Emerging threats to the Smart Built Environment
EMERGING THREATS TO THE SMART BUILT ENVIRONMENT
AI and IoT technology is being integrated into business systems in the Smart Built Environment at an increasing rate. Businesses which fail to identify, validate and risk assess data, processed by AI systems, could be vulnerable to a breach, regulatory, legal or contractual obligations. CISOs face the challenges of burnout and stress.
In this session, expert speakers will explore procurement best practises for securing AI and IoT, how to review and create new AI business policies, and the implications of burn out and stress in the Smart Built Environment. The panel will consider the threats and challenges raised by the speakers and other areas of business risk management.
Host
James Willison
Project and Engagement Manager, IoTSF
James is a recognised International leader in Security Convergence and Enterprise Security Risk Management. He has more than 20 years of management experience in the physical and information security industry and is Co-Chair, Smart Built Environment Working Group, IoTSF.
Panel
Chaired by Sarb Sembhi
Our informative panel session will include Nigel Stanley, Senior Director of Cybersecurity at Jacobs and Alan Jenkins, Principal Consultant at Cyber Security Navigator Limited plus Mo Ahddoud and Kieran Byrne.
Speakers
Kieran Byrne
Lead, The Architecture & Engineering (A&E) Program, Axis Communications
A passionate security technologist specialising in innovations to improve security and optimise business performance. Kieran leads the Architecture & Engineering (A&E) Program for Axis Communications in the UK & Ireland, supporting consultants and specifiers to build world-leading security designs. Kieran also supports several industry associations, including ASIS UK and Ireland Chapters.
Mo Ahddoud
Chief Information Security Officer at Chameleon Cyber Consultants
Mo is an active contributor to the cybersecurity industry. He writes regularly in the international security journal. He is an ISACA EU Advisory Taskforce member contributing to the European Commission amendment to the Cyber Security Act.
Sarb Sembhi
CTO, Virtually Informed
Sarb is the CTO at Virtually Informed and was the Global CISO for AirEye and the Noord Group. He has previous worked as a consultant covering most issues in risk and security. Sarb’s contributions to the industry include the Executive Steering Board of the IoT Security Foundation.
Host
James Willison
Project and Engagement Manager, IoTSF
James is a recognised International leader in Security Convergence and Enterprise Security Risk Management. He has more than 20 years of management experience in the physical and information security industry and is Co-Chair, Smart Built Environment Working Group, IoTSF.
Panel
Chaired by Sarb Sembhi
Our informative panel session will include Nigel Stanley, Senior Director of Cybersecurity at Jacobs and Alan Jenkins, Principal Consultant at Cyber Security Navigator Limited.
Paul W
Cryptography and Hardware Security Expert, NCSC
Paul has worked in cryptography and hardware security since graduating with a degree in mathematics in 2001. He has represented the NCSC and its predecessor organisation in various standards bodies, including the Trusted Computing Group, Global Platform and FIDO. His current role in NCSC allows him to spend time with academic and industry partners learning what the future holds for security technology, and also to help user communities take advantage of new features. Outside of work Paul likes to cycle up small hills in summer, and ski down bigger ones in winter.
Presentation: Securing our digital foundations
Producing products and systems that are ‘secure by default’ requires us to address fundamental security issues at root cause. As well as engineering complexity this also requires us to understand and work alongside the commercial and regulatory environment in which our complex technology ecosystems develop. We have to ensure the right incentive models exist to improve resilience to cyber attack right through the technology stack.
Anna Knack
Lead Researcher, Centre for Emerging Technology and Security and Senior Research Associate, Defence and Security Programme, The Alan Turing Institute
Anna Knack is a Senior Research Associate in the Defence and Security programme and Lead Researcher of The Alan Turing Institute’s Centre for Emerging Technology and Security. Her research aims to identify solutions addressing the technical and policy challenges that inhibit the defence and security community from leveraging opportunities in artificial intelligence and emerging technology. Anna’s recent and ongoing research is focused on human-machine teaming, AI explainability, AI-augmented decision-making and cyber AI. Prior to joining the Turing, Anna was Deputy Co-ord Lead of the Technology, Disruption & Uncertainty research workstream in RAND. Her past research informed the MOD, Dstl, Strategic Command; Army HQ; the Development, Concepts and Doctrine Centre; the UK Foreign, Commonwealth and Development Office; the French Ministry of Defence; the Australian Defence Science and Technology Group; the European Defence Agency; the European Commission; the European Union Agency for Cybersecurity and Europol.
Presentation: Autonomous Cyber Defence
Scott Register
VP, Security Solutions, Keysight
Scott Register has more than 15 years of experience leading product management and go-to-market activities for global technology companies and is currently Vice President for Security Solutions for Keysight where he is tasked with bringing new security solutions to market across Keysight’s broad solution portfolio.
Prior his current role, Scott was vice president of product management leading the development of products in the areas of Security, Virtualization and Cloud. Earlier, Scott spearheaded the company’s visibility product line.
Scott brings Keysight broad experience in managing enviable growth across a diverse range of environments, from embryonic to VC-backed startup to multi-hundred-million-dollar product lines. He has previously led product lines for security vendors such as Blue Coat and CheckPoint Software.
He holds B.S. and M.S. degrees in computer science from Georgia Institute of Technology, where he also served as a member of research faculty.
Presentation: IoT Security – What You Don’t Know Can Kill You
If you’re responsible for securing a network with traditional IT devices, you’ve got the benefit of established best practices for security. You know to keep your desktop OS and antivirus up to date, which solves over 90% of your problems. You have access to threat intel feeds which talk about the latest threat campaigns and zero-days against Windows and Linux systems, and popular apps. That’s great.
But… most of the new devices you’re rolling out on your network aren’t these traditional IT devices. They’re printers, badge scanners, smart building thermostats and lighting systems, badge scanners, and webcams, plus all the wearables and personal devices your employees are cluttering your WLAN with. So what about those? How do you know if all of these new devices are expanding your attack surface? How can you conduct a meaningful bake-off to select the most secure vendor, or know what to bug your vendors about, or even how to deploy meaningful mitigation for vulnerabilities you can’t directly address? Because if you’re just hoping your IoT vendor is on top of things and testing all of this for you, you may be in for a rude awakening. You might remember that the Mirai botnet, the largest to swamp the Internet to date, was based on vulnerable IoT devices – and there are plenty of other examples out there.
