SPEAKERS
This year we have a great line up of speakers such as Dr Stephen Pattison who is responsible for ARM’s Public Affairs, Dr. Franck Courbon, who is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge and Julie Chua, Director of Governance, Risk Management and Compliance (GRC) Division within the U.S. Department of Health and Human Services (HHS) Office of Information Security (OIS).
Keynote Speakers
Shadi Razak, ANGOKA Limited
Shadi is a cyber security and business digitisation expert, with a strong foundation in business and IT strategy. His expertise in information security management, data privacy and protection, information governance and compliance, cloud security and business digitisation has made him a sought after advisor to and coach for a number of international blue chip companies, government organisations, financial services and SME’s in the UK and the MENA region for the past 15 years.
He has been a visiting lecturer at a number of International and British universities and is currently a Board Member and President of the Information Security Group (ISG) Alumni, Technology and Finance Society and a mentor for a number of FinTech and SecurityTech start-ups in London and Dubai. Shadi lives and works in London (UK). He holds a BSc in Computer Engineering, a MSc in Information Security from Royal Holloway, University of London and an MBA from the University of Sunderland.
Presentation: Securing Internet of Drones
Internet of Things (IoTs) technology is rapidly evolving and yet the security aspect of IoT networks needs to be explored in depth before adoption. One promising application of IoTs is Internet of Drones (IoDs), which can be thought of as a managed space for drones connected together. The idea of IoDs has been around for a while and is expected to expedite the efficiency of tasks in services like medical, military, transport, and others. The United Kingdom is moving forward as a global leader in building up an open framework for Unmanned Traffic Management (UTM) for drones. A recent report published by Connected Places Catapult UK highlights a global market of commercial drones worth around GBP127 billion.
Inherent properties of Unmanned Aerial Vehicles (UAVs) such as high mobility pose challenges for the deployment of security primitives, so UAVs still rely on conventional means of secure communication (VPN/TLS). The report by the Drone Association (ARPAS-UK) shows that major partnerships and providers are coming together to build an open UTM, and IoDs will very soon be in action. To gear up for this IoT revolution, this presentation provides an insight into how IoDs work, a threat analysis, and a proposed security solution to mitigate the security risks.
A novel security solution based on the idea of Device Private Networks (DPNs) is proposed for the IoDs framework. The idea is backed by the design of a real-time attack scenario, which will be demonstrated live as part of the presentation.
Shadi Razak
ANGOKA Limited
Simon Goda, Doulos Ltd
Simon Goda is a senior member of technical staff at Doulos, the world-renowned training provider for hardware and software design. He has been working with Linux in embedded systems for over 15 years, starting at STMicroelectronics (R&D) Ltd, supporting and training customers using Linux and RTOS on set-top box and home entertainment products. At Doulos he writes and delivers training in the embedded Linux space, including device drivers, Yocto and Linux security.
Presentation: Confining Linux Applications with LibSeccomp
In this presentation we will introduce the Linux kernel feature Seccomp and its accompanying user space library LibSeccomp, and show how these can be used to confine an application to a small subset of the available system calls. We will show that if the application were to be compromised in some way so that malicious code is executed, the system can stop the application running before any potential damage is done. The technical points will be illustrated with a simple example.
Simon Goda
Doulos Limited
Paul Kearney, Birmingham City University
Paul Kearney is part-time Professor of Cybersecurity in the Networks and Cybersecurity Department at Birmingham City University (BCU). He has had a long and varied career in research and development in industry, and has previously worked for British Aerospace (BAe), Sharp and British Telecom (BT). His research interests include security and trust architectures for large-scale dynamic IoT systems, monitoring cybersecurity in the smart home, model-based security risk assessment, and application of data science and AI to cybersecurity problems. In addition to his role at BCU, Paul is a member of the Advisory Board of METCLOUD, an active contributor to the activities of the IoT Security Foundation, a visiting research fellow at EBTIC, Khalifa University, Abu Dhabi, an expert reviewer for the Horizon Europe programme, and a consultant on cybersecurity R&D.
Presentation: Towards Continuous Assurance of IoT Cybersecurity (provisional)
Future economic prosperity requires a thriving market in IoT products featuring rapid innovation in response to end-user needs. However, this cannot be achieved at the expense of exposing stakeholders to undue cybersecurity risk. Vendors have a responsibility to provide products that are fit for purpose security-wise, with clear guidance and constraints regarding secure usage. Similarly, customers must select products with appropriate security properties, and operate them securely, often as part of larger systems. This requires confidence in the statements from vendors about their products and their development and production practices.
The existing market resembles the ‘wild west’, expanding and developing rapidly, fuelled by pioneering spirit, but lawless and with many innocent casualties as a result. This situation cannot be sustained, but how can order be achieved without sacrificing innovation and dynamism? The current product certification ‘solution’ involves a static assessment of a specific product under specific conditions. The associated processes are lengthy, ‘paper heavy’, and resource and capital intensive, which acts as a disincentive to their adoption. Certified products are likely to be uncompetitive by virtue of being expensive and late to market.
