The IoT Security Foundation Conference
The world’s longest-running conference dedicated to IoT cybersecurity.
IET, London | 23rd October 2024
This year’s one-day event takes place on 23rd October and we return to the modern majesty of the IET, London.
The Annual IoTSF Conference has built a loyal global following from the IoT stakeholder communities and is renowned for delivering high-quality conference programmes. This is the 10th Annual Conference.
Advances in quantum computing and the democratisation of AI/ML in recent years have added more threats, yet have also given us more tools to use in our defences. New approaches such as zero trust and continuous assurance processes continue to evolve. Getting the basics right with training, certifications and audits continues to be a trusted staple.
Our theme is therefore…
IoT Security: Past, Present and Future.
Register for the 10th Annual IoT Security Foundation Conference
Frequently asked questions
What’s included with the ticket?
Ticket price includes a full conference day pass, refreshments, buffet lunch and drinks reception.
Member ticket: What if I’m unable to attend?
We know that plans can change! If you can’t make it to an event – to help manage our costs – please let us know as soon as possible, no less than 7 days in advance. If you fail to attend the event without prior notice, we reserve the right to invoice your company for the full cost of a non-member ticket. Thank you for understanding.
Non-Member / Professional Member ticket: Refund Policy
Refunds will be given for cancelled tickets up until 7 days before the event. Refund amount will be the original ticket price minus administration fees. Tickets purchased within 7 days of the event are non-refundable.
If I can’t attend, can someone go in my place?
Yes, just email us the details to [email protected].
Terms and Conditions / Privacy Policy
By signing up to this event you are agreeing to our Privacy Policy and our Terms and Conditions.
Register on Eventbrite HERE
SPEAKER
AI Risks and Rewards: Calculus for the Future
Apostol Vassilev
Research Manager, Computer Security Division, NIST
SPEAKER
Reading the R-IoT act – responding to an IoT incident
Jennifer Williams
Director of IT and Operations, Secarma
SPEAKER
Securing the Decentralized Future: Open and Auditable Hardware Security for IoT Ecosystems and Web3
John Sirianni
CEO, Tropic Square
SPEAKER
Hardware based security for advanced threat detection and mitigation
Rasadhi Attale
Senior Hardware Engineer, Siemens
SPEAKER
What Things Are Really on Your Network? Trusted IoT Onboarding and Lifecycle Management
Paul Watrobski
IT Security Specialist, NIST
SPEAKER
IoT Tech Abuse – Protecting At-Risk Communities
Dr Leonie Maria Tanczer
Associate Professor, University College London (UCL)
SPEAKER
Securing the Future: Harnessing the Power of Ecosystems in IoT Security
Darron Antill
CEO, Device Authority
SPEAKER
Evolving Threats and Evolving Defenses for XIoT in Critical Infrastructure
Toby Wilmington
CEO, qomodo
SPEAKER
From Risk to Return: A Two-Part Framework for Prioritising and Measuring Security Investment Returns
Kay Ng
Managing Director, CyberAnalytics
SPEAKER
International: Key lessons and takeaways from Internet of Things Cybersecurity Standards, Legislation, Product Certifications and Cybersecurity Labelling Schemes (CLS)
Matt Tett
Subject Matter Expert (SME), IoT Security Mark P/L
SPEAKER
How We Talk About IoT Matters: The Case of Technologies in Public Spaces
Rebecca Hartley
PhD Researcher, Royal Holloway, University of London
SPEAKER
What’s the Emergency? Public Safety in a world of IoT and cybersecurity, digital critical infrastructure, climate change, quantum computing, AI, drones, and high-end threats
David Ihrie
Chief Technology Officer, Virginia Innovation Partnership Corporation (VIPC)
SPEAKER
Building Secure IoT Products from the Ground Up
Zahra Khani
Principal Product Manager for IoT Security Assessment, Keysight Technologies
SPEAKER
Why does my TV still think it is a fridge?
Jonathan Marshall
Founder, SafeShark
SPEAKER
Implementing Cross Domain Security Patterns for IoT
Phil Day
Director of Engineering, Configured Things
SPEAKER
How secure is your IoT device? – Indispensable ingredients for a secure IoT product!
Andrew Bott
Principal Security Architect, IAR Systems AB
SPEAKER
10 Rules to Build Unsecure Embedded Systems
Stephan Janouch
Technical Marketing Director, EMEA, Green Hills Software GmbH
SPEAKER
The Critical Role of Randomness in IoT Security: From the Past to the Present and into a Post-Quantum Future
Dr. Ramy Shelbaya
CEO & Co-Founder, Quantum Dice Ltd
SPEAKER
Securing the AI supply chain
Xander Heemskerk
Director Product Security, Royal Philips
PANELIST
Prof. Anna Marie Mandalari
Assistant Professor, Information and Communications Engineering research group, Dept. Electrical and Electronic Engineering, University College London
PANELIST
Antoinette Hodes
Global Solution Architect & Evangelist, Check Point Software Technologies
SPEAKER
Where is your weakest link? Observations from teaching Embedded System Security
Dr Des Howlett
Senior Member Technical Staff, Doulos Ltd
PANEL COORDINATOR
Dr Stephen Pattison
Chairman, IoT Security Foundation & VP Public Affairs, ARM
As a not-for-profit organisation, we welcome your interest and support for the conference. We have a number of sponsorship opportunities on offer which help us to cover our costs.
Sponsoring IoTSF’s 2024 Conference will deliver a number of promotional benefits for your organisation whilst contributing to our shared mission to build secure, buy secure and be secure.
Why Sponsor?
The IoTSF Annual Conference attracts a wide range of stakeholder groups and decision-makers throughout the event lifecycle – in the build-up, during the event itself, and once the event has taken place and provides the perfect environment to not only promote your brand, but to build lasting relationships with customers and get to know other businesses:
- Build reputation & increase brand visibility
- Unique access to our IoT Security community and stakeholders
- Lead generation & sales
- New business partnerships
- Strengthen relationships with existing customers – most of our packages include guest passes and can be added to other sponsorship options on request
- Post-conference networking – a drinks reception accompanies the conference.
Agenda
We are currently building our agenda but, for the moment, click on an image to find out more about our speakers. Note that details are subject to change.
08:30 | Registration / Exhibition
09:30 | Opening Plenary Session: IoT Security: Past, Present, Future
The opening plenary session sets the stage for the rest of the day, exploring the cutting edge of IoT cybersecurity, AI and emerging themes. Following the welcome address, we will have two keynote talks that look at the emerging innovation and technology future. We will also take a look at what is in store for the IoTSF and its members with insights from the Executive Steering Board via a panel session taking the theme of the conference: IoT security – past, present and future. This plenary session promises to equip attendees with a comprehensive understanding of the cybersecurity landscape, setting the context for the specialized tracks that follow. Attendees will not want to miss this opportunity to gain valuable insights from industry leaders and connect with fellow professionals at the forefront of IoT security.
11:00 | Break
11:30 | Track 1 | Kelvin Lecture Theatre
The Future of IoT Security: Embracing Collaborative Approaches and Comprehensive Frameworks
This session explores the evolving landscape of IoT security through keynote talks from leading business and technical experts. On the business side, we discuss the shift from isolated security solutions to collaborative, ecosystem-based approaches in securing IoT devices. Attendees will also learn about supply chain integrity for IoT and AI systems, including innovations for creating operational and trusted bills of materials.
New developments in the evolution of the IoT Security Foundation’s popular security assurance framework will be announced and we will explain its transformation from a developer checklist to a corporate reference for automating audits and certification. We also highlight the recent and important work from NIST on IoT Device Onboarding and Lifecycle Management which addresses real-world trust challenges across enterprise, industrial and consumer networks. Join us to understand the collaborative future of IoT security and its practical implications.
11:30 | Track 2 | Turing Lecture Theatre
IoT Foundations of Trust: Secure by Design
This session explores contemporary cutting-edge approaches to building security into IoT devices and systems from the ground up. Experts will outline the essential elements for secure IoT products and also look at solutions for decentralized and autonomous IoT applications, examining how to leverage hardware security modules to protect vehicle-to-everything (V2X) communications. We will also delve into the critical role of true randomness in cryptography with a focus on preparing for emerging AI and quantum computing threats. Attendees will gain practical insights into implementing robust security measures at the hardware and system level to create resilient IoT systems.
11:30 | Track 3 | Watson-Watt Room
The CISO Journey: From Coax to Resilience
In this session, we look at how cyber security has changed over the last 20+ years from the CISO perspective. Once upon a time, all they worried about were operating systems, printers, memory sticks and shadow IT. But soon every new technology became shadow IT, with mobile phones, iPads, social media, cloud services, etc. This session will explore how CISOs started from overseeing information security, which included computers, users, the network, etc. to today, where they have to view things from an enterprise cyber resilience perspective. Does this really mean that there is nothing that they can rule out from having to provide guidance on or be responsible for? These and many other questions will be explored with our expert panel who will provide perspectives of what cyber resilience means to them in their daily world view for an enterprise.
13:00 | Lunch / Exhibition / Networking
14:00 | Track 4 | Kelvin Lecture Theatre
The Practice of IoT Security: From Breach Response to Threat Anticipation
This illuminating session equips IoT security practitioners with actionable strategies to tackle current and emerging challenges. Attendees will learn effective breach response protocols for when things go wrong, techniques for anticipating threats in newly connected OT domains like critical infrastructure and healthcare, and methods for applying cross-domain architectural principles to enhance security in the industrial Internet of Things (IIoT). The session also includes best practices for comprehensive testing of products with diverse supply chain components. Through expert-led talks and interactive discussions, participants will gain valuable insights to strengthen their organization’s IoT security posture.
14:00 | Track 5 | Turing Lecture Theatre
The Business of IoT Security: Mastering the Economics
In this session we look at security through the economics lens – how can security help us win in business? What do we need to know beyond the technical requirements, how do we weigh up risk and reward – how can the approach be used to underpin, even boost business objectives? IoT technology has many commercial applications, and the resilience to attack of the connected systems is essential for business success. Context is king when determining security features, yet the business case dominates the feasibility of any successful, sustainable, security posture.
14:00 | Track 6 | Watson-Watt Room
Securing IoT: Lessons from the Past, Laughs in the Present, Leaps to the Future
This engaging IoT security session will equip attendees with valuable insights and practical strategies to enhance their IoT defences. We’ll examine historical patterns, extracting crucial lessons to fortify future IoT implementations. Prepare yourself for a humorous yet eye-opening journey through the “10 Rules to Build Unsecure Embedded Systems” highlighting common pitfalls and misguided practices that compromise security. We’ll also explore the cutting-edge world of eSIMs, uncovering their unique security properties and how they can future-proof IoT device protection. This session blends historical analysis, satirical reflection, and emerging technology insights to provide a comprehensive view of IoT security challenges and solutions.
15:30 | Break
16:00 | Track 7 | Kelvin Lecture Theatre
IoT Security Compliance: Navigating the Regulatory Landscape
As connected devices become ubiquitous in our homes, businesses, and cities, the need for security oversight has never been more critical. Yet, the path to regulation is fraught with challenges. This session illuminates the complex reality of IoT security regulation and compliance, where innovation and protection must coexist. We’ll explore the global regulatory landscape, focusing on Europe’s CRA and RED, the UK’s PSTI, NIST CSF 2 and NIS2. Our expert speakers will dissect the delicate balance between fostering innovation and ensuring user safety, addressing the concerns of compliance professionals grappling with legal uncertainties and potential penalties. Whether you’re an IoT manufacturer, policymaker, developer, consultant, or security professional, this session will equip you with the knowledge and insights needed to navigate the evolving regulatory landscape. Don’t miss this opportunity to stay ahead of the curve and contribute to a more secure and innovative IoT future.