But these vulnerabilities aren’t always introduced by the manufacturer with their logo on the box. In many cases, there are inherent vulnerabilities in the integrated communication controller (System on Chip, or SOC) which handles the Ethernet, WiFi, Bluetooth, and even cellular communication (such as the Sweyntooth and Braktooth series of Bluetooth vulnerabilities). Whether you’re the device manufacturer or the deployer, if you’re on the hook for the security of these indispensable gadgets, you should really understand what kinds of vulnerabilities may be baked in that can enable crashes, reboots, data leakage, or even escalation of privilege.
In this discussion, we’ll present two significant testing regimes you can add to your arsenal with reasonable effort:
1. Protocol fuzzing – to discover previously unknown flaws in L2/3 protocol stack implementations
2. Vulnerability assessment – to search for known CVEs and uncover issues such as weak encryption, susceptibility to brute-force attacks, and exposure of unnecessary services.
We’ll also present a brief summary of a few relevant standards for securing various types of connected devices including consumer and industrial IoT and connected vehicles.
And, because no one likes Death by PowerPoint, I’ll show a few brief yet cool demos of IoT hacking.
Anna Maria Mandalari
Assistant Professor, UCL
Anna Maria Mandalari works as Assistant Professor at University College London (UCL). She is member of the UCL’s Academic Center of Excellence in Cyber Security Research (ACE-CSR). She is Honorary Research Fellow at the ISST at Imperial College London. She obtained her PhD as part of the Marie Skłodowska-Curie action, intended for excellent researchers, affiliated with the Carlos III University of Madrid. Her research interests are Internet of Things (IoT), privacy, security, networking and Internet measurement techniques. In addition to her research, Anna is Co-Founder & CTO of a startup providing privacy and security solutions for consumer IoT devices. She gives invited talks all around the world to promote research and create awareness on security, privacy, and ethical AI. Most of her research experiences have also significantly contributed to several EU-funded research projects and have had a strong media impact.
Presentation: Protected or Porous: A Comparative Analysis of Threat Detection Capability of IoT Safeguards
Consumer Internet of Things (IoT) devices are increasingly common, from smart speakers to security cameras, in homes. Along with their benefits come potential privacy and security threats. To limit these threats a number of commercial services have become available (IoT safeguards). The safeguards claim to provide protection against IoT privacy risks and security threats.
However, the effectiveness and the associated privacy risks of these safeguards remains a key open question. In this presentation, we investigate the threat detection capabilities of IoT safeguards.
We develop and release an approach for automated safeguards experimentation to reveal their response to common security threats and privacy risks.
We perform thousands of automated experiments using popular commercial IoT safeguards when deployed in a large IoT testbed.
Our results indicate not only that these devices may be ineffective in preventing risks, but also their cloud interactions and data collection operations may introduce privacy risks for the households that adopt them.
Nick Allott
CEO, NquiringMinds
Nick is CEO of NquiringMinds, an AI analytics company founded on robust cyber security principles. He has been developing and deploying AI technologies for almost 30 years, and is a recognised cyber security expert.
Nick was formally, CTO of OMTP, a security focussed, international mobile standards organisation responsible for many technologies now widely deployed. Significant among OMTP deliveries, is the Trusted Execution Environment, (TEE) the security core of most CPUs and SIM technology. TEEs now ship a the rate of 1 billion per year. Nick is also a Director of the Webinos Open Source Foundation: a collaborative initiative for secure IOT interaction based on PKI.
For Shell, Nick helped develop their data mining products (later acquired by Accenture). And as Technology Director for Motorola, Nick had responsibility for their speech recognition and voice Personal Assistant products. Nick Joined start-up Fastmobile (multimodal speech recognition) as their CTO in 2000 until their acquisition by RIM. His first full time job was developing neural networks for Neural Computer Sciences, followed by a stint at the part Microsoft owned Dorling Kindersley Multimedia, where he worked on search technology and 3D graphics platforms.
NquiringMinds was selected by DCMS to develop an innovative, secure data sharing platform for Smart Cities, which forms the basis of the current product line. Nick has advised the UK Government on the Secure by Default Program and was among a handful of technology CEOs selected by, the then Prime Minister, Theresa May, to accompany on her first trade mission to India. Nick is a Fellow of the British Computer Society, the Institute of Analysts and Programmers and the Royal Society of Arts.
Nick has a degree in Cognitive Science, a PhD in Artificial Intelligence and is a Visiting Professor and the University of Southampton.
Presentation: Monitoring and managing trustworthy systems from IOT to AI
This talk looks at the concept of continuous assurance. How do we practically monitor and mange connected systems, using a dynamic, multi factor notion of trustworthiness.
What does it mean to say a device is trusted? Can we measure it? Can we tell if its changed?
We will delve into the practical details, that determine trustworthiness: Device identities, manufacturer certificates, trusted boot, software components, vulnerability analysis, vulnerability resilient techniques, device behaviours, device owners all the way though to purchase records. We will look at the technologies that underpin these notions: iDevID , SBOM, CVE analysis, MUD descriptors through to new CHERI instructions sets. We will review the recent NIST work on Trusted Onboarding and Lifecyle management and explore the role this could play going forward.
We will look at the continuum from simple IOT systems with monolithic hardware, to complex enterprise software to fully distributed trained AI systems.
Michael Skurla
Chief Product Officer, Radix IoT, LLC
As Chief Product Officer of Radix IoT––Michael Skurla (LEED AP O+M & BD+C, MIES, ASHRAE, IoTSF) has over 25 years of experience in control automation and building technology product design with Fortune 500 companies. He is a contributing member of CABA, ASHRAE, IES Education, and USGBC and a frequent lecturer on the developing use of analytics and emerging IT technologies to foster efficiency within commercial facility design focusing on the intersection of software and hardware that emphasizes data aggregation and analytics for mission-critical industries. As a well-recognized thought leader, Skurla’s contributed articles and interviews have appeared in such top industry publications as Smart Buildings Magazine, Energies Magazine, IoT Evolution, Network World, RTInsights, RFID Journal, LEDs Magazine, Critical Facilities, Oilman Magazine, IoT Playbook, IoT News, Digitalisation World (UK), LD+A, among others.