A new approach – call it continuous assurance, or perhaps active certification – is required that can reduce costs, automate maintenance, be scalable, sustainable, and timely in delivery. Properties of such an approach include the following:
- Meeting these conditions will need an increasing degree of automation and/or software support, which in turn requires mathematical formalisation of concepts to allow them to be represented in a form that is understandable by people and machines and can be reasoned about by both.
- Claims (i.e. statements about security properties of a product) should be modular and scheme-independent, so that the same product can be certified according to additional schemes with minimal effort.
- Claims should be composable in the sense that, a claim proven about a component can be used to support proof of a claim made about the system in which the component is used.
- The approach needs to apply over the full product lifecycle, from requirement to retirement. In particular:
  - Security by Design should be baked into the development process. It needs to be compatible with software development processes including the various flavours of agile and DevSecOps.
  - Initial certification should make use of evidence gathered during Development. Such evidence should include software and hardware bills of materials (SBoM, HBoM) identifying incorporated external components and dependencies and their certification status or other evidence of trustworthiness.
  - Certification should not be based on evaluations performed on a snapshot of an evolving product and operational context at a point in time. Rather, validation should be performed continuously, on demand, or in response to events.
  - Key evidence upon which certification depends should be identified and monitored. Certification status is conditional on these remaining true. If this is not the case, it may be necessary to return temporarily to the Development stage. An example is discovery of a new vulnerability that affects a library identified in the SBoM.
  - If a condition invalidating certification is discovered during the operational phase then processes should be launched to remediate. Pending resolution, the product’s certification status could be downgraded, or withdrawn if remediation is not possible or will take a significant time.
  - The behaviour of device instances should be monitored during Operations. Deviation from expectations could indicate, for example, exploitation of a previously unknown vulnerability, or that assumptions on which certification was based are not valid. Either of these could affect certification status.
The talk will explore these and related issues, and briefly review related on-going initiatives, with the aim of stimulating debate about fruitful ways forward.
Paul Kearney
Birmingham City University
Kevin Fu, U.S. Dept. of Health & Human Services
Kevin Fu is Acting Director of Medical Device Cybersecurity at U.S. FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). Fu is also Associate Professor of EECS at the University of Michigan where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.
Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing.
He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org).
He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT.
He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.
Presentation Title: TBC
This talk will provide a glimpse into the risks, benefits, technical solutions, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.
Kevin Fu
U.S. Food and Drug Administration (FDA)
Paul Waller
Paul has worked in cryptography and hardware security since graduating with a degree in mathematics in 2001. He has represented the NCSC and its predecessor organisation in various standards bodies, including the Trusted Computing Group, Global Platform and FIDO. His current role as Head of Capability Research allows him to spend time with academic and industry partners learning what the future holds for security technology, and also to help user communities take advantage of new features. Outside of work (when pandemic restrictions allow!) Paul likes to cycle up small hills in summer, and ski down bigger ones in winter.
Presentation: IoT Security – what can government do?
All of us need to work together to improve the security and resilience of our connected systems. I’ll discuss some of the options for government and also some current projects.
Paul Waller
National Cyber Security Centre (NCSC)
Katerina Megas
Presentation: The road to IoT security: updates on the NIST IoT Cybersecurity program
NIST will present updates on the IoT Cybersecurity program, including updates on the NIST activities that support recent IoT policy stateside such as the IoT Cybersecurity Improvement Act that directs NIST to develop guidelines for federal agencies on the minimum requirements of IoT devices that the Federal government procures, as well as the recent Executive Order 14028 signed by President Biden that directs NIST to pilot a cybersecurity product label for consumer IoT devices.
Katerina Megas
NIST
Paul Kearney, Birmingham City University
Paul Kearney is part-time Professor of Cybersecurity in the Networks and Cybersecurity Department at Birmingham City University (BCU). He has had a long and varied career in research and development in industry, and has previously worked for British Aerospace (BAe), Sharp and British Telecom (BT). His research interests include security and trust architectures for large-scale dynamic IoT systems, monitoring cybersecurity in the smart home, model-based security risk assessment, and application of data science and AI to cybersecurity problems. In addition to his role at BCU, Paul is a member of the Advisory Board of METCLOUD, an active contributor to the activities of the IoT Security Foundation, a visiting research fellow at EBTIC, Khalifa University, Abu Dhabi, an expert reviewer for the Horizon Europe programme, and a consultant on cybersecurity R&D.
Presentation: Is agile certification an oxymoron?
Future economic prosperity requires a thriving market in IoT products featuring rapid innovation in response to end-user needs. However, this cannot be achieved at the expense of exposing stakeholders to undue cybersecurity risk. Vendors have a responsibility to provide products that are fit for purpose security-wise, with clear guidance and constraints regarding secure usage. Similarly, customers must select products with appropriate security properties, and operate them securely, often as part of larger systems. This requires confidence in the statements from vendors about their products and their development and production practices.