16:00 | Track 8 | Turing Lecture Theatre
Memory Safety: The Pernicious Challenge
What is the memory safety challenge? How big an issue is it and what can be done? Join this session to learn about the complexities of memory safety, explore current solutions, and glimpse into the future of secure IoT systems. Whilst memory safety in computing has been identified as a challenge since the 1970s, it became a significantly bigger problem with the growth of connected and distributed systems – such as the IoT. Solutions to the memory safety challenge are beginning to emerge from the research labs toward real-world applications underpinned by a range of hardware and software technologies. This session dives into the critical world of memory safety and its implications for secure IoT systems. Beginning with an academic exploration of memory safety fundamentals, we progress to cutting-edge industry solutions. We’ll examine the UK government-backed CHERI project, discuss the role of memory-safe languages like Rust, and explore industry efforts to popularize these technological advances. This session is intended for designers, developers, manufacturers, and users of IoT technology, providing them with the knowledge and tools needed to improve the security and reliability of connected systems.
16:00 | Track 9 | Watson-Watt Room
The Human Side of IoT Security: Protecting People, Spaces, and Systems
This session explores critical aspects of IoT security, focusing on protecting vulnerable communities and public spaces while addressing technical challenges in embedded systems. Experts will discuss how IoT technologies can be misused to target at-risk groups and strategies to mitigate these threats. We’ll examine the importance of language and framing when discussing IoT deployments in public areas, emphasizing transparency and community engagement. The session will also delve into common vulnerabilities in embedded systems, sharing insights from hands-on security education. A guest speaker will highlight the crucial role of cross-sector collaboration in building a more secure IoT landscape. Attendees will gain a wider view of IoT security challenges and practical approaches to address them.
17:30 | Closing Remarks followed by Drinks Reception
The IET
The Institution of Engineering and Technology (IET) is a prestigious and globally recognized professional organization dedicated to advancing the field of engineering and technology. Established in the United Kingdom in 1871, the IET has a rich history of promoting excellence in engineering and supporting innovation in various technological domains. With a diverse membership of engineers, technologists, and professionals from around the world, the IET provides a platform for knowledge sharing, networking, and collaboration. The organization actively fosters the development of engineering and technology skills through educational programs, publications, and events.
Travel
There are a number of different options for travelling to The IET. Several underground lines provide easy access, the best stations being Covent Garden, Embankment, London Charing Cross and Temple. If arriving by train, Liverpool Street, Euston, Kings Cross, Victoria and Waterloo either have direct links to one of the underground stations or provide access to the tube system.
Accommodation
There are a number of hotels near the venue and the IET has set up some special room rates.
Present at the IoT Security Foundation Conference
If you’ve got something important to say on a whole range of subjects related to improving the status of IoT, now or in the future, we’d like to hear it and invite you to submit a talk proposal.
If you would like to guarantee a speaking slot, we would encourage you to take one of our limited sponsorship packages – they’re very cost-effective (see our sponsorship guide).
Talk Themes
Our attendees will be interested in business, technical, operational, standards, regulatory, educational and policy-related themes. Some of those themes may include (but are not limited to):
- New or emerging themes in IoT security
- All themes related to the defence against AI/automated attacks
- Using AI/ML to improve IoT security
- Zero trust environments
- Cryptography
- Standards and certification
  - We are keen to hear practical examples of effective (cost and efficacy) third-party certification schemes
- The economics of IoT security
- Automation and continuous assurance
- Updates on the latest threat landscape, attacks and how to avoid them.
- Best practice for building/engineering ‘secure by design’ and/or ‘secure by default’ products and/or systems
- Testing IoT products (hardware and software) – against common and emerging attacks
- ‘How to’ specify fit-for-purpose security when purchasing
- Securing the supply chain
- Software bill of materials and open source
- Maintaining security and/or achieving resilience throughout the lifecycle
- Emerging research or intelligence
- Ethical hacking of IoT systems
- Ethical design for security and privacy
- Use cases: application specific examples of cyber security best practice in context e.g.:
  - Automotive
  - Critical Infrastructure
  - Healthcare
  - Industrial/Industry 4.0/Manufacturing
  - Smart Buildings / Smart Cities / Connected Places
- Practical “How To’s” (or how not to…) – e.g.
  - How to manage secure updates
  - How to build a secure and agile development culture
  - Respond to a security breach
  - Build an effective vulnerability and/or bug-bounty program
  - Assess your liability and risk
  - Threat modelling
- Real life experiences/war stories/lessons learned
Submitting a Talk Proposal
To submit a paper presentation to be considered for the IoTSF Conference, please complete the submission form with the following details:
- Presentation Theme
- Presentation Title
- Presentation Abstract
- Speaker Biography & Photo
- Key audience takeaways
Presentations are to be made in English.
Regular speaking slots are nominally 20 minutes in duration (inclusive of Q&A); however, if you prefer a ‘lightning talk’ slot, these are nominally allocated 10 minutes. Slot duration will be confirmed as part of the acceptance process.
- Once received, we will acknowledge receipt.
- Submissions will be reviewed by representatives of IoTSF at regular intervals and assessed on the content’s merit and relevance to the conference.
- Once reviewed and concluded, applicants will be notified.
- Successful applicants should confirm their availability for the day.
Guidance for Speakers
It’s great that you have something to say, however be clear about your message to the audience – your talk may be good but if the audience is left with a feeling of “so what?” then we’ve collectively failed. When submitting make sure you spell out the key takeaways that you intend to leave with the audience and what will make it worth their while listening to you. This also helps our talk assessors when selecting talks for the conference hence we encourage you to consider this carefully.
- Abstracts must clearly detail the nature, scope, content, key points and significance of the proposed presentation to aid the assessment process.
- The audience has come to hear a talk about a subject that is of interest to them. Direct or overt sales presentations are unwelcome at this event and will not be accepted. It is acceptable to position where the talk is coming from – i.e. the company / individual and the area of interest you have, generally one slide at the beginning usually suffices.
- It is standard practice to record talks at the IoTSF conference and, at our discretion, publish after the event. Should you prefer not to have your talk published you must inform us with written instruction (email) before or on the conference day. We will confirm your preference.
If you have any queries regarding the submission process, please contact us – [email protected]
Conference Agenda
08:30-09:30 | Registration / Exhibition
09:30-11:00 | Opening ‘Plenary’ Session: IoT Security: Past, Present, Future
11:00-11:30 | Break
11:30 | Track 1 | Kelvin Lecture Theatre
11:30 | Track 1 | Turing Lecture Theatre
13:00-14:00 | Lunch / Exhibition / Networking
14:00 | Track 2 | Kelvin Lecture Theatre
14:00 | Track 2 | Turing Lecture Theatre
15:30-16:00 | Break
16:00 | Track 3 | Kelvin Lecture Theatre
16:00 | Track 3 | Turing Lecture Theatre
17:15-17:30 | Closing Remarks
17:30-19:00 | Drinks Reception
Agenda
We are currently building our agenda but, for the moment, click on an image to find out more about our speakers. Note that details are subject to change.
08:30 | Registration / Exhibition | ||||
09:30 | Opening Plenary Session: IoT Security: Past, Present, Future | ||||
The opening plenary session sets the stage for the rest of the day, exploring the cutting edge of IoT cybersecurity, AI and emerging themes. Following the welcome address, we will have two keynote talks that look at the emerging innovation and technology future. We will also take a look at what is in store for the IoTSF and its members with insights from the Executive Steering Board via a panel session taking the theme of the conference: IoT security – past, present and future. This plenary session promises to equip attendees with a comprehensive understanding of the cybersecurity landscape, setting the context for the specialized tracks that follow. Attendees will not want to miss this opportunity to gain valuable insights from industry leaders and connect with fellow professionals at the forefront of IoT security. |
|||||
11:00 | Break | ||||
Kelvin Lecture Theatre | Turing Lecture Theatre | Watson-Watt Room | |||
11:30 | Track 1 | 11:30 | Track 2 | 11:30 | Track 3 |
The Future of IoT Security: Embracing Collaborative Approaches and Comprehensive Frameworks | IoT Foundations of Trust: Secure by Design | The CISO Journey: From Coax to Resilience | |||
This session explores the evolving landscape of IoT security through keynote talks from leading business and technical experts. On the business side, we discuss the shift from isolated security solutions to collaborative, ecosystem-based approaches in securing IoT devices. Attendees will also learn about supply chain integrity for IoT and AI systems, including innovations for creating operational and trusted bills of materials.
