Dates: Tuesday, 16 April 2019, Wednesday, 17 April 2019, Thursday, 18 April 2019
Time: Tuesday, 14:00-16:00; Wednesday & Thursday, 11:00-18:30
Room: FG-042
Track Description
IoT applications and prospective solutions mandate consideration of a broad set of security and privacy requirements. The explosion in the number of connected devices poses a significant challenge, as does the diversity of end uses. The World Forum will address the component and platform implications for IoT in the context of the full life cycle for security and privacy regimes. It will also address the many security architectures and approaches that have emerged from Government organizations around the world, from the Commercial Market space, and from the Research Community. Across the wide spectrum of use cases there is a need to appropriately balance security and privacy, and it is useful to think of classifications that distinguish the levels required. As an example, these may be thought of as:
- Highly security-centric “life-and-death” applications such as: critical infrastructure; control systems for connected automobiles, railroads, or aircraft; emergency healthcare
- Intermediate security uses that include: smart home; routine monitoring of facilities; sports and physical exercise activities that involve tracking such as geolocation
- Casual uses such as: games, entertainment, public virtual reality applications, and aspects of social media and general information services
The topics that the Presentations, Panels, and Working Group discussions, for the Track on “Security and Privacy Regimes for IoT” will cover include:
- Achieving secure composability of individually secure devices and components
- Scalability (for massive numbers of devices, and as contributors to, and consumers of, big data)
- Device-associated robustness levels that also deal with the high variations in heterogeneity (such as stationary and mobile infrastructure, smart phones and user terminals, wearables, the wide range of possible sensor and actuator types, and embedded IoT devices)
- Device ownership and component control (accounting for interoperability, regulatory compliance, governance, auditability and risk management)
- Remediation for the reigning confusion caused by the proliferation of standards and certifications, and the realization that IoT will create new experiences and a vulnerability surface that is not accounted for
- Testing approaches and procedures that overcome the lack of efficacious and accepted practices. These include: interfacing with and leveraging legacy devices and services; containment against expansion of a compromise to other units, systems or networks; effective crypto-agility; defense against advanced threats such as quantum-computing attacks. They also include testing approaches for differing device lifetimes, and lifecycle support of IoT solutions such as over-the-air firmware and software upgrades
One of the objectives of the Track is to launch future actions and activities that continue beyond the World Forum as part of the IoT Initiative Working Group on “IoT Security and Privacy”.
Schedule
Tuesday, 16 April 2019
14:00-16:00 Session 7, Cyber Ireland
Talk 1 “IoT Kill Chain and Symbiotic Relationships”, Eoin Carroll, Senior Vulnerability Researcher, McAfee Advanced Threat Research
Talk 2 “IoT Benefits and Security Challenges”, Dr Andrew Byrne, Dell EMC Research Europe
Talk 3 “How Can Ireland Build Position Itself as a Global Cyber Security Leader?”, Dr Eoin Byrne, Cyber Ireland
Talk 4 “A Model for Detecting Malicious Activities in Cyber Physical Systems”, Dr Satyanarayana Vuppala, United Technologies Research Center, Ireland
Wednesday, 17 April 2019
11:00-13:00 Session 1, Standards for IoT Security
Talk 1 “Challenges and Opportunities for System Security”, Bruce Hecht, Analog Devices and Dermot O’Keeffe, ADI
Talk 2 “Global Leadership on IoT Security in Standards and Implementation”, David Rogers, Copper Horse Ltd.
Talk 3 “What is the GSMA Doing on IoT Security? What are the GSMA’s Guidelines, Self-Assessment Scheme and Privacy Policies?”, Shane Rooney, GSMA
Open Discussion
13:00-14:00 Lunch
14:00-16:00 Session 2, Trust and Protection
Talk 4 “The Role of Trust in Internet of Things Ecosystems: State-of-the-Art and Research Challenges”, Giancarlo Fortino, University of Calabria
Talk 5 Sebastian Ziegler, Mandat International
Talk 6 “IoT Security: Evolving the Foundation”, Wouter van der Beek, Cisco
Talk 7 “Secure Passive Keyless Entry with Bluetooth Devices”, Kathleen Philips, IMEC
16:00-16:30 Coffee Break
16:30-18:30 Session 3, PUFs and Beyond
Talk 8 “Using Physically Unclonable Functions (PUFs) as a Root of Trust in the IoT Network Edge”, Mikko Kiviharju, FDF
Talk 9 “Lightweight Security Solutions for IoT Using Physical Unclonable Functions”, Tolga Arul, CASED
Talk 10 “Data Privacy and Protection for Storage and Memory in the Internet of Things”, Thomas Coughlin, Coughlin Associates
Open Discussion
Thursday, 18 April 2019
11:00-13:00 Session 4, Protecting Platforms
Talk 1 “Automatic Security Analysis of the IoT App Ecosystem”, Luca Verderame, University of Genova
Talk 2 “Mitigating IoT Risks throughout the Software Development Lifecycle by Reducing Attack Vectors”, Joe Jarzombek, Synopsys
Talk 3 “IoT Penetration Testing for Security Assurance”, Shiuhpyng Shieh, NCTU
Open Discussion
13:00-14:00 Lunch
14:00-16:00 Session 5, From Access Control to Privacy
Talk 4 “The Pervasive Role of Identification in IoT Risk Assessment”, John Callahan, Veridium
Talk 5 “IOT Security and Disease Control”, Jart Armin, Cyberdefcon NL
Talk 6 “Challenges and Solutions for GDPR Compliance in Cyber Threat Intelligence Sharing”, Brian Lee, AIT
Open Discussion
16:00-16:30 Coffee Break
16:30-18:30 Session 6, Security for Hot Topics
Talk 7 “Towards a Data-Driven Society. Challenges and Research Perspectives for a Next Generation Internet Integrating Networking, Data Management and Computing”, Roberto Minerva, Telecom Sud Paris
Talk 8 “Buzzword Bingo: Blockchain, IoT, and SCRM”, Celia Paulsen, NIST
Talk 9 “Cyber Security of Intelligent Connected Electric Vehicles”, Hsiao-Ying Lin, Huawei
Closing Remarks
Track Co-Chairs
Jeff Voas, NIST
Jeffrey Voas is an innovator. He is currently a computer scientist at the US National Institute of Standards and Technology (NIST). Before joining NIST, Voas was an entrepreneur and co-founded Cigital, which is now part of Synopsys (Nasdaq: SNPS). He has served as the IEEE Reliability Society President (2003-2005, 2009-2010, 2017-2018), and served as an IEEE Director (2011-2012). Voas co-authored two John Wiley books (Software Assessment: Reliability, Safety, and Testability [1995] and Software Fault Injection: Inoculating Software Against Errors [1998]). Voas received his undergraduate degree in computer engineering from Tulane University (1985), and received his M.S. and Ph.D. in computer science from the College of William and Mary (1986 and 1990, respectively). Voas is a Fellow of the IEEE, member of Eta Kappa Nu, Fellow of the Institution of Engineering and Technology (IET), Fellow of the American Association for the Advancement of Science (AAAS), and member of the Washington Academy of Sciences (WAS).
