TALKS
While our speakers are preparing to educate, inform and perhaps, entertain, with their presentations, take a look at their abstracts.
Towards Continuous Assurance of IoT Cybersecurity
Paul Kearney
Birmingham City University
Paul Kearney, Birmingham City University
Paul Kearney is part-time Professor of Cybersecurity in the Networks and Cybersecurity Department at Birmingham City University (BCU). He has had a long and varied career in research and development in industry, and has previously worked for British Aerospace (BAe), Sharp and British Telecom (BT). His research interests include security and trust architectures for large-scale dynamic IoT systems, monitoring cybersecurity in the smart home, model-based security risk assessment, and application of data science and AI to cybersecurity problems. In addition to his role at BCU, Paul is a member of the Advisory Board of METCLOUD, an active contributor to the activities of the IoT Security Foundation, a visiting research fellow at EBTIC, Khalifa University, Abu Dhabi, an expert reviewer for the Horizon Europe programme, and a consultant on cybersecurity R&D.
Presentation: Towards Continuous Assurance of IoT Cybersecurity
Future economic prosperity requires a thriving market in IoT products featuring rapid innovation in response to end-user needs. However, this cannot be achieved at the expense of exposing stakeholders to undue cybersecurity risk. Vendors have a responsibility to provide products that are fit for purpose security-wise, with clear guidance and constraints regarding secure usage. Similarly, customers must select products with appropriate security properties, and operate them securely, often as part of larger systems. This requires confidence in the statements from vendors about their products and their development and production practices.
The existing market resembles the ‘wild west’, expanding and developing rapidly, fuelled by pioneering spirit, but lawless and with many innocent casualties as a result. This situation cannot be sustained, but how can order be achieved without sacrificing innovation and dynamism? The current product certification ‘solution’ involves a static assessment of a specific product under specific conditions. The associated processes are lengthy, ‘paper heavy’, and resource and capital intensive, which acts as a disincentive to their adoption. Furthermore, the resulting products are likely to be uncompetitive by virtue of being expensive and late to market. It is unlikely that certification will command a premium, although in some niche sectors, products without certification may be excluded. So, can certification be made agile, with greatly reduced timescales and costs and increased automation, and valued by customers? Or is there a better way?
The paper explores these issues, briefly reviews related on-going initiatives, and aims to stimulate debate about fruitful ways forward.
Securing Internet of Drones
Shadi Razak
ANGOKA Limited
Shadi Razak, ANGOKA Limited
Shadi is a cyber security and business digitisation expert, with a strong foundation in business and IT strategy. His expertise in information security management, data privacy and protection, information governance and compliance, cloud security and business digitisation has made him a sought-after advisor to, and coach for, a number of international blue chip companies, government organisations, financial services and SMEs in the UK and the MENA region for the past 15 years.
He has been a visiting lecturer at a number of International and British universities and is currently a Board Member and President of the Information Security Group (ISG) Alumni, Technology and Finance Society and a mentor for a number of FinTech and SecurityTech start-ups in London and Dubai. Shadi lives and works in London (UK). He holds a BSc in Computer Engineering, a MSc in Information Security from Royal Holloway, University of London and an MBA from the University of Sunderland.
Securing Internet of Drones
Internet of Things (IoTs) technology is rapidly evolving and yet the security aspect of IoT networks needs to be explored in depth before adoption. One promising application of IoTs is Internet of Drones (IoDs), which can be thought of as a managed space for drones connected together. The idea of IoDs has been around for a while and is expected to expedite the efficiency of tasks in services like medical, military, transport, and others. The United Kingdom is moving forward as a global leader in building up an open framework for Unmanned Traffic Management (UTM) for drones. A recent report published by Connected Places Catapult UK highlights a global market of commercial drones worth around GBP127 billion.
Inherent properties of Unmanned Aerial Vehicles (UAVs) such as high mobility pose challenges for the deployment of security primitives, so they still rely on conventional means of secure communication (VPN/TLS). Based on the report by the Drone Association (ARPAS-UK), it can be seen that major partnerships and providers are coming together to build open UTM, and very soon IoDs will be in action. Therefore, to gear up for this IoT revolution, this presentation provides an insight into the workings of IoDs, a threat analysis and a proposed security solution to mitigate the security risks.
A novel security solution based on the idea of Device Private Networks (DPNs) has been proposed for the IoDs framework. The idea has been backed with the design of a real-time attack scenario which would be demonstrated live as part of the presentation.
Secure by Design Configuration Interfaces
Phil Day
Configured Things
Phil Day, Configured Things
Configured Things design and build with security as a core design principle. We were one of just seven companies selected for the National Cyber Security Centre’s cyber accelerator’s 2018 cohort, from a pool of 180 applicants.
Secure by Design Configuration Interfaces
Misconfiguration, whether by accident or malicious activity, is a major cause of security breaches.
The more actors that need to be involved in configuring a system, whether that’s people or other systems through automation, the more complex the problem becomes, both in terms of security (more rules to configure and manage) and operationally (understanding the impact that a change from A has on an overlapping change from B).
A distributed IoT system adds a further layer of complexity to configuration management. Such systems are often mobile and frequently offline creating a weakness for configuration drift from a centralised system.
And complexity is generally the enemy of resilient and secure systems. We give resilience equal billing with security because it’s no longer enough to design against known threats: systems must also be designed to deal with, and recover easily from, compromise. AI-driven automation, for example, can be less predictable than people and has the potential to become a new class of attack vector.
Most systems present their configuration interfaces as complex APIs, with a correspondingly complex set of rules to control who is allowed to change what. Declarative approaches such as those employed in DevOps workflows can help in some areas, but they typically create a single authorisation body, exposed to internal threat vectors.
At Configured Things we take a different approach which both removes much of the complexity and reduces the overall attack surface. Each actor has their own interface, limiting the changes they are allowed to make and keeping their changes fully independent from those of any other actor.
Our approach is based on a “zero trust” paradigm where neither the source nor the transport is trusted. It does not require any inbound connections to the system, removing a large part of the system’s attack surface. Authorisation to make a change is based on policies that can require multi-party approval, addressing the internal threat vector.
The key to providing resilience is to focus on managing the changes rather than the resulting configuration. We treat all changes as ephemeral, so it is possible at any time to remove one or more changes and derive a new configuration from the remaining changes. In this way the person or system requesting a change does not have to take into account the current state of the system. Neither do they have to work out how to undo a specific change, the impact of which may have subsequently been modified by other changes. If a system is found to have been misconfigured or compromised the changes from that source can simply be negated and the remaining valid changes reapplied. This is much more powerful than the simple rollback mechanism approach of other declarative approaches and is essential to supporting multi-tenancy, since it allows the different actors to act independently when making and removing changes.
The management of changes is not restricted to the external interface of the system; the same approach is also used internally to pass changes to both local subsystems and remote devices, and can manage configuration changes across security domains. Each device only needs its initial safe base state and details of how to connect to receive the current set of changes. This makes it possible for devices to recover from errors and compromise, ensures that devices always restart in a known and safe configuration, and eliminates configuration drift.
This approach, developed with guidance from the NCSC and other Government agencies as part of an InnovateUK funded project, is currently part of a trial system with a Local Authority.
What spots should we light to assess an IoT security risk?
Naor Kalbo
Forescout
Naor Kalbo, Forescout
Naor’s engagement in cyber-security spans well over eight years, and prior to Forescout, he spent a few years protecting the modern smart home against IoT threats.
What spots should we light to assess an IoT security risk?
1. Functional: what the device IS – refers to knowledge that defines the device functionality/purpose, and it is not changeable by any configuration modification.
2. Configurational: what the device HAS – refers to knowledge that defines the device’s current status (e.g., the asset’s exposed services, unpatched operating system or software applications), and a change to this status is usually possible.
3. Behavioural: what the device DOES – refers to knowledge gathered regarding the device’s activities (mostly network-wise), whether initiated by or in response to
Using these pillars, we can easily place any indication we received or identified regarding the device in a crystal-clear methodology within the given framework. The complementary phase, choosing the most accurate evaluating metrics combined with the framework mentioned earlier, could make the risk assessment task sound and optimal.
Confining Linux Applications with LibSeccomp
Simon Goda
Doulos Ltd
Simon Goda, Doulos Ltd
Confining Linux Applications with LibSeccomp
In this presentation we will introduce the Linux kernel feature Seccomp and its accompanying user space library LibSeccomp, and show how these can be used to confine an application to a small subset of the available system calls. We will show that if the application were compromised in some way so that malicious code is executed, the system can stop the application before any potential damage is done. The technical points will be illustrated with a simple example.
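As an added example (not from the talk or from Doulos), the program below builds the kind of syscall allow-list filter libseccomp generates, but directly through the kernel's seccomp-BPF interface so it needs only kernel headers: a user-space evaluator lets the policy be unit-tested before it is loaded, and a forked child is killed with SIGSYS the moment it calls something outside the list. The allow-list, the helper names and the two demo functions are assumptions.

```c
/* Added example (not from the talk): a seccomp-BPF allow-list built by hand, the
 * kind of filter libseccomp generates, so it needs only kernel headers. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older kernel headers lack it */
#endif
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Constructed allow-list: the only system calls the confined code may make. */
static const int allowed_syscalls[] = { SYS_write, SYS_exit_group, SYS_exit };
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
static struct sock_filter filter[5 + 2 * N_ALLOWED]; /* 5 fixed + 2 per entry */
#define STMT(code, k) (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)
/* Emit the classic-BPF program: kill on a foreign ABI (syscall numbers differ
 * between ABIs), allow listed syscall numbers, default-deny. Returns its length. */
static size_t build_filter(void)
{
    size_t i = 0;
    filter[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    filter[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    filter[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    filter[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < N_ALLOWED; k++) {
        filter[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed_syscalls[k], 0, 1);
        filter[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    filter[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}
/* Evaluate the program in user space for one (arch, nr) pair so the policy can be
 * unit-tested before it is loaded; unknown opcodes fail closed. */
static unsigned evaluate_filter(size_t len, unsigned arch, unsigned nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &filter[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS: /* k selects the seccomp_data field */
            acc = (ins->k == offsetof(struct seccomp_data, arch)) ? arch : nr; break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* jumps are relative to the next insn */
            pc += (acc == ins->k) ? ins->jt : ins->jf; break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}
/* Load the filter on the calling thread (irreversible). NO_NEW_PRIVS is mandatory
 * for unprivileged callers and stops the sandboxed process regaining privilege. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)build_filter(), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Run fn() confined in a child. Returns 1 if the kernel killed it with SIGSYS
 * (policy violation), 0 if it exited normally, -1 otherwise (e.g. no seccomp). */
static int run_confined(void (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0) _exit(2); /* never run fn() unconfined */
        fn();
        _exit(0); /* exit_group is on the allow-list */
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
static void well_behaved(void) { if (write(STDOUT_FILENO, "inside the sandbox\n", 19) < 0) _exit(1); }
/* Stands in for injected code reaching for the network: socket() is not listed. */
static void goes_rogue(void) { socket(AF_INET, SOCK_STREAM, 0); }
int main(void)
{
    printf("well-behaved child: %d, rogue child: %d (0 = exited, 1 = killed by SIGSYS)\n",
           run_confined(well_behaved), run_confined(goes_rogue));
    return 0;
}
```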
Patching and vulnerability management are a losing game for IoT security. What can we do differently?
Arthur Braunstein
Sternum
Arthur Braunstein, Sternum
Prior to founding Sternum, Natali held several cybersecurity related roles, including leading different R&D and research teams at two global cyber intelligence market leaders. Having identified critical gaps in the IoT security market with life-saving consequences, Natali now leads all aspects of Sternum’s vision and mission execution both technologically and commercially.
Patching and vulnerability mgmt. are a losing game for IoT security. What can we do differently?
Attackers only need one vulnerable path, while we must find them all and patch them – or must we? Endless patching is ineffective and exhausting, and we operate from a weak vantage point. Perhaps a more sustainable paradigm exists that we should pursue — one that would bring back the advantage to defenders. But first, to truly secure the IoT we have to continuously track, analyse and learn from the other side: attackers. In this session we will explore the attackers’ perspective and show how and why the innovations of malicious actors enable them to bypass the status quo of controls. Veterans of Unit 8200 of the IDF’s elite cyber force will present what IoT exploitations look like, how hackers target built-in weaknesses in the defences, and why only by enabling devices’ autonomous self-protection and exploitation prevention can defenders outsmart malicious actors before they gain a foothold. We will review why passive approaches such as continuous patching, static analysis and SBOM leave you vulnerable in-field and how we can incorporate lessons from other industries to secure IoT edge devices at scale. We will explore use cases in medical, industry 4.0, smart cities, energy, manufacturing, and more.
Best practice for building/engineering ‘secure by design’ products and/or systems
Anna Maria Mandalari
Imperial College London
Anna Maria Mandalari, Imperial College London
Best practice for building/engineering ‘secure by design’ products and/or systems
The consumer Internet of Things (IoT) space has experienced a significant rise in popularity in the recent years. From smart speakers, to baby monitors, and smart kettles and TVs, these devices are increasingly found in households around the world while users may be unaware of the risks associated with owning these devices. Why are they so cheap and what is the real value they give back to us? In this talk, I will explore examples of information exposure from consumer IoT devices and I will share my longer-term research vision towards building an IoT user-centered ecosystem which is privacy-aware, secure, efficient, and reliable.
The New Encryption Standards from NIST & RISC-V: What do IoT developers need to know?
Alan Grau
PQShield
Alan Grau, PQShield
Previously he was VP of IoT, Embedded Solutions at Sectigo (formerly Comodo CA), the world’s largest commercial Certificate Authority. Alan joined Sectigo as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was President and co-founder, as well as the architect of Icon Labs’ award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.
The New Encryption Standards from NIST & RISC-V: What do IoT developers need to know?
After 3 selection rounds, the NIST Post-Quantum Cryptography (PQC) Standardization Project has now selected new PQC algorithms to be ratified as new Federal standards for key establishment and digital signatures. It has also been announced that new NSS (Defence) cryptographic suites will be based on NIST PQC standards. PQShield cryptographers have been involved from the start; we designed some of the algorithms and have contributed to the security and performance analysis of the rest. Hardware support for older RSA and Elliptic Curve Cryptography (ECC) generally involved just “big integer” arithmetic acceleration and protection. Post-quantum algorithms use a much broader range of primitive operations and are generally more complex, requiring new cryptographic modules.
PQShield has designed a new cryptographic module utilizing a RISC-V core to support the new PQC standard algorithms while supporting previous RSA and ECC cryptographic standards as well.
This presentation will discuss the new PQC standards and what they mean for designers of IoT and connected devices. Topics covered will include:
• Implications of the new NIST standards and next steps in the NIST process
• Overview of the algorithms selected by NIST
• How engineers can begin migrating to Post Quantum Encryption
• PQC for platform security
• PQC for secure communication
• Overview of PQC solutions from PQShield, covering both hardware (including soft cores for FPGAs) and software
The PQShield Embedded SDK provides high-assurance implementations of all NIST Post-Quantum Cryptography (PQC) algorithms, together with comprehensive tests and integration tools on the RISC-V target. PQShield also provides hardware IP for use on FPGA cores or custom ASIC designs for security and performance-critical PQC applications or those that require additional non-invasive (side-channel) security guarantees. We will discuss how these components can be used together on embedded platforms to meet long-term security requirements.
Social and Technical metrics for Trust Anchor resilience
Michael Richardson
Sandelman Software Works Inc
Michael Richardson, Sandelman Software Works Inc
An autodidact, he wrote mail transfer agents as a teenager, and in the 1990s, after failing at high energy physics, found his calling designing and building embedded networking products, in the security sector. Michael has built multiple IPsec systems, joining the FreeS/WAN team in 2001, and founding Xelerance.com in 2003. He has operated many networks, worked on DNSSEC and root name servers, and built several boutique ISPs along the way.
Starting in 2008 Michael began to work on IoT mesh routing, eventually chairing the IETF ROLL working group for a few years. Michael has since moved on to the problem of how to securely connect and control IoT devices too small to have user interfaces. Michael now co-chairs two other IETF working groups while trying to make secure IoT device onboarding ubiquitous. Michael is co-author of 18 RFCs and 21 work-in-progress internet-drafts.
Social and Technical metrics for Trust Anchor resilience
to secure private keys and public trust anchors. This deals with two related activities: how trust anchors and private keys are installed into devices during manufacturing, and how the related manufacturer held private keys are secured against disclosure.
A related Internet Draft is presented. This talk does not seek to evaluate different mechanisms or degrees of security, but rather just serves to name them in a consistent manner in order to aid in communication.
Secure Boot – The keystone in Secure by Design and Business Risk Mitigation
Ian Pearson
Microchip Ltd.
Ian Pearson, Microchip Ltd
Ian Pearson is a Principal Field Application Engineer with Microchip Technology Inc.
Secure Boot – The keystone in Secure by Design and Business Risk Mitigation
Secure Boot is often considered late in the development lifecycle, with core product functionality coming higher up the list of requirements. After all, core functionality is what defines the product, is what people interact with, and is why they buy your product over a competitor’s. This often leads to security, the hidden stuff working away in the background, being an afterthought that is bolted on. The net result is that this critical function is added late in the development cycle without full consideration of the impact it has on the Secure by Design status of a product or the potential risk to an organisation and its client base.
Secure boot, implemented well, has a significant impact on all areas of the business, from design, procurement and manufacture to in-use support and end-of-life management. Implemented well it becomes a business asset; implemented poorly it becomes a business risk.
Without a correctly implemented secure boot mechanism the impacts on a business may be significant, especially in the light of pending legislation and the need to provide secure firmware updates to a product in the field. Secure Boot is the keystone to ensuring the integrity of future updates to a device in the field. If it cannot be trusted then the potential for system compromise increases.
Secure boot is more than an issue for the software team. It has wide reaching impact on the whole business to ensure that trust and integrity of a product are maintained without impact on manufacture, sales, support and the need for a business to meet ever increasing legislation around privacy and security both in use and at end of life.
Join us for a whistle stop tour that will highlight some of the important factors, considerations and potential solutions around Secure Boot.
How to win at playing the IIoT Security game
Ken Metcalf
Reslam Ltd
Ken Metcalf, Reslam Limited
How to win at playing the IIoT Security game
CONTEXT: The IIoT is a massive playing field with a huge number of players and multiple positions to play from. If you want to win at the IoT game when it comes to security, we’ve developed some perspectives which we’d like to share, that we’ve found helpful in positioning our company as a player within the IIoT field.
OBJECTIVES: There are some key concepts that are important to understand when it comes to security. We will be exploring:
1. A brief History of IOT/IIOT: why security is such a hot topic
2. Best Practices – what does that really mean?
3. Secure by Design – security from the inside out
4. Some ideas for managing secure updates
By way of example, we will reference the high-level security product we’ve developed over many years called RESLAM: Remote Electronic Safe Lock Auditing & Management. Through our personal experiences with implementing this product within the high-security banking and financial institution environments we have an interesting story to tell on how we have been able to build trust in the online security space.
Xiaomi IoT Technology and Security Compliance
Natalia Ares
Xiaomi
Natalia Ares, Xiaomi
Natalia is Deputy Director of Government Relations and Public Affairs in Europe. She deals with data, privacy and cybersecurity related policies and supports IoT Technology and Security Department in Europe. Natalia is leading Data Act and Cyber Resilience Act inside the company and will represent her Cybersecurity colleagues during IoTSF Conference.
Xiaomi IoT Technology and Security Compliance
As the company with the largest IoT Product Ecosystem, Xiaomi faces great challenges in the progress of development. A growing number of users and products connected also mean that we have to bear more responsibilities. Respecting and protecting users’ security and privacy has always been among Xiaomi’s core values.
Cameras, CACs & Clocks: Enterprise IoT Security Sucks – A Story of Two Million Interrogated Devices
Brian Contos
Phosphorus Cybersecurity
Brian Contos, Phosphorus Cybersecurity
With two IPOs & eight acquisitions Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.
Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide like Black Hat, RSA, & BSides.
Cameras, CACs & Clocks: Enterprise IoT Security Sucks – A Story of Two Million Interrogated Devices
Working globally with Fortune 500 enterprises and government agencies for the past six years, we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.
Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have 3-5 IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. There are over 46 billion connected devices today and 30 billion (65%) of those devices are IoT. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know:
● What IoT devices we have – guesses based on legacy asset discovery solutions are consistently off by at least 50%
● When our firmware was last updated – in many cases the firmware is end of life and the average IoT firmware age is six years
● If our credentials follow organizational policies – passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm
● How vulnerable our IoT devices are – at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs
While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.
Lessons learned from building a Global federated IoT Security Certification and voluntary live Cybersecurity Labelling Scheme
Matt Tett
Enex P/L.
Matt Tett, Enex P/L.
Matt Tett is the Managing Director of Enex P/L. He is well known globally across industry and government as a very well connected, highly technical straight shooter. Effectively applying science to translating complex technology for the lay person, ensuring customers receive what they are paying for.
Enex TestLab’s objective is to use science to keep tech vendors honest by rigorously testing their product claims and ensuring consumer requirements are met factually (www.testlab.com.au). Enex TestLab is an independent ISO 17025 accredited testing laboratory with a 33+ year history, university heritage (RMIT), and ISO 9001 QMS Quality, ISO 27001 ISMS Security and ISO 45001 OH&S certifications.
Matt is a current board director of Communications Alliance (www.commsalliance.com.au) and a former board director of the Internet Industry Association (IIA). Matt is a current board director and Co-Chair of the Australian Women in Security Network (AWSN) (www.awsn.org.au). He is also the current chair of IoT Alliance Australia (IoTAA) (www.iot.org.au) enabler Work Stream 3 (eWS-3) – Cyber Security and Network Resilience and sits on the IoTAA Executive Council.
Matt is an Advisor and Subject Matter Expert (SME) for IoT Security Mark P/L who operate the global IoT Security Trust Mark™ (STM) Certification and voluntary cyber security labelling scheme. (www.iotsecuritytrustmark.org). He is the founder of the national Day of The Month (DOTM) clubs, which currently has over 3800+ members across the information security industry. (www.dotm.com.au) Matt is a Director of eMetric P/L (T/AS Honesty Box™) developing innovative hardware, software and systems utilised to deliver accurate independent internet performance measurement for organisations such as CHOICE. (www.honestybox.io) He also serves on the Online Safety Consultative Working Group (OSCWG) for the Office of the eSafety Commissioner, the Communications Alliance Cyber Security Reference Panel (CSRP), the CSRP Fraud subgroup and the Communications Resilience Administration Industry Group (CRAIG), the Internet Australia Cyber Security SIG, and is a member of the research advisory committee for the Internet Commerce Security Laboratory at Federation University. He is a committee member participating in the development of Standards related to IT-042-00-01 – IoT and Related Technologies.
Matt has a deep technical background in network and security systems and he holds the following security certifications in good standing for 17+ years: CISSP, CISM, CSEPS and CISA. He is a certified Government security advisor and retains State and Federal Government security clearances.
He is also a judge for a number of industry awards, including the Commsday “Edison” Awards, IT Journo “Lizzies” Awards, InnovationAus Awards for Excellence, IoT Impact Awards and the Australian Women in Security Networking Awards (https://www.linkedin.com/in/mtett/).
Lessons learned from building a Global federated IoT Security Certification and voluntary live Cybersecurity Labelling Scheme
This presentation focuses on engaging the audience with the delivery of a fast paced, yet detailed, insight into the many pitfalls encountered, multi-stakeholder requirements navigated and lessons learned since commencing the journey in 2006 to what has ultimately become the IoT Security Trust Mark™ certification (STM) and Cybersecurity Labelling Scheme (CLS). A neutral, independent, global scheme which supports the social benefit of IoT for good. For more details please visit www.iotsecuritytrustmark.org