The existing market resembles the ‘wild west’, expanding and developing rapidly, fuelled by pioneering spirit, but lawless and with many innocent casualties as a result. This situation cannot be sustained, but how can order be achieved without sacrificing innovation and dynamism? The current product certification ‘solution’ involves a static assessment of a specific product under specific conditions. The associated processes are lengthy, ‘paper heavy’, and resource and capital intensive, which acts as a disincentive to their adoption. Furthermore, the resulting products are likely to be uncompetitive by virtue of being expensive and late to market. It is unlikely that certification will command a premium, although in some niche sectors, products without certification may be excluded. So, can certification be made agile, with greatly reduced timescales and costs and increased automation, and valued by customers? Or is there a better way?
The paper explores these issues, briefly reviews related on-going initiatives, and aims to stimulate debate about fruitful ways forward.
Paul Kearney
Birmingham City University
Phil Day, Configured Things
Configured Things design and build with security as a core design principle. We were one of just seven companies selected for the National Cyber Security Centre’s cyber accelerator’s 2018 cohort, from a pool of 180 applicants.
Presentation: Secure by Design Configuration Interfaces
Misconfiguration, whether by accident or malicious activity, is a major cause of security breaches.
The more actors that need to be involved in configuring a system, whether that’s people or other systems through automation, the more complex the problem becomes, both in terms of security (more rules to configure and manage) and operationally (understanding the impact that a change from A has on an overlapping change from B).
A distributed IoT system adds a further layer of complexity to configuration management. Such systems are often mobile and frequently offline creating a weakness for configuration drift from a centralised system.
And complexity is generally the enemy of resilient and secure systems. We give resilience equal billing with security because it’s no longer enough to design against known threats: systems must also be designed to deal with, and recover easily from, compromise. AI-driven automation, for example, can be less predictable than people and has the potential to become a new class of attack vector.
Most systems present their configuration interfaces as a complex API, with a correspondingly complex set of rules to control who is allowed to change what. Declarative approaches such as those employed in DevOps workflows can help in some areas, but they typically create a single authorisation body, exposed to internal threat vectors.
At Configured Things we take a different approach which both removes much of the complexity and reduces the overall attack surface. Each actor has their own interface, limiting the changes they are allowed to make and keeping their changes fully independent from those of any other actor.
Our approach is based on a “zero trust” paradigm where neither the source nor the transport is trusted. It does not require any inbound connections to the system, removing a large part of the system’s attack surface. Authorisation to make a change is based on policies that can require multi-party approval, addressing the internal threat vector.
The key to providing resilience is to focus on managing the changes rather than the resulting configuration. We treat all changes as ephemeral, so it is possible at any time to remove one or more changes and derive a new configuration from the remaining changes. In this way the person or system requesting a change does not have to take into account the current state of the system. Neither do they have to work out how to undo a specific change, the impact of which may have subsequently been modified by other changes. If a system is found to have been misconfigured or compromised, the changes from that source can simply be negated and the remaining valid changes reapplied. This is much more powerful than the simple rollback mechanism of other declarative approaches and is essential to supporting multi-tenancy, since it allows the different actors to act independently when making and removing changes.
The management of changes is not restricted to the external interface of the system. The same approach is also used internally to pass changes to both local subsystems and remote devices, and can manage configuration changes across security domains. Each device only needs its initial safe base state and details of how to connect to receive the current set of changes. This makes it possible for devices to recover from errors and compromise, ensures that devices always restart in a known and safe configuration, and eliminates configuration drift.
This approach, which was developed with guidance from the NCSC and other Government agencies as part of an InnovateUK funded project, is currently part of a trial system with a Local Authority.
Phil Day
Configured Things
Anna Maria Mandalari, Imperial College London
Presentation: Best practice for building/engineering ‘secure by design’ products and/or systems
The consumer Internet of Things (IoT) space has experienced a significant rise in popularity in the recent years. From smart speakers, to baby monitors, and smart kettles and TVs, these devices are increasingly found in households around the world while users may be unaware of the risks associated with owning these devices. Why are they so cheap and what is the real value they give back to us? In this talk, I will explore examples of information exposure from consumer IoT devices and I will share my longer-term research vision towards building an IoT user-centered ecosystem which is privacy-aware, secure, efficient, and reliable.
Anna Maria Mandalari
Imperial College London
Matt Tett, Enex P/L.
Enex TestLab’s objective is to use science to keep tech vendors honest by rigorously testing their product claims and ensuring consumer requirements are met factually (www.testlab.com.au). Enex TestLab is an independent ISO 17025 accredited testing laboratory with a 33+ year history, university heritage (RMIT), and ISO 9001 QMS Quality, ISO 27001 ISMS Security and ISO 45001 OH&S certifications.