New developments in the evolution of the IoT Security Foundation’s popular security assurance framework will be announced and we will explain its transformation from a developer checklist to a corporate reference for automating audits and certification. We also highlight the recent and important work from NIST on IoT Device Onboarding and Lifecycle Management which addresses real-world trust challenges across enterprise, industrial and consumer networks. Join us to understand the collaborative future of IoT security and its practical implications. |
This session explores contemporary cutting-edge approaches to building security into IoT devices and systems from the ground up. Experts will outline the essential elements for secure IoT products and also look at solutions for decentralized and autonomous IoT applications, examining how to leverage hardware security modules to protect vehicle-to-everything (V2X) communications. We will also delve into the critical role of true randomness in cryptography with a focus on preparing for emerging AI and quantum computing threats. Attendees will gain practical insights into implementing robust security measures at the hardware and system level to create resilient IoT systems. |
In this session, we look at how cyber security has changed over the last 20+ years from the CISO perspective. Where once upon a time all they worried about were operating systems, printers, memory sticks and shadow IT. But soon every new technology became shadow IT, with mobile phones, ipads, social media, cloud services, etc. This session will explore how CISOs started from overseeing information security, which included computers, users, the network, etc. to today, where they have to view things from an enterprise cyber resilience perspective. Does this really mean that there is nothing that they can rule out from having to provide guidance on or be responsible for? These and many other questions will be explored with our expert panel who will provide perspectives of what cyber resilience means to them in their daily world view for an enterprise. |
|||
13:00 | Lunch / Exhibition / Networking | ||||
14:00 | Track 4 | 14:00 | Track 5 | 14:00 | Track 6 |
The Practice of IoT Security: From Breach Response to Threat Anticipation | The Business of IoT Security: Mastering the Economics | Securing IoT: Lessons from the Past, Laughs in the Present, Leaps to the Future | |||
This illuminating session equips IoT security practitioners with actionable strategies to tackle current and emerging challenges. Attendees will learn effective breach response protocols for when things go wrong, techniques for anticipating threats in newly connected OT domains like critical infrastructure and healthcare, and methods for applying cross-domain architectural principles to enhance security in the industrial Internet of Things (IIoT). The session also includes best practices for comprehensive testing of products with diverse supply chain components. Through expert-led talks and interactive discussions, participants will gain valuable insights to strengthen their organization’s IoT security posture. |
In this session we look at security through the economics lens – how can security help us win in business? What do we need to know beyond the technical requirements, how do we weigh up risk and reward – how can the approach be used to underpin, even boost business objectives? IoT technology has many commercial applications, and the resilience to attack of the connected systems is essential for business success. Context is king when determining security features, yet the business case dominates the feasibility of any successful, sustainable, security posture. |
This engaging IoT security session will equip attendees with valuable insights and practical strategies to enhance their IoT defences. We’ll examine historical patterns, extracting crucial lessons to fortify future IoT implementations. Prepare yourself for a humorous yet eye-opening journey through the “10 Rules to Build Unsecure Embedded Systems” highlighting common pitfalls and misguided practices that compromise security. We’ll also explore the cutting-edge world of eSIMs, uncovering their unique security properties and how they can future-proof IoT device protection. This session blends historical analysis, satirical reflection, and emerging technology insights to provide a comprehensive view of IoT security challenges and solutions. |
|||
15:30 | Break | ||||
16:00 | Track 7 | 16:00 | Track 8 | 16:00 | Track 9 |
IoT Security Compliance: Navigating the Regulatory Landscape | Memory Safety: The Pernicious Challenge | The Human Side of IoT Security: Protecting People, Spaces, and Systems | |||
As connected devices become ubiquitous in our homes, businesses, and cities, the need for security oversight has never been more critical. Yet, the path to regulation is fraught with challenges. This session illuminates the complex reality of IoT security regulation and compliance, where innovation and protection must coexist. We’ll explore the global regulatory landscape, focusing on Europe’s CRA and RED, the UK’s PSTI, NIST CSF 2 and NIS2. Our expert speakers will dissect the delicate balance between fostering innovation and ensuring user safety, addressing the concerns of compliance professionals grappling with legal uncertainties and potential penalties. Whether you’re an IoT manufacturer, policymaker, developer, consultant, or security professional, this session will equip you with the knowledge and insights needed to navigate the evolving regulatory landscape. Don’t miss this opportunity to stay ahead of the curve and contribute to a more secure and innovative IoT future. |
What is the memory safety challenge? How big an issue is it and what can be done? Join this session to learn about the complexities of memory safety, explore current solutions, and glimpse into the future of secure IoT systems. Whilst memory safety in computing has been identified as a challenge since the 1970s, it became a significantly bigger problem with the growth of connected and distributed systems – such as the IoT. Solutions to the memory safety challenge are beginning to emerge from the research labs toward real-world applications underpinned by a range of hardware and software technologies. This session dives into the critical world of memory safety and its implications for secure IoT systems. Beginning with an academic exploration of memory safety fundamentals, we progress to cutting-edge industry solutions. We’ll examine the UK government-backed CHERI project, discuss the role of memory-safe languages like Rust, and explore industry efforts to popularize these technological advances. This session is intended for designers, developers, manufacturers, and users of IoT technology, providing them with the knowledge and tools needed to improve the security and reliability of connected systems. |
This session explores critical aspects of IoT security, focusing on protecting vulnerable communities and public spaces while addressing technical challenges in embedded systems. Experts will discuss how IoT technologies can be misused to target at-risk groups and strategies to mitigate these threats. We’ll examine the importance of language and framing when discussing IoT deployments in public areas, emphasizing transparency and community engagement. The session will also delve into common vulnerabilities in embedded systems, sharing insights from hands-on security education. A guest speaker will highlight the crucial role of cross-sector collaboration in building a more secure IoT landscape. Attendees will gain a wider view of IoT security challenges and practical approaches to address them. |
|||
17:30 | Closing Remarks followed by Drinks Reception |
Agenda
We are currently building our agenda. Note that details are subject to change.
09:30
Kelvin Lecture Theatre
11:00-11:30 Break
Kelvin Lecture Theatre
Turing Lecture Theatre
Watson-Watt Room
13:00-14:00 Lunch / Exhibition / Networking
Kelvin Lecture Theatre
Turing Lecture Theatre
Watson-Watt Room
15:30-16:00 Break
Kelvin Lecture Theatre
Turing Lecture Theatre
Watson-Watt Room
17:30-19:00 Closing remarks followed by drinks reception
Agenda
We are currently building our agenda.
08:30 | Registration / Exhibition | ||||
Kelvin Lecture Theatre | |||||
09:30 | Opening Plenary Session: IoT Security: Past, Present, Future | ||||
Alex Mouzakitis – JLR | Title TBC | ||||
Apostol Vassilev – Research Manager, NIST | AI Risks and Rewards: Calculus for the Future | ||||
11:00 – 11:30 | Break | ||||
Sessions 1-3 / 11:30 – 13:00 | |||||
Kelvin Lecture Theatre | Turing Lecture Theatre | Another Theatre | |||
Advancing Security Practice Session Host TBC |
Security by Design Session Host TBC |
The CISO Journey Session Host TBC |
|||
Darron Antill, CEO, Device Authority | Securing the Future: Harnessing the Power of Ecosystems in IoT Security | Andrew Bott, Principal Security Architect, IAR Systems AB | How secure is your IoT device? – Indispensable ingredients for a secure IoT product! | David Ihrie, CTO, Virginia Innovation Partnership Corporation (VIPC) | What’s the Emergency? Public Safety in a world of IoT and cybersecurity, digital critical infrastructure, climate change, quantum computing, AI, drones, and high-end threats |
Ian Pearson, IoTSF AFWG | Assuring IoT Security | Turing Lecture Theatre | Turing Lecture Theatre | TBCTheatre | TBCTheatre |
Nick Allott, CEO, Nquiring Minds | SBoM, TAIBoM etc. | Turing Lecture Theatre | Turing Lecture Theatre | TBCTheatre | TBCTheatre |
Paul Watrobski, NIST CCCoE | On-boarding High Level Architecture | Turing Lecture Theatre | Turing Lecture Theatre | TBCTheatre | TBCTheatre |
13:00-14:00 | Lunch / Exhibition / Networking | ||||
Sessions 4-6 / 14:00 – 15:30 | |||||
Kelvin Lecture Theatre | Turing Lecture Theatre | Another Theatre | |||
Advancing Security Practice Session Host TBC |
Security by Design Session Host TBC |
The CISO Journey Session Host TBC |
|||
15:00 – 15:30 | Break | ||||
Sessions 7-9 / 16:00 – 17:15 | |||||
Kelvin Lecture Theatre | Turing Lecture Theatre | Another Theatre | |||
Advancing Security Practice Session Host TBC |
Security by Design Session Host TBC |
The CISO Journey Session Host TBC |
|||
17:15 – 17:30 | Closing Remarks | ||||
17:30 – 19:00 | Drinks Reception | ||||
19:00 | Close |
Speakers
The IoT Security Foundation 2024 Conference features an impressive line-up of accomplished speakers who bring their knowledge and experience to the event. Our carefully curated talks from practitioners, industry leaders, academic researchers, and technical visionaries make the IoTSF Annual Conference both high-quality and insightful.
Apostol Vassilev
Research Manager, Computer Security Division, NIST
Apostol Vassilev is a research manager in the Computer Security Division at NIST. His group’s research agenda covers topics in Trustworthy and Responsible AI, with a focus on Adversarial Machine Learning and Robust AI for Autonomous Vehicles. Vassilev works closely with academia, industry and government agencies on the development and adoption of standards in AI. He holds a Ph.D. in mathematics. Vassilev has been awarded a bronze medal by the U.S. Commerce Department and his work has been profiled in the Wall Street Journal, Politico, VentureBeat, Fortune, Forbes, the Register, podcasts, and webinars. Apostol frequently speaks at conferences.
Dr Leonie Maria Tanczer
Associate Professor, University College London (UCL)
Dr Leonie Maria Tanczer is an Associate Professor in International Security and Emerging Technologies at University College London’s (UCL) Department of Computer Science (CS) and grant holder of the prestigious UKRI Future Leaders Fellowship (FLF).
She is part of UCL’s Information Security Research Group (ISec) and initiated and heads the “Gender and Tech” research efforts at UCL. Tanczer is also a member of the Advisory Council of the Open Rights Group (ORG), a Steering Committee member for the Offensive Cyber Working Group, and a voting member of the IEEE Working Group P2987 “Recommended Practice for Principles for Design and Operation Addressing Technology-Facilitated Inter-personal Control”.
She was formerly an Association of British Science Writers (ABSW) Media Fellow at The Economist and a Fellow at the Alexander von Humboldt Institute for Internet and Society (HIIG) in Berlin. Her research focuses on questions related to Internet security and she is specifically interested in the intersection points of technology, security and gender.
Matt Tett
Subject Matter Expert (SME), IoT Security Mark P/L
Matt Tett is an Advisor and Subject Matter Expert (SME) for IoT Security Mark P/L who operate the global IoT Security Trust Mark™ (STM) Certification and voluntary Cybersecurity Labelling Scheme (CLS). (www.iotsecuritytrustmark.org).
Matt is the Managing Director of Enex TestLab (Enex Pty Ltd). He is well known globally across industry and government as a very well connected, highly technical straight shooter. He effectively applies science to translate complex technology for the lay person, ensuring customers receive what they are paying for.
Matt has a deep technical background in network and security systems and he holds the following security certifications in good standing for 17+ years: CISSP, CISM, CSEPS and CISA. He is a certified Government security advisor and retains State and Federal Government security clearances.
He is also a judge for a number of industries, including the Commsday “Edison” Awards, IT Journo “Lizzies” Awards, InnovationAus Awards for Excellence, IoT Impact Awards and the Australian Women in Security Awards.
Toby Wilmington
CEO, qomodo
Toby Wilmington has spent the last decade building and managing some of the world’s most sophisticated cyber security defences. With a career that spans institutes like BAE Systems, Recorded Future, and NATO, Toby has been a go-to advisor for government departments, critical infrastructure, and military forces, crafting robust strategies and resilient security controls for the world’s most targeted networks.
Now leading qomodo, Toby is tackling one of the pressing cyber challenges of our time: safeguarding the rapidly expanding Internet of Things. As IoT devices infiltrate sensitive networks and bring previously isolated areas online, they become prime targets for cyber attackers. The inadequate security and control measures in these newly connected spaces present a golden opportunity for nation-states and cybercriminals alike.
SPEAKER
AI Risks and Rewards: Calculus for the Future
Apostol Vassilev
Research Manager, Computer Security Division, NIST
SPEAKER
Reading the R-IoT act – responding to an IoT incident
Jennifer Williams
Director of IT and Operations, Secarma
SPEAKER
Securing the Decentralized Future: Open and Auditable Hardware Security for IoT Ecosystems and Web3
John Sirianni
CEO, Tropic Square
SPEAKER
Hardware based security for advanced threat detection and mitigation
Rasadhi Attale
Senior Hardware Engineer, Siemens
SPEAKER
What Things Are Really on Your Network? Trusted IoT Onboarding and Lifecycle Management
Paul Watrobski
IT Security Specialist, NIST
SPEAKER
IoT Tech Abuse – Protecting At-Risk Communities
Dr Leonie Maria Tanczer
Associate Professor, University College London (UCL)
SPEAKER
Securing the Future: Harnessing the Power of Ecosystems in IoT Security
Darron Antill
CEO, Device Authority
SPEAKER
Evolving Threats and Evolving Defenses for XIoT in Critical Infrastructure
Toby Wilmington
CEO, qomodo
SPEAKER
From Risk to Return: A Two-Part Framework for Prioritising and Measuring Security Investment Returns
Kay Ng
Managing Director, CyberAnalytics
SPEAKER
International: Key lessons and takeaways from Internet of Things Cybersecurity Standards, Legislation, Product Certifications and Cybersecurity Labelling Schemes (CLS)
Matt Tett
Subject Matter Expert (SME), IoT Security Mark P/L
SPEAKER
How We Talk About IoT Matters: The Case of Technologies in Public Spaces
Rebecca Hartley
PhD Researcher, Royal Holloway, University of London
SPEAKER
What’s the Emergency? Public Safety in a world of IoT and cybersecurity, digital critical infrastructure, climate change, quantum computing, AI, drones, and high-end threats
David Ihrie
Chief Technology Officer, Virginia Innovation Partnership Corporation (VIPC)
SPEAKER
Building Secure IoT Products from the Ground Up
Zahra Khani
Principal Product Manager for IoT Security Assessment, Keysight Technologies
SPEAKER
Why does my TV still think it is a fridge?