Presentation: The Risks and Rewards of the Emerging Synergistic Building Portfolio
According to MarketsandMarkets, the building automation market is projected to reach a staggering $148.6 billion in revenue by 2027, growing at a notable CAGR of 11.4% from 2022 to 2027. This growth is driven by the rise of IoT-enabled building automation, which has introduced new products and technologies. Building technologies have not always followed the most secure path, leaving security until recently as an afterthought in both product and industry standards within the building automation space. Given this, it is crucial to understand both the risks and rewards associated with this emerging technology as it pertains to the expectations of building owners and operations to both meet the system objectives as well as meet fast-moving I.T. security requirements.
While IoT devices hold the promise of data, products used in buildings have often overlooked the critical aspect of security, leaving the burden on the network to deal with finding a solution to the products’ shortcomings. It is essential to shift the focus to building system designs that foster a “secure by design” philosophy, which is complex as the average expected lifespan of building technologies far exceeds that of I.T. equipment (Often 20+ years).
Buildings typically are comprised of a several dozen subsystems that have historically dealt with vast amounts of siloed data, primarily used for diagnostics and fault detection. This siloed approach however has in recent years moved to more of a synergistic approach where subsystems have joined I.T. networks to both exchange information but allow for the use of the information in more beneficial ways such as preventative and predictive maintenance, and asset life cycle management (to name just a few).
In general, IoT platforms and next-generation BMS platforms have taken on addressing the security challenges on these mixed networks to allow for seamlessly unifying systems for actionable business intelligence while ensuring interoperability and full data exchange with existing systems. These unified platforms (born traditionally out of I.T., not building systems) have the additional benefit of integration through APIs to help connect to third-party microservice analytics, data lakes, work order management, and other integrated solutions. All of this contributes to what is a network of networks and consequently typically a solution with a fairly large surface area of attack.
However, the building market has embraced IoT-enabled building portfolios and the associated advantages. It is essential to understand the facets required to best design these projects and prioritize security throughout the engineering process. The presentation: The Risks and Rewards of the Emerging Synergistic Building Portfolio will delve into the critical aspects of securing IoT systems used in the built world of facility management for building portfolios, through industry insights, practical examples, and best practices to help you implement secure engineering principles
Florian Lukavsky
CTO, ONEKEY
Florian Lukavsky started his hacker career in early ages, bypassing parental control systems. Since then, he has reported numerous zero-day vulnerabilities responsibly to software vendors and has conducted hundreds of pentests and security reviews of connected devices as a CREST certified, ethical hacker. After building offensive cyber-security teams in Singapore, Malaysia, Thailand, and Switzerland, he founded ONEKEY.
Today, Florian Lukavsky aids organizations with SBOM, security & compliance automation for connected devices as CTO of ONEKEY, the leading European product security platform.
Presentation: Mining for relevant vulnerabilities in connected devices
Vulnerability management is a tedious challenge – digging through hundreds, sometimes thousands of potential vulnerabilities, just to find a dozen applicable issues is not an effective way to handle this topic.
In this talk, we will discuss strategies to automatically generate Software Bill of Materials (SBOM) of connected devices as a foundation for effective vulnerability management. SBOMs provide a comprehensive list of all software components and their dependencies in a given system – a prerequisite to identifying vulnerabilities and their potential impact. Additionally, we will delve into some intricacies and challenges when dealing with SBOM.
To avoid alert-fatigue, we will further demonstrate effective strategies to automate impact assessments of vulnerabilities to filter false-positives and increase the relevance of reported vulnerabilities using both open-source solutions as well as commercial services.
Jason Blake
IoT Certification Scheme Manager, The IASME Consortium Ltd
In my mid 30’s with a diverse and truly unique background, having worked in the Education sector, I then moved into physical security and then operations management including the IT department, my first brush with IT. After several years in that role, I left to chase my childhood dream of being a prison officer and after 5 years that dream ended and I moved out of the Civil Service and into IoT.
Presentation: UK PSTI: The Legal Requirements and How to Satisfy Them
– PSTI: The scope of Part One
– Understanding “Internet or Network connectable devices” and exemptions
– Understanding your duties and the statement of compliance
– Understanding the enforcement of the act and its penalties
Dr Carolina Adaros
Product Security Expert, Bosch Security Systems
Dr. Carolina Adaros is an electronics engineer, MSc in analytics and risk management, and PhD in cybersecurity. Previous to becoming a Cybersecurity professional, she accumulated experience in industrial automation, software quality management, process improvement, and technological solutions. This experience was successfully transferred to her current role in the field of Product Security.
In 2017 she started her PhD, in Birmingham, UK, with focus on cyber-risk management on Industrial Control Systems and Industrial IoT (IIoT). In 2019, while still undertaking PhD studies, she joined the Bosch Group in Germany as part of the Bosch PSIRT (Product Security Incident Response Team) and since 2022 she works in Bosch Building Technologies as product security expert.
Her current role includes being the proxy of the Product Security Officer, maintain the product security processes and policies, do internal consultancy and trainings, and coordinate the vulnerability management and incident response processes at Bosch Building Technologies.
Presentation: Product Security – challenges, successes, and learnings
Bosch Building Technologies and Security Systems (Bosch BT, for short) is a division of the Bosch Group whose portfolio includes access control and intrusion detection, video surveillance, fire detection, audio, and communications systems and also integration and operation of such systems. To handle cybersecurity assurance within its product lines, Bosch BT adheres to the Bosch Security Engineering Process, which indicates that products should be developed with a level of security that is equal or greater to the state-of-the-art. The Security Engineering Process (SEP) is integrated in our product engineering and covers the entire product lifecycle until decommission.
Since its introduction on 2015, the Bosch SEP has evolved and matured, becoming eventually the “central mandatory process for cyber security (CS) engineering for Bosch products”. Bosch Building Technologies has also tailored this process to the needs of the different product lines and services. However, while we are well-aligned with security industry best practices, we still have pending challenges to make sure that processes are followed adequately, in every instance, for each product and by all the involved stakeholders.