Matt is a current board director of Communications Alliance (www.commsalliance.com.au) and a former board director of the Internet Industry Association (IIA). Matt is a current board director and Co-Chair of the Australian Women in Security Network (AWSN) (www.awsn.org.au). He is also the current chair of IoT Alliance Australia (IoTAA) (www.iot.org.au) enabler Work Stream 3 (eWS-3) – Cyber Security and Network Resilience – and sits on the IoTAA Executive Council.
Matt is an Advisor and Subject Matter Expert (SME) for IoT Security Mark P/L who operate the global IoT Security Trust Mark™ (STM) Certification and voluntary cyber security labelling scheme. (www.iotsecuritytrustmark.org). He is the founder of the national Day of The Month (DOTM) clubs, which currently has over 3800+ members across the information security industry. (www.dotm.com.au) Matt is a Director of eMetric P/L (T/AS Honesty Box™) developing innovative hardware, software and systems utilised to deliver accurate independent internet performance measurement for organisations such as CHOICE. (www.honestybox.io) He also serves on the Online Safety Consultative Working Group (OSCWG) for the Office of the eSafety Commissioner, the Communications Alliance Cyber Security Reference Panel (CSRP), the CSRP Fraud subgroup and the Communications Resilience Administration Industry Group (CRAIG), the Internet Australia Cyber Security SIG, and is a member of the research advisory committee for the Internet Commerce Security Laboratory at Federation University. He is a committee member participating in the development of Standards related to IT-042-00-01 – IoT and Related Technologies.
Matt has a deep technical background in network and security systems and he holds the following security certifications in good standing for 17+ years: CISSP, CISM, CSEPS and CISA. He is a certified Government security advisor and retains State and Federal Government security clearances.
He is also a judge for a number of industry awards, including the Commsday “Edison” Awards, IT Journo “Lizzies” Awards, InnovationAus Awards for Excellence, IoT Impact Awards and the Australian Women in Security Networking Awards (https://www.linkedin.com/in/mtett/).
Matt Tett
Enex P/L.
Michael Richardson, Sandelman Software Works Inc
Michael Richardson is an open source and open standards consultant.
An autodidact, he wrote mail transfer agents as a teenager, and in the 1990s, after failing at high energy physics, found his calling designing and building embedded networking products, in the security sector. Michael has built multiple IPsec systems, joining the FreeS/WAN team in 2001, and founding Xelerance.com in 2003. He has operated many networks, worked on DNSSEC and root name servers, and built several boutique ISPs along the way.
Starting in 2008 Michael began to work on IoT mesh routing, eventually chairing the IETF ROLL working group for a few years. Michael has since moved on to the problem of how to securely connect and control IoT devices too small to have user interfaces. Michael now co-chairs two other IETF working groups while trying to make secure IoT device onboarding ubiquitous. Michael is co-author of 18 RFCs and 21 work-in-progress internet-drafts.
Presentation Title: Social and Technical metrics for Trust Anchor resilience
This talk introduces a taxonomy of methods used by manufacturers of silicon and devices to secure private keys and public trust anchors. This deals with two related activities: how trust anchors and private keys are installed into devices during manufacturing, and how the related manufacturer-held private keys are secured against disclosure.
A related Internet Draft is presented. This talk does not seek to evaluate different mechanisms or degrees of security, but rather just serves to name them in a consistent manner in order to aid in communication.
Michael Richardson
Sandelman Software Works Inc
Ian Pearson, Microchip Ltd
Ian Pearson is a Principal Field Application Engineer with Microchip Technology Inc.
Presentation: Secure Boot – The keystone in Secure by Design and Business Risk Mitigation
Secure Boot is often considered late in the development lifecycle, with core product functionality coming higher up the list of requirements. After all, core functionality is what defines the product, what people interact with, and why they buy your product over a competitor’s. This often leads to security, the hidden stuff working away in the background, being treated as an afterthought and bolted on. The net result is that this critical function is added late in the development cycle without full consideration of the impact it has on the Secure by Design status of a product or the potential risk to an organisation and its client base.
Secure boot, implemented well, has a significant impact on all areas of the business, from design, procurement and manufacture to in-use support and end-of-life management. Implemented well it becomes a business asset; implemented poorly it becomes a business risk.
Without a correctly implemented secure boot mechanism the impacts on a business may be significant, especially in the light of pending legislation and the need to provide secure firmware updates to a product in the field. Secure Boot is the keystone to ensuring the integrity of future updates to a device in the field. If it cannot be trusted then the potential for system compromise increases.
Secure boot is more than an issue for the software team. It has wide reaching impact on the whole business to ensure that trust and integrity of a product are maintained without impact on manufacture, sales, support and the need for a business to meet ever increasing legislation around privacy and security both in use and at end of life.
Join us for a whistle-stop tour that will highlight some of the important factors, considerations and potential solutions around Secure Boot.