Konrad Wrona, NATO
Konrad Wrona currently holds a Visiting Professor position at the Military University of Technology in Warsaw, Poland. He is also a Principal Scientist at the NATO Communications and Information Agency in The Hague, The Netherlands. Konrad Wrona has over 20 years of work experience in industrial (Ericsson Research and SAP Research) and academic (RWTH Aachen University, Media Lab Europe, and Rutgers University) research and development environments. He received his M.Eng. in Telecommunications from Warsaw University of Technology, Poland, in 1998, and his Ph.D. in Electrical Engineering from RWTH Aachen University, Germany, in 2005. He is an author or co-author of over sixty publications, as well as a co-inventor of several patents. His professional interests include a broad range of security issues: in communication networks, wireless and mobile applications, distributed systems, and the Internet of Things. Konrad Wrona is a Senior Member of the IEEE, a Senior Member of the ACM and a member of the IACR.
Keynote Speaker
Giancarlo Fortino
Giancarlo Fortino (SM’12) is Full Professor of Computer Engineering at the Dept. of Informatics, Modeling, Electronics and Systems (DIMES) of the University of Calabria (Unical), Rende (CS), Italy. He holds a Ph.D. degree and a Laurea (MSc+BSc) degree in Computer Engineering from Unical. He is a High-end Foreign Expert of China (term 2015-2018), Guest Professor at the Wuhan University of Technology (China), High-end Expert of HUST (China), and Senior Research Fellow at the Italian National Research Council – ICAR Institute. He has also been Visiting Researcher and Visiting Professor at the International Computer Science Institute (Berkeley, USA) and at the Queensland University of Technology (Australia), respectively. He is on the list of Top Italian Scientists (TIS) by VIA-academy, with h-index 37 and 5000+ citations according to Google Scholar. He is the director of the SPEME (Smart, Pervasive and Mobile Systems Engineering) Lab at DIMES, Unical, and co-director of two joint labs on IoT technologies established with Wuhan University of Technology and Shanghai Maritime University, respectively. His main research interests include Internet of Things computing and technology, agent-based computing, body area networks, wireless sensor networks, pervasive and cloud computing, multimedia networks, and mobile health systems. He has participated in many local, national and international research projects and is currently the deputy coordinator and scientific & technical project manager of the EU-funded H2020 INTER-IoT project. He has authored over 375 publications in journals, conferences and books. He has chaired more than 90 international conferences/workshops as co-chair, organized more than 40 special issues in well-known ISI-indexed international journals, and participated in the TPC of over 450 conferences.
He is the founding editor of the Springer Book Series on “Internet of Things: Technology, Communications and Computing”, and currently serves as associate editor on the editorial boards of IEEE Transactions on Affective Computing, IEEE Transactions on Human-Machine Systems, IEEE IoT Journal, Sensors Journal, IEEE Access, Journal of Network and Computer Applications, Engineering Applications of Artificial Intelligence, and Information Fusion. He is the recipient of the 2014 Andrew P. Sage SMC Transactions Paper Award. He is co-founder and CEO of SenSysCal S.r.l., a spin-off of Unical developing innovative IoT-based systems for e-health and domotics. He is the Chair of the IEEE SMC Italian Chapter, Member-at-large of the IEEE SMCS BoG, Member of the IEEE Press Board of Directors, and founding chair of the IEEE SMC Technical Committee on “Interactive and Wearable Computing and Devices”.
Talk Title: The Role of Trust in Internet of Things Ecosystems: State-of-the-Art and Research Challenges
In this talk, we will introduce fundamental concepts related to trust, such as trustworthiness and reputation, and connect them to security and privacy. The importance of trust in the real world, and how it can be established, will be explained. A classification and explanation of trust models will be presented. Then, the talk will focus specifically on the IoT world, where the state of the art on trust and IoT is presented through a taxonomy. A novel multi-agent-systems-oriented model, based on the concept of reputation capital and implemented through blockchain to form trusted dynamic groups of interacting IoT entities, is proposed. Finally, some research challenges are delineated.