Jonathan Marshall
Founder, SafeShark
SPEAKER
Implementing Cross Domain Security Patterns for IoT
Phil Day
Director of Engineering, Configured Things
SPEAKER
How secure is your IoT device? – Indispensable ingredients for a secure IoT product!
Andrew Bott
Principal Security Architect, IAR Systems AB
SPEAKER
10 Rules to Build Unsecure Embedded Systems
Stephan Janouch
Technical Marketing Director, EMEA, Green Hills Software GmbH
SPEAKER
The Critical Role of Randomness in IoT Security: From the Past to the Present and into a Post-Quantum Future
Dr. Ramy Shelbaya
CEO & Co-Founder, Quantum Dice Ltd
SPEAKER
Securing the AI supply chain
Xander Heemskerk
Director Product Security, Royal Philips
PANELIST
Prof. Anna Marie Mandalari
Assistant Professor, Information and Communications Engineering research group, Dept. Electrical and Electronic Engineering, University College London
PANELIST
Antoinette Hodes
Global Solution Architect & Evangelist, Check Point Software Technologies
SPEAKER
Where is your weakest link? Observations from teaching Embedded System Security
Dr Des Howlett
Senior Member Technical Staff, Doulos Ltd
PANEL COORDINATOR
Dr Stephen Pattison
Chairman, IoT Security Foundation & VP Public Affairs, ARM
The IET
The Institution of Engineering and Technology (IET) is a prestigious and globally recognized professional organization dedicated to advancing the field of engineering and technology. Established in the United Kingdom in 1871, the IET has a rich history of promoting excellence in engineering and supporting innovation in various technological domains. With a diverse membership of engineers, technologists, and professionals from around the world, the IET provides a platform for knowledge sharing, networking, and collaboration. The organization actively fosters the development of engineering and technology skills through educational programs, publications, and events.
Travel
There are a number of different options for travelling to The IET. There are a number of underground lines providing easy access, the best stations being Covent Garden, Embankment, London Charing Cross and Temple. If arriving by train, Liverpool Street, Euston, Kings Cross, Victoria and Waterloo either have direct links to one of the underground stations or provide access to the tube system.
Accommodation
There are a number of hotels near the venue and the IET has set up some special room rates.
Dr Leonie Maria Tanczer
Associate Professor, University College London (UCL)
Presentation: IoT Tech Abuse – Protecting At-Risk Communities
The proliferation of smart, Internet-connected devices in homes has introduced new avenues for intimate partner violence.
Drawing on research conducted at UCL’s Gender and Tech Lab, this presentation will explore the growing problem of technology-facilitated domestic violence and stalking, focusing on the ways perpetrators exploit Internet of Things (IoT) technologies to monitor, control, and terrorise victims and survivors. The talk will examine the unique challenges affected parties face when trying to document abuse, seek help, and regain control of their digitally-enabled environment. The session will also highlight emerging approaches to combat this form of abuse, including technological safeguards, legislative reforms, and victim/survivor support. The goal is to raise awareness of this critical issue and equip the tech sector with the knowledge to address the intimate partner violence threat model proactively and to effectively respond to instances where their systems are being misused in domestic abuse and stalking cases.
Apostol Vassilev
Research Manager, Computer Security Division, NIST
Presentation: AI Risks and Rewards: Calculus for the Future
Artificial intelligence (AI) systems have been on a global expansion trajectory for several years. The pace of development and adoption of AI systems has been accelerating worldwide.
These systems are being widely deployed into the economies of numerous countries, leading to the emergence of AI-based services for people to use in many spheres of their lives, both real and virtual. There are two broad classes of AI systems, based on their capabilities: Predictive AI (PredAI) and Generative AI (GenAI). Although the majority of industrial applications of AI systems are still dominated by PredAI systems, we are starting to see adoption of GenAI systems in business. When adopted responsibly, GenAI systems can also improve the productivity of workers and quality of service.
As these systems permeate the digital economy and become inextricably essential parts of daily life, the need for their secure, robust, and resilient operation grows.
However, despite the significant progress that AI has made, these technologies are also vulnerable to attacks that can cause spectacular failures with dire consequences. In this talk we will provide an overview of the main sources of risk and categories of attacks on AI systems and propose directions for increasing their robustness.
Toby Wilmington
CEO, qomodo
Presentation: Evolving Threats and Evolving Defences for XIoT in Critical Infrastructure
The convergence of information technology (IT) and operational technology (OT) within the Extended Internet of Things (XIoT) is transforming the landscape of connectivity.
Devices and systems that were once isolated, such as industrial control systems, vehicles, energy grids and medical equipment, are now internet-connected, vastly expanding the attack surface and presenting new cybersecurity challenges.
In this presentation, Toby Wilmington, CEO of qomodo, will explore the evolving threat landscape facing XIoT environments. We will examine how cybercriminals and nation-state actors exploit vulnerabilities in connected devices to target critical infrastructure. From weak authentication mechanisms to legacy system vulnerabilities, this session will provide a comprehensive overview of the current risks that organisations face.
Looking forward, we will discuss emerging threat trends, such as the increasing use of artificial intelligence by attackers to conduct more sophisticated and automated attacks. As threat actors continue to innovate, organisations must evolve their security strategies to stay ahead of these challenges.
To help executives and managers navigate this complex landscape, the presentation hopes to offer actionable insights and defensive measures for enhancing XIoT security.
By understanding the current threat landscape and anticipating future challenges, organisations can develop robust security frameworks that protect their critical XIoT assets, challenge the expectations of security for IoT and ensure operational resilience in an increasingly connected world.
Darron Antill
CEO, Device Authority
Darron has extensive experience in leading and growing companies that specialise in IoT, Cybersecurity, Enterprise Software and SaaS. Prior to his role as CEO at Device Authority, Darron was CEO of AppSense, a global software company where he guided the company to a 270% revenue increase, expansion into new markets, strategic acquisitions, successful investment and significant product innovation. Darron is also a member of IoTSF’s Executive Steering Board.
Presentation: Securing the Future: Harnessing the Power of Ecosystems in IoT Security
In the rapidly expanding world of IoT, securing connected devices has never been more critical—or more complex. Gone are the days when a single solution could adequately protect the intricate networks of connected devices that define today’s IoT landscape. In this talk, “Stronger Together: The Power of Collaboration in Securing the IoT Ecosystem,” we delve into the transformative shift towards a collaborative approach to IoT security.
As the industry evolves, so too must our strategies for protection. This presentation will explore how the integration of best-in-class vendors, each bringing unique strengths to the table, forms a more resilient and adaptable defence system. We will discuss the significant benefits of this ecosystem approach, including enhanced security for both new and legacy devices, and how it enables more effective responses to the ever-evolving threat landscape. We will also hear about some examples of a successful ecosystem in action as well as the role that open-source communities can play in advancing security solutions.
Attendees will gain practical insights into building and maintaining a secure IoT ecosystem, with real-world examples of successful implementations. Whether you’re securing new deployments or retrofitting brownfield devices, this talk will provide the knowledge and tools to make informed decisions and strengthen your IoT security posture through collaboration. Join us to learn why the future of IoT security is not about going it alone, but about building stronger defences together.
Matt Tett
Advisor / Subject Matter Expert (SME), Cyber Trust Mark
Matt Tett is an Advisor and Subject Matter Expert (SME) for IoT Security Mark P/L who operate the global IoT Security Trust Mark™ (STM) Certification and voluntary Cybersecurity Labelling Scheme (CLS). (www.iotsecuritytrustmark.org).
Matt is the Managing Director of Enex TestLab (Enex Pty Ltd). He is well known globally across industry and government as a very well connected, highly technical straight shooter. He effectively applies science to translate complex technology for the lay person, ensuring customers receive what they are paying for.
Enex TestLab’s objective is to use science to keep tech vendors honest and the leaders leading by rigorously testing their product claims and ensuring consumer requirements are met factually (www.testlab.com.au).
Enex TestLab is an independent ISO17025 accredited testing laboratory with a 35+ year history, university heritage (RMIT), and ISO 9001 QMS Quality, ISO 27001 ISMS Security and ISO 45001 OH&S certifications.
Matt is a current board director and Co-Chair of the Australian Women in Security Network (AWSN) (www.awsn.org.au)
He also serves on the Communications Alliance Cyber Security Reference Panel (CSRP), the CSRP Fraud subgroup and the Communications Resilience Administration Industry Group (CRAIG) and is a member of the research advisory committee for the Internet Commerce Security Laboratory (ICSL) at Federation University.
Matt has a deep technical background in network and security systems and he holds the following security certifications in good standing for 17+ years: CISSP, CISM, CSEPS and CISA. He is a certified Government security advisor and retains State and Federal Government security clearances.
He is also a judge for a number of industries, including the Commsday “Edison” Awards, IT Journo “Lizzies” Awards, InnovationAus Awards for Excellence, IoT Impact Awards and the Australian Women in Security Awards.
He has served on the Online Safety Consultative Working Group (OSCWG) for the Office of the eSafety Commissioner, as a committee member participating in the development of Standards related to IT-042-00-01 – IoT and Related Technologies and participated in the Internet Australia Cyber Security SIG. He is former chair of IoT Alliance Australia (IoTAA) enabler Work Stream 3 (eWS-3) – Cyber Security and Network Resilience and sits on the IoTAA Executive Council.
https://www.linkedin.com/in/mtett/
Presentation: International: Key lessons and takeaways from Internet of Things Cybersecurity Standards, Legislation, Product Certifications and Cybersecurity Labelling Schemes (CLS)
The presentation theme is around connected product security conformance assessment, certification and labelling around the world.
Including:
• The current landscape of IoT product cybersecurity standards internationally
• The current landscape of IoT/Smart/Connected product legislation in each country
• The current landscape of the global vs domestic IoT security certifications and CLS including pros and cons from various stakeholders’ perspectives
• Lessons learned over the past seven years; developing, applying for, and obtaining international Certification Trade Marks for a Global connected device certification and labelling scheme
• Effects for device consumers/users – including private sector and critical infrastructure
• Effects for device manufacturers – including distributors and retailers
• Effects for government departments and agencies
• What’s next, what does the future hold?
Rasadhi Attale
Senior Hardware Engineer, Siemens
A senior hardware engineer working for the Embedded Analytics team at Siemens for 6 years. Previously worked at Arm prior to joining Siemens. Currently studying for a master’s in cybersecurity at the University of Oxford.
Presentation: Hardware based security for advanced threat detection and mitigation
Today’s Software Defined Vehicles are essentially an IoT device, or several IoT devices, on wheels and are vulnerable to various types of security threat. V2X communication attacks are the more common and the most impactful of them. We will be presenting a suite of hardware IP that can help mitigate various V2X communication attacks and help monitor the health of a fleet.