It is also worth to mention that our journey on improving cybersecurity in products is part of the overall challenge of being traditionally a hardware company, which had to adapt to a software-oriented world. One of our main challenges is to get all relevant stakeholders to develop a good understanding of security risks. We also face several difficulties on dealing with legacy products, which are still in the field, many of which have long-time reached their end-of-life period and are not currently supported, but are still used by customers. This means that, if not connected in a secure environment, they can constitute a security risk, since they use older technologies and were not designed taking into consideration the current cyber-threat landscape. Supply chain security is also a big topic since our systems can be only as secure as their components are. For this reason, we have controls in place that enable us to select suppliers that can fulfil our security requirements. In this topic, we also have successes, thanks to our ongoing engagement with the purchasing department and the integration of our security processes within the purchasing processes.
Another success that we can name is having an internal Pentesting team. Not only have they reported findings that outsourced pentesters previously missed, but they also help providing recommendations to the development teams on the implementation of fixes and identifying needs for further support on security related activities. Last to mention but not less important is our product security community that helps us promoting security best practices and identifies opportunities of improvement. We have regular meetings, a yearly workshop that involves a strongly motivated group of people that continuously share knowledge, identify potential solutions to different pain points and engages in security-related initiatives.
We are aware that the market demands for more agility, technological innovation and integration, and the intelligent use of data to improve the quality of our lives. That is the purpose of our business. However, it is an essential part of the Bosch Quality Promise that we provide product security and protect our customers’ privacy throughout the entire product life cycle. Hence, as security professionals, our purpose is to procure that business goals and security risks are properly balanced.
Ian Pearson
Pr. Embedded Solutions Engineer, Microchip Technology Inc.
Ian Pearson is a Principal Embedded Solutions Engineer at Microchip Technology Inc. currently focussed on FPGA, Security and IoT applications. He is active on the IoTSF Assurance Framework, Supply Chain and Many Secured working groups.
Presentation: Designing IoT Devices in the AI Era
- Designing Secure IoT Devices can be a challenge
- Constantly evolving threat and legislative environment
- Shortage of Skilled Engineers
- Time to market and time in market pressure
- Does the advent of AI make this challenge easier or increasingly more difficult?
- Join us for a discussion on some of the challenges we currently face in designing IoT devices.
- Look at what is available to ease this process today and a consideration of where AI ‘may’ help or hinder this process in the future
Çağatay Büyüktopçu
Head of IoT Cyber Security, Arçelik Global
As Head of IoT Cyber Security of Arcelik Group, Cagatay is responsible from cyber security design infrastructures of IoT based home appliances(edge devices), mobile application that is for controlling&monitoring to these devices, and finally related cloud services that are responsible for those devices and mobile apps. So in one team, they are applying both individually and also end to end IoT cyber security principles for these embedded, mobile and cloud domains. He is managing all different IoT product groups’ cyber security infrastructure and policies used in more than 150 countries globally. It is not enough to make them compliant with upcoming IoT security regulations, but also requires to create an upper level of security to protect the customers.
Alan Jenkins
Principal Consultant, Cyber Security Navigator
Alan Jenkins has been a practitioner for over 30 years across all 3 pillars of security, with particular focus on cyber, convergence, resilience and business benefit. He spent his formative years in the RAF and has had a variety of corporate and consulting rules since leaving in 2006, including spells as UK CSO at 2 multinational MSPs, Group CISO at a FTSE 100 engineering services business and Associate Partner at IBM Security in Financial Services. He is currently an independent consultant http://linkedin.com/in/alanjenkins
Professor Andrew Martin
Professor of Systems Security, Department of Computer Science, University of Oxford
Andrew Martin is Professor of Systems Security in the Department of Computer Science at the University of Oxford. His main interest is in how hardware-software co-design can enhance the security of networked distributed systems. He has also led a range of cross-disciplinary efforts across the University and beyond – with a particular interest in how human factors can enhance or confound the best security technologies. He thinks that the key to progress is strong rigorous foundations, mixed with a great degree of pragmatism
Presentation: Secure Networking by Design
While IoT presents many novel threats and vulnerabilities, many are best considered as network-centric issues, and this perspective also offers the best prospect of defence. Attacks against public-facing interfaces, particularly on routers and gateways, are potentially hyper-scaling events with devastating consequences. In this talk we explain some experimental approaches we are taking to mitigate and prevent such attacks through hardware-based approaches to memory safety.
Mo Ahddoud
Chief Information Security Officer, Chameleon Cyber Consultants
Mo is an active contributor to the cybersecurity industry. He writes regularly in the international security journal. He is an ISACA EU Advisory Taskforce member contributing to the European Commission amendment to the Cyber Security Act.
Mo was recognised in 2017 by the British Computer Society for Security programme of the year. In 2018, he was recognised as a cyber security innovator at the CA awards in Las Vegas. His recent interests include AI and Smart Cities.
Presentation: AI Policy Challenges to Security Processes
AI technology is being integrated into business systems at an increasing rate. Businesses which fail to identify, validate and risk assess data being processed by AI systems could be vulnerable to a breach of regulatory, legal or contractual obligations. This session will explore how to review and create new AI policies and review them from a secure, focused procurement process in line with other security policies and regulations.
Nigel Stanley
Senior Director of Cybersecurity, Jacobs
Nigel is a specialist in cybersecurity with over 30 years’ international experience in the industry.
Nigel has in-depth knowledge of operational technology cybersecurity, information security, business risk, threat intelligence, cyber warfare, cyber terrorism, systems engineering, regulations, functional safety, security operations, SCADA and industrial control systems (and applying standards such as NIST, NISR, IEC 61508 and IEC 62443 across these domains.) He has significant mechanical and electronic engineering experience in multiple engineering sectors including light and heavy rail, power transmission, maritime, aviation and communications systems cybersecurity. Nigel’s work in operational technology cybersecurity also includes industrial automation, CNI, robotics, rail, maritime, smart cities, smart buildings, control systems, safety critical systems and applying regulatory standards across these domains to achieve safety and security objectives.
Nigel is a Chartered Engineer and Fellow of the Institution of Engineering and Technology and member of the Institute of Electrical and Electronic Engineers. He has an MSc in Information Security from Royal Holloway, University of London.