Track Speakers
Jart Armin
Jart Armin is a leading activist, analyst, and researcher of hacker intrusion and of advances in cybercrime mechanisms and assessment. Jart gained notoriety for exposing cyber attacks on Georgia as well as cybercriminal hosts such as RBN (Russian Business Network), McColo, Atrivo, Spetsenergo, and others. More recently, Jart has been at the forefront of the quantification of cybersecurity and cyber attacks, as well as advances in CTI (cyber threat intelligence), botnet and automated threat tracking, and attribution. Jart is a member of NATO’s “National Cyber Security Framework” and a member of the ENISA Threat Landscape Stakeholder Group.
Talk Title: IOT Security and Disease Control
It is a simple axiom: all cybercrime, cyber-attacks, malware, and Internet badness is hosted and trafficked from somewhere, by someone. In tandem, all the data gained from data breaches, intrusions and malicious scanning is trafficked and stored somewhere, again by someone, and used by others for malicious purposes. It is not magic!
Recent metrics show that only a minority of all Internet traffic is now human: 52% is automated, and 23% of all traffic is malicious in the form of automated threats. This is the most serious threat to the deployment and use of an estimated 20.4 billion IoT devices by 2020. Ironically, many of these automated threats have been around for 5 to 10 years.
Rather than spending the estimated $134 billion annually by 2022 just on defensive cybersecurity for IoT devices, we have to start to think and act in terms of digital epidemiology (disease control). We have to find and dismantle the sources of the digital disease, allied to removing the digital garbage that creates the environment for the disease in the first place. This is achievable: threat removal is cheaper and more effective in the long term.
Tolga Arul
Tolga Arul received his Ph.D. in computer science from Technical University Darmstadt, Germany, with a dissertation on channel-switching-triggered charging for Pay-TV over IPTV. He joined the Center for Advanced Security Research Darmstadt (CASED), Germany, as a research associate in the field of cyber-physical systems security in 2009. Since March 2017 he has been a postdoctoral researcher in the Security Engineering Group at Technical University Darmstadt. His current research interests include trusted computing and embedded security applied to IoT, transportation, and broadcasting environments.
Talk Title: Lightweight Security Solutions for IoT Using Physical Unclonable Functions
IoT is entering almost every aspect of daily life and is becoming, besides all its opportunities and advantages, a ubiquitous source of cyber security threats. Fueled by the attention IoT technology has garnered, the necessity for security concepts has already been recognized. However, many IoT devices are not designed to accommodate adequate security measures, due to the conception of the devices that comprise IoT. In particular, IoT consists of everyday devices and objects that have not been connected to the Internet so far. These devices feature a lightweight nature, a flexible type of use, and a limited cost framework. In this talk, we introduce applications of Physical Unclonable Functions (PUFs), which can be used to provide practical, flexible, lightweight and cost-efficient security primitives. Furthermore, we discuss the working principles of current state-of-the-art memory-based PUFs and motivate their operation in different challenging use cases that can be encountered in various topical and vertical areas.
Andrew Byrne
Andrew Byrne is a principal research scientist with Dell EMC Research Europe. His primary research areas include cyber security, key management, cryptography, access control and legal/regulatory issues for data privacy. In this role he has led Dell EMC’s participation in several FP7 and H2020 EU projects. Andrew has also worked with Intel Security as a senior developer on their drive and file encryption products, and served as an adjunct lecturer in Cloud security at CIT. He received his PhD in Hardware Implementations of Cryptographic Algorithms from UCC in 2010.
Talk Title: IoT Benefits and Security Challenges
Emerging technologies in IoT, big data, and 5G promise to transform how many industries operate today. However, these new distributed, remote architectures present a variety of new security challenges that need to be understood in order to develop a practical roadmap to successful adoption.
Eoin Byrne
Dr Eoin Byrne is Cluster Manager at Cyber Ireland, an initiative to establish a national cyber security cluster in Ireland, supported by IDA Ireland and hosted at Cork Institute of Technology. Eoin is also co-founder of the V-LINC Research Group at Cork Institute of Technology. His research has examined regional economic development and industry clusters across a diverse range of sectors, from agri-food to ICT, in Ireland and internationally. He also has experience working with industry on innovative technology projects at the Nimbus Research Centre, Ireland’s leading research centre in Cyber-Physical Systems & Internet of Things.
Talk Title: How Can Ireland Build Position Itself as a Global Cyber Security Leader?
Cyber Security is a key priority for many aspects of industry and society, with the capability of impacting every business size. How can Ireland build on its strengths to position itself as a global cyber security leader, through collaboration? Cyber Ireland brings together Industry, Academia and Government to represent the needs of the Cyber Security Ecosystem in Ireland. It aims to enhance the innovation, growth and competitiveness of the companies and organisations which are part of the cluster and will address key challenges including: skills needs, research and innovation, promotion of Ireland’s cyber security industry and cross-industry collaboration.
John Callahan
Dr. John Callahan is Chief Technology Officer (CTO) at Veridium, a leading biometric authentication company. Dr. Callahan served as the Associate Director for Information Dominance at the US Navy’s Office of Naval Research Global (ONRG) London UK office from 2010-2014 via an Intergovernmental Personnel Act (IPA) assignment from the Johns Hopkins University Applied Physics Laboratory (JHUAPL) in Laurel, Maryland USA. From 2000-2006, Dr. Callahan served as VP of Engineering and CTO of BDMetrics, Inc. and Sphere.com, where he managed social networking systems for the world’s largest trade shows such as the Consumer Electronics Show (CES), PackExpo, and the National Association of Broadcasters (NAB). Prior to 2001, he was a tenured Associate Professor in the Department of Computer Science and Electrical Engineering at West Virginia University (WVU) in Morgantown, WV USA and research director at the NASA Independent Verification and Validation (IV&V) Facility in Fairmont, WV USA. He completed his PhD in Computer Science at the University of Maryland, College Park USA. Dr. Callahan has worked for Xerox Corporation in Palo Alto, CA USA, NASA Goddard Space Flight Center in Greenbelt, MD USA, and IBM Corporation.