Mike Eftimakis
Founding Director, CHERI Alliance
Mike Eftimakis has an extensive background in the semiconductor and electronics industry with 30 years in senior technical and business roles. He has a rich history of innovation with companies like VLSI Technology, NewLogic, and Arm, and he started up and led his own company, where he played pivotal roles in advancing technology and business strategies. His expertise ranges from chip design engineering and system architecture to product management, marketing and strategy, making him a key contributor to the growth and success of microelectronics organizations.
Currently, Mike is the VP Strategy and Ecosystem at Codasip, where he drives the long-term vision and its day-to-day implementation. His leadership at Codasip focuses on positioning the company to differentiate in a highly competitive market, while fostering strategic partnerships and enhancing the company’s market position. Mike’s blend of technical acumen and strategic insight is key in this engineering-led environment.
In parallel, he is a Founding Director of the CHERI Alliance, an industry association dedicated to promoting CHERI technology. This technology addresses the root causes of most current cyberattacks, contributing to a safer and more trustworthy world.
John Sirianni
CEO, Tropic Square
John Sirianni has led and grown companies that specialize in semiconductor security, communications security, Post-Quantum Cryptography and Critical Infrastructure Cybersecurity.
In his previous role, John provided strategic advisory services to Blockchain, AI, and Quantum security companies. His involvement in IoT security led him to collaborate with the IoTSF in Silicon Valley from its founding in 2015.
John now leads Tropic Square, a company that develops auditable and open hardware secure semiconductor chips for the next generation of crypto-secure infrastructure systems.
Presentation: Securing the Decentralized Future: Open and Auditable Hardware Security for IoT Ecosystems and Web3
As IoT devices become more decentralized and self-sufficient, they are gaining the ability to operate with increasing levels of autonomy and independence. This shift is enabling new capabilities like instant transactions, negotiations and settlements directly between intelligent devices.
These advancements offer high value targets for attackers – challenging the traditional approaches to physical hardware protection. A new hardware security paradigm is urgently needed to address the requirements of autonomous IoT devices and Web3.
This session provides insights into protecting increasingly autonomous and decentralized device ecosystems. Attend to learn about:
Emerging Security Challenges
● The new attack vectors arising in autonomous IoT and Web3 devices
● The impact on endpoint device security and sovereignty
New Security Approaches
● Transparency over obscurity: Why open, transparent, and auditable security elements are more effective against advanced attacks than closed approaches
● “Zero-trust” implemented in silicon to enable a new level of cryptographic key protection and management
● How Kerckhoffs’ principle, when applied to secure element IC development, enables novel design approaches for hardware root of trust
Future Outlook
● How community-driven innovation is shaping hardware security
Phil Day
Director of Engineering, Configured Things
Phil is the Director of Engineering at Configured Things, a startup founded by alumni from Hewlett Packard Labs to build solutions that can operate across security domains. He has more years than he cares to admit to developing and delivering complex distributed systems.
He spoke at the IoTSF 2022 conference on the subject of Secure by Design Configuration interfaces, and is a member of the CyberASAP review panel for IoT.
Presentation: Implementing Cross Domain Security Patterns for IoT
IoT networks typically consist of low cost sensors over which the operator has little control of the security implementation, deployed in locations that are often difficult to secure. The data from these sensors needs to be passed into protected high trust networks, which requires that only essential and verified data is admitted.
One of the key challenges for IIoT is that data is not constrained by the traditional Purdue hierarchies. Data from SCADA systems and PLCs needs to be shared with a wider range of IT systems, which in turn need to send data and configuration information to the control layer.
In both cases the data paths between these two trust domains introduce attack routes that can only be partially mitigated by traditional IT protections such as firewalls and intrusion detection, which do not meet the higher levels of assurance required for safety critical systems such as IIoT.
The NCSC publishes a set of thirteen design principles for implementing high assurance Cross Domain Solutions, along with architectural patterns for the safe import and export of data. These include the use of protocol breaks, and for high levels of assurance flow control elements such as data diodes, to mitigate the threats from classes of attack that are embedded in the payloads.
These architectural patterns are typically perceived as only applying to classification boundaries such as those found in government and military organisations; preventing malicious data from being imported and maintaining a strict control on what data can be exported. However they can also be applied to many other contexts to provide a much reduced attack surface.
In this talk I will describe a solution which applies those patterns to the IoT space, allowing telemetry to be safely imported and equally importantly remote systems securely configured and managed. I will describe the key challenges in designing such a system, illustrated with an example based on a LoRaWAN deployment.
I will also cover our work within the Digital Security by Design (DSbD) program to create cost effective alternatives to the high end “hardsec” devices used at the classification boundary.
Jennifer Williams
Director of IT and Operations, Secarma
Jen has nearly a decade of experience in helping businesses to defend themselves against cyber attack. With the vast majority of her career spent in the legal sector, she understands the unique challenges faced by this industry.
Presentation: Reading the R-IoT act – responding to an IoT incident
Users of connected devices rely on manufacturers to keep their data secure. But what happens when it all goes wrong? How should a business respond to ensure that damage to their reputation is minimised? During this session we’ll examine:
– Real world experience of being in an incident response crisis
– The importance of being prepared
– Why communications can make or break your response to a disaster
– How to recover well.
Jonathan Marshall
Founder, SafeShark
Jonathan is an experienced cybersecurity professional with a proven track record of leading information security initiatives for over 8 years, currently serving as Chief Information Security Officer at ScreenHits. As a partner at The Hawk Media Partnership, Jonathan provides expert cybersecurity consulting and tailored solutions to broadcasters, safeguarding their critical infrastructure and operations.
A serial entrepreneur with a passion for innovation, he has co-founded multiple successful ventures, including SafeShark, a cutting-edge cybersecurity company, and TVA Group, a revolutionary audience measurement platform. Jonathan’s unique blend of technical expertise and business acumen is complemented by his strong academic foundation, holding an M.Eng. in European Management in Engineering from the University of Glasgow. He is deeply committed to protecting businesses from evolving cyber threats and leveraging data intelligence to drive growth and success.
Presentation: Why does my TV still think it is a fridge?
SafeShark has been working with manufacturers (including LG, Panasonic, Arcelik) of consumer electronic equipment since 2020 and as a result we have gained a unique perspective of the trends in cyber security compliance and issues. We use a unique automated testing platform allowing us to test compliance against the standards.
As a result of testing dozens of products we would like to share some of our unique findings across a range of devices from Smart Showers to Televisions that think they are a fridge.
Key insights will be shared allowing our audience to understand how to help manufacturers comply with the best practice for building ‘secure by design’ products and ensure that consumers are given clear information at the point of sale.
Andrew Bott
Principal Security Architect, IAR Systems AB
Andrew Bott is a Chartered Engineer who has been working in security of embedded systems for more than twenty years and previously worked in software development and project management in embedded software and backhaul systems for telecommunications from DECT, GSM, 3G, LTE at Symbionics, Anritsu, and ip.access. He has architected security on multiple hardware platforms and is knowledgeable in PKI, setting up and operating several certificate authorities using HSMs. He currently has 19 patents on secure supply chain through Secure Thingz Ltd where he worked as the Senior Security Architect.
In 2021 he contributed to the peer review of the IoTSF Assurance Framework v3.0 and the Vulnerability Disclosure Best Practice Guidelines v2.0. He is now Principal Security Architect for IAR Systems.
Presentation: How secure is your IoT device? – Indispensable ingredients for a secure IoT product!
What is needed in an IoT device and its supply chain to assure its security? This presentation addresses key aspects of security and how they can be addressed at every stage in the product development process.
It explores how to establish and authenticate a device’s identity, wherever it is, protecting it from cloning or counterfeiting, from its inception during the manufacturing process throughout the lifetime of the product, thereby establishing a secure Root of Trust in the device.
It goes on to explain core features such as secure booting so that sensitive data is securely locked down and cannot be modified when the software is running. Also, the importance of using a device that is capable of lock down.
From device conception, each device needs to be provisioned with a unique identity that cannot be cloned and a device certificate from within the company’s own public key infrastructure. Information will be given on how to achieve this, enabling authentication, confidentiality and non-repudiation.
The speaker will address how to overcome common challenges around debugging and vulnerability patches with anti-rollback, permitting software updates without compromising security.
No device is guaranteed to be 100% secure, but implementing best practice to minimize risks is both desirable and achievable.
Kay Ng
Managing Director, CyberAnalytics
Global Cybersecurity Strategist | Bridging East & West | Securing the Connected Future
Kay Ng is a force to be reckoned with in the world of cybersecurity. Her expertise? Transforming complex threats into strategic opportunities. Her advantage? A truly global perspective.
As a dual national of Britain and China, Kay bridges Eastern and Western approaches to security, offering unparalleled insights into today’s interconnected risk landscape. She’s advised Fortune 500 giants and government agencies, tackling everything from IoT vulnerabilities to critical infrastructure protection.
Her secret weapon? A rare ability to connect the dots between data, technology, and business impact.
Kay’s credentials speak for themselves: A Master’s degree in Software and Systems Security from the University of Oxford, a track record of leadership roles in multinational corporations and global consulting firms, and a passion for empowering the next generation of cybersecurity leaders.
Presentation: From Risk to Return: A Two-Part Framework for Prioritising and Measuring Security Investment Returns
In today’s hyper-connected world, securing the Internet of Things is no longer optional—it’s a business imperative particularly if you’re supplying to Critical National Infrastructure.
But with limited resources and evolving threats, how can executives prioritise investments and ensure a tangible return on their security spend?
This presentation introduces a two-part framework to solve the problem of investing with the biggest impact, and how to communicate it so that it resonates in the Boardroom. First, we’ll explore a risk-based approach to prioritising security investments. Second, we’ll delve into practical methods for measuring the effectiveness of your security program, demonstrating how to quantify ROI and communicate the value of your efforts to key stakeholders.
Through real-world case studies and actionable insights, this presentation equips executives with the knowledge and tools they need to move from risk to return, transforming IoT security from a cost center to a strategic driver of business value.
David Ihrie
CTO, Virginia Innovation Partnership Corporation (VIPC)
Mr. Ihrie has over 40 years industry experience as a direct innovator in the fields of satellite and terrestrial communication, computing, and information science, and has been a principal in seven startup companies. In addition to his entrepreneurial activities, Mr. Ihrie has helped build four national scale business accelerators for the Intelligence Community, for DHS, and in the areas of cybersecurity and smart cities.
In addition to the CTO role, Mr. Ihrie is VP, Strategic Initiatives for the Commonwealth, focused on transitioning promising leading-edge technologies into practice for state and local government. The Virginia Strategic Initiatives portfolio includes Smart Communities, the Virginia Unmanned Systems Center at VIPC, the VIPC Public Safety Innovation Center, and the SCITI Labs program with DHS Science & Technology focused on public safety capabilities. Active areas of technology focus and experimental pilot projects in the Virginia network of Living Laboratories, centered at the Virginia Smart Community Testbed, include:
– IoT devices and sensors
– Advanced Air Mobility and the supporting ground-based infrastructure for Airspace Awareness
– Cybersecurity
– Smart Buildings
– Quantum computing
– Immersive Environments (AR/VR)
Mr. Ihrie has a Master of Science degree in Business from MIT, specializing in the Management of Technological Innovation, and a B.S. from MIT in Electrical Engineering/Computer Science.