Ian Pearson
Microchip Ltd
Ken Metcalf, Reslam Limited
Ken Metcalf is the CTO of Reslam. Ken holds two degrees, a BSc in Electrical and Electronic Engineering (UCT 1990) and a BCom in Information Systems and Business Economics (UNISA 1994). Ken has successfully managed many high capital value projects in the international arena, with 30 years of postgraduate experience in Information Systems and in financial transaction and system security. Ken has specialised in high-volume financial, smartcard, mobile and transaction processing software systems and architecture. Ken currently serves on several global committees that focus on security (including cybersecurity) within the banking and financial industry.
Presentation: How to win at playing the IIoT Security game
CONTEXT: The IIoT is a massive playing field with a huge number of players and multiple positions to play from. If you want to win at the IoT game when it comes to security, we’ve developed some perspectives which we’d like to share, that we’ve found helpful in positioning our company as a player within the IIoT field.
OBJECTIVES: There are some key concepts that are important to understand when it comes to security. We will be exploring:
1. A brief History of IOT/IIOT: why security is such a hot topic
2. Best Practices – what does that really mean?
3. Secure by Design – security from the inside out
4. some ideas for managing secure updates
By way of example, we will reference the high-level security product we’ve developed over many years called RESLAM: Remote Electronic Safe Lock Auditing & Management. Through our personal experiences with implementing this product within the high-security banking and financial institution environments we have an interesting story to tell on how we have been able to build trust in the online security space.
Ken Metcalf
Reslam Ltd
Brian Contos, Phosphorus Cybersecurity
With two IPOs & eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began building security startups and taking multiple companies through successful IPOs and acquisitions, including: Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.
Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide like Black Hat, RSA, & BSides.
Presentation: Cameras, CACs & Clocks: Enterprise IoT Security Sucks – A Story of Two Million Interrogated Devices
Enterprise Internet of Things (IoT) security today is analogous to IT security in the mid 1990s. It was a time when security awareness was limited, countermeasures and best practices weren’t broadly applied, and attackers explored, compromised, controlled, and exfiltrated data from systems with minimal resistance. In short, enterprise IoT security sucks as bad today as that unpatched Windows NT 3.51 server with an RS-232 connected modem that IT forgot about.
Working globally with Fortune 500 enterprises and government agencies for the past six years, we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.
Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have 3-5 IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. There are over 46 billion connected devices today and 30 billion (65%) of those devices are IoT. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know:
● What IoT devices we have – guesses based on legacy asset discovery solutions are consistently off by at least 50%
● When our firmware was last updated – in many cases the firmware is end of life and the average IoT firmware age is six years
● If our credentials follow organizational policies – passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm
● How vulnerable our IoT devices are – at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs
While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.
Brian Contos
Phosphorus Cybersecurity
Naor Kalbo, Forescout
Naor Kalbo is the Security Research Manager at Forescout. He specializes in network research, Internet-of-Things cyber-security and algorithm development. Naor holds a BSc and MSc in Engineering and Cyber-Security from Ben-Gurion University, Israel. His research was presented at IEEE TIFS and Black Hat.
Naor’s engagement in cyber-security spans well over eight years; prior to Forescout, he spent a few years protecting the modern smart home against IoT threats.
Presentation: What spots should we light to assess an IoT security risk?
During the last few years, we researched how security risk scoring for IoT (and other verticals) should be addressed, and we found that all connected devices share an observable common denominator. We have managed to cluster observations into three pillars, as follows:
1. Functional: what the device IS – refers to knowledge that defines the device’s functionality/purpose, and it is not changeable by any configuration modification.
2. Configurational: what the device HAS – refers to knowledge that defines the device’s current status (e.g., the asset’s exposed services, or an unpatched operating system or software applications), and a change to this status is usually possible.
3. Behavioural: what the device DOES – refers to knowledge gathered regarding the device’s activities (mostly network-wise), whether initiated by or in response to
Using these pillars, we can easily place any indication we receive or identify regarding the device within the framework, following a crystal-clear methodology. The complementary phase, choosing the most accurate evaluation metrics to combine with this framework, can make the risk assessment task sound and optimal.
Naor Kalbo
Forescout
Alan Grau, PQShield
Previously he was VP of IoT, Embedded Solutions at Sectigo (formerly Comodo CA), the world’s largest commercial Certificate Authority. Alan joined Sectigo as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was President and co-founder, as well as the architect of Icon Labs’ award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.
Presentation: The New Encryption Standards from NIST & RISC-V: What do IoT developers need to know?
After 3 selection rounds, the NIST Post-Quantum Cryptography (PQC) Standardization Project has now selected new PQC algorithms to be ratified as new Federal standards for key establishment and digital signatures. It has also been announced that new NSS (Defence) cryptographic suites will be based on NIST PQC standards. PQShield cryptographers have been involved from the start; we designed some of the algorithms and have contributed to the security and performance analysis of the rest. Hardware support for older RSA and Elliptic Curve Cryptography (ECC) generally involved just “big integer” arithmetic acceleration and protection. Post-quantum algorithms use a much broader range of primitive operations and are generally more complex, requiring new cryptographic modules.