Talk Title: The Pervasive Role of Identification in IoT Risk Assessment
Proper identification of devices and users is essential in the IoT landscape for secure access and user privacy. Devices can carry unique identifiers via mechanisms like Physically Unclonable Functions (PUFs) and W3C Decentralized Identifiers (DIDs), but users themselves and their mobile devices can provide a “context of use” during sessions when they are in proximity. For example, an automated teller machine (ATM) can provide cardless services to users across networks using strong authentication on user mobile devices. But an issuer needs contextual information regarding the authentication session to make a proper assessment regarding authorization of financial transactions relative to their risk and compliance policies. New standards like RFC 8485 (Vectors of Trust) and X9.117 can be used to encode authentication session context in a machine-readable format to inform the issuer about the mechanisms used during authentication, including biometric modalities, location and other threat measures.
Eoin Carroll
Eoin Carroll is a Senior Vulnerability Researcher on the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. For the first decade of his career he worked as an Electronic Engineer in both the semiconductor and medical device industries, gaining a wealth of engineering and risk experience. Prior to joining the McAfee ATR team he also worked as a Software Security Engineer, Product Security Architect, Penetration Tester and Incident Responder, developing both defensive and offensive perspectives. During this time he created and led security teams as well as mentoring many security engineers. He is very passionate about protecting Autonomous Vehicles and Smart Cities by combining his engineering, security and research experience. His work experience includes Threat Modeling and Risk, Secure Platform Design and Mitigations, Memory Forensics, Operating System Internals and Reverse Engineering.
Talk Title: IoT Kill Chain and Symbiotic Relationships
Eoin will elaborate on why a symbiotic relationship between security researchers, security architects and vendors is vital to securing IoT. The talk will conclude with a comparison of Desktop and Mobile security evolution, the current IoT Security trajectory, and how we can engineer secure IoT devices at scale.
Tom Coughlin
Tom Coughlin, President, Coughlin Associates is a digital storage analyst as well as a business and technology consultant. He has over 37 years in the data storage industry with engineering and management positions at several companies.
Dr. Coughlin has many publications and six patents to his credit. Tom is also the author of Digital Storage in Consumer Electronics: The Essential Guide, which is now in its second edition with Springer. Coughlin Associates provides market and technology analysis as well as Data Storage Technical and Business Consulting services. Tom publishes the Digital Storage Technology Newsletter, the Media and Entertainment Storage Report, the Emerging Non-Volatile Memory Report and other industry reports. Tom is also a regular contributor on digital storage for Forbes.com and other blogs.
Tom is active with SMPTE (Journal article writer and Conference Program Committee), SNIA (including as a founder of the SNIA SSSI), the IEEE (he is past Chair of the IEEE Public Visibility Committee, Past Director for IEEE Region 6, President of IEEE USA and active in the Consumer Electronics Society) and other professional organizations. Tom was the founder and organizer of the Storage Visions Conference (www.storagevisions.com) as well as the Creative Storage Conference (www.creativestorage.org). He was the general chairman of the annual Flash Memory Summit for 10 years. He is a Fellow of the IEEE and a member of the Consultants Network of Silicon Valley (CNSV). For more information on Tom Coughlin and his publications and activities go to www.tomcoughlin.com.
Talk Title: Data Privacy and Protection for Storage and Memory in the Internet of Things
Although local sensors and other connected devices are generating more and more digital content, IoT data is often stuck in isolated storage silos, often in order to protect personal privacy, and thus is not used to its greatest advantage. To make this data more useful we must develop ways to share and use it while protecting individual privacy and creating aggregated anonymous data. This talk will address the evolution of digital storage for IoT applications, at the endpoints, on the edge and in data centers. Recent developments of inference engines in embedded AI devices are using high-performance non-volatile memories to replace traditional volatile memory. This brings up new issues in data protection and security. Thus, this presentation will address ways to protect personal privacy and ensure data protection while providing effective sharing and storage of data, including ways to ensure privacy protection where persistent memory (such as MRAM, RRAM, PCM, etc.) replaces volatile memory (such as DRAM and SRAM) in future IoT applications.
Bruce Hecht
Bruce Hecht is with Analog Devices Global Operations & Technology focused on the intersection of design, learning, and leadership. He has over 25 years’ experience in successfully growing new product portfolios in instrumentation and industrial products, healthcare devices and systems, and automotive applications. Originally from Montreal, Quebec, Canada, Bruce studied at the University of Waterloo, earning his BASc/MASc focused on EE, Math, Design & Systems. He holds a Certified Achievement in Alliance Management from the Association of Strategic Alliance Professionals and a Certified Six Sigma Black Belt through the American Society for Quality. Bruce is a member of the Corporate Advisory Board for INCOSE and serves on several working groups including Product Line Engineering, Systems Security Engineering, and Systems Science. He has served in many conference roles, including the launch of the IEEE Future Leaders Forum, and serving as the Technical Program Committee Chair and General Chair of local and international conferences, including Bipolar/BiCMOS Technical Meeting (BCTM) in Boston and Bordeaux. Bruce was the guest editor for the Journal of Solid-State Circuits special issue on BCTM, and since 2014 he serves as the SSCS steering committee rep for the IEEE Design & Test Magazine. He is on the AdCom boards for the IEEE EMBS, SSCS, Biometrics Council, and the IEEE Sensors Council. In 2017, Bruce achieved the Executive Certificate in Management & Leadership in the Greater Boston Leadership Program at MIT. He is a mentor and advisor for participants in the MIT Systems Design and Management program connecting systems engineering, systems architecture, and methodology for safety and security engineering. This year, Bruce is working towards becoming an Associate Certified Coach through the Brown University / ACT program in Coaching for Leadership and Performance. 
