SCOTT:IoT-Cloud Certification Apr2018

= Venue =
ECP, Overgoo 13, 2260 AG Leidschendam, The Netherlands (route description: Overgoo 13 in Leidschendam)

= Goal of Meeting =

 * Information on topics, open issues and future challenges
 * Building a partnership for the different domains
 * Support the discussion on more secure and safe hardware, software, devices and services
 * Identify who takes the lead, such that the common interest gets promoted

= Attendance =

 * Jelle Attema
 * Josef Noll
 * Lukasz Kulas
 * Bianca Smit
 * Michiel Steltman
 * Michael Karner
 * Roman Volf
 * Ad Reuijl (UWV)
 * Ewout Brandsma
 * Werner Rom
 * Bert Tuinsma (Zeker Online)
 * Ramiro Robles
 * Thomas Niessen
 * Wim Rullens

= Agenda =
 * 09:00 Registration
 * 09:30 Welcome (Jelle Attema)
 * 09:40 Table round incl. update of agenda
 * 10:00 Introduction - 10 min each
 * Partnering Trust (NL, Michiel Steltman)
 * Trusted Cloud (DE, Thomas Niessen)
 * Zeker-OnLine (NL, Bert Tuinsma, Bianca Smit)
 * SCOTT (EU, Michael Karner)
 * Safe-IoT reporting (NL, Michiel Steltman)
 * 10:50 Session A: Security classes, what does it mean for cloud services
 * Intro Security classes (Josef Noll)
 * 11:00 coffee
 * 11:20 Discussion:
 * If you have comments, please contribute a short intro (max 3 min, 2 slides), followed by discussion
 * ordering of IT infrastructure (can levels help?)
 * SW development, is agile killing security?
 * impact of IoT on cloud security
 * mapping Partnering Trust to security classes
 * enhancing security through monitoring and other mechanisms
 * Results from IT week Den Haag, 17-20Apr2018
 * 12:00 lunch
 * 12:45 Session B: Privacy label - more than GDPR compliance
 * Trust framework applied to Privacy label (A-F)
 * 13:50 coffee
 * 14:00 continuation of discussion privacy label
 * 14:30 Session C: European Perspective - discussing the approach for Europe
 * European Trust Label (DigitalEurope.org)
 * Our recommendations: software development
 * Network, our ambition
 * 15:15 Opportunities for cooperation / way forward
 * 15:45 Wrap up
 * Action Items, follow up: who
 * 16:00 End of Meeting

= Protocols used for accounting and audit (provided by Jelle) =
 * https://www.zeker-online.nl/wp-content/uploads/2018/03/framework-of-standards-zeker-online-english-version-3.1-legal-infra-and-generic-and-specific-accounting-application.pdf
 * https://www.zeker-online.nl/wp-content/uploads/2018/03/audit-protocol-3.1-en_final.pdf
 * https://www.zeker-online.nl/wp-content/uploads/2018/03/attachment-3-community.pdf

= Background =
The physical meeting in Leidschendam is the follow-up of the phone meeting on Certification, Security, Trust and Privacy in Jan2018. During that meeting, we identified the following topics for further discussion:

Work done by “Zeker Online” / “Partnering Trust” and the parties involved. "Partnering Trust" and the "multi-layer framework" allow for trusted partner relations on different levels.
 * 1.1 Future discussions might address to what degree IoT will put different requirements on the framework
 * 1.2 One of the discussions on future developments is the need for continuous monitoring to uncover potential security risks. Through SCOTT we collaborate with F-Secure (FI) on a monitoring service for the home, converting the F-Sense device into a SaaS.
 * 1.3 We also discussed briefly the monitoring of traffic in the Norwegian Smart Grid network

This topic is mapped into Session A.

SCOTT and its key objectives in this field. Security aspects are mapped into Session A, privacy issues are mapped into Session B.
 * SCOTT is about secure, connected and trustable things. About 25 demonstrators and use cases mainly address the increase of security in wireless communications in the selected domains. In addition, SCOTT has introduced the following new concepts, as presented in [[Media:201801SCOTT-Privacy_Label.pdf]]
 * Measurable Security and Security Classes, addressing exposure and impact, as opposed to frequency and impact in traditional risk analysis. The main reason is that IoT devices might only be attacked once (thus low frequency), but the risk remains all the time. Future discussions might address
 * Trust framework, combining technical and sociological parameters for enhancing trust. The trust framework is going to be applied to selected use cases.
 * Regarding the Privacy Label (A-F), the idea is to make privacy visible to customers, and thus make it part of the decision process when buying devices or services. Current discussions are on understanding what the specific privacy labels address (see ongoing discussions in the presentation). Future discussions might address the understanding of the label (A-F), as well as the technical implementation and the audit regarding the devices.
 * Topics in security, trust and privacy form the basis for a higher perspective
 * SCOTT addresses potential solutions; the path to market and certification issues might be part of future collaborations.
 * In addition, the alliance of projects working with the same objectives should be pursued.

Identify opportunities for further cooperation, especially regarding the European perspective. This topic is mapped into Session C.

Some of the topics we discussed:

 * “Ordering of IT” - what kind of security level do I need?
 * SW development: agile way of development - security needs to be part of the discussion on development
 * Need for requirements for development (time horizons)
 * What does security class mean (engineering, IT, political,…)
 * different tracks: consumer equipment, medical, automated cars,….
 * SOC2 - https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/infoformanagementofsvcorg.pdf
 * Using the SIL (safety integrity level) methodology as a model for a security methodology