Tyler Gannon
Vice President, Product Marketing and Strategic Alliances, Device Authority
Tyler has more than 20 years’ experience in enterprise technology focusing on identity and compliance across a number of industries including Public Sector, Healthcare, and Manufacturing. Over a 12-year career with Microsoft in a variety of roles he managed global strategic partners, led business development teams, and focused on technology integration for joint sales initiatives. Most recently he served as VP of Business Development and Strategy for eCare Vault, an early-stage SaaS company providing privacy-compliant collaboration services for Public Sector and Healthcare customers, and spent time with PTC as Director of Microsoft Alliance for the Americas. He’s also a tech founder, having built an identity-provisioning service, bridging the gap between on-premise and cloud-based authentication platforms, which was acquired in 2016.
Presentation: Operationalising Zero Trust in the era of AI
This talk will look at the 9 core pillars of Zero Trust, the challenges in operationalising this approach and how to overcome them. It will also look at the proliferation of AI and automation, their benefits for security and the importance of device security in establishing all-important trust in AI.
Dr. Syed Zia
Security Engineer and Cryptographer, ANGOKA
Dr. Zia is Security Engineer and Cryptographer at ANGOKA. He is a certified cyber security analyst and cybersecurity professional with more than five years of experience in industry, academia and knowledge transfer partnerships. He has authored several patents and research papers focused on improving cryptographic methods in intelligent systems. He holds a PhD from Ulster University with specialization in developing cryptographic solutions for the Internet of Things. His fields of expertise include information security management, data privacy and protection, cryptography, zero knowledge proofs, threat analysis and risk assessment.
Presentation: Device Private Networks – Zero Trust is the way forward!
The evolution of new technologies has revolutionised the cybersecurity world. Back in the day, traditional perimeter-based approaches worked well. However, in the present day world the way information is handled has drastically changed and cyber threat actors have grown smarter. Traditional schemes based on walled garden concepts can not provide sufficient security for data flowing across the Internet of Things (IoT) connected world. To cope with the changing needs of the smart world, a global scale transition towards Zero Trust Architecture (ZTA) can be seen. Despite plenty of guidance and recommendations available, adoption of ZTA is not a straightforward task for complex network architectures.
In this talk, we introduce the concept of Device Private Networks (DPNs), proposed to ease ZTA adoption for IoT and Industrial IoT use cases. DPN is a security principle based on ZTA core concepts, that could allow users to achieve cybersecurity resilience as per the global security standards. Moreover, a threat landscape and comparison of DPNs with existing secure communication protocols (like VPN and TLS) will also be presented.
Xander Heemskerk
Director Product Security, Royal Philips
Xander Heemskerk is the Director Product Security – Personal Health, Digital Pathology & Brand Licensing in the Product and Services Security Office (PSSO) at Philips. In this role he drives the Product Security programs and initiatives for Medical Devices, in vitro diagnostics (IVDs) and Wellness solutions worldwide. IOT, Mobile Apps, Cloud IAAS, PAAS , SAAS , Big data and AI are crucial parts of the Products and Services delivered by Personal Health.
Prior to Philips Xander was the Corporate Security Officer (CSO) at TomTom and the Corporate Information Security Officer (CISO) at oldest company in the world Royal Vopak. He has been responsible for Corporate Security, Enterprise Information Security, Information Risk Management and Product Security on strategical, tactical and operational level.
Xander has over 30 years of experience in all aspects of Information Technology ranging from Consulting, Security, Architecture, Performance tuning, Design, Development, Coding, Testing and Operations in different roles and positions at Oracle, Orient Overseas Container Lines (OOCL) Ltd, Hong Kong Government, Everett, Ricoh and at 50+ companies in consulting roles. For Oracle University he has taught training classes on Architecture, Security, Performance design and tuning, High Availability and Identity Management for both internal and external audiences.
Xander holds a bachelor’s degree in Higher Informatics from The Hague University of applied sciences, is a Certified Information System Security Professional (CISSP) since 2002, is a PECB Certified ISO/IEC 27001 Lead Implementer and has Certified Cloud Security Knowledge (CCSK) since 2013.
Presentation: Securing the AI supply chain
The Philips IOT solutions ecosphere contain a potpourri of all the latest technology available. This includes AI based feedback for parents on the safety of their child or even what babies are (might be) thinking.
These AI solutions are sometime developed/hosted and maintained internally, but can also be cloud offering from third parties.
All types of AI integrations must secure enough to fall within the risk appetite of Philips and its customers.
To assure this Philips has a number of processes that are part of the life cycle of the solutions.
Tim Snape
Founder, Artificial Intelligence Group Ltd
Tim has 40 years designing & developing software for a large range of companies. This includes companies in the medical, telecommunication, finance, utility & retail sectors.
He has been involved in many other activities including training, project management & support.
For 9 years he has undertaken regulatory work for the Internet Industry. This has been based in the UK, working with UK government agencies on the formulation of regulatory policy & legislation. I spent many years working as the UK Industry representative for the Internet Industry in Brussels.
Recent activities include forensic computing & acting as an expert witness in high profile Internet Crime cases.
He developed a number of innovative web based support products for IBM UK & was responsible for supporting 5,000 OEM customers in the EMEA region.
Specialties: security, computer forensics, hardware/software design
Kieran Byrne
Leader of Architecture & Engineering (A&E) Program, Axis Communications
A passionate security technologist specialising in innovations to improve security and optimise business performance. Kieran leads the Architecture & Engineering (A&E) Program for Axis Communications in the UK & Ireland, supporting consultants and specifiers to build world-leading security designs. Kieran also supports several industry associations, including ASIS UK and Ireland Chapters.
Presentation: Cybersecurity – Shared Responsibility
Cybersecurity is becoming increasingly important to us within the security technology sector every day and is a shared responsibility. Join us to learn more about the shared responsibilities of different stakeholders, why we should acknowledge the associated risks and the importance of supply chain due diligence.