He shares curiosity-driven design with his family and 3 children in Brookline, Massachusetts and at opportunities to learn around the globe.
Talk Title: Challenges and Opportunities for System Security
Joe Jarzombek
Joe Jarzombek is Director for Government, Aerospace & Defense Programs at Synopsys, Inc. He guides efforts to focus Synopsys’ global leadership in electronic design automation (EDA), silicon IP, and software security and quality solutions on addressing the needs of the public sector and aerospace and defense communities. Jarzombek has over 30 years focused on software security, safety and quality in embedded and networked systems and enterprise IT. He participates in industry consortia, test and certification organizations, standards bodies, and public sector collaboration forums to address software assurance and supply chain challenges and to assist in accelerating technology adoption. Jarzombek is a retired US Air Force Lt Colonel and a retired Department of Homeland Security civilian, having led the software assurance and supply chain risk management programs. He is a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional with an MS in Computer Information Systems, a BA in Computer Science and a BBA in Data Processing and Analysis.
Talk Title: Mitigating IoT Risks throughout the Software Development Lifecycle by Reducing Attack Vectors
As the cyber threat landscape evolves and external dependencies grow more complex, managing risks to enterprises and connected embedded systems requires more than reactive measures. Many organizations are proactively reducing their attack surfaces, both in their cyber supply chain and in IoT assets being targeted for exploitation. IoT asset management should leverage automated means for detecting weaknesses and vulnerabilities in software. Addressing cyber supply chain dependencies enables enterprises to harden their attack surface by comprehensively identifying exploit targets, understanding how assets are attacked, and providing more responsive mitigations. Security automation tools and services, testing and certification programs now provide means for organizations to reduce risk exposures attributable to exploitable software. This presentation addresses means for using information to prioritize mitigation efforts focused on reducing exploitable attack vectors, thus enabling organizations to proactively harden their attack surface and become more resilient in the face of growing threats and asymmetric attacks.
Mikko Kiviharju
Dr. Mikko Kiviharju works as a principal scientist and cryptographer at the Finnish Defence Research Agency (FDRA). He has a wide background in cyber defence spanning some 15 years, ranging from tactical principles in cyber operations to hardware security and theoretical cryptography. He is involved in both national and international governmental cryptographic standardization efforts. Currently, his research interests involve quantum-resistant cryptography, and cryptographic solutions intended for sparsely connected, heterogeneous networks in high-risk environments.
Kiviharju holds an MSc in computer science and a PhD in cryptology. His dissertation on cryptology addressed access control models enforced with next-generation public-key cryptography. This line of work can also be used for a concept called data-centric security, which is one proposed solution to tackle IoT security.
Talk Title: Using Physically Unclonable Functions (PUFs) as a Root of Trust in the IoT Network Edge
Typical problems in enforcing IoT security are connected to sensor node and network edge communications security. One of the key concepts here is remote attestation, which, while possible, may require expensive high-end solutions such as Trusted Platform Modules (TPMs). This talk will focus on the feasibility and applicability of using Physical Unclonable Functions (PUFs) in IoT end node and network edge security. PUFs are a type of “hardware fingerprint” whose defining property is producing unpredictable challenge-response behavior from minor physical deviations inherently present in some types of standard manufacturing processes for ICT hardware. Independent research on PUFs, both in implementations and applications, has increased ten-fold in the past decade, and a solid theory of using PUFs in cryptography is beginning to emerge. Many PUFs are cheap to produce and use (measured across a variety of resource types), which makes them an ideal candidate for IoT environments. Good PUF implementations would, for example, naturally solve the remote attestation problem for a wider application space than is currently possible or feasible with TPMs.
Brian Lee
Dr Brian Lee is the Director of the Software Research Institute at Athlone Institute of Technology, where he conducts research in network security, programmable networking and network management. Dr Lee has also worked in the networking industry for many years in a variety of technical, managerial and research roles. Currently he is a Funded Investigator in cybersecurity at the SFI-funded Smart Manufacturing centre, CONFIRM, hosted by the University of Limerick. He is also coordinator of the H2020 security project PROTECTIVE – Proactive Risk Management through Improved Cyber Situational Awareness.
Talk Title: Challenges and Solutions for GDPR Compliance in Cyber Threat Intelligence Sharing
After the Mirai DDoS event, enterprise security postures will never be quite the same again for Internet of Things (IoT) applications. In this post-Mirai era of increasing growth in IoT cyber attacks, sharing high-quality cyber threat intelligence becomes ever more important for CSIRTs in their battle to counter threats and improve situational awareness. However, sharing threat intelligence raises its own challenges: ensuring that personal data is protected and that cyber threat sharing stays compliant with measures such as GDPR. This talk examines the approach taken to this challenge in the context of the H2020 project PROTECTIVE – Proactive Risk Management through Improved Cyber Situational Awareness.
Hsiao-Ying Lin
Hsiao-Ying Lin, a senior researcher in Shield Lab, conducts connected car security research at Huawei International, a firm aiming at building a better connected world. Her research interests include embedded system security, applied cryptography and security issues in automotive areas. Before devoting her work full time to Huawei International, Hsiao-Ying served as a senior engineer focusing on smartphone platform security at MediaTek Inc. (a fabless semiconductor company), and as an assistant research fellow in the Intelligent Information and Communications Research Center at National Chiao Tung University. She received the MS and PhD degrees in computer science from National Chiao Tung University, Taiwan, in 2005 and 2010, respectively.