PQShield has designed a new cryptographic module utilizing a RISC-V core to support the new PQC standard algorithms while supporting previous RSA and ECC cryptographic standards as well.
This presentation will discuss the new PQC standards and what they mean for designers of IoT and connected devices. Topics covered will include:
• Implications of the new NIST standards and next steps in the NIST process
• Overview of the algorithms selected by NIST
• How engineers can begin migrating to Post Quantum Encryption
• PQC for platform security
• PQC for secure communication
• Overview of PQC solutions from PQShield including solutions for HW (including soft cores for FPGAs) & SW solutions
The PQShield Embedded SDK provides high-assurance implementations of all NIST Post-Quantum Cryptography (PQC) algorithms, together with comprehensive tests and integration tools on the RISC-V target. PQShield also provides hardware IP for use on FPGA cores or custom ASIC designs for security and performance-critical PQC applications or those that require additional non-invasive (side-channel) security guarantees. We will discuss how these components can be used together on embedded platforms to meet long-term security requirements.
Alan Grau
PQShield
Arthur Braunstein, Sternum
Arthur Braunstein
Sternum
Prof. John Goodacre, Digital Security by Design
Prof. John Goodacre is the Challenge Director for Digital Security by Design and is responsible for the programme of funded activities and associated research agenda to realise a future generation of digitally secured computers. He also holds a Professorship in Computer Architectures at the University of Manchester, having transitioned from being the Director of Technology and Systems in the Research Group at ARM Ltd. His career has delivered the first scalable commodity computer telephony platform, the first online data and video conferencing tools with Microsoft, and the first ARM MPCore multicore processors and associated technologies. His roles today extend across academia, industry and government. His research interests include web-scale servers, exascale efficient systems and secured ubiquitous computing.
Presentation: Past, Present and Future, the imperative of change
As the number of different products and deployments of IoT devices explodes, it’s clear the traditional cybersecurity approach of “react and patch” is unsustainable. While the end user will always need to be able to update their devices, device manufacturers must change the way they consider securing their products. Likewise, the manufacturers of the underpinning technology must provide capabilities and features in their components that can help protect the end product from potential vulnerabilities in its implementation, blocking subsequent cyber exploitation and the costly rush to react and patch.
In directing the UKRI Digital Security by Design programme, it’s encouraging to see the rapidly increasing interest in, and impact of, the Arm Morello technology prototype, which is allowing businesses and researchers to assess the benefits of its embedded CHERI security features in protecting their software. As well as increasing product resilience and providing higher-assurance solutions, these technologies make common software errors predictable failures and so deliver higher developer productivity.
This talk will reference back to the 1970s and look forward to the next decade, when new technology must fundamentally change the way computers run software and deliver secured products by design. Touching on the CHERI approach, we’ll investigate some of the evolving new techniques to secure devices by design and ponder how the world of IoT may change.
Prof. John Goodacre
Digital Security by Design
Peter Davies, Thales
Presentation: The Important Things & Future Security: A Business Perspective
Details to follow
Peter Davies
Thales
Natalia Ares, Xiaomi
Natalia is Deputy Director of Government Relations and Public Affairs in Europe. She deals with data, privacy and cybersecurity related policies and supports the IoT Technology and Security Department in Europe. Natalia leads work on the Data Act and the Cyber Resilience Act inside the company and will represent her cybersecurity colleagues during the IoTSF Conference.
Presentation: Xiaomi IoT Technology and Security Compliance
As the company with the largest IoT product ecosystem, Xiaomi faces great challenges in the course of its development. A growing number of connected users and products also means that we have to bear more responsibilities. Respecting and protecting users’ security and privacy has always been among Xiaomi’s core values.
Natalia Ares
Xiaomi
James Deacon, Department for Digital, Culture, Media and Sport (DCMS)
Presentation: The UK PSTI Bill Update
James Deacon and Rhys Duncan are both part of the IoT Product Security team within DCMS. They will provide an overview of DCMS policy work to date on IoT as well as the team’s intended future policy direction and priorities for the coming years.
James Deacon
Department for Digital, Culture, Media and Sport (DCMS)
Rhys Duncan, Department for Digital, Culture, Media and Sport (DCMS)
Rhys Duncan is a policy advisor working on Enterprise IoT policy, Standards, and International Engagement within the IoT Product Security Team for the UK’s Department for Digital, Culture, Media and Sport (DCMS). He is also a member of standards committees working on IoT in ETSI, ISO, and ITU. He previously worked as a broker in the cyber insurance sector for Marsh McLennan.
Presentation: The UK PSTI Bill Update
James Deacon and Rhys Duncan are both part of the IoT Product Security team within DCMS. They will provide an overview of DCMS policy work to date on IoT as well as the team’s intended future policy direction and priorities for the coming years.
