credentials and security-sensitive data; Communicate securely; Minimise exposed attack surfaces; Ensure software integrity; Ensure that personal data is protected; Make systems resilient to outages; Monitor system telemetry data; Make it easy for consumers to delete personal data. These have to be implemented by the device manufacturers and the service providers.

Single Sign-On (SSO)

• SSO is an authentication process that allows a user to access multiple applications or services with one set of login credentials.
• Enables composition of services for providers by automating or simplifying the user access or login process.

GDPR

• Breach Notification - Within 72 hours of first having become aware of the data breach. Companies will have to notify their customers, the controllers.
• Right to Access - Users can obtain from companies confirmation as to whether or not personal data concerning them are being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
• Right to be Forgotten - entitles the user to have companies erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
• Data Portability - the right for a user to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine-readable format' and have the right to transmit that data to another company.
• Privacy by Design (Data Protection by Design) - calls for companies to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Data Protection and Privacy

• Data protection requires a company to have the means to protect data throughout its life cycle, meaning at the moments data is created, processed, stored and destroyed.
• Achieved by protecting the data in transit, at rest, when it resides on the IoT device along with the company's own servers, and finally the means to ensure the secure disposal of the data.
• Four principal methods for ensuring data protection include regular backups of data, encryption, pseudonymisation and access controls.
• Privacy is defined as freedom from damaging publicity, public scrutiny, secret surveillance, or unauthorised disclosure of one's personal data or information, as by a government, corporation, or an individual.
• Privacy is linked to the confidentiality of personal data between the user and the service provider. The user expects confidentiality to mean having another's trust or confidence when entrusting companies with private information.

Conclusion

• There is no silver bullet to balancing requirements of security, usability and functionality for IoT devices. IoT devices can be better optimised for security, usability and functionality if the relationship between them is clearly understood.
• Ideally, the majority of cybersecurity measures should be invisible to the user, with access control and verification being their interaction with cybersecurity measures. Also, ease of usability and functionality doesn't just apply to the design of the IoT device but also the highlighted points under GDPR.
• Vital to challenge and solve these problems of implementing security, ensuring usability and functionality in IoT devices before they evolve into the Internet of Everything.

Q&A