Veena Dholiwar
Michael Sawyer, Head of Enforcement for Product Regulation at the Office for Product Safety and Standards (OPSS), Department for Business and Trade (DBT)
Michael is Head of Enforcement for Product Regulation at the Office for Product Safety and Standards (OPSS), which sits with the Department for Business and Trade (DBT). He has worked in enforcement at OPSS and its predecessors for over 10 years, covering various areas of legislation, including eco-design, energy labelling and product safety. OPSS will be the Enforcement Authority for the PSTI regime when it comes into force in 2024.
Veena Dholiwar, Enforcement of Enforcement of Product Security Legislation, DSIT
Veena leads on the enforcement of the product security legislation at the Department for Science, Innovation and Technology. Veena has contributed to the design and the development of the UK’s new consumer connectable product security regime, and now leads on the operational enforcement approach alongside the enforcement authority, OPSS.
Presentation: An overview of the Enforcement Approach for PSTI Product Security Regime
The UK’s Product Security and Telecommunications Act (PSTI) comes into force on 29 April 2024. There are penalties and potentially significant fines for companies who do not comply. In this talk, Veena will provide a status update and signpost to existing resources, and Michael will outline OPSS’ enforcement approach.
Paul Kearney
Cybersecurity Expert
Paul Kearney has recently retired from the position of Professor of Cybersecurity at Birmingham City University. Previously, he worked in R&D roles for British Aerospace, Sharp Laboratories of Europe, and British Telecommunications. He retains an active interest in cybersecurity research, undertaking freelance consultancy, contributing to activities of the IoT Security Foundation, acting as an expert evaluator and reviewer for research programmes and serving on the advisory boards of research projects. He holds a BSc from the University of Liverpool and a PhD from the University of Durham, both in theoretical physics and is a Full Member of the Chartered Institute of Information Security.
Jennifer Williams
Director of IT and Operations, Secarma
Jen has nearly a decade of experience in helping businesses to defend themselves against cyber attack. With the vast majority of her career spent in the legal sector, she understands the unique challenges faced by this industry.
Presentation: Security is more effective and efficient if embedded into culture
This talk will look at practical methods and established frameworks that allow manufacturers and businesses that consume IoT to create a security mindset. From Threat modelling techniques to security awareness training, help you clients by delivering a more robust product developed by those who have security in their heart.
Sarb Sembhi
CTO, Virtually Informed
Sarb is the CTO at Virtually Informed and was the Global CISO for AirEye and the Noord Group. He has previous worked as a consultant covering most issues in risk and security. Sarb’s contributions to the industry include the Executive Steering Board of the IoT Security Foundation.
Other contributions include: Past President of the ISACA London Chapter, Chair of ISACA International GRA Region 3 Sub-Committee, Chair of ISACA International GRA Committee, ISSA UK Advisory Group member, InfoSecurity Magazine Editorial Group member. Sarb has also served on several Security Standards Groups, and continues to write for several publications and speak at risk and security events around the world.
Rohan Panesar
Cyber Security Standards and Policy Specialist, Copper Horse Ltd
Rohan is a Cyber Security Standards and Policy Specialist at Copper Horse Ltd. He has worked with the company since 2021, following a completion of a degree in Economics. His dissertation focussed on ‘The Economics of Vulnerability Disclosure’.
While at Copper Horse, Rohan has worked on projects including the annual report into the state of vulnerability disclosure and standards mapping websites for IoT and application security. He has also conducted varied research into topics including automotive cyber security standards, virtual kidnapping and insecurity in third-party automotive head units.
Presentation: Connected but at Risk: IoT Stakeholders and Looming Vulnerability Disclosure Regulation
Regulation on IoT security is heading towards businesses across the world. The 6th iteration of our annual report into the state of vulnerability disclosure in consumer IoT examines the state of manufacturers when it comes to adopting one of the core requirements for the security of consumer IoT devices. It is easier than ever to implement a policy, but many companies still don’t bother and retailers still stock their products. This talk will break down the findings of this year’s report, observations captured along the way and what this all means with regulation so close.
David Rogers and Rohan Panesar
David Rogers – CEO, Copper Horse Ltd
David is a mobile telecoms and security specialist who runs Copper Horse Ltd, a software and security company based in Windsor, UK. He engages internationally on a number of telecoms, internet, future technology, engineering and policy topics. His company is currently focusing on product security for the Internet of Things as well as future automotive cyber security.
David chairs the Fraud and Security Group at the GSMA. He authored the UK’s ‘Code of Practice for Consumer IoT Security’, in collaboration with UK government and industry colleagues and is a member of the UK’s Telecoms Supply Chain Diversification Advisory Council.
From 2015-2022 he sat on the Executive Board of the Internet of Things Security Foundation. He has worked in the mobile industry for over twenty years in security and engineering roles. Prior to this he worked in the semiconductor industry.
David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012-2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University
He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019. He blogs from https://mobilephonesecurity.org and tweets @drogersuk.
Rohan Panesar – Cyber Security Standards and Policy Specialist, Copper Horse Ltd
Rohan is a Cyber Security Standards and Policy Specialist at Copper Horse Ltd. He has worked with the company since 2021, following a completion of a degree in Economics. His dissertation focussed on ‘The Economics of Vulnerability Disclosure’.
While at Copper Horse, Rohan has worked on projects including the annual report into the state of vulnerability disclosure and standards mapping websites for IoT and application security. He has also conducted varied research into topics including automotive cyber security standards, virtual kidnapping and insecurity in third-party automotive head units.
Presentation: Connected but at Risk: IoT Stakeholders and Looming Vulnerability Disclosure Regulation
Regulation on IoT security is heading towards businesses across the world. The 6th iteration of our annual report into the state of vulnerability disclosure in consumer IoT examines the state of manufacturers when it comes to adopting one of the core requirements for the security of consumer IoT devices. It is easier than ever to implement a policy, but many companies still don’t bother and retailers still stock their products. This talk will break down the findings of this year’s report, observations captured along the way and what this all means with regulation so close.
David Rogers
CEO, Copper Horse Ltd
David is a mobile telecoms and security specialist who runs Copper Horse Ltd, a software and security company based in Windsor, UK. He engages internationally on a number of telecoms, internet, future technology, engineering and policy topics. His company is currently focusing on product security for the Internet of Things as well as future automotive cyber security.