Presentation: What’s the Emergency? Public Safety in a world of IoT and cybersecurity, digital critical infrastructure, climate change, quantum computing, AI, drones, and high-end threats
As a CIO/CISO, the world has changed dramatically over the last decade, from worrying about script kiddies in their mothers’ basement attacking our firewall, to now a fully distributed network of devices which we may no longer physically control. Data is king in a world where everything is connected, and our entire economy is online. Both the natural world and human threats present ever-increasing challenges, and the pace of technology change continues to increase.
As a public sector CISO supporting adoption of emerging technologies for the Commonwealth of Virginia in areas such as emergency management, incorporation of drones into the national airspace, and protection of critical infrastructure, real-time situational awareness from a large network of distributed IoT sensors, users, and applications is essential. Security by design, incorporating the principles of zero trust is a critical element to ensure the secure, reliable flow of information necessary for our modern world.
Stephan Janouch
Technical Marketing Director, EMEA, Green Hills Software GmbH
Stephan Janouch is the Director of Technical Marketing EMEA for Green Hills Software, based in Munich. He holds a German diploma in Electronic/Electrical engineering from the University of Applied Sciences in Landshut, Germany and has been working in the automotive and semiconductor industries for more than 25 years. During this time, he helped solve problems in applications engineering, business development as well as marketing, and along the way also served as the editor-in-chief for a professional magazine on automotive electronics.
Presentation: 10 Rules to Build Unsecure Embedded Systems
This paper/presentation will outline the basic rules for building secure embedded systems with a focus on the software architecture. However, instead of speaking with a moralising undertone, which typically leads to a “we know” or “we do this already” reaction, we will provide a not-to-be-taken-too-seriously approach of educating the audience in building a completely unsecure, easy-to-hack system. The rules we will touch on will be the following:
• Make it work, then make it secure: no need to worry about security when you start the project. You can make any system secure enough by adding a firewall at the end of the development process.
• Use only open-source software (OSS): OSS is typically very well maintained and crowd-tested. Also, the community wouldn’t give everyone source code access to look for potential attack surfaces.
• Hire great engineers, then success will follow automatically. They can do magic even if all you give them are simple tools you just downloaded from the internet for free.
• All operating systems are the same, hence, just go for the cheapest. Differences in architecture, separation options, support are negligible. After all, it’s just about a few low-level software services, right?
• Certifications are just a rip-off! They were invented to generate additional revenue for suppliers of complex products. Just go with something non-certified and do the certification on your own. Typically, this is just a bunch of documentation.
• AI is a geek’s thing (and a myth): AI probably will never fly, so you don’t have to worry about how a hacker may or may not use AI to find a hole in your firewall or have AI code malware to infiltrate your system.
• Modularization is making things more complicated. While people claim that software components should be small, simple, tested and isolated, this is also adding unnecessary complexity. Just consolidate all components and make sure they work. It is very unlikely anyway that you may have to change something later…
• Consolidation: Some parts of your system may contain critical code (or data). However, as your system is secured by a firewall you can easily consolidate all functions on one processor core (or a multicore entity), this makes best use of the hardware and allows for easy data/information transmission between various software functions/tasks.
• Social engineering: Only stupid people fall for phishing emails or social media scams using fake profiles. You know you have a great team (even the guy that started just recently…), all are digital natives with a full understanding of the latest trends in social engineering.
• Updates: Updates are in most cases completely unnecessary. You have tested your system before deploying it into the field, so, if something isn’t working it is not your fault. Maybe the system needs a hardware upgrade?
A short summary at the end will be shown to lift the curtain and explain the background of this talk, i.e. that it was derived from issues observed in various development projects over the years.
Paul Watrobski
IT Security Specialist, NIST
Paul Watrobski is an IT Security Specialist at the National Institute of Standards and Technology (NIST) where he helped develop the Profile of the IoT Core Baseline for Consumer IoT Products among other guidance from the NIST Cybersecurity for IoT Program. He has also taken part in several projects at NIST’s National Cybersecurity Center of Excellence (NCCoE). Paul is a principal investigator for the Trusted IoT Device Network-Layer Onboarding and Lifecycle Management project and the upcoming Software Supply Chain and DevOps Security Practices project, and previously developed an open-source tool, MUD-PD, in support of device-intent enforcement for the Mitigating IoT-Based DDoS project.
Prior to NIST, Paul studied electrical and computer engineering at Binghamton University and the University of Maryland – College Park (UMD). Today, he is pursuing a doctorate in reliability engineering at UMD, researching firmware update-vulnerability lifecycles in IoT under the advisement of Dr. Michel Cukier.
Presentation: What Things Are Really on Your Network? Trusted IoT Onboarding and Lifecycle Management
The U.S. National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) recently published practice guide NIST SP 1800–36, addressing challenges with establishing and maintaining trust of IoT devices on home, enterprise, and industrial networks at scale. The NCCoE worked hand-in-hand with industry stakeholders to develop and describe five protocol-specific reference implementations of trusted network-layer onboarding based on Wi-Fi Easy Connect (DPP), Bootstrapping Remote Key Infrastructure (BRSKI), and Thread, as well as one agnostic reference implementation of factory provisioning of credentials. The practice guide progresses deep into the details starting from a high-level Executive Summary (Volume A) of the challenges and proposed solutions; to the Approach, Architecture, and Security Characteristics (Volume B) of the project; to step-by-step How-To Guides (Volume C) for implementing each build; to Functional Demonstrations (Volume D) of each build’s cybersecurity capabilities; and lastly, to mappings to relevant standards related to Risk and Compliance Management (Volume E). No matter where you fit in the process of developing a secure IoT product, at least one of the volumes of this practice guide will benefit you.
Come by to hear from and meet one of the project’s principal investigators and learn how you may be able to implement trusted network-layer onboarding for your devices.
Dr Des Howlett
Senior Member Technical Staff, Doulos Ltd
Doulos Senior Member, Technical Staff, EUR ING Dr Des Howlett joined Doulos in 2017. He has worked in the past as a Senior Field Applications Engineer for Microchip Technology and Silicon Laboratories, all over the EMEA region.
Immediately prior to Doulos, he was Technical Marketing Manager, EMEA, for Software at Avnet Silica and was responsible for liaising between processor manufacturers and customers to ensure that supplied software was suitable for market needs.
Des has previously taught embedded C programming and Verilog logic design at the University of Reading and now is an instructor for Embedded C and C++, Python, Embedded System Security as well as FPGA courses at Doulos.
Presentation: Where is your weakest link? Observations from teaching Embedded System Security
Everybody wants their product to be secure and it is now, rightly, a legal requirement for it to be so. People often think of security as encryption or protecting data, but it extends far beyond that.
There are important questions to ask, that are frequently overlooked, such as: Did you leave a secret test mode open, or did you fail to check statuses and user data? Do your product tests go beyond a pure check for functionality and ensure that bad inputs are also rejected?
It is surprising how many vulnerabilities are left in products in the rush to get something out the door. It is also amazing how engineers focus on securing one part, while leaving glaring holes that can be easily circumvented. Even the most experienced pilots follow checklists, but are you following a logical process or security framework in your designs?
Do you spend time, before starting the design, thinking about the possible problems that could befall your product? Do you write defensive code, looking at areas where bad data could have disastrous consequences? Do you realise that something as simple as an unchecked data string could let somebody execute code and do practically anything they choose?
It is common to look at security as a separate discipline, although many secure design practices will also give you a more reliable and higher-quality end product. Most security flaws are bugs in their own right, so fixing one will often help with the other.
This talk will include examples of some of the points we teach, that have triggered engineers to think twice about how they approach security.
Zahra Khani
Principal Product Manager for IoT Security Assessment, Keysight Technologies
Zahra is a seasoned cybersecurity professional with a passion for innovation in OT/IoT security. Her tech journey began at the age of 15, ultimately leading her to earn a degree in software engineering in 2009. After gaining several years of hands-on experience as a security engineer, Zahra founded Firmalyzer in 2016, a pioneering cybersecurity company specializing in the development of the first automated OT/IoT firmware security analysis platform. During her time at Firmalyzer, she combined her technical expertise with product management and business strategy, driving significant growth in the company’s solutions. This platform was designed to address the growing need for securing connected devices in the rapidly expanding IoT ecosystem. At the end of 2023, Firmalyzer’s technology was acquired by Keysight Technologies, a global leader in electronics and testing equipment. Following the acquisition, Zahra transitioned to the role of Product Manager for the IoT Security Assessment product at Keysight, where she continues to drive innovation in IoT security. In her current role, she combines global customer feedback with her vision to refine and enhance the product. Zahra is passionate about turning complex challenges into opportunities and improving digital security to make the online world safer.
Presentation: Building Secure IoT Products from the Ground Up
Building a secure IoT product typically involves a fairly complex supply chain of hardware and software components, and a flaw in any one level can allow compromise of the entire device and pose dire consequences for overall system integrity. In this presentation, I’ll provide an overview of security testing techniques starting at the chip level and working up through application level, describing the kinds of issues that can be found at each and how they can interact with each other. Although we’ll touch on technical topics, the goal here is not doing a deep-dive on any particular technique or technology; the point of the discussion is convincing those ultimately responsible for the security and integrity of IoT systems that security flaws are real and should be found proactively before someone else does that for you. The presentation will provide multiple examples of IoT security flaws we’ve discovered in the course of our work and how they were discovered including hardware testing, network protocol fuzzing and firmware analysis. For example, I’ll show how we were able to extract the encryption key from a post-quantum crypto implementation because the CPU itself wasn’t hardened, and our analysis of an industrial-grade PLC device with multiple vulnerabilities, ranging from the design level to the upper application layers, including vulnerable third-party components. And because this forum is interested in certification efforts around the world, I’ll talk briefly about my involvement with the US Cyber Trust Mark and how it’s incorporating multi-level security testing.
Antoinette Hodes
Global Solution Architect & Evangelist, Check Point Software Technologies
Antoinette Hodes is a global cybersecurity solutions architect and evangelist with Check Point Software Technologies Office of the CTO, and a professional with 26+ years in IT, OT and cybersecurity. Antoinette writes cybersecurity articles for Cybertalk.org and speaks at events regarding cybersecurity for IT, IoT and OT environments, AI & ML in cybersecurity and the global threat landscape, sharing strategic and tactical aspects such as experience, insight, knowledge, recommendations and best practices.
Prof. Alex Mouzakitis
Programme Director, Cyber Security, Jaguar Land Rover
Prof Alex Mouzakitis is the Programme Director for Cyber Security at Jaguar Land Rover and Industrial Professor of Automotive Systems at WMG, University of Warwick. Prof Mouzakitis has over 20 years of technological and leadership experience especially in the area of automotive systems. In his current role he is responsible for the delivery of the Cyber Security Programme across all Jaguar Land Rover functions.
In his previous positions within JLR, Prof Mouzakitis served as the Chief Technical Specialist for Systems Engineering, Head of Vehicle Engineering, Infotainment and Connectivity Research, Head of the Electrical, Electronics and Software Engineering Research and prior to that as the Head of Model-based Product Engineering.