Talk Title: Cyber Security of Intelligent Connected Electric Vehicles
Electrification, intelligentization, connectivity and sharing are four major trends reshaping the car industry to provide a more comfortable and safer driving environment. Connectivity of cars is the essential technology for accelerating intelligentization and car sharing services. It also brings notable cyber security requirements into the car industry. As more communication technologies are deployed in vehicles to provide various forms of connectivity, more external interfaces expose vehicles to publicly accessible networks. Those interfaces include various sensors, Bluetooth, DSRC (dedicated short-range communications), 3G/4G and OBD (on-board diagnostics) interfaces. As a result, there are multiple potential ways for attackers to remotely gain access to vehicles and take control of them. Designing and deploying security mechanisms for connected vehicles is critical not only for security but also for safety reasons. This talk will introduce the attack surface of intelligent connected electric vehicles, the challenges, and potential mitigations.
Roberto Minerva
Roberto Minerva holds a Ph.D in Computer Science and Telecommunications from Telecom Sud Paris, France, and a Master's degree in Computer Science from Bari University, Italy. He is Maitre de Conference at Institut Mine-Telecom, Telecom Sud Paris. His research topics are: edge computing and 5G, virtualization and SDN, Internet of Things, and Artificial Intelligence and Machine Learning. He was the Chairman of the IEEE IoT Initiative, an effort to nurture a technical community and to foster research in IoT. Roberto spent several years at TIMLab, involved in activities on SDN/NFV, 5G, Big Data and architectures for IoT. He is the author of several papers published in international conferences, books and magazines.
Talk Title: Towards a Data-Driven Society. Challenges and Research Perspectives for a Next Generation Internet Integrating Networking, Data Management and Computing
Data are becoming more and more important for the digital world and its plethora of services and applications. Networks, and especially the upcoming Next Generation Internet, need to fully support the communication needs and the flow of data.
The speech will focus on some of the technical challenges that will be posed by the increased usage of data over the network, such as:
- predicting the IoT data flood: how much data will really be transported?
- different interaction paradigms beyond Client-Server, and the role of network services
- the NGI network will be transactional in order to provide security, privacy and fairness of data usage
- will edge computing cooperate or compete with the cloud? How much processing will happen at the edge?
These challenges also have important business and social impacts that may determine whether a new, fairer Internet capable of being an open environment will be built.
Dermot O’Keeffe
Dermot O’Keeffe graduated from University College Cork, Ireland, in 1998 with a BE in Electrical and Microelectronic Engineering. Joining ADI on graduation, Dermot worked in the Communications business group. He subsequently spent 8 years with Motorola Freescale, where he worked in a variety of roles in radio handset transceiver development. For the past 10 years Dermot has been with ADI in Cork and Limerick. Dermot is currently a design manager in the Industrial Platforms and Networking group. Dermot received a certificate in System Design and Management at MIT in 2016-17. Dermot’s interests are in system design, architecture and cybersecurity.
Talk Title: Challenges and Opportunities for System Security
Celia Paulsen
Celia Paulsen is a cybersecurity researcher at the National Institute of Standards and Technology (NIST). Her current research focuses on cyber-supply chain risk management and the intersection with tools such as blockchain and additive manufacturing. She has researched and written many documents related to supply chain risk management, metrics and measures for security, cybersecurity-related definitions, password usability, cybersecurity for small businesses, and related topics. In addition, she has served on and provided expertise to projects such as the National Initiative for Cybersecurity Education where she was the acting industry coordinator. Prior to joining NIST, Celia was an analyst for the National Security Agency in the US Army. She has an MBA in information security from California State University, San Bernardino, and bachelor’s degrees in information technology and business management.
Talk Title: Buzzword Bingo: Blockchain, IoT, and SCRM
Kathleen Philips
Dr. Kathleen Philips is a director at imec, The Netherlands, leading R&D programs on next-generation IoT technologies for Cognitive Sensing. The research includes roadmaps on state-of-the-art IC design for RF-sensing and radar, as well as design of new electro-chemical sensors for environmental monitoring, all the way to analytics, AI and neuromorphic chip design. She is responsible for the roadmap definition, the multi-site and multi-region implementation, as well as the business aspects of the Cognitive Sensing R&D programs.
Kathleen joined imec in 2007 and has held positions as director IoT, program director for Perceptive Systems, program manager for ULP Wireless and as a principal scientist. Before that, she was a research scientist at the Philips Research Labs for over 12 years. She holds a Ph.D in electrical engineering, has authored and co-authored over 80 papers and holds various patents.
Talk Title: Secure Passive Keyless Entry with Bluetooth Devices
High-end vehicles are mostly equipped with a Passive Keyless Entry (and start) (PKE) system. These PKE systems allow the vehicle to be unlocked and started based on the physical proximity of a paired key fob; no user interaction is required. The PKE system relies on an accurate calculation of the key's proximity, using RF transceivers. Today’s systems typically suffer from poor distance accuracy, and even poorer security.
New ultra-wideband systems are being developed to improve on these aspects, but they have limited market supply and add significant infrastructure cost.
In this slot, we present the world’s first secure passive keyless entry solution on standard Bluetooth parts. It uses a combination of phase-based distance estimation and advanced algorithmic approaches to combat multi-path effects. Moreover, security features have been co-designed into the physical layer to create a secure distance measurement between two Bluetooth-enabled communication devices. The technology is compliant with standard Bluetooth parts, as already deployed in the car for control, audio and tyre pressure monitoring, and can therefore leverage the available Bluetooth infrastructure.
This technology enables a seamless car access experience in which a BLE device, such as a mobile phone, acts as a digital car key. Apart from the lifestyle aspect, the concept of digital keys, with the ability to distribute keys over the internet, simplifies car sharing and opens the road to a massive sharing economy.
