Featured Talk: CSS on Secure Identity as the Key to doing IoT at Scale

Managing digital identities is one of the most vexing problems on the Internet of Things. That shouldn’t come as a surprise – managing digital identities was a high bar to clear even for the old “Internet of machines,” where the challenges of managing PKI infrastructure often prompted application and device makers to take shortcuts, or avoid the use of strong identities altogether.

On the Internet of Things, of course, the challenges multiply. Endpoints might be small and resource constrained. Ecosystems are spread between dispersed agents and cloud-based management back ends. Deployments are far more varied and – in some cases – have far greater scale than could be found on any enterprise network. Identity on the IoT has to be secure – yes – but also highly scalable and cryptographically agile. That’s a big challenge.

Judah Aspler is the Vice President of Business Development at Certified Security Solutions (CSS)

Still: strong, provable digital identity is more critical than ever. Just last week, for example, the security firm Pen Test Partners warned that their red team analysis of SatCom satellite communications systems used aboard container ships revealed a range of security flaws that could be exploited by malicious adversaries to coax the huge ships off course – possibly even sinking or grounding them. Pen Test hackers found they could hack into satcom terminal hardware via administrative interfaces that were accessible from the public Internet over the insecure Telnet and HTTP protocols. Many accepted unsigned firmware updates, as well, they found.

This can’t stand. We’ve already tasted the fruit of insecure IoT deployments with the Mirai botnet and the WannaCry and NotPetya wiper malware. As the stakes of adverse events move from bits and bytes to “flesh and blood” (as our featured speaker Josh Corman will explain), organizations that are building and deploying connected products need to do so on a foundation of trust.

That’s why we’re thrilled to welcome CSS as a Security of Things sponsor and to have Judah Aspler of CSS on our agenda on June 19th to talk about how CSS’ customers are using trusted partners – including CSS and PTC – to secure IoT deployments at scale. In his featured talk, Judah will discuss how organizations can use the ThingWorx platform to provide a wide range of security capabilities to IoT deployments, including authentication, authorization, encryption and secure software and firmware updates.

If you’re not familiar with CSS, they provide a range of solutions that offer effective PKI operations and digital certificate management. Their tools allow firms to automate the management of digital certificates, enforce certificate security requirements and scale PKI to IoT dimensions in a way that is economically viable. You can learn more about CSS here.

We look forward to seeing you in the audience for Judah’s talk on strong identity and IoT, which takes place at 11:00 AM on Tuesday, June 19!

RSA Innovation Sandbox Finalist ReFirm Labs at Security of Things Forum

Terry Dunlap, the Chief Executive Officer and Co-Founder of ReFirm Labs, will present at the June 19 Security of Things Forum in Boston.

Taking place alongside PTC LiveWorx, The Security of Things Forum is New England’s premier IoT and security event. It brings together some of the world’s top experts, executives and entrepreneurs who are focused on the challenge of our time: securing the Internet of Things. [Use this link to register for the Forum!]

Senrio researchers to expose risk of lateral IoT attacks

As connected devices make their way onto more enterprise networks, researchers from the cutting edge IoT security firm Senrio will demonstrate how insecure and compromised Internet of Things endpoints can be leveraged in damaging cyber attacks.

Senrio Chief Technology Officer Stephen Ridley and VP of Research M Carlton will demonstrate how would-be attackers can exploit known vulnerabilities in the firmware (software) running on devices like IP cameras, wireless routers, network attached storage and other devices to gain access to – and control over – hardware ranging from medical devices to industrial machinery.

>> Your ticket to the Security of Things™ Forum comes with an Explorer pass to LiveWorx 2018.
Register now and get $75 off admission using this link. <<

The two will present their research at The Security of Things Forum, a one day Internet of Things and security event taking place alongside the 2018 PTC LiveWorx Conference in Boston on June 19.

Stephen Ridley, the CTO and Founder of Senrio will present research on the danger of lateral attacks between IoT devices.

Embedded devices like routers and cameras pose a variety of risks to sensitive IT environments, Ridley and Carlton say. Among them: the re-use of vulnerable code across product families. That means a software flaw found in one firmware file might exist across dozens or scores of other versions of that software running on hundreds of different types of products.

Senrio has used research to expose these risks before. Last year, for example, its researchers highlighted a flaw dubbed Devil’s Ivy, which affected hundreds of security cameras made by the firm Axis Communications. That flaw was linked to a third-party software library and would allow an attacker who could connect to an Axis camera from the public Internet to take control of it, even if she did not know the user name and password required to log into the device.

In their presentation at The Security of Things, Ridley and Carlton will demonstrate how attackers can launch lateral attacks between IoT devices using critical vulnerabilities in popular devices. Among other things, the two will show that common responses to this threat, such as segmenting networks containing IoT devices, are an insufficient defense.

The two will discuss useful approaches to identify IoT devices in sensitive network environments, assess their security risk and protect them from compromise. Get your tickets now to reserve your seat!

About the Security of Things™ Forum (SECoT)

The Security of Things™ Forum (SECoT) delivers some of the world’s leading experts and executives for a day of discussion and debate on the preeminent challenge of our time: securing the Internet of Things. Since 2014, SECoT has drawn