David chairs the Fraud and Security Group at the GSMA. He authored the UK’s ‘Code of Practice for Consumer IoT Security’, in collaboration with UK government and industry colleagues and is a member of the UK’s Telecoms Supply Chain Diversification Advisory Council.
From 2015-2022 he sat on the Executive Board of the Internet of Things Security Foundation. He has worked in the mobile industry for over twenty years in security and engineering roles. Prior to this he worked in the semiconductor industry.
David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012-2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University
He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019. He blogs from https://mobilephonesecurity.org and tweets @drogersuk.
Presentation: Connected but at Risk: IoT Stakeholders and Looming Vulnerability Disclosure Regulation
Regulation on IoT security is heading towards businesses across the world. The 6th iteration of our annual report into the state of vulnerability disclosure in consumer IoT examines the state of manufacturers when it comes to adopting one of the core requirements for the security of consumer IoT devices. It is easier than ever to implement a policy, but many companies still don’t bother and retailers still stock their products. This talk will break down the findings of this year’s report, observations captured along the way and what this all means with regulation so close.
Richard Marshall
Founder and Director at Xitex
Richard is founder and director at Xitex, a secure product development consultancy, supporting customers developing secure products and the wider standards community.
Having worked for global organisations such as AT&T, Cisco and Sony, to be being part of the founding team for more than one start-up, Richard has been involved with a variety of secured products from Set Top Boxes to Cellular Small Cells over the last 20 years. At the start-up Ubiquisys, he founded the hardware and secure software delivery team, going on to become the Product Manager for the global secure software and PKI delivery system CloudBase. Cloudbase was a key component in Cisco’s acquisition of Ubiquisys in 2013.
On IoT security, Richard was the Internet of Things Security Foundation’s founding Plenary Chair for five years and currently sits on its Executive Steering Board. Richard is one of the lead authors for the foundation’s Assurance Framework which has recently been internationally recognized by the EU’s ETSI and US NIST standards bodies, as a point of reference for IoT security. He was also a contributor/reviewer for the UK’s ‘Code of Practice for Consumer IoT Security’, ETSI’s technical standard TS 103 645 and harmonized standard EN 303 645 on IoT Security. He is currently a member of CENELEC’s JTC13 WG8 RED and JTC13/WG9 CRA harmonised standards cyber-security working groups.
Presentation: Radio Equipment Directive Cyber regulation and what you need to know
With the European Commission adopting the RED Delegated Act activating Article 3.3 (d), 3.3 (e) and 3.3 (f) for both consumer and professional/industrial products (C(2021) 7672 1), significant changes are coming to RED compliance. The delegated act activates these three articles and originally compliance was to become mandatory on 1st August 2024 but is expected to be formally announced shortly that the deadline will be extended to August 2025. Article 3 of the RED mandates that radio equipment shall not harm network function, incorporates personal data and privacy protection safeguards and certain functions to protect from financial fraud. In this talk Richard will provide an update for manufacturers on routes to compliance for Article 3.3, the development of the related Harmonised Standard and the relevance of the IoTSF Assurance Framework.
Ben Azvine
Distinguished Engineer and Global head of security research, BT Group
Ben leads the global cyber security research programme in BT. He is responsible for setting direction and strategy for Security research, identifying innovation opportunities and leading a strong international team of researcher to develop new capabilities in collaboration with industrial and academic partners.
Ben is a BT distinguished engineer with 30 years’ experience in both academia and industry. His previous roles included leading the IT research centre and head of business intelligence & customer analytics research at BT Group Chief Technology Office. He holds a BSc in Mechanical Engineering, an MSc in Control Engineering, a PhD in Intelligent Control Systems from Manchester University and an Exec. MBA from Imperial College, London. Having held research fellowship and lectureship posts in several universities, he joined BT in 1995 to lead a research programme to develop and exploit novel Artificial Intelligence technology to support next generation IT systems. Since then he has held senior, principal, chief research scientist posts at BT’s global R&D headquarters in Adastral Park, Ipswich where he is currently based.
He has edited two books and published more than 100 scientific articles on novel application of AI. He is an inventor of 50 patent applications, has won 4 BCS and an IET gold medals for IT innovation, holds visiting professorship positions at the Universities of Bristol, Suffolk and Bournemouth. Ben is a current fellow of Institute of Telecom Engineers (FITP) and Institute of Engineering and Technology (FIET) and is on the board of IoT Security Foundation. His current research interests include the application Artificial Intelligence and Machine Learning to Cyber security to protect networks as a critical national infrastructure. His current projects include Future home security, Automated detection and response for Cyber security, Crypto-agility including Post quantum crypto, and continuous authentication.
Richard Gisenthwaite
Executive Vice President and Chief Architect, Arm
Richard is responsible for the long-term evolution of the Arm architecture and has led its development for more than 20 years, beginning with Armv6. He is currently leading development on Armv9 to ensure its specialized processing unlocks new markets and opportunities across the full spectrum of compute. In his early days at Arm, Richard worked on Arm720T, Arm940T, and Arm1136EJF-S. Prior to Arm, Richard worked for Analog Devices on fixed-function DSP, and at Inmos/ST on the Transputer. Richard is an Arm fellow, has a BA in Electrical and Information Sciences from the University
Presentation: Iot Security Foundations for an AI world
Arm believes that security is the greatest challenge computing needs to address to meet its full potential, and the growth of the importance for AI reemphasizes this point. As is common with new technologies, AI offers both opportunities and threats to the computing world, and its security – we anticipate more autonomy in our computing systems with ever more sensitive data being held and interpreted. This will provide tremendous opportunities for interconnecting computing systems and really delivering increasing benefits for humanity, but also will bring in even greater opportunities for cyber-criminals and other bad actors. This talk will look at the various tools available to help secure computing systems. It will consider how AI can help both the creator of future systems and also the attackers, and what can be done to better defend against the impact of AI in the hands of the attackers of computer systems
Luke Griffiths
ISM Consultant / ISO 27001 Lead Auditor / IoT Assured Assessor, Secarma
Luke is an ISM consultant, ISO 27001 lead auditor and IoT Assured assessor for Secarma. He has a first-class undergraduate degree in law and has recently achieved a distinction in his master’s degree in legal practice. In his spare time, Luke enjoys failing at being a musician, a basketball player and a Muay Thai practitioner.