David Rogers
David Rogers, Founder & CEO, Copper Horse; Mobile Technology, Cyber Security & Standards Adviser, Department for Digital, Culture, Media & Sport (DCMS), UK
David is an adviser to DCMS in the UK on a number of technology and cyber security topics. He is the founder and CEO of Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on security and privacy research for the Internet of Things. David chairs the Fraud & Security Group at the GSM Association and sits on the Executive Board of the Internet of Things Security Foundation. He is a Visiting Professor in Cyber Security and Digital Forensics at York St John University and teaches Mobile Systems Security at the University of Oxford. He has worked in the mobile industry for 20 years in security and engineering roles. Prior to this he worked in the semiconductor industry. Most recently he authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues. David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside. He blogs at https://mobilephonesecurity.org and tweets as @drogersuk (https://twitter.com/drogersuk).
Talk Title: Global Leadership on IoT Security in Standards and Implementation
The UK has become a hub for expertise in IoT security. In October 2018, the UK Department for Digital, Culture, Media & Sport (DCMS) published the Code of Practice for Consumer IoT Security. This work was subsequently promoted up to a European standard with the publication of ETSI Technical Specification 103 645, ‘Cyber Security for Consumer Internet of Things’ in February 2019.
The Secure by Design initiative covers many different areas of improving IoT security, from manufacturers through to retailers. As the lead author, David Rogers explains the Code of Practice and its associated work, and outlines the next steps for government and industry.
Shane Rooney
Dr. Shane Rooney is an Executive Director at the GSMA on the IoT Programme, bringing together strategies and synergies across the M2M verticals and the wider IoT ecosystems. Shane previously led the GSMA’s initiative in developing mobile solutions for Smart Cities, collaborating with cities like Barcelona, Dubai and Shanghai. His team has developed a wide range of Smart City Indicators, Case Studies and Business Cases demonstrating the importance of mobile technology. His team has also developed enablers in IoT Security and embedded SIM. He has led the launch of the Cellular LPWA Network Technology (NB-IoT & LTE-M) initiative globally and is now promoting Cellular V2X technology. Previously he was a Group Vice President with Etisalat, developing Energy, Security and Transport IoT solutions for the Middle East, Africa and Asia. Before that he worked with other mobile operators, Vodafone, Hutchison and 3 UK, as well as launching and divesting his own M2M company. Shane pioneered early telematics and connected car solutions for Ford Motor Company in the USA and Europe. He has extensive global experience. He holds a PhD in Communications Systems specialising in Location Based Services and studied Business Marketing at IMD Switzerland.
Talk Title: What is the GSMA Doing on IoT Security? What are the GSMA's Guidelines, Self-Assessment Scheme and Privacy Policies?
Shiuhpyng Winston Shieh
Shiuhpyng Winston Shieh is currently a University Chair Professor in the Computer Science Department and the Director of the Taiwan Information Security Center at National Chiao Tung University (NCTU). Being actively involved in IEEE, he has served as Reliability Society VP, Editor of IEEE Trans. on Reliability and IEEE Trans. on Dependable and Secure Computing, Steering Committee member of IEEE IoT Magazine, and Associate Editor of ACM Trans. on Information and System Security. He has been on the organizing committees of many conferences, serving as the founding Steering Committee Chair and Program Chair of the ACM Symposium on Information, Computer and Communications Security (AsiaCCS), Founding Steering Committee Chair of the IEEE Conference on Dependable and Secure Computing, and Program Chair of the IEEE Conference on Security and Reliability. Along with Virgil Gligor of Carnegie Mellon University, he invented the first US patent in the intrusion detection field, and has published over 200 technical papers, patents, and books. Dr. Shieh is an IEEE Fellow and ACM Distinguished Scientist. His research interests include network security, intrusion detection, penetration testing, and malware behavior analysis. Contact him at ssp@cs.nctu.edu.tw.
Talk Title: IoT Penetration Testing for Security Assurance
With the fast growth of IoT technology, ubiquitous devices and services gradually take part in our daily life. These devices bring us not only convenience but also new security threats. An IoT ecosystem is composed of IoT devices, gateways, on-line services running in the cloud, and the network infrastructure connecting them. In the ecosystem, an IoT device is often connected to the cloud through a gateway, and all of them may be under cyber attack. In contrast to a conventional cloud, where attacks mainly come from the Internet, the IoT cloud may also be exposed to compromised IoT devices and the apps it serves. In addition to the defensive mechanisms used to protect the ecosystem, penetration testing has been widely used to offensively discover its vulnerabilities. Due to the complexity and heterogeneity of IoT environments, new penetration test techniques are desirable to cope with three types of penetration tests: interface test, transportation test, and system test. In this talk, we introduce the challenges and opportunities of IoT penetration testing. Case studies of penetration testing against the ecosystem will also be given. Our experiments and analysis showed that offensive methods like penetration testing can complement, not replace, defensive mechanisms in the life cycle of system development for security assurance.
Wouter van der Beek
Wouter is a senior architect in the IoT office of the CTO at Cisco Systems.
He is working on various standards related to IoT, for example the Open Connectivity Foundation, Fairhair and the Thread Group. The CTO group evaluates future trends, emerging standards, technologies, and architectures that drive and influence Cisco’s market portfolio relating to IoT.
Wouter has more than 25 years of experience and has been heavily involved in various standards for the last 15 years. These standards include: CEA, DLNA, DVB, HbbTV, OIPF, oneM2M and UPnP. In OCF he chairs the technical steering committee, aligning specification, implementation and certification work. His many and varied contributions to OCF are now standardized in releases of the OCF (ISO/IEC 30118-1:2018) standards.