Rhys Duncan
Department for Digital, Culture, Media and Sport (DCMS)
Rob Dobson, Device Authority
Presentation: The use of Identity, Device context and SBOMs with Continuous Assurance to help improve securing IoT Supply chains
Details to follow.
Rob Dobson
Device Authority
Paul Dorey, CISO (CSO Confidential)
Paul Dorey is a Visiting Professor at Royal Holloway, University of London and a government advisor and cyber security consultant working in critical national infrastructure, specifically: the energy sector, civil nuclear, aviation and financial services. He has a particular interest in organisational cyber resilience and developing cyber security skills and knowledge. This includes cyber security in the supply chain through his co-leadership of the NCSC ICS COI Supply Chain Expert Group. He acts as an expert witness in civil disputes involving cyber security.
Paul Dorey
CISO (CSO Confidential)
John Manslow, NquiringMinds
Presentation: Practical Device Behaviour Analytics – Spotting the Odd Stuff
Being able to create robust models of the normal behaviour of devices on a network is highly desirable as such models should make it possible to detect and characterise deviations in behaviour that might indicate an emerging security threat, providing valuable information for higher level systems to reason about.
One of the challenges in creating such models is the broad spectrum of normal variability between device types, from laptops to smart bulbs, and between instances of specific types, such as smart TVs, some of which arises from differences in installed applications and the behaviours of the devices’ users. The failure of models to meet such challenges can result in floods of false alarms, causing higher level systems to downrate their detections in order to maintain their own performance.
This talk will present some early work at NquiringMinds to develop robust algorithms for modelling the destinations that devices make requests to. The work was performed as part of the ManySecured project.
John Manslow
NquiringMinds
Prof. Carsten Maple, University of Warwick
Professor Carsten Maple is Professor of Cyber Systems Engineering at the University of Warwick, WMG’s Cyber Security Centre (CSC). He is the director of research in Cyber Security working with organisations in key sectors such as manufacturing, healthcare, financial services and the broader public sector to address the challenges presented by today’s global cyber environment.
Professor Maple has an international research reputation, has published over 200 peer-reviewed papers, and has extensive experience of institutional strategy development and of interacting with external agencies.
Professor Maple is a Fellow of the British Computer Society and Vice-Chair of the Council of Professors and Heads of Computing, UK.
Prof. Carsten Maple
University of Warwick
Nick Allott, NquiringMinds
NquiringMinds develops the Trusted Data Exchange (TDX), a platform for fully distributed and decentralised sharing and analysis of data. The TDX has won numerous industry awards for its innovative approach to both security and analytics.
Nick’s experience includes: CTO of OMTP, a mobile standards body that published 30+ industry specifications, including the Trusted Execution Environment; Director of Webinos, an international open source foundation focusing on self-sovereign data and devices; CTO of the Wholesale Application Community (WAC), a multi-operator joint venture for application wholesaling; CTO of FastMobile, a VC-invested push-to-talk and messaging service acquired by RIM; and Engineering Director at Motorola, leading voice recognition and voice assistant technologies. He has also held executive positions at Shell and the Pearson Group. With a strong track record in collaborative innovation, Nick has raised over £100 million across VC, joint ventures and R&D initiatives.
Nick has a PhD in Artificial Intelligence and is Visiting Professor at the University of Southampton. He is a Fellow of the British Computer Society, the Institute of Analysts and Programmers and the Royal Society of Arts.
Nick Allott
NquiringMinds
Paul Lockley, Device Authority
Paul is currently the VP of Sales EMEA at Device Authority, leading both partner/alliance and customer engagement. He has over 25 years’ IT experience delivering value-based customer solutions, building GTM strategy and creating shared success. For the last 10 years Paul has focussed on building rapid-growth start-up technologies and markets, working with companies such as Veeam and Device Authority. Prior to that he worked within the enterprise solutions divisions of companies such as EMC and Computacenter, focussed on the Global 500 sector.
Paul Lockley
Device Authority
Amyas Phillips, IoTSF Supply Chain Integrity Project
Amyas Phillips
IoTSF Supply Chain Integrity Project
Peter Shearman, Cisco UKI
Peter Shearman
Cisco UKI
Trevor G.R Hall, Synaptics
Trevor is a Systems Engineer with experience in, and responsibility for, all aspects of design, from ASIC design and embedded software and hardware design to many areas of product security.
He has many years of experience managing secrets in silicon, including content protection keys (DVD, Blu-ray, HDCP etc.) and secure/anti-tamper operation.
He chairs the Security team in DisplayLink/Synaptics, which provides governance and consultancy on making product releases of silicon, software and services secure.
In his (copious 😉) spare time he is the Centre Manager of a Scout training base in Richmond upon Thames, concentrating on training the trainers and leaders who supervise teams of young people boating on the waterways of the UK (primarily the Thames).
Trevor G.R Hall
Synaptics
Nigel Stanley, CISO (Jacobs)
Nigel is a specialist in cybersecurity with over 30 years’ international experience in the industry.