Presentation: UK PSTI: The Legal Requirements and How to Satisfy Them
– PSTI: The scope of Part One
– Understanding “Internet or Network connectable devices” and exemptions
– Understanding your duties and the statement of compliance
– Understanding the enforcement of the act and its penalties
John Moor
Managing Director, IoT Security Foundation
John Moor is co-founder and Managing Director of the IoT Security Foundation.
He has more than 30 years experience in electronic systems and microelectronics industries and holds executive leadership and general manager responsibilities for IoTSF. Previously John served as a vice-president at the National Microelectronics Institute (NMI) where he was tasked with formulating strategy and leading the implementation of key innovation initiatives including creating a portfolio of technical engineering networks, establishing the UK Electronics Skills Foundation, running the Future World Symposium and participating in overseas trade missions.
Prior to NMI, John was one of the founders of Bristol-based start-up ClearSpeed Technology (formerly PixelFusion Ltd). During this time he led engineering operations at vice-president level and was responsible for technology acquisitions, establishing international supply chain operations and acquiring capability in the UK, USA and Taiwan.
John holds an MA (Distinction) in Strategic Marketing Management from Kingston University London and a Master of Business Administration from the University of Leicester. John’s formative embedded systems engineering career centred on leading-edge microprocessor based systems (substantially parallel systems) and used in data communications, high performance computing, graphics and virtual reality applications.
Shahram Mossayebi
CEO and Co-Founder, Crypto Quantique
Shahram holds an MSc in Information Security and a PhD in Post-Quantum Cryptography, both from Royal Holloway, University of London. Before founding Crypto Quantique, Shahram worked as a self-employed cybersecurity consultant for a few years before spotting a large gap in the market around IoT cybersecurity. Commenting on the pivot from academia and consultancy to a CEO, he says, “After years working in the cybersecurity industry, I have seen how companies are continually choosing between expensive and complex security or highly scaled systems without meaningful protection. Recognising the need for a holistic solution that is easy to use at scale yet delivers robust and reliable security for everything from connected cars to high-end consumer goods, I founded Crypto Quantique.”
Jeff Day
Voice Security Lead – Network Services, BT Group
Jeff Day is former Chair of the IoTSF Best Practice Working Group where he drafted the set of Best Practice Guides. He has worked in security at British Telecom for some 20 or so years, including security lead for their IoT programme, and has authored several internal security specifications and standards. For the past five years Jeff has been Security Lead for all BT’s fixed-line voice services across the globe.
Dr Stephen Pattison
Chairman, IoT Security Foundation, VP Public Affairs, ARM
Stephen is responsible for ARM’s Public Affairs, including contributions to public policy thinking across the world. His focus is London, Brussels, Washington and, increasingly, China. He was the first person to be appointed to a Public Affairs role at ARM, in 2012. Key issues on which he is working include Internet of Things, Smart Cities, Data Protection, Energy Efficiency, and Security. He also oversees ARM’s Corporate Responsibility Programme.
Prior to joining ARM, Stephen was CEO, International Chamber of Commerce UK, where he represented the interests of a range of companies and focussed on various policy and international trade issues. Before that he worked for James Dyson (Vacuum cleaners etc) as Head, International Business Development, where he introduced new products into new markets as well as accelerating growth in existing markets. He was once a British Diplomat and worked at the British Embassy in Washington, and on UN issues in London, New York and Geneva.
Stephen has a Master’s Degree from Cambridge University, and a Doctorate from Oxford. In 2003-4 he spent a year at Harvard as Fellow in International Affairs at the Weatherhead Center.
Hadyn Povey
CEO & Founder, Secure Thingz Ltd
Haydn is the Founder & CEO of Secure Thingz Limited, a company focused on developing and delivering next generation security technology into the Internet of Things (IoT) and other connected systems. The company is focused on developing secure gateway technology and also has products supporting secure device production. Secure Thingz additionally has a broad consultancy base encompassing AsiaPac, North America and EMEA.
Haydn has been in senior management at leading global technology companies for over 20 years, with the last 10 years in senior marketing and business development roles at ARM Holdings, the leading Microprocessor IP (Intellectual Property) company. Haydn most recently headed ARMs strategy and product roadmaps for Security within IoT and M2M marketplaces where he worked with critical groups within the US and UK government responsible for the development and deployment of security frameworks, alongside many leading silicon vendors, OEMs and system integrators and software solutions.
Previously Haydn was Director Security Products & Technologies within the ARM Processor Division where he owned a broad array of products including TrustZone, which delivers security foundations in the majority of global mobiles and tablets, and SecurCore, which is the foundations for the majority of 32-bit SmartCards and SIMS.
Prior to owning security at ARM Haydn led the development and introduction of the Cortex-M microprocessor family which has led to the rapid adoption of 32-bit microcontroller technology around the globe and underpins the majority of Internet of Things devices.
Earlier in his career Haydn held positions as Global Head of Sales and Marketing with various early stage technology compa
Michael Sawyer
Michael Sawyer, Head of Enforcement for Product Regulation at the Office for Product Safety and Standards (OPSS), Department for Business and Trade (DBT)
Michael is Head of Enforcement for Product Regulation at the Office for Product Safety and Standards (OPSS), which sits with the Department for Business and Trade (DBT). He has worked in enforcement at OPSS and its predecessors for over 10 years, covering various areas of legislation, including eco-design, energy labelling and product safety. OPSS will be the Enforcement Authority for the PSTI regime when it comes into force in 2024.
Veena Dholiwar, Enforcement of Enforcement of Product Security Legislation, DSIT
Veena leads on the enforcement of the product security legislation at the Department for Science, Innovation and Technology. Veena has contributed to the design and the development of the UK’s new consumer connectable product security regime, and now leads on the operational enforcement approach alongside the enforcement authority, OPSS.
Presentation: An overview of the Enforcement Approach for PSTI Product Security Regime
The UK’s Product Security and Telecommunications Act (PSTI) comes into force on 29 April 2024. There are penalties and potentially significant fines for companies who do not comply. In this talk, Veena will provide a status update and signpost to existing resources, and Michael will outline OPSS’ enforcement approach.