AGENDA
09:00
The Future of IoT Security
Opening address by John Moor, Managing Director, IoT Security Foundation
This session will be live streamed for those who cannot make it to the event.
Security constantly changes; sometimes it ebbs and flows, other times it is more dramatic.
This is due to its many moving parts: the evolutionary and revolutionary elements in the technology stacks, innovations in systems and applications, extended and global supply chains, toolsets, adversarial interests and capability, geopolitics and legislation. IoT cyber security is a wicked challenge. This session will commence with two keynote talks covering the technology outlook and business perspectives. It will then move into a panel session where we will discuss what industry needs to do to ensure we are fit for the future.
KEYNOTE
09:15
Past, Present and Future, the imperative of change
Prof. John Goodacre, Challenge Director, Digital Security by Design
As the number of different products and deployments of IoT devices explodes, it’s clear the traditional cybersecurity approach of “react and patch” is unsustainable. While the end user will always need to be able to update their devices, device manufacturers must change the way they consider securing their products. Likewise, the manufacturers of the underpinning technology must provide capabilities and features in their components that help protect the end product from potential vulnerabilities in its implementation, blocking subsequent cyber exploitation and the costly rush to react and patch.
In directing the UKRI Digital Security by Design programme, it’s encouraging to see the rapidly increasing interest in, and impact of, the Arm Morello technology prototype, which allows businesses and researchers to assess the benefits of the embedded CHERI security features in protecting their software. As well as increasing product resilience and providing higher-assurance solutions, these technologies turn common software errors into predictable failures and so deliver higher developer productivity.
This talk will look back to the 1970s and forward to the next decade, when new technology must fundamentally change the way computers run software and deliver products secured by design. Touching on the CHERI approach, we’ll investigate some of the evolving new techniques to secure devices by design and ponder how the world of IoT may change.
John Goodacre, Digital Security by Design
Prof. John Goodacre is the Challenge Director for Digital Security by Design and is responsible for the programme of funded activities and associated research agenda to realise a future generation of digitally secured computers. He also holds a Professorship in Computer Architectures at the University of Manchester, having transitioned from being Director of Technology and Systems in the Research Group at ARM Ltd. His career has delivered the first scalable commodity computer telephony platform, the first online data and video conferencing tools with Microsoft, and the first ARM MPCore multicore processors and associated technologies. His roles today extend across academia, industry and government. His research interests include web-scale servers, exascale efficient systems and secured ubiquitous computing.
KEYNOTE
09:35
The Important Things & Future Security: A Business Perspective
Peter Davies, Thales
Biography
I love what I do, approach everything with energy and enthusiasm and can always see an angle. As a Technical Director of Thales in the UK I have been their leading expert on Cryptography in the UK responsible for providing cryptography and information security direction and expertise on a variety of products and projects. Previous work includes the development and certification of flexible and interoperable commercial security solutions that are also widely used by governments; these solutions are available worldwide and support the security of both communications and informatics in an international, multi-grade environment. My specialist knowledge is at the core of the cyber defence and forensics activities that I undertake combatting existential threats against business. I can, and have, interacted on security and products at any level from Prime Minister, through Board to deep technical including Agencies, Certification Labs and partners developing and sustaining business opportunities worldwide. I have generated patents in the area of digital DNA and my research covers aspects of technical security as well as aspects of super-identities and their role in combatting human based cyber-attacks. I have led EU security research contracts and have acted as an expert on others. As well as contributing to standards I am a frequent speaker at international conferences and deliver lectures to postgraduate information and cyber security programmes in the UK and worldwide.
PANEL
09:55
Prof. Carsten Maple (moderator); Prof. John Goodacre, Digital Security by Design; Peter Davies, Thales; Nick Allott, NquiringMinds & Daryl Flack, BEIS
Biographies
Nick Allott, NquiringMinds
Nick is the CEO of NquiringMinds, a British company with deep commercial experience in AI, IoT and security.
NquiringMinds develops the Trusted Data Exchange (TDX), a platform for fully distributed and decentralised sharing and analysis of data. The TDX has won numerous industry awards for its innovative approach to both security and analytics.
Nick’s experience includes: CTO of OMTP, a mobile standards body that published 30+ industry specifications including the Trusted Execution Environment; Director of Webinos, an international open source foundation focusing on self-sovereign data and devices; CTO of the Wholesale Application Community (WAC), a multi-operator joint venture for application wholesaling; CTO of FastMobile, a VC-invested Push to Talk and Messaging service acquired by RIM; and Engineering Director at Motorola, leading voice recognition and voice assistant technologies. He has also held executive positions at Shell and the Pearson Group. With a strong track record in collaborative innovation, Nick has raised over £100 million across VC, joint ventures and R&D initiatives.
Nick has a PhD in Artificial Intelligence and is Visiting Professor at the University of Southampton. He is a Fellow of the British Computer Society, the Institute of Analysts and Programmers and the Royal Society of Arts.
10:30
Break
11:00
Breakout Tracks
Executive
IoT Security Risk Management
In an increasingly connected environment, it is vital that new IoT capabilities are secure and do not pose business or enterprise wide risks. This session explores the strategic, preventative and real time response mitigations necessary to enable the growing use of IoT.
There are so many IoT devices, but how many do we have? How can we identify them and manage their vulnerabilities? What is the business approach for SMEs and large enterprises? Examples of major incidents and real-time solutions are explored in this session, along with practical insights into smart devices, what these look like in the business environment and how they can be attacked. What are the privacy and security implications of high volumes of IoT data leaks, and what solutions are proposed? Could a strategic teaming approach help you look at the risk and latest trends from the perspective of all your key stakeholders? What are your responsibilities and how can an effective response be ensured?
Paul is currently VP of Sales EMEA at Device Authority, leading both partner/alliance and customer engagement. He has over 25 years’ IT experience delivering value-based customer solutions, building GTM strategy and creating shared success. For the last 10 years Paul has focused on building rapid-growth start-up technologies and markets, working with companies such as Veeam and Device Authority. Prior to that he worked within the enterprise solutions divisions of companies such as EMC and Computacenter, focused on the Global 500 sector.
Cameras, CACs & Clocks: Enterprise IoT Security Sucks – A Story of Two Million Interrogated Devices
Enterprise Internet of Things (IoT) security today is analogous to IT security in the mid 1990s. It was a time when security awareness was limited, countermeasures and best practices weren’t broadly applied, and attackers explored, compromised, controlled, and exfiltrated data from systems with minimal resistance. In short, enterprise IoT security sucks as bad today as that unpatched Windows NT 3.51 server with an RS-232 connected modem that IT forgot about.
Working globally with Fortune 500 enterprises and government agencies for the past six years, we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.
Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have 3-5 IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. There are over 46 billion connected devices today and 30 billion (65%) of those devices are IoT. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know:
● What IoT devices we have – guesses based on legacy asset discovery solutions are consistently off by at least 50%
● When our firmware was last updated – in many cases the firmware is end of life and the average IoT firmware age is six years
● If our credentials follow organizational policies – passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm
● How vulnerable our IoT devices are – at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs
While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.
With two IPOs and eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant. Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide such as Black Hat, RSA and BSides.
How to win at playing the IIoT Security game
CONTEXT: The IIoT is a massive playing field with a huge number of players and multiple positions to play from. If you want to win at the IoT game when it comes to security, we’ve developed some perspectives which we’d like to share, that we’ve found helpful in positioning our company as a player within the IIoT field.
OBJECTIVES: There are some key concepts that are important to understand when it comes to security. We will be exploring:
1. A brief history of IoT/IIoT: why security is such a hot topic
2. Best Practices – what does that really mean?
3. Secure by Design – security from the inside out
4. Some ideas for managing secure updates
By way of example, we will reference the high-level security product we’ve developed over many years called RESLAM: Remote Electronic Safe Lock Auditing & Management. Through our personal experiences with implementing this product within the high-security banking and financial institution environments we have an interesting story to tell on how we have been able to build trust in the online security space.
Ken Metcalf is the CTO of Reslam. Ken holds two degrees, a BSc in Electrical and Electronic Engineering (UCT 1990) and a BCom in Information Systems and Business Economics (UNISA 1994). Ken has successfully managed many high-capital-value projects in the international arena, with 30 years’ postgraduate experience in information systems and financial transaction and system security. Ken has specialised in high-volume financial, smartcard, mobile and transaction-processing software systems and architecture. Ken currently serves on several global committees that focus on security (including cybersecurity) within the banking and financial industry.
Strengthening the IoT Ecosystem: Privacy Preserving IoT Security Management
The consumer Internet of Things (IoT) space has seen a significant rise in popularity in recent years. From smart speakers and baby monitors to smart kettles and TVs, these devices are increasingly found in households around the world, while users may be unaware of the risks associated with owning them. Why are they so cheap, and what is the real value they give back to us? In this talk, I will explore examples of information exposure from consumer IoT devices and share my longer-term research vision for building a user-centred IoT ecosystem which is privacy-aware, secure, efficient and reliable.
Anna Maria Mandalari, Imperial College London
Anna Maria Mandalari is a research associate at Imperial College London and will join UCL as a lecturer in September. She was a Marie Curie Early Stage Researcher affiliated with UC3M. At Imperial, she studies privacy implications and information exposure from consumer IoT devices. She has collaborated with several international institutions and companies, such as Simula Research Laboratory in Norway and Telefonica Research in Spain. In past years, she worked on the problem of modelling, designing and evaluating adaptation strategies based on Internet measurement techniques. Much of her research has contributed significantly to several EU-funded research projects.
Patching and vulnerability management are a losing game for IoT security. What can we do differently?
Attackers only need one vulnerable path, while we must find them all and patch them – or must we? Endless patching is ineffective and exhausting, and we operate from a weak vantage point. Perhaps a more sustainable paradigm exists that we should pursue, one that would bring the advantage back to defenders. But first, to truly secure the IoT we have to continuously track, analyse and learn from the other side: attackers. In this session we will explore the attackers’ perspective and show how and why the innovations of malicious actors enable them to bypass the status quo of controls. Veterans of Unit 8200, the IDF’s elite cyber force, will present what IoT exploitation looks like, how hackers target built-in weaknesses in the defences, and why defenders can outsmart malicious actors before they gain a foothold only by giving devices autonomous self-protection and exploitation prevention. We will review why passive approaches such as continuous patching, static analysis and SBOMs leave you vulnerable in the field, and how we can incorporate lessons from other industries to secure IoT edge devices at scale. We will explore use cases in medical, industry 4.0, smart cities, energy, manufacturing, and more.
Arthur Braunstein, Sternum
As Vice President of Sales and Business Development, Arthur brings to Sternum his vast experience in building hyper-growth sales and business development teams from the ground up. Arthur is also on the advisory boards of two start-ups: Great Horn and Jeenie. His specialty is bringing products to market to address the gap created when new business technologies and approaches reduce the effectiveness of the security status quo. Before joining Sternum, Arthur was Morphisec’s Vice President of US Sales. Arthur has more than 25 years of executive management and sales leadership experience, including almost 20 years in the data and cybersecurity industry. He was a General Manager at Big Belly, leading their expansion from the public sector to the private sector. Prior to Big Belly, he served as Vice President of Strategic Accounts at CloudLock, a cloud cybersecurity company that was later sold to Cisco. During his long career, Arthur has held major roles at Verdasys (now known as Digital Guardian), Escort Inc., Polaroid, and AT&T.
Technical
Products and Systems Security
Most of the home routers and small business gateways we use today are vulnerable and the devices they manage may have little or no security as well. The picture becomes more complicated when we include devices like wireless extenders, smart speakers, webcams, and applications on the network that have other pathways to the internet. What is the best way to reduce these risks in the future?
This session explores new advances in gateway and network security which consider the future and how to secure devices and systems using real time automated monitoring. We’ll be asking how devices get on the networks securely, who and what is on your network, how will you know what is happening and how can you control suspicious behaviour?
We’ll look at the value of zero trust, continuous multifactor authentication, collaboration, and onboarding. We’ll explore the hardware foundations and the importance of secure boot and how to successfully deploy this. How can you effectively update the system, and comply with regulation? Finally, all these elements are brought together in a holistic and intelligence-based approach which draws on the collaborative work of established teams in the field of gateway security to provide the basis for a new standard.
Paul Kearney is part-time Professor of Cybersecurity in the Networks and Cybersecurity Department at Birmingham City University (BCU). He has had a long and varied career in research and development in industry, and has previously worked for British Aerospace (BAe), Sharp and British Telecom (BT). His research interests include security and trust architectures for large-scale dynamic IoT systems, monitoring cybersecurity in the smart home, model-based security risk assessment, and application of data science and AI to cybersecurity problems. In addition to his role at BCU, Paul is a member of the Advisory Board of METCLOUD, an active contributor to the activities of the IoT Security Foundation, a visiting research fellow at EBTIC, Khalifa University, Abu Dhabi, an expert reviewer for the Horizon Europe programme, and a consultant on cybersecurity R&D.
Secure Boot – The keystone in Secure by Design and Business Risk Mitigation
Secure Boot is often considered late in the development lifecycle, because creating core product functionality usually comes higher up the list of requirements. After all, core functionality is what defines the product, what people interact with, and why they buy your product over a competitor’s. This often leads to security, the hidden stuff working away in the background, being treated as an afterthought and bolted on. The net result is that this critical function is added late in the development cycle without full consideration of the impact it has on the Secure by Design status of a product or the potential risk to an organisation and its client base.
Secure boot, implemented well, has a significant impact on all areas of the business, from design, procurement and manufacture to in-use support and end-of-life management. Implemented well it becomes a business asset; implemented poorly it becomes a business risk.
Without a correctly implemented secure boot mechanism the impacts on a business may be significant, especially in the light of pending legislation and the need to provide secure firmware updates to a product in the field. Secure Boot is the keystone to ensuring the integrity of future updates to a device in the field. If it cannot be trusted then the potential for system compromise increases.
Secure boot is more than an issue for the software team. It has wide reaching impact on the whole business to ensure that trust and integrity of a product are maintained without impact on manufacture, sales, support and the need for a business to meet ever increasing legislation around privacy and security both in use and at end of life.
Join us for a whistle-stop tour that will highlight some of the important factors, considerations and potential solutions around Secure Boot.
Ian Pearson is a Principal Field Application Engineer with Microchip Technology Inc.
Router & Network Security
Presentation details to follow
Nick Allott, NquiringMinds (biography above)
Practical Device Behaviour Analytics - Spotting the Odd Stuff
Being able to create robust models of the normal behaviour of devices on a network is highly desirable as such models should make it possible to detect and characterise deviations in behaviour that might indicate an emerging security threat, providing valuable information for higher level systems to reason about.
One of the challenges in creating such models is the broad spectrum of normal variability between device types, from laptops to smart bulbs, and between instances of specific types, such as smart TVs, some of which arises from differences in installed applications and the behaviours of the devices’ users. The failure of models to meet such challenges can result in floods of false alarms, causing higher level systems to downrate their detections in order to maintain their own performance.
This talk will present some early work at NquiringMinds to develop robust algorithms for modelling the destinations that devices make requests to. The work was performed as part of the ManySecured project.
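As an added illustration of the kind of destination model the abstract describes (example code written here, not NquiringMinds’ or the ManySecured project’s own code), the following Python learns a per-device and per-type baseline of destinations from constructed flow records and then grades new connections. The device ids, device types, hostnames and the breadth threshold are all made-up assumptions. It addresses the variability point above directly: a destination that is new to one device but already seen on peers of the same type is graded low, and a genuinely novel destination is graded high only for narrow-profile device types such as bulbs, which is one way to stop higher-level systems being flooded with alarms from laptops and smart TVs.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed training records, one per line: "<device_id> <device_type> <destination>".
# These are made-up values for this example, not data from any real deployment.
TRAINING_LOG = """\
tv-01 smart-tv cdn.vendor.example
tv-01 smart-tv api.vendor.example
tv-02 smart-tv cdn.vendor.example
tv-02 smart-tv ads.thirdparty.example
bulb-01 smart-bulb hub.bulbmaker.example
laptop-01 laptop mail.corp.example
laptop-01 laptop docs.corp.example
laptop-01 laptop cdn.static.example
"""


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse whitespace-separated flow records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


class DestinationBaseline:
    """Baseline of destinations observed per device and per device type."""

    # Assumed threshold: a type whose devices average at least this many distinct
    # destinations is treated as broad-profile (laptops); below it, narrow-profile (bulbs).
    BROAD_PROFILE_THRESHOLD = 2.0

    def __init__(self) -> None:
        self.device_dests: Dict[str, Set[str]] = defaultdict(set)
        self.type_dests: Dict[str, Set[str]] = defaultdict(set)
        self.type_devices: Dict[str, Set[str]] = defaultdict(set)

    def learn(self, records: List[Tuple[str, str, str]]) -> None:
        """Record every (device, type, destination) triple as normal behaviour."""
        for dev, dtype, dest in records:
            self.device_dests[dev].add(dest)
            self.type_dests[dtype].add(dest)
            self.type_devices[dtype].add(dev)

    def profile_breadth(self, dtype: str) -> float:
        """Average number of distinct destinations per device of this type."""
        devices = self.type_devices.get(dtype)
        if not devices:
            return 0.0
        return len(self.type_dests[dtype]) / len(devices)

    def score(self, dev: str, dtype: str, dest: str) -> Tuple[str, str]:
        """Grade one new connection as (severity, reason)."""
        if dest in self.device_dests.get(dev, set()):
            return ("normal", "destination previously seen on this device")
        if dest in self.type_dests.get(dtype, set()):
            return ("low", "new for this device but seen on peers of the same type")
        if dtype not in self.type_devices:
            return ("medium", "no baseline for this device type")
        if self.profile_breadth(dtype) >= self.BROAD_PROFILE_THRESHOLD:
            return ("medium", "new destination for a broad-profile device type")
        return ("high", "new destination for a narrow-profile device type")


def review(baseline: DestinationBaseline,
           records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (device, destination, severity, reason) for every non-normal record."""
    alerts = []
    for dev, dtype, dest in records:
        severity, reason = baseline.score(dev, dtype, dest)
        if severity != "normal":
            alerts.append((dev, dest, severity, reason))
    return alerts


def build_baseline() -> DestinationBaseline:
    """Train a baseline on the constructed training log."""
    baseline = DestinationBaseline()
    baseline.learn(parse_log(TRAINING_LOG))
    return baseline


if __name__ == "__main__":
    # Constructed "new traffic" to grade against the learned baseline.
    new_traffic = parse_log("""\
tv-01 smart-tv ads.thirdparty.example
bulb-01 smart-bulb unknown-host.example
laptop-01 laptop video.corp.example
laptop-01 laptop mail.corp.example
""")
    for alert in review(build_baseline(), new_traffic):
        print(alert)
```

Running the block grades the TV’s new advertising host as low (a peer TV already talks to it), the bulb’s unknown host as high (bulbs have a one-destination profile), the laptop’s new corporate host as medium, and the laptop’s mail host as normal. A real deployment would add time decay and periodic re-learning so that legitimate firmware or application changes do not stay flagged forever.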
John Manslow is currently CTO of NquiringMinds where he leads the effort to develop data driven solutions to complex problems in cybersecurity. He has a PhD in Machine Learning from the University of Southampton and extensive experience performing commercial R&D in sectors as diverse as telecommunications, banking and insurance.
Zero Trust & Collaborative Analytics Panel Session
Since the Mirai attacks on critical infrastructure in 2016, launched from poorly secured home routers and PVRs, operators have struggled to get a handle on how to improve the situation. This is a tragedy of the commons, where the inaction of one group causes unprecedented risks to other entities.
This panel explores the significance and value of collaboration across industry in the development of router and network security.
Can industry work in a collaborative fashion to mitigate, or eliminate these threats?
How can we get buy-in from senior management?
What opportunities will this bring for future investment?
We will look at the benefits of security measures which have been designed in the ManySecured project and explore how this continues to evolve in the work of the IoT Security Foundation, Secure Networking by Design, Digital Security by Design Initiative, and our partners.
We will also consider the contribution of research to understanding the international context and how concrete changes in router and network protection will impact the wider industry.
Nick Allott, NquiringMinds
Peter Shearman, Cisco UK
Michael Richardson, Sandelman Software Works (Canada)
Prof. Andrew Martin, University of Oxford
Peter is responsible for Cisco UKI’s collaborative innovation portfolio. He works with customers, partners, start-ups & universities to bring forward new ideas & technologies into Cisco. His team works across all technology areas and economic sectors of relevance to Cisco – and then some that are not (yet). Over ten years his team have worked on projects from Smart City to IoT security, via energy, healthcare, agritech and more. Prior to Cisco Peter was a Research Director in a telecommunications think tank.
Technical
Applied IoT Security Case Studies
IoT Security impacts connected places from buildings, vehicles and factories to airports, critical national infrastructure (CNI) and smart cities. The complexity of systems and volume of devices makes this a challenge to secure. What can be done to manage the risk and keep these environments operational and resilient?
This session explores the challenges of securing IoT in large scale settings including buildings, vehicles and critical national infrastructure. What are the challenges faced by senior management? What are the risks of applied IoT security at scale? How can these complex systems be attacked and protected? Attention will be given to the importance of collaboration across the business to understand the cyber physical risk and the need for real time automated risk management. There will also be an in-depth look at case studies including buildings and drones. Can we achieve resilience? Solutions including a new look at systems configuration and stronger protective solutions for these environments promise a resilient connected future.
Chair: Rick Chandler
Since his early career in military aerospace, Rick has been connecting “Things” to networks for over 40 years. The connectivity was not always wired or wireless and included satellite and sub-sea applications. He has led teams building telecommunications infrastructure in Europe and Asia and worked in several other sectors including petrochemical, pharma, retail and space. He led the team at BT building what ultimately became O2, after which he worked on wireless city projects and ultimately moved to a CISO position for 720 global customer sites. He started his own IoT and Smart Cities consultancy in 2012. He is active in technology mentoring for start-up companies and judges several global communications awards. He was awarded the BCS Ivinson award for voluntary service in 2021.
Rick Chairs the Communications Management Association and is Treasurer of European security association EEMA. He sits on the BSI committees for IoT and Digital Twin.
Securing Internet of Drones
Internet of Things (IoT) technology is rapidly evolving, yet the security of IoT networks needs to be explored in depth before adoption. One promising application of IoT is the Internet of Drones (IoD), which can be thought of as a managed space for connected drones. The idea of IoD has been around for a while and is expected to improve the efficiency of tasks in services such as medical, military and transport. The United Kingdom is moving forward as a global leader in building an open framework for Unmanned Traffic Management (UTM) for drones. A recent report published by Connected Places Catapult UK highlights a global market for commercial drones worth around GBP 127 billion.
Inherent properties of Unmanned Aerial Vehicles (UAVs) such as high mobility pose challenges for deploying security primitives, so they still rely on conventional means of secure communication (VPN/TLS). Based on the report by the drone association ARPAS-UK, major partnerships and providers are coming together to build open UTM, and IoD will very soon be in action. Therefore, to prepare for this IoT revolution, this presentation gives an insight into how IoD works, a threat analysis, and a proposed security solution to mitigate the security risks.
A novel security solution based on the idea of Device Private Networks (DPNs) is proposed for the IoD framework. The idea is backed by the design of a real-time attack scenario, which will be demonstrated live as part of the presentation.
Shadi is a cyber security and business digitisation expert, with a strong foundation in business and IT strategy. His expertise in information security management, data privacy and protection, information governance and compliance, cloud security and business digitisation has made him a sought-after advisor and coach for a number of international blue-chip companies, government organisations, financial services firms and SMEs in the UK and the MENA region for the past 15 years.
He has been a visiting lecturer at a number of international and British universities and is currently a Board Member and President of the Information Security Group (ISG) Alumni, Technology and Finance Society and a mentor for a number of FinTech and SecurityTech start-ups in London and Dubai. Shadi lives and works in London (UK). He holds a BSc in Computer Engineering, an MSc in Information Security from Royal Holloway, University of London and an MBA from the University of Sunderland.
Secure by Design Configuration Interfaces
Misconfiguration, whether by accident or malicious activity, is a major cause of security breaches.
The more actors that need to be involved in configuring a system, whether people or other systems acting through automation, the more complex the problem becomes, both for security (more rules to configure and manage) and operationally (understanding the impact a change from A has on an overlapping change from B).
A distributed IoT system adds a further layer of complexity to configuration management. Such systems are often mobile and frequently offline, which leaves room for configuration drift away from the centrally managed state.
And complexity is generally the enemy of resilient and secure systems. We give resilience equal billing with security because it’s no longer enough to design against known threats: systems must also be designed to deal with, and recover easily from, compromise. AI-driven automation, for example, can be less predictable than people and has the potential to become a new class of attack vector.
Most systems present their configuration interfaces as complex APIs, with a correspondingly complex set of rules to control who is allowed to change what. Declarative approaches such as those used in DevOps workflows help in some areas, but they typically create a single authorisation body, which is exposed to internal threat vectors.
At Configured Things we take a different approach which both removes much of the complexity and reduces the overall attack surface. Each actor has their own interface, limiting the changes they are allowed to make and keeping their changes fully independent from those of any other actor.
Our approach is based on a “zero trust” paradigm in which neither the source nor the transport is trusted. It does not require any inbound connections to the system, removing a large part of the system’s attack surface. Authorisation to make a change is based on policies that can require multi-party approval, addressing the internal threat vector.
The key to providing resilience is to focus on managing the changes rather than the resulting configuration. We treat all changes as ephemeral, so it is possible at any time to remove one or more changes and derive a new configuration from those that remain. The person or system requesting a change therefore does not have to take into account the current state of the system, nor work out how to undo a specific change whose effect may since have been modified by other changes. If a system is found to have been misconfigured or compromised, the changes from that source can simply be negated and the remaining valid changes reapplied. This is much more powerful than the simple rollback mechanism of other declarative approaches, and it is essential for multi-tenancy, since it allows different actors to act independently when making and removing changes.
The management of changes is not restricted to the external interface of the system; the same approach is used internally to pass changes to both local subsystems and remote devices, and can manage configuration changes across security domains. Each device needs only its initial safe base state and details of how to connect to receive the current set of changes. This makes it possible for devices to recover from errors and compromise, ensures that devices always restart in a known and safe configuration, and eliminates configuration drift.
This approach, developed with guidance from the NCSC and other Government agencies as part of an InnovateUK funded project, is currently part of a trial system with a Local Authority.
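As an added illustration of the change-centric model described above (example code written for this page, not Configured Things’ implementation; the actor names, keys and values are made up), the following C program keeps every accepted change as a separate record tagged with its source, derives the effective configuration from the base state plus the non-negated changes in acceptance order, and shows that revoking one compromised source leaves the other actor’s earlier and later changes intact, which a plain rollback to the state before the compromise would not.

```c
/* Added example: configuration derived from ephemeral, per-source changes.
 * Not Configured Things' code; sources/keys/values are illustrative only. */
#include <stdio.h>
#include <string.h>

#define MAX_CHANGES 32
#define MAX_KEYS    16
#define NAME_LEN    32

struct change {
    unsigned seq;            /* acceptance order */
    char source[NAME_LEN];   /* actor (person or system) that requested it */
    char key[NAME_LEN];
    char value[NAME_LEN];
    int revoked;             /* 1 once the change has been negated */
};

struct kv { char key[NAME_LEN]; char value[NAME_LEN]; };
struct config { struct kv items[MAX_KEYS]; size_t n; };
struct changeset { struct change items[MAX_CHANGES]; size_t n; unsigned next_seq; };

static const char *config_get(const struct config *c, const char *key)
{
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->items[i].key, key) == 0) return c->items[i].value;
    return NULL;
}

static int config_set(struct config *c, const char *key, const char *value)
{
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->items[i].key, key) == 0) {
            snprintf(c->items[i].value, NAME_LEN, "%s", value);
            return 0;
        }
    if (c->n == MAX_KEYS) return -1;
    snprintf(c->items[c->n].key, NAME_LEN, "%s", key);
    snprintf(c->items[c->n].value, NAME_LEN, "%s", value);
    c->n++;
    return 0;
}

/* The safe base state: the only thing a device needs before receiving changes. */
static void base_config(struct config *c)
{
    c->n = 0;
    config_set(c, "ssh.enabled", "false");
    config_set(c, "log.level", "info");
}

static int changeset_add(struct changeset *cs, const char *source,
                         const char *key, const char *value)
{
    if (cs->n == MAX_CHANGES) return -1;
    struct change *ch = &cs->items[cs->n++];
    ch->seq = cs->next_seq++;
    snprintf(ch->source, NAME_LEN, "%s", source);
    snprintf(ch->key, NAME_LEN, "%s", key);
    snprintf(ch->value, NAME_LEN, "%s", value);
    ch->revoked = 0;
    return 0;
}

/* Negate every change from one source, e.g. once it is found to be compromised. */
static size_t changeset_revoke_source(struct changeset *cs, const char *source)
{
    size_t count = 0;
    for (size_t i = 0; i < cs->n; i++)
        if (!cs->items[i].revoked && strcmp(cs->items[i].source, source) == 0) {
            cs->items[i].revoked = 1;
            count++;
        }
    return count;
}

/* Derive the effective configuration: base state, then the non-revoked changes
 * in acceptance order (last writer wins per key). Nothing is ever "undone". */
static void derive_config(const struct changeset *cs, struct config *out)
{
    base_config(out);
    for (size_t i = 0; i < cs->n; i++)
        if (!cs->items[i].revoked)
            config_set(out, cs->items[i].key, cs->items[i].value);
}

/* Scenario (constructed): operator-a and operator-b make overlapping changes,
 * then operator-b turns out to be compromised and all of its changes are negated. */
static void demo_scenario(struct config *before, struct config *after)
{
    struct changeset cs = {0};
    changeset_add(&cs, "operator-a", "log.level",   "debug");
    changeset_add(&cs, "operator-b", "ssh.enabled", "true");
    changeset_add(&cs, "operator-a", "ntp.server",  "10.0.0.5");
    changeset_add(&cs, "operator-b", "log.level",   "error");
    derive_config(&cs, before);
    changeset_revoke_source(&cs, "operator-b");
    derive_config(&cs, after);
}

int main(void)
{
    struct config before, after;
    demo_scenario(&before, &after);
    for (size_t i = 0; i < before.n; i++)
        printf("before: %s=%s\n", before.items[i].key, before.items[i].value);
    for (size_t i = 0; i < after.n; i++)
        printf("after revoking operator-b: %s=%s\n", after.items[i].key, after.items[i].value);
    return 0;
}
```

After revocation, log.level returns to operator-a’s "debug" (which operator-b had overwritten) and ntp.server keeps operator-a’s later value; rolling the whole system back to the snapshot taken before operator-b’s first change would have lost the latter.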
Phil is the Director of Engineering at Configured Things, a startup founded by alumni of Hewlett Packard Labs to build solutions for Connected Places. He has more years than he cares to admit to developing and delivering complex distributed systems. He is also the lead analyst on the newly formed Agri-Tech group within the CyNam security cluster.
Configured Things design and build with security as a core design principle. We were one of just seven companies selected for the National Cyber Security Centre’s cyber accelerator’s 2018 cohort, from a pool of 180 applicants.
What spots should we light to assess an IoT security risk?
Over the last few years we have researched how security risk scoring for IoT (and other verticals) should be approached, and we have found that every connected device shares an observable common denominator. We have clustered these observations into three pillars:
1. Functional: what the device IS – knowledge that defines the device’s functionality or purpose and cannot be altered by any configuration change.
2. Configurational: what the device HAS – knowledge that defines the device’s current status (e.g. exposed services, an unpatched operating system or software applications); a change to this status is usually possible.
3. Behavioural: what the device DOES – knowledge gathered about the device’s activities (mostly network-wise), whether initiated by or in response to
Using these pillars, any indication received or identified about a device can be placed within the framework using a clear methodology. The complementary step, choosing the most accurate evaluation metrics to combine with this framework, makes the risk assessment task sound and optimal.
Naor Kalbo is the Security Research Manager at Forescout. He specialises in network research, Internet-of-Things cyber security and algorithm development. Naor holds a BSc and an MSc in Engineering and Cyber-Security from Ben-Gurion University, Israel. His research has been presented at IEEE TIFS and Black Hat.
Naor’s engagement in cyber security spans well over eight years; prior to Forescout, he spent several years protecting the modern smart home against IoT threats.
Smart Buildings - Guidance for Facilities Professionals
Facilities Professionals are well used to managing a wide range of building related risks, but cyber security may not be seen as a natural and key element of this portfolio. In today’s smart built environment, this is changing and must involve collaboration with IT and other specialists within the organisation or beyond.
This session will introduce a forthcoming guide from the IoTSF intended to help Facilities Professionals understand the vulnerabilities and play their part in establishing suitable governance arrangements to review and tackle the inherent risks.
Sarb Sembhi CISM is the CTO for Virtually Informed and a CISO for AirEye, a technology company providing visibility, control and protection for enterprise airspace. He started his career as a projects manager in the public sector, then became a management consultant, where he enjoyed working with technology and software development. It was during this time that he first came across the importance of security in developing new products. This interest led him into more security projects.
In 2005, Sarb explored the vulnerabilities of networked CCTV systems and he became interested in devices which sit on the network but were unattended and unmanaged – long before we used the term IoT. These security devices were the responsibility of the physical security teams where there was very little oversight or interaction with the cyber security teams – leading Sarb to work with others to provide security leaders with a converged approach to managing security from a single risk perspective.
In 2020 Sarb was recognised by IFSEC Global and shortlisted 5th in the IFSecGlobal 2020 20 Most Influential People in Cyber Security.
Sarb has written many articles, white papers and spoken at many events on most aspects of security. He was the Workstream lead for the Cyber Security Council Formation Project’s Thought Leadership Workstream. He also sits as an adviser on several startups. Most recently, Sarb has been a vice-chair on IoTSF’s Smart Built Environment Group where he has led the sub-groups to produce a series of best practice guides. His work continues on Smart Cities and privacy, and Smart Building Security.
12:30
Lunch Break
13:30
Breakout Tracks
Executive
IoT Security Policy/Compliance & Assurance
This session looks at current and upcoming regulation and considers the role of certification in compliance and assurance. As legislation across the globe gains momentum and impacts the field of IoT, we explore the role of certification and compliance and whether continuous assurance is a realistic ambition.
What confidence can the end user have in the certification of products? What is the current state of play and are there more effective approaches? An overview of Global IoT Security Certifications and insight into how a global certification is developed. How can IoT Security stakeholders from Governments, Standards Organisations, Certification Bodies, Test Facilities, Manufacturers, Developers, Vendors and IoT Consumers collaborate more effectively?
The current product certification ‘solution’ involves a static assessment of a specific product under specific conditions and the associated processes are lengthy, ‘paper heavy’, and resource and capital intensive. Would a new approach – call it continuous assurance, or perhaps active certification reduce costs, and automate the risk management process?
Ian is presently Security Operations Director within the GSMA’s Fraud and Security team where he leads a team of security experts who run the GSMA’s Security Accreditations Scheme (SAS), Coordinated Vulnerability Disclosure (CVD) scheme and Telecoms Information Sharing and Analysis Centre (T-ISAC). His team also issues regular security reports that provide insight on the latest security challenges and trends within the mobile industry.
Prior to this current role Ian developed many of the GSMA’s IoT security resources including IoT SAFE which leverages the SIM as a ‘root of trust’ for IoT services, the GSMA’s IoT Security Guidelines and associated IoT Security Self-Assessment scheme. Ian also led the delivery of the GSMA IoT Connection Efficiency Guidelines and the first release of the GSMA Embedded SIM Specifications.
Before joining the GSMA, Ian held senior technical positions within network operators including Hutchison (Three) and Orange.
Ian holds a B.Eng. with joint honours in Electronic Engineering and Computer Science from Aston University, UK.
Is agile certification an oxymoron?
Future economic prosperity requires a thriving market in IoT products featuring rapid innovation in response to end-user needs. However, this cannot be achieved at the expense of exposing stakeholders to undue cybersecurity risk. Vendors have a responsibility to provide products that are fit for purpose security-wise, with clear guidance and constraints regarding secure usage. Similarly, customers must select products with appropriate security properties and operate them securely, often as part of larger systems. This requires confidence in the statements vendors make about their products and their development and production practices.
The existing market resembles the ‘wild west’, expanding and developing rapidly, fuelled by pioneering spirit, but lawless and with many innocent casualties as a result. This situation cannot be sustained, but how can order be achieved without sacrificing innovation and dynamism? The current product certification ‘solution’ involves a static assessment of a specific product under specific conditions. The associated processes are lengthy, ‘paper heavy’, and resource and capital intensive, which acts as a disincentive to their adoption. Furthermore, the resulting products are likely to be uncompetitive by virtue of being expensive and late to market. It is unlikely that certification will command a premium, although in some niche sectors, products without certification may be excluded. So, can certification be made agile, with greatly reduced timescales and costs and increased automation, and valued by customers? Or is there a better way?
The paper explores these issues, briefly reviews related on-going initiatives, and aims to stimulate debate about fruitful ways forward.
Paul Kearney is part-time Professor of Cybersecurity in the Networks and Cybersecurity Department at Birmingham City University (BCU). He has had a long and varied career in research and development in industry, and has previously worked for British Aerospace (BAe), Sharp and British Telecom (BT). His research interests include security and trust architectures for large-scale dynamic IoT systems, monitoring cybersecurity in the smart home, model-based security risk assessment, and application of data science and AI to cybersecurity problems. In addition to his role at BCU, Paul is a member of the Advisory Board of METCLOUD, an active contributor to the activities of the IoT Security Foundation, a visiting research fellow at EBTIC, Khalifa University, Abu Dhabi, an expert reviewer for the Horizon Europe programme, and a consultant on cybersecurity R&D.
Lessons learned from building a Global federated IoT Security Certification and voluntary live Cybersecurity Labelling Scheme
This presentation focuses on engaging the audience with the delivery of a fast paced, yet detailed, insight into the many pitfalls encountered, multi-stakeholder requirements navigated and lessons learned since commencing the journey in 2006 to what has ultimately become the IoT Security Trust Mark™ certification (STM) and Cybersecurity Labelling Scheme (CLS). A neutral, independent, global scheme which supports the social benefit of IoT for good. For more details please visit www.iotsecuritytrustmark.org
Matt Tett is the Managing Director of Enex P/L. He is well known globally across industry and government as a very well connected, highly technical straight shooter. Effectively applying science to translating complex technology for the lay person, ensuring customers receive what they are paying for.
Enex TestLab’s objective is to use science to keep tech vendors honest by rigorously testing their product claims and ensuring that consumer requirements are factually met (www.testlab.com.au). Enex TestLab is an independent ISO 17025 accredited testing laboratory with a 33+ year history, university heritage (RMIT), and ISO 9001 QMS Quality, ISO 27001 ISMS Security and ISO 45001 OH&S certifications.
Matt is a current board director of Communications Alliance (www.commsalliance.com.au) and a former board director of the Internet Industry Association (IIA). Matt is a current board director and Co-Chair of the Australian Women in Security Network (AWSN) (www.awsn.org.au) He is also the current chair of IoT Alliance Australia (IoTAA) (www.iot.org.au) enabler Work Stream 3 (eWS-3) – Cyber Security and Network Resilience and sits on the IoTAA Executive Council.
Matt is an Advisor and Subject Matter Expert (SME) for IoT Security Mark P/L who operate the global IoT Security Trust Mark™ (STM) Certification and voluntary cyber security labelling scheme. (www.iotsecuritytrustmark.org). He is the founder of the national Day of The Month (DOTM) clubs, which currently has over 3800+ members across the information security industry. (www.dotm.com.au) Matt is a Director of eMetric P/L (T/AS Honesty Box™) developing innovative hardware, software and systems utilised to deliver accurate independent internet performance measurement for organisations such as CHOICE. (www.honestybox.io) He also serves on the Online Safety Consultative Working Group (OSCWG) for the Office of the eSafety Commissioner, the Communications Alliance Cyber Security Reference Panel (CSRP), the CSRP Fraud subgroup and the Communications Resilience Administration Industry Group (CRAIG), the Internet Australia Cyber Security SIG, and is a member of the research advisory committee for the Internet Commerce Security Laboratory at Federation University. He is a committee member participating in the development of Standards related to IT-042-00-01 – IoT and Related Technologies.
Matt has a deep technical background in network and security systems and he holds the following security certifications in good standing for 17+ years: CISSP, CISM, CSEPS and CISA. He is a certified Government security advisor and retains State and Federal Government security clearances.
He is also a judge for a number of industry awards, including the Commsday “Edison” Awards, IT Journo “Lizzies” Awards, InnovationAus Awards for Excellence, IoT Impact Awards and the Australian Women in Security Networking Awards. https://www.linkedin.com/in/mtett/
Xiaomi IoT Technology and Security Compliance
As the company with the largest IoT product ecosystem, Xiaomi faces great challenges in the course of development. A growing number of connected users and products also means that we have to bear more responsibility. Respecting and protecting users’ security and privacy has always been among Xiaomi’s core values.
Natalia is Deputy Director of Government Relations and Public Affairs in Europe. She deals with data, privacy and cybersecurity related policies and supports IoT Technology and Security Department in Europe. Natalia is leading Data Act and Cyber Resilience Act inside the company and will represent her Cybersecurity colleagues during IoTSF Conference.
The UK PSTI Bill Update
James Deacon and Rhys Duncan are both part of the IoT Product Security team within DCMS. They will provide an overview of DCMS policy work to date on IoT as well as the team’s intended future policy direction and priorities for the coming years.
Rhys Duncan is a policy advisor working on Enterprise IoT policy, Standards, and International Engagement within the IoT Product Security Team for the UK’s Department for Digital, Culture, Media and Sport (DCMS). He is also a member of standards committees working on IoT in ETSI, ISO, and ITU. He previously worked as a broker in the cyber insurance sector for Marsh McLennan.
James Deacon is the Head of International Standards, International Engagement and Enterprise IoT Policy for the UK’s Department for Digital, Culture, Media and Sport (DCMS). He is a member of standards committees working on IoT in ETSI, ISO, and ITU, a member of the World Economic Forum’s ‘Role of Government’ group for consumer IoT, and previously chaired the Agile Nations Working Group for Consumer IoT. He previously worked for DCMS on the development of the Product Security and Telecommunications Infrastructure (PSTI) Bill that will introduce baseline security requirements for consumer IoT products. James has wider experience of working at a high growth cyber security start-up and a boutique investment bank.
Technical
Securing the IoT Supply Chain
With globalisation, IoT products and services have an expansive attack surface. Supply chain attacks have been increasing in recent years as they are high value targets that attract the interests of adversaries with varying intent. Do you know if you are vulnerable or how important these risks are to your business?
It is essential that manufacturers and purchasers of connected products have an understanding of the risk associated with supply. How can the technology industry and businesses ensure the security of their supply networks? Is the supply chain transparent or opaque? Is it well managed or not at all? What impact will new legislation on SBoMs have in ensuring businesses identify and remediate vulnerabilities in product software to deliver better IoT security?
In this session we break the IoT security supply chain down and bring greater clarity to each of the elements; we look at the big picture, and we also look at the anatomy of a connected device (IoT) – including the hardware(s), the software(s), roots of trust, cryptographic functions, production data, software keys, certificates and more. Are you creating products or managing risk within your organisation? We will also discuss a new report on Software Bill of Materials. How will the US legislation affect the global supply chain?
Chair: Dr. Franck Courbon, University of Cambridge
Dr Franck Courbon obtained three Master’s degrees (Telecom St-Etienne, INSA Lyon, University of Glasgow) and a PhD in Microelectronics in 2015 (Ecole des Mines de St-Etienne). He worked for 3.5 years in the evaluation team of a French leader in digital security, Gemalto (now Thales DIS), before joining the University of Cambridge in October 2015. He has worked on the security evaluation (Common Criteria scheme) of smart cards (banking cards, e-passports), the optimisation of attack platforms (laser fault attacks) and the development of a new methodology to ensure product authenticity at chip/silicon level (hardware trojan detection/supply chain security). Franck has also developed hardware-based methods to extract contents from non-volatile memories at scale and has been the sole initiator of enhanced image acquisition and processing techniques at the University of Cambridge for hardware security purposes. Dr Courbon has published at top security (CARDIS, HOST, COSADE, HaSS), computer design (DATE) and failure analysis (ISTFA) venues. He has reviewed for ICM, HOST and VLSI-SoC, been a PC member for the PAINE workshop, and has had the opportunity to use various tools (e.g. X-rays, FIBs, SEMs, AFMs and hardware-specific tools). Dr Courbon has taken initiatives for cross-School vision and development. For instance, he provided an article on “Empowering trust and security from the hardware” for the launch of the Cambridge Trust and Technology initiative, and he was the first project advisor and supervisor from the Department of Computer Science and Technology for the EPSRC CDT in Nanoscience and Nanotechnology (NanoDTC). He has supervised undergraduate and postgraduate students within the Department of Physics, the Department of Engineering and the Department of Computer Science and Technology. He is the sole initiator of the first MPhil on Hardware Security at the Department of Computer Science and Technology.
He is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge Department of Computer Science and Technology. He has been the recipient of an EPSRC Impact Acceleration Account Partnership Development Award (£47.7k) co-sponsored by an industry partner (£47.7k) for which he is project and team lead.
He is leading an industry forum bringing technical solutions for secure and efficient electronics happening December 2021 in Churchill College, Cambridge, co-sponsored by IEEE. He is currently bringing his innovative mindset to the creation of meaningful solutions for the good of all. He has been sponsored to take part in several entrepreneur programs: Cambridge Judge Business School EnterpriseTECH 2020, Department of Physics Impulse program 2021 and IECT Herman Hauser Summer School 2021. Finally, he has been semi-finalist of the Chris Abell Postdoc Business Plan Competition 2021.
The use of Identity, Device context and SBOMs with Continuous Assurance to help improve securing IoT Supply chains
Presentation details to follow.
Rob is Vice President of Technology Partners at Device Authority and has over 30 years of experience across cybersecurity, Internet of Things, industrial OT & ICS, SaaS, semiconductors and software engineering. He has worked on many complex IoT projects in the areas of Transport/Automotive, Industrial & Smart Factory and Health Care (IoMT). Rob engages key partners across the IoT & Cybersecurity ecosystems, where he architects, markets and brings compelling joint solutions to market. He has been involved with several successful start-ups and is also a keen event speaker who has spoken at many events on the topics of IoT and Cybersecurity.
The Attackers Eye View of Device Supply Chains
ICT supply chains are complex and often opaque. They are highly trusted but tend to be lightly defended. Many highly effective cyber attacks are launched via their targets’ supply chains. This talk is for operators of IoT devices, their immediate OEM suppliers, and their upstream network of component and service vendor suppliers. I’ll give you an attackers’-eye view of what IoT supply chains look like and which attacks on them look most interesting. Then I’ll show you how the IoTSF Assurance Framework and NIST CSF have both been recently updated to help you secure against these attacks.
Amyas Phillips is an independent IoT consultant and security scientist at Ambotec Ltd. He chairs the IoTSF’s Supply Chain Integrity project group, whose aim is to help the IoT industry secure its supply chains so that users of connected devices can safely trust their equipment. Previously he has led research and development projects at Secure Thingz and before that Arm, where his teams’ work can now be found in TLS 1.3 and the Pelion device management service. His first job after graduating was “employee number 2” doing a bit of everything at Alertme.com, now Centrica’s Hive smart homes product. He subscribes to the view that nothing is more practical than a good theory.
Managing Security in the Supply Chain Panel
Trevor G.R Hall, Synaptics
Trevor is a Systems Engineer with experience in, and responsibility for, all aspects of design from ASIC design and embedded software and hardware design to many areas of product security.
He has many years of experience managing secrets in silicon, including content-protection keys (DVD, Blu-ray, HDCP etc.) and secure/anti-tamper operation.
He chairs the Security team in DisplayLink/Synaptics, which provides governance and consultancy on making product releases of silicon, software and services secure.
In his (copious 😉) spare time he is the Centre Manager of a Scout training base in Richmond upon Thames, concentrating on training the trainers and leaders who supervise teams of young people boating on the waterways of the UK (primarily the Thames).
Rob Dobson, Device Authority
Prof. Carsten Maple, University of Warwick
Professor Carsten Maple is Professor of Cyber Systems Engineering at the University of Warwick, WMG’s Cyber Security Centre (CSC). He is the director of research in Cyber Security working with organisations in key sectors such as manufacturing, healthcare, financial services and the broader public sector to address the challenges presented by today’s global cyber environment.
Professor Maple has an international research reputation, has published over 200 peer reviewed papers, and extensive experience of institutional strategy development and interacting with external agencies.
Professor Maple is a Fellow of the British Computer Society and Vice chair of the Council of Professors and Heads of Computing, UK.
Ian Pearson, Microchip Ltd
Ian Pearson is a Principal Field Application Engineer with Microchip Technology Inc.
Technical
IoT Security Expert Workshops
Are you fascinated by the world of quantum computing, cryptography, operating systems and network security? What are the implications for IoT Security? We have several leading experts in these fields who will guide you through complex disciplines to equip you for future challenges and secure your business!
The impact of quantum computing has led NIST to develop new cryptographic algorithms. Come and hear from one of the leading contributors to this project and learn about the new Post Quantum Encryption standard. Then we consider Public Key Infrastructure. Can we improve key management and how do we measure this? Or are we making it too easy for anyone to break into our networks? The next session considers the Linux operating system, how can we secure the kernel from attack? Lastly, we explore IoT Security risk methodologies. How can you effectively identify an IoT device, its current status, characteristics and behaviour? How can you choose accurate evaluation metrics to measure them? The session will provide a high level of education but will not assume deep technical knowledge and so be of value to all who want to learn more.
Chair: Dr. David Long, Doulos
Dr David Long is the Principal Member of Technical Staff at Doulos, where he has worked since 2001, developing and presenting training courses for professional engineers. During that time, he has trained several thousand engineers in more than 20 different countries, in subjects ranging from HDL-based design and verification of digital and mixed-signal hardware through to virtual prototypes, embedded software and security.
He is also the co-author of the IEEE 1666 SystemC Language Reference Manual. Prior to joining Doulos, David worked for over 15 years in both industry and academia. He has an MSc in VLSI Design and a PhD in Mixed-Signal Simulation.
Confining Linux Applications with LibSeccomp
In this presentation we will introduce the Linux kernel feature seccomp and its accompanying user-space library libseccomp, and show how they can be used to confine an application to a small subset of the available system calls. We will show that if the application is compromised in some way so that malicious code executes, the kernel can stop the application running before any potential damage is done. The technical points will be illustrated with a simple example.
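An added example of the confinement described above (written for this page; it is not the presenter’s example nor libseccomp’s code). It builds a deny-by-default syscall allowlist as raw seccomp BPF using only the kernel headers, so it compiles without libseccomp; libseccomp’s seccomp_init(), seccomp_rule_add() and seccomp_load() generate an equivalent program and are the more maintainable route in a real product. The demo deliberately uses SECCOMP_RET_ERRNO as the default action so the process survives to report the blocked call; a production filter would use SECCOMP_RET_KILL_PROCESS, which is what the allowlist builder defaults to in main(). Linux x86_64 or aarch64 is assumed.

```c
/* Added example: deny-by-default seccomp allowlist built as raw BPF.
 * Not the talk's code and not libseccomp; Linux x86_64/aarch64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "set THIS_ARCH to the AUDIT_ARCH_* value for this CPU"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U  /* headers older than 4.14 */
#endif

/* Program layout: [load arch][arch ok? skip : kill][load nr]
 * [for each allowed nr: jeq nr -> ALLOW][default_action].
 * The arch check matters: without it a 32-bit-ABI call could reuse a number
 * that means something else. Returns instruction count, 0 if cap too small. */
static size_t build_allowlist_filter(struct sock_filter *out, size_t cap,
                                     const int *allowed, size_t n,
                                     uint32_t default_action)
{
    size_t need = 2 * n + 5, i = 0;
    if (cap < need) return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)allowed[j], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, default_action);
    return i;
}

/* NO_NEW_PRIVS is mandatory for an unprivileged process and also stops a
 * later execve of a setuid binary from escaping the filter. */
static int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Confine the calling process to the few syscalls it still needs, then try a
 * syscall that is NOT on the list. Returns the errno the kernel produced
 * (EPERM expected), 0 if the call unexpectedly succeeded, -1 if install failed.
 * The filter is irreversible for the rest of the process lifetime. */
static int blocked_syscall_demo(void)
{
    const int allowed[] = {
        SYS_read, SYS_write, SYS_close, SYS_fstat, SYS_brk, SYS_mmap, SYS_munmap,
#ifdef SYS_newfstatat
        SYS_newfstatat,
#endif
        SYS_rt_sigreturn, SYS_rt_sigaction, SYS_rt_sigprocmask, SYS_futex,
        SYS_exit, SYS_exit_group,
    };
    struct sock_filter prog[64];
    size_t len = build_allowlist_filter(prog, 64, allowed,
                                        sizeof allowed / sizeof allowed[0],
                                        SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    if (len == 0 || install_filter(prog, len) != 0) return -1;
    errno = 0;
    if (syscall(SYS_getppid) == -1) return errno;   /* getppid is not allowlisted */
    return 0;
}

int main(void)
{
    int r = blocked_syscall_demo();
    if (r == -1) { perror("seccomp install"); return 1; }
    printf("getppid() under the allowlist -> errno %d (%s)\n", r,
           r == EPERM ? "EPERM: blocked by seccomp" : "unexpected");
    return r == EPERM ? 0 : 1;
}
```

A compromised application running under this filter cannot call socket(), execve() or ptrace(), because none of them is on the allowlist; with the default action switched to SECCOMP_RET_KILL_PROCESS the first such attempt terminates the process, and the kernel logs the violation in the audit log, which is the signal a detection pipeline should watch for.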
Simon Goda is a senior member of technical staff at Doulos, the world-renowned training provider for hardware and software design. He has been working with Linux in embedded systems for over 15 years, starting at STMicroelectronics (R&D) Ltd, supporting and training customers using Linux and RTOS on set-top box and home entertainment products. At Doulos he writes and delivers training in the embedded Linux space, including device drivers, Yocto and Linux security.
Social and Technical Metrics for Trust Anchor Resilience
Remote Attestation, Supply Chain Security, Birth Certificates and Firmware updates all depend upon sets of asymmetric keys installed into devices at manufacturing time. Backing these keys and trust anchors are public key infrastructures which must be managed. The whole thing falls apart if a cleaner can just cook up a few certificates after hours, or if a security guard can be bribed to allow access.
Hardware Security Modules are necessary, and key ceremonies are needed. Keys need to be split, and multiple people should be required to re-sign things. But how many? What if someone dies, or what if travel becomes impossible during a pandemic? What about business continuity? There are standards for this, aren’t there? Asking around, it seems it’s all under NDA, and it’s impossible to know if one is doing enough, or too much.
This talk is not about the standards, or about any common consensus on the right amount, but rather about the metrics by which one should measure any such specification. The right balance of security versus resilience is very specific to the products, services and assurances being offered. Regulators will get involved, but when they do, how will they measure?
Michael Richardson is an open source and open standards consultant.
An autodidact, he wrote mail transfer agents as a teenager, and in the 1990s, after failing at high energy physics, found his calling designing and building embedded networking products, in the security sector. Michael has built multiple IPsec systems, joining the FreeS/WAN team in 2001, and founding Xelerance.com in 2003. He has operated many networks, worked on DNSSEC and root name servers, and built several boutique ISPs along the way.
Starting in 2008, Michael began to work on IoT mesh routing, eventually chairing the IETF ROLL working group for a few years. Michael has since moved on to the problem of how to securely connect and control IoT devices too small to have user interfaces. Michael now co-chairs two other IETF working groups while trying to make secure IoT device onboarding ubiquitous. Michael is co-author of 18 RFCs and 21 work-in-progress Internet-Drafts.
The New Encryption Standards from NIST & RISC-V: What do IoT developers need to know?
After 3 selection rounds, the NIST Post-Quantum Cryptography (PQC) Standardization Project has now selected new PQC algorithms to be ratified as new Federal standards for key establishment and digital signatures. It has also been announced that new NSS (Defence) cryptographic suites will be based on NIST PQC standards. PQShield cryptographers have been involved from the start; we designed some of the algorithms and have contributed to the security and performance analysis of the rest. Hardware support for older RSA and Elliptic Curve Cryptography (ECC) generally involved just “big integer” arithmetic acceleration and protection. Post-quantum algorithms use a much broader range of primitive operations and are generally more complex, requiring new cryptographic modules.
PQShield has designed a new cryptographic module utilizing a RISC-V core to support the new PQC standard algorithms while supporting previous RSA and ECC cryptographic standards as well.
This presentation will discuss the new PQC standards and what they mean for designers of IoT and connected devices. Topics covered will include:
• Implications of the new NIST standards and next steps in the NIST process
• Overview of the algorithms selected by NIST
• How engineers can begin migrating to Post Quantum Encryption
• PQC for platform security
• PQC for secure communication
• Overview of PQC solutions from PQShield, both hardware (including soft cores for FPGAs) and software
The PQShield Embedded SDK provides high-assurance implementations of all NIST Post-Quantum Cryptography (PQC) algorithms, together with comprehensive tests and integration tools on the RISC-V target. PQShield also provides hardware IP for use on FPGA cores or custom ASIC designs for security and performance-critical PQC applications or those that require additional non-invasive (side-channel) security guarantees. We will discuss how these components can be used together on embedded platforms to meet long-term security requirements.
Alan is a proven entrepreneur and technology executive focused on cybersecurity, IoT and embedded software solutions. He is VP of Sales & Business Development for PQShield, the leading provider of Post Quantum Cryptography Solutions.
Previously he was VP of IoT, Embedded Solutions at Sectigo (formerly Comodo CA), the world’s largest commercial Certificate Authority. Alan joined Sectigo as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was President and co-founder, as well as the architect of Icon Labs’ award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.
15:00
Break
15:30
A Hard Look at Security Standards, Regulations & Frameworks; What Have They Ever Done For Us?
This session will be live streamed for those who cannot make it to the event.
KEYNOTE
15:30
Analysis of 4 Well Known Security Standards
Sarb Sembhi, CISO Virtually Informed
Biography
Sarb Sembhi, CISM, is the CTO for Virtually Informed and a CISO for AirEye, a technology company providing visibility, control and protection for enterprise airspace. He started his career as a projects manager in the public sector, then became a management consultant, where he enjoyed working with technology and software development. It was during this time that he first came across the importance of security in developing new products. This interest led him into further security projects.
In 2005, Sarb explored the vulnerabilities of networked CCTV systems and he became interested in devices which sit on the network but were unattended and unmanaged – long before we used the term IoT. These security devices were the responsibility of the physical security teams where there was very little oversight or interaction with the cyber security teams – leading Sarb to work with others to provide security leaders with a converged approach to managing security from a single risk perspective.
In 2020 Sarb was recognised by IFSEC Global, placing 5th in its 2020 list of the 20 Most Influential People in Cyber Security.
Sarb has written many articles, white papers and spoken at many events on most aspects of security. He was the Workstream lead for the Cyber Security Council Formation Project’s Thought Leadership Workstream. He also sits as an adviser on several startups. Most recently, Sarb has been a vice-chair on IoTSF’s Smart Built Environment Group where he has led the sub-groups to produce a series of best practice guides. His work continues on Smart Cities and privacy, and Smart Building Security.
PANEL
16:15
CISO Cyber Security Resilience: The Role of Tools & Ideal Solutions
Paul Dorey, CISO (CSO Confidential), Nigel Stanley, CISO (Jacobs), Allan Jenkins, CISO (DCC Partners)
Biographies
Paul Dorey, CISO (CSO Confidential)
Paul Dorey is a Visiting Professor at Royal Holloway, University of London and a government advisor and cyber security consultant working in critical national infrastructure, specifically: the energy sector, civil nuclear, aviation and financial services. He has a particular interest in organisational cyber resilience and developing cyber security skills and knowledge. This includes cyber security in the supply chain through his co-leadership of the NCSC ICS COI Supply Chain Expert Group. He acts as an expert witness in civil disputes involving cyber security.
Nigel Stanley, CISO (Jacobs)
Nigel is a specialist in cybersecurity with over 30 years’ international experience in the industry.
Nigel has in-depth knowledge of operational technology cybersecurity, information security, business risk, threat intelligence, cyber warfare, cyber terrorism, systems engineering, regulations, functional safety, security operations, SCADA and industrial control systems (and of applying standards such as NIST, NISR, IEC 61508 and IEC 62443 across these domains). He has significant mechanical and electronic engineering experience in multiple engineering sectors, including light and heavy rail, power transmission, maritime, aviation and communications systems cybersecurity. Nigel’s work in operational technology cybersecurity also includes industrial automation, CNI, robotics, rail, maritime, smart cities, smart buildings, control systems, safety-critical systems and applying regulatory standards across these domains to achieve safety and security objectives.
Nigel is a Chartered Engineer and Fellow of the Institution of Engineering and Technology and a member of the Institute of Electrical and Electronics Engineers. He has an MSc in Information Security from Royal Holloway, University of London.
17:00
A Hard Look at Security Standards, Regulations & Frameworks; What Have They Ever Done For Us?
What good are tools which take years to negotiate, are often watered down to keep everyone happy, and are frequently out of date shortly after they are launched?
This session begins by presenting a straightforward analysis of four well-known security standards: the NIST Cybersecurity Framework, HIPAA, PCI-DSS and ISO 27002:2022. Many practitioners and critics have voiced concerns over the usefulness of standards: over the sheer number of them, and some say that even the better ones are virtually irrelevant for mitigating the threats organisations have to deal with today. We’ll then introduce four respected security leaders voicing their take on the role of such important tools against their needs, and what their ideal solutions would look like. We’ll round off with views and questions from the floor – you’re invited to bring your experience and opinions as we seek better answers.