Prior to joining the IoT group in Cisco, Wouter was a software architect in Cisco’s Service Provider Video Software and Solutions group. In that role he was responsible for the connectivity in the home between set top boxes (STB) and their controlling applications, and he represented Cisco in the UPnP Forum and OIC. In the UPnP Forum he acted, among other roles, as UPnP Board Member, UPnP (Certification) Compliance Chair and UPnP AV vice chair. Wouter was also instrumental in merging the UPnP Forum into OIC.
Wouter started his career at Philips in the Physics Labs, where he worked on simulation applications for cathode ray tubes. Later he moved to Applied Technologies, also a department of Royal Philips Electronics. Among the many topics he tackled there were Super Audio CD, standardizing the DSD file format, and home network connectivity (UPnP/DLNA). Later he moved to the Television department, where he functioned as technology leader in home connectivity.
Talk Title: IoT Security: Evolving the Foundation
IoT has been one of the most anticipated technology waves of the past decade. The forecasts call for over 100 billion devices or more by 2025. This growth calls for security across all the components of the IoT spectrum, from thing to cloud. It also calls for a more scalable way to handle the large number of devices connecting to the Internet per second in 2025.
IoT security is also needed to avoid DDoS and ransomware attacks. These attacks are the top concern of IT professionals as they consider their investment in IoT. The reality is that both the variety and volume of devices that will be part of the IoT storm have a wide diversity when it comes to manufacturers, SW/FW/HW capabilities, vertical-specific needs, as well as other factors.
The main question is: how do we get to a secure, scalable Internet of Things? First, security is not just the thing-makers' problem to solve. Everyone in the ecosystem has a part to play in securing IoT devices. The key is to focus on a core set of baseline capabilities that go across all devices and verticals and are common, standards-based or “open”. This talk will focus on four foundational pillars of IoT: secure by design, device/network intent capability, secure/scalable onboarding, and lifecycle management. The industry is collaborating with a number of standards and government bodies to set common baselines. This talk will address the evolving IoT security capabilities and how they will provide the basis for securing the IoT.
Luca Verderame
Luca Verderame is a post-doc research fellow at the Computer Security Laboratory (CSEC Lab) of the University of Genoa (Italy), and the CEO and Co-founder of Talos, a cybersecurity startup and university spin-off.
In 2016 Luca obtained his Ph.D. in Electronic, Information, Robotics and Telecommunication Engineering at the University of Genoa. During his master thesis in 2012, Luca found a severe security vulnerability in the Android operating system and worked with the Android Security Team to develop a patch.
His current research interests mainly cover information security applied, in particular, to mobile and IoT environments.
Talk Title: Automatic Security Analysis of the IoT App Ecosystem
Satyanarayana Vuppala
Dr. Satyanarayana Vuppala (M. Tech, Ph.D, MIEEE) is currently Senior Research Scientist at United Technologies Research Center, Ireland. Prior to joining UTRC, he held various positions at the Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, the University of Edinburgh and Jacobs University. He received the Bachelor of Technology degree with distinction in Computer Science and Engineering from JNTU Kakinada, India, in 2009, and the Master of Technology degree in Information Security from the National Institute of Technology, Durgapur, India, in 2011. He received the Ph.D. degree in Electrical Engineering from Jacobs University Bremen, Germany, in January 2015. He has authored more than 60 publications in refereed international journals and conferences. His research interests are in cyber physical security, the internet of things, content delivery networks, and wireless communications with a particular focus on 5G. He also works on physical, access, and network layer aspects of wireless security.
Talk Title: A Model for Detecting Malicious Activities in Cyber Physical Systems
Advances in computing, communications, sensors, and cloud computing have resulted in the proliferation of the Internet of Things (IoT), which forms a foundation for Cyber-Physical Systems (CPS). Cyber-physical attacks can cause tangible effects in the physical world. The attacker’s goal is to disrupt the normal operations of the CPS, for example through equipment overstress, safety limit violations, damage to product quality, safety compliance violations, etc. The continued rise of cyber-attacks, together with the evolving skills of the attackers and the inefficiency of traditional security algorithms in defending against advanced and sophisticated attacks such as Distributed Denial of Service (DDoS), slow DoS and zero-day attacks, necessitates the development of novel defense and resilient detection techniques beyond traditional approaches like signature- and behavior-based methods. To deal with this, this talk discusses a novel approach for learning a detection model that includes operational, system, and network data to detect advanced attacks. More precisely, this approach is able to learn a relational network that connects events at different system layers, so that attacks can be identified with a higher confidence level. Specifically, a behavioral detection model is proposed that learns from the data a set of constraints/relations which conjunctively define the normal operation of a CPS.
Sébastien Ziegler
Dr Sébastien Ziegler is a founder and the Director General of Mandat International. He serves as President of the IoT Forum and IoT Lab, as Chair of the EuroPrivacy international board of experts, as Vice Chair of the IEEE ComSoc Subcommittee on the IoT, and as Rapporteur on Emerging Technologies for the IoT and for smart cities at the ITU (SG20). Sébastien has a PhD in Management with a specialization in Information Systems from the Faculty of Economy and Management of the University of Geneva. He graduated in International Relations at the Graduate Institute of International Studies, followed by a Master in Environment, an MBA in international administration (HEC Geneva), and complementary executive courses at Harvard Business School in Boston, Stanford University, UC Berkeley and EPFL. He is an expert in data protection accredited for EuroPrivacy, EuroPriSe and ISO 27001 certifications. Sébastien founded several foundations, organizations and companies, and he initiated several international research projects in the area of ICT, with a focus on the Internet of Things, IPv6, and privacy. He is currently coordinating, or associated with, several ongoing European research projects and is co-directing the Master in Advanced Studies on the Internet of Things at the University of Geneva. With a multi-disciplinary academic profile combining international law, science, and economics, he is a relentless promoter of research, innovation and international cooperation.