Prof Mouzakitis is a Chartered Engineer and a Fellow of the IET and InstMC engineering institutions. He is a member of the Industrial Advisory Panel of several international conferences, member of the InstMC System and Control Technology Panel, member of the InstMC National Council and a member of the InstMC Accreditation Panel. He has published over 130 scientific papers in international journals, book chapters and international conferences.
Prof Mouzakitis holds a BSc (Hons) in Integrated Manufacturing Technology and a PhD in Machine Learning and Artificial Intelligence for Autonomous Vehicles from the University of Wales, an MSc in Systems and Control from Coventry University and an EngD in Automotive Embedded Software Development from The University of Warwick.
Prof. Anna Maria Mandalari
Assistant Professor, Information and Communications Engineering research group, Dept. Electrical and Electronic Engineering, University College London
Anna Maria Mandalari works as Assistant Professor in the Information and Communications Engineering research group, Dept. Electrical and Electronic Engineering, University College London. She is Honorary Research Fellow at the Institute for Security Science and Technology at Imperial College London and expert fellow of the UK SPRITE+ Hub.
Anna Maria Mandalari has been nominated Member of the Italian Technical Secretariat of the Committee for strategies on the use of AI. She obtained her PhD within the framework of the METRICS project, part of the Marie Skłodowska-Curie action, intended for excellent researchers, affiliated with the Carlos III University of Madrid. Her research interests are Internet of Things (IoT), privacy, security, networking and Internet measurement techniques. She studies privacy implications and information exposure from IoT devices. She works on the problem of modelling, designing, and evaluating adaptation strategies based on Internet measurements techniques. In addition to her research, Anna gives invited talks all around the world to promote research and create awareness on security, privacy, and ethical AI. Most of her research experiences have significantly contributed to several EU-funded research projects and have had a significant influence on media and policymaking. Anna Maria Mandalari is also committed to promoting the interest of young women in STEM subjects.
Haydn Povey
Founder and CEO, SCI Semiconductor
Haydn is the Founder & CEO of SCI Semiconductor, a company focused on developing and delivering next generation security IP and devices. The company is a leading advocate of CHERI technology, with its ability to resolve over 70% of critical vulnerabilities through enhanced Memory Safe technology, compartmentalisation, and integrated component management. The company works closely with governmental and commercial entities to introduce CHERI technology and to solve many of the biggest issues in critical infrastructure and industry today.
Haydn has been in senior management at leading global technology companies for over 30 years, including as Chief Strategy Officer at IAR, through the successful acquisition of Secure Thingz Ltd. He additionally held senior marketing and business development roles at ARM Holdings, the leading Microprocessor IP (Intellectual Property) company. Haydn headed ARM’s strategy and product roadmaps for Security within IoT and M2M marketplaces where he worked with critical groups within the US and UK government responsible for the development and deployment of security frameworks, alongside many leading silicon vendors, OEMs and system integrators and software solutions.
Previously Haydn was Director Security Products & Technologies within the ARM Processor Division where he owned a broad array of products including TrustZone, which delivers security foundations in the majority of global mobiles and tablets, and SecurCore, which is the foundation for the majority of 32-bit SmartCards and SIMs. Prior to owning security at ARM, Haydn led the development and introduction of the Cortex-M microprocessor family which has led to the rapid adoption of 32-bit microcontroller technology around the globe and underpins the majority of Internet of Things devices.
Rebecca Hartley
PhD Researcher, Royal Holloway, University of London
Rebecca Hartley is a PhD Researcher at the Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway, University of London. Her research is funded by the Engineering and Physical Sciences Research Council and supervised by Dr Andrew Dwyer and Professor Lizzie Coles-Kemp. Taking a socio-technical approach, Rebecca has conducted several years of research in smart cities and technology in public spaces. The goal of her research is to understand the factors shaping security for technologies in public spaces. She is particularly interested in the way in which we communicate about technology and how this impacts cyber security. Rebecca has presented her research to a government department, including providing a policy paper. She has advised the Department for Science, Innovation and Technology on secure connected places through their External Advisory Group. Rebecca was selected as a speaker for Soapbox Science 2024, where she presented her research to the public.
Rebecca has a BA(Hons) in History and Politics from the University of Oxford and previously worked in the Information Technology Sector as a Project Manager. She was a recipient of the FS-ISAC Women in Cyber Scholarship 2023. In April 2022 she received Honorary Mention in the Growing Thought Leadership Award, issued by International Forum of Terrorism Risk (Re) Insurance Pools (IFTRIP) and was an Atlantic Council’s Cyber 9/12 Semi-finalist in 2022.
Presentation: How We Talk About IoT Matters: The Case of Technologies in Public Spaces
The research I will present investigates the factors shaping cyber security in the process of integrating technology into public spaces. Many of these technologies are IoT, such as sensors and smart bins. These devices are increasingly integrated into public spaces for efficiency, savings, and environmental reasons. Research data has been collected via international interviews with the public and private sectors as well as observations from events covering technologies in public spaces. The research contributes significant findings: it shows that how we communicate to each other about these technologies matters for security. Common narratives on technologies in public spaces mix with specific aspects of these IoT technologies to influence security. For example, the small size of IoT devices and common ideas about experimentation both influence procurement processes. Importantly, the influence on security is often negative. I will demonstrate ways in which the IoT industry can contribute to communication on technology which has more successful consequences for security.
John Moor
Managing Director, IoT Security Foundation / COO, TechWorks
John Moor is co-founder and Managing Director of the IoT Security Foundation.
He has more than 30 years' experience in the electronic systems and microelectronics industries and holds executive leadership and general manager responsibilities for IoTSF. Previously John served as a vice-president at the National Microelectronics Institute (NMI), where he was tasked with formulating strategy and leading the implementation of key innovation initiatives, including creating a portfolio of technical engineering networks, establishing the UK Electronics Skills Foundation, running the Future World Symposium and participating in overseas trade missions.
Prior to NMI, John was one of the founders of Bristol-based start-up ClearSpeed Technology (formerly PixelFusion Ltd). During this time he led engineering operations at vice-president level and was responsible for technology acquisitions, establishing international supply chain operations and acquiring capability in the UK, USA and Taiwan.
John holds an MA (Distinction) in Strategic Marketing Management from Kingston University London and a Master of Business Administration from the University of Leicester. John’s formative embedded systems engineering career centred on leading-edge microprocessor-based systems (substantially parallel systems) used in data communications, high performance computing, graphics and virtual reality applications.
Dr. Stephen Pattison
Chairman, IoT Security Foundation & VP Public Affairs, ARM
Stephen spent twelve years as Global Head of Public Affairs at Arm, a leading high tech company. He was responsible for contributions to public policy thinking across the world on a wide range of tech issues, including cybersecurity, data protection, AI Ethics, STEM policies and semiconductor growth strategies. He focussed on London, Brussels, Washington and Beijing. He is currently a Senior Adviser at Hanover Communications.
Prior to joining ARM, Stephen was CEO, International Chamber of Commerce UK, where he represented the interests of a range of companies and focussed on various policy and international trade issues. Before that he worked for James Dyson (Vacuum cleaners etc) as Head, International Business Development, where he introduced new products into new markets as well as accelerating growth in existing markets. He was once a British Diplomat and worked at the British Embassy in Washington, and on UN issues in London, New York and Geneva.
Stephen has a Master’s Degree from Cambridge University, and a Doctorate from Oxford. In 2003-4 he spent a year at Harvard as Fellow in International Affairs at the Weatherhead Center.
Peter Davies
Technical Director, Thales
I love what I do, approach everything with energy and enthusiasm and can always see an angle. As a Technical Director of Thales in the UK I have been their leading expert on Cryptography in the UK, responsible for providing cryptography and information security direction and expertise on a variety of products and projects. Previous work includes the development and certification of flexible and interoperable commercial security solutions that are also widely used by governments; these solutions are available worldwide and support the security of both communications and informatics in an international, multi-grade environment. My specialist knowledge is at the core of the cyber defence and forensics activities that I undertake combatting existential threats against business. I can, and have, interacted on security and products at any level from Prime Minister, through Board to deep technical, including Agencies, Certification Labs and partners developing and sustaining business opportunities worldwide. I have generated patents in the area of digital DNA and my research covers aspects of technical security as well as aspects of super-identities and their role in combatting human-based cyber-attacks. I have led an EU security research contract and have acted as an expert on others. As well as contributing to standards I am a frequent speaker at international conferences and deliver lectures to postgraduate information and cyber security programmes in the UK and worldwide.
Richard Marshall
Founder and Director, Xitex
Richard is founder and director at Xitex, a secure product development consultancy, supporting customers developing secure products and the wider standards community. From working for global organisations such as AT&T, Cisco and Sony to being part of the founding team for more than one start-up, Richard has been involved with a variety of secured products from Set Top Boxes to Cellular Small Cells over the last 20 years. At the start-up Ubiquisys, he founded the hardware and secure software delivery team, going on to become the Product Manager for the global secure software and PKI delivery system CloudBase. CloudBase was a key component in Cisco’s acquisition of Ubiquisys in 2013. On IoT security, Richard was the Internet of Things Security Foundation’s founding Plenary Chair for five years and currently sits on its Executive Steering Board. Richard is one of the lead authors for the foundation’s Assurance Framework, which has recently been internationally recognized by the EU’s ETSI and US NIST standards bodies as a point of reference for IoT security. He was also a contributor/reviewer for the UK’s ‘Code of Practice for Consumer IoT Security’, ETSI’s technical standard TS 103 645 and harmonized standard EN 303 645 on IoT Security. He is currently a member of CENELEC’s JTC13 WG8 RED and JTC13/WG9 CRA harmonised standards cyber-security working groups.
Ramy Shelbaya
CEO & Co-Founder, Quantum Dice Ltd
Physicist by background, Ramy co-founded Quantum Dice right after completing his DPhil in Atomic and Laser Physics at the University of Oxford.
Having previously worked on a wide variety of applications in quantum technologies ranging from computing to communications and sensing, Ramy has a passion for the communication and the commercialisation of scientific breakthroughs.
Ramy has been leading the company ever since its inception, focusing on ensuring the alignment between the technology development and the needs of the market while ensuring Quantum Dice’s continued growth.
Presentation: The Critical Role of Randomness in IoT Security: From the Past to the Present and into a Post-Quantum Future
In an increasingly connected world, the security of our digital communications and data has never been more critical. This talk explores the key role high-quality randomness plays in cybersecurity, focusing on the evolution of randomness and its applications in IoT security. Attendees will understand how true randomness is essential for securing the more connected and data-intensive IoT. They will also discover what can happen when there is insufficient randomness and the risks and consequences that arise.
The Past: A Look at Randomness and Its Role in IoT Security
IoT devices and their supporting infrastructure use Random Number Generators (RNGs) for generating their security keys. Traditionally, IoT devices have relied on True Random Number Generators (TRNGs) to produce the randomness necessary for encryption. TRNGs utilise physical processes, such as electronic noise, to generate random numbers. These methods have served the IoT sector well, providing sufficient entropy for past security needs.
The Present: Challenges with Current RNG Solutions
However, there are examples of where current RNG methods have proved inadequate. We highlight what can go wrong when there is insufficient randomness and the necessity of higher quality and verifiable sources for producing robust keys capable of withstanding present and future threats, including those arising from developments in AI and quantum technologies.
The Future: The Threat of Emerging Technologies
While quantum computing poses a significant threat to current encryption methods used in IoT sectors, there are other quantum-enabled technologies that offer solutions to mitigate this threat.