Nigel has in-depth knowledge of operational technology cybersecurity, information security, business risk, threat intelligence, cyber warfare, cyber terrorism, systems engineering, regulations, functional safety, security operations, SCADA and industrial control systems (and of applying standards such as NIST, NISR, IEC 61508 and IEC 62443 across these domains). He has significant mechanical and electronic engineering experience in multiple engineering sectors, including light and heavy rail, power transmission, maritime, aviation and communications systems cybersecurity. Nigel’s work in operational technology cybersecurity also includes industrial automation, CNI, robotics, rail, maritime, smart cities, smart buildings, control systems and safety-critical systems, and applying regulatory standards across these domains to achieve safety and security objectives.
Nigel Stanley
CISO (Jacobs)
Sarb Sembhi, Virtually Informed
Sarb Sembhi, CISM, is the CTO for Virtually Informed and a CISO for AirEye, a technology company providing visibility, control and protection to enterprise airspace. He started his career as a projects manager in the public sector, then became a management consultant, where he enjoyed working with technology and software development. It was during this time that he first came across the importance of security in developing new products. This interest further led him into more security projects.
In 2005, Sarb explored the vulnerabilities of networked CCTV systems and he became interested in devices which sit on the network but were unattended and unmanaged – long before we used the term IoT. These security devices were the responsibility of the physical security teams where there was very little oversight or interaction with the cyber security teams – leading Sarb to work with others to provide security leaders with a converged approach to managing security from a single risk perspective.
In 2020 Sarb was recognised by IFSEC Global and shortlisted 5th in the IFSEC Global 2020 20 Most Influential People in Cyber Security.
Sarb has written many articles, white papers and spoken at many events on most aspects of security. He was the Workstream lead for the Cyber Security Council Formation Project’s Thought Leadership Workstream. He also sits as an adviser on several startups. Most recently, Sarb has been a vice-chair on IoTSF’s Smart Built Environment Group where he has led the sub-groups to produce a series of best practice guides. His work continues on Smart Cities and privacy, and Smart Building Security.
Sarb Sembhi
Virtually Informed
Rick Chandler
Since his early career in military aerospace, Rick has been connecting “Things” to networks for over 40 years. The connectivity was not always wired or wireless and included satellite and sub-sea applications. He has led teams building telecommunications infrastructure in Europe and Asia and worked in several other sectors including petrochemical, pharma, retail and space. He led the team at BT building what ultimately became O2, after which he worked on wireless city projects and ultimately moved to a CISO position for 720 global customer sites. He started his own IoT and Smart Cities consultancy in 2012. He is active in technology mentoring start-up companies and judges several global communications awards. He was awarded the BCS Ivinson award for voluntary service in 2021.
Rick Chairs the Communications Management Association and is Treasurer of European security association EEMA. He sits on the BSI committees for IoT and Digital Twin.
Rick Chandler
Alan Jenkins
I am a highly confident, effective and adaptable leader, manager & team player, with some 30 years’ experience in all facets of security, particularly cyber and enterprise security risk management, with a focus on ‘value-at-risk’.
During my career as a senior RAF Police officer, I accrued extensive operational exposure in the UK & overseas, in both multi-national & multi-agency environments, against the backdrop of a broad threat spectrum & across all 3 of the so-called physical, personnel & information security pillars. My ‘hard’ experience is complemented by softer skills & broad general management experience, incl. corporate governance, strategic planning, programme management, business continuity, cyber resilience & crisis/disaster/incident response activities.
Since leaving the RAF in 2006, I have added management consulting plus business development, delivery & pre-sales experience in both Public & Private sectors in the role of a Trusted Advisor & SME. After spells at CSC & T-Systems as UK Chief Security Officer, responsible for end-end security governance, operations and risk, I joined Babcock International Group as their first CISO in Apr ‘13. I led the delivery of significant improvements in the Group’s cyber security capabilities to the benefit of the wider business & its customers. After a year as an Independent, I joined IBM Security in Nov ‘15 as an Associate Partner leading activities in the UK’s FinSvces Sector; I also led the delivery of a £multi-million security workstream as part of a £1.2 billion contract with a Tier 1 Bank. I returned to freelancing in Aug ‘18, working through Cybercorre & then joined a start-up, Guardian Cyber Services, in Jan ‘19, before landing an all-too-brief role @ 2-Sec Consulting. I’ve been on contract to Hitachi Europe’s Security Business Group since Oct ‘19. I have also been CISO-in-Residence at CyLon Labs since Mar ‘19 supporting 2 Cohorts of startup/scale ups and supporting a CyLon Spark workshop in Oman in Feb ‘20.
I possess an unusual portfolio of skills & experience across the breadth of security & broader business risk management issues. I champion better alignment of security to the needs of business as an enabling strategy, with emphasis on the benefits & value-add that result from a converged security approach.
Alan Jenkins