Key IoT sectors such as critical infrastructure, automotive, healthcare, manufacturing, and smart devices will particularly need the security offered by advanced, reliable RNG solutions. Attendees will learn about the strategic importance of high-quality randomness and the role of advanced standards in shaping a secure post-quantum IoT future.
Xander Heemskerk
Director Product Security, Royal Philips
Xander Heemskerk is the Director Product Security – Personal Health, Digital Pathology & Brand Licensing in the Product and Services Security Office (PSSO) at Philips. In this role he drives the Product Security programs and initiatives for Medical Devices, in vitro diagnostics (IVDs) and Wellness solutions worldwide. IoT, mobile apps, cloud IaaS, PaaS and SaaS, big data and AI are crucial parts of the Products and Services delivered by Personal Health.
Prior to Philips, Xander was the Corporate Security Officer (CSO) at TomTom and the Corporate Information Security Officer (CISO) at the oldest company in the world, Royal Vopak. He has been responsible for Corporate Security, Enterprise Information Security, Information Risk Management and Product Security at the strategic, tactical and operational levels.
Xander has over 30 years of experience in all aspects of Information Technology, ranging from Consulting, Security, Architecture, Performance tuning, Design, Development, Coding, Testing and Operations in different roles and positions at Oracle, Orient Overseas Container Lines (OOCL) Ltd, Hong Kong Government, Everett, Ricoh and at 50+ companies in consulting roles. For Oracle University he has taught training classes on Architecture, Security, Performance design and tuning, High Availability and Identity Management for both internal and external audiences.
Xander holds a bachelor’s degree in Higher Informatics from The Hague University of Applied Sciences, has been a Certified Information System Security Professional (CISSP) since 2002, is a PECB Certified ISO/IEC 27001 Lead Implementer and has held Certified Cloud Security Knowledge (CCSK) since 2013.
Presentation: The Security Problem of Past, Present and probably also the future
- Philips the medical company
- Introduction to Philips solutions that use AI
- Different types of AI solutions
- The threats to AI
- Processes used to assess the risks of solutions
- AI specific processes to assess the risks
- Security governance
- Conclusions
- Open points
Ian Pearson
Principal Embedded Solutions Engineer, Microchip Technology Inc.
Ian is a Principal Embedded Solutions Engineer at Microchip Technology Inc. He has held roles in MCU and MPU applications and also led the EU Wireless team for many years, introducing Wi-Fi and Bluetooth into the embedded product lines. He has been involved with IoT since its inception and is an advocate of enhancing security in Connected Embedded Systems. To aid this he is active on several working groups in the IoT Security Foundation and has presented on security topics at several conferences. More recently he has returned to the FPGA space and supports Microchip clients on FPGA, SoC and Security needs across multiple market segments.
Nick Allott
CEO, NquiringMinds
Nick is the CEO of NquiringMinds, a company with deep experience in AI, IoT and security.
Nick was formerly the CTO of OMTP, which published over 30 mobile industry technical specifications including TR0/TR1 Trusted Execution Environment, which forms the security basis of many of the PC and mobile technologies we use today. Nick is also the Director of the Webinos Foundation, a secure IoT open source collaboration including W3C, Sony, Samsung, BMW, Deutsche Telekom, Telefonica and 20 other international organisations. In an independent peer review, webinos was deemed to be the most secure of 22 reviewed IoT middleware frameworks. Nick is part of the DCMS Secure by Default Expert Group and a founding member of IoTSF.
NquiringMinds develops two products: TDX Cloud (Trusted Data Exchange), a cloud-based data sharing and analytics platform, and TDX Edge, a highly secure edge-based analytics platform. NQM has won numerous industry awards for its innovative use of AI and security technologies.
Nick has held a number of executive positions at FastMobile, Motorola, Shell, and the Pearson Group. He has a PhD in Artificial Intelligence.
Mo Ahddoud
Chief Information Security Officer, Chameleon Cyber Consultants
Mo Ahddoud CISM. Chief Information Security Officer at Chameleon Cyber Consultants.
Mo is an active contributor to the cybersecurity industry. He writes regularly in the international security journal. He is an ISACA EU Advisory Taskforce member contributing to the European Commission amendment to the Cyber Security Act.
Mo was recognised in 2017 by the British Computer Society for Security programme of the year. In 2018, he was recognised as a cyber security innovator at the CA awards in Las Vegas. His recent interests include AI and Smart Cities.
Paul W
Cryptography and hardware security expert, NIST
Paul has worked in cryptography and hardware security since graduating with a degree in mathematics in 2001. He has represented the NCSC and its predecessor organisation in various standards bodies, including the Trusted Computing Group, Global Platform and FIDO. His current role in NCSC allows him to spend time with academic and industry partners learning what the future holds for security technology, and also to help user communities take advantage of new features. Outside of work Paul likes to cycle up small hills in summer, and ski down bigger ones in winter.
Florian Lukavsky
CTO, ONEKEY
Florian Lukavsky started his hacker career at an early age, bypassing parental control systems. Since then, he has responsibly reported numerous zero-day vulnerabilities to software vendors and has conducted hundreds of pentests and security reviews of connected devices as a CREST-certified ethical hacker. After building offensive cyber-security teams in Singapore, Malaysia, Thailand, and Switzerland, he founded ONEKEY.
Today, Florian Lukavsky aids organizations with SBOM, security & compliance automation for connected devices as CTO of ONEKEY, the leading European product security platform.
Opening Plenary Session: IoT Security: Past, Present, Future
The opening plenary session sets the stage for the rest of the day, exploring the cutting edge of IoT cybersecurity, AI and emerging themes. Following the welcome address, we will have two keynote talks that look at the emerging innovation and technology future. We will also take a look at what is in store for the IoTSF and its members with insights from the Executive Steering Board via a panel session taking the theme of the conference: IoT security – past, present and future.
This plenary session promises to equip attendees with a comprehensive understanding of the cybersecurity landscape, setting the context for the specialized tracks that follow. Attendees will not want to miss this opportunity to gain valuable insights from industry leaders and connect with fellow professionals at the forefront of IoT security.
The Future of IoT Security: Embracing Collaborative Approaches and Comprehensive Frameworks
New developments in the evolution of the IoT Security Foundation’s popular security assurance framework will be announced and we will explain its transformation from a developer checklist to a corporate reference for automating audits and certification. We also highlight the recent and important work from NIST on IoT Device Onboarding and Lifecycle Management, which addresses real-world trust challenges across enterprise, industrial and consumer networks. Join us to understand the collaborative future of IoT security and its practical implications.
IoT Foundations of Trust: Secure by Design
This session explores contemporary cutting-edge approaches to building security into IoT devices and systems from the ground up. Experts will outline the essential elements for secure IoT products and also look at solutions for decentralized and autonomous IoT applications, examining how to leverage hardware security modules to protect vehicle-to-everything (V2X) communications.
We will also delve into the critical role of true randomness in cryptography with a focus on preparing for emerging AI and quantum computing threats.
Attendees will gain practical insights into implementing robust security measures at the hardware and system level to create resilient IoT systems.
The CISO Journey: From Coax to Resilience
In this session, we look at how cyber security has changed over the last 20+ years from the CISO perspective. Once upon a time, all they worried about were operating systems, printers, memory sticks and shadow IT. But soon every new technology became shadow IT, with mobile phones, iPads, social media, cloud services, etc.
This session will explore how CISOs started from overseeing information security, which included computers, users, the network, etc. to today, where they have to view things from an enterprise cyber resilience perspective. Does this really mean that there is nothing that they can rule out from having to provide guidance on or be responsible for? These and many other questions will be explored with our expert panel who will provide perspectives of what cyber resilience means to them in their daily world view for an enterprise.
The Practice of IoT Security: From Breach Response to Threat Anticipation
The session also includes best practices for comprehensive testing of products with diverse supply chain components. Through expert-led talks and interactive discussions, participants will gain valuable insights to strengthen their organization’s IoT security posture.
The Business of IoT Security: Mastering the Economics
In this session we look at security through the economics lens – how can security help us win in business? What do we need to know beyond the technical requirements, how do we weigh up risk and reward – how can the approach be used to underpin, even boost business objectives?
IoT technology has many commercial applications, and the resilience to attack of the connected systems is essential for business success. Context is king when determining security features, yet the business case dominates the feasibility of any successful, sustainable, security posture.
Securing IoT: Lessons from the Past, Laughs in the Present, Leaps to the Future
This engaging IoT security session will equip attendees with valuable insights and practical strategies to enhance their IoT defences. We’ll examine historical patterns, extracting crucial lessons to fortify future IoT implementations.
Prepare yourself for a humorous yet eye-opening journey through the “10 Rules to Build Unsecure Embedded Systems” highlighting common pitfalls and misguided practices that compromise security. We’ll also explore the cutting-edge world of eSIMs, uncovering their unique security properties and how they can future-proof IoT device protection. This session blends historical analysis, satirical reflection, and emerging technology insights to provide a comprehensive view of IoT security challenges and solutions.
IoT Security Compliance: Navigating the Regulatory Landscape
As connected devices become ubiquitous in our homes, businesses, and cities, the need for security oversight has never been more critical. Yet, the path to regulation is fraught with challenges. This session illuminates the complex reality of IoT security regulation and compliance, where innovation and protection must coexist.
We’ll explore the global regulatory landscape, focusing on Europe’s CRA and RED, the UK’s PSTI, NIST CSF 2 and NIS2. Our expert speakers will dissect the delicate balance between fostering innovation and ensuring user safety, addressing the concerns of compliance professionals grappling with legal uncertainties and potential penalties.
Whether you’re an IoT manufacturer, policymaker, developer, consultant, or security professional, this session will equip you with the knowledge and insights needed to navigate the evolving regulatory landscape. Don’t miss this opportunity to stay ahead of the curve and contribute to a more secure and innovative IoT future.
Memory Safety: The Pernicious Challenge
What is the memory safety challenge? How big an issue is it and what can be done? Join this session to learn about the complexities of memory safety, explore current solutions, and glimpse into the future of secure IoT systems.
Whilst memory safety in computing has been identified as a challenge since the 1970s, it became a significantly bigger problem with the growth of connected and distributed systems – such as the IoT. Solutions to the memory safety challenge are beginning to emerge from the research labs toward real-world applications underpinned by a range of hardware and software technologies. This session dives into the critical world of memory safety and its implications for secure IoT systems. Beginning with an academic exploration of memory safety fundamentals, we progress to cutting-edge industry solutions.
We’ll examine the UK government-backed CHERI project, discuss the role of memory-safe languages like Rust, and explore industry efforts to popularize these technological advances.
This session is intended for designers, developers, manufacturers, and users of IoT technology, providing them with the knowledge and tools needed to improve the security and reliability of connected systems.
The Human Side of IoT Security: Protecting People, Spaces, and Systems
This session explores critical aspects of IoT security, focusing on protecting vulnerable communities and public spaces while addressing technical challenges in embedded systems. Experts will discuss how IoT technologies can be misused to target at-risk groups and strategies to mitigate these threats.
We’ll examine the importance of language and framing when discussing IoT deployments in public areas, emphasizing transparency and community engagement. The session will also delve into common vulnerabilities in embedded systems, sharing insights from hands-on security education. A guest speaker will highlight the crucial role of cross-sector collaboration in building a more secure IoT landscape. Attendees will gain a wider view of IoT security challenges and practical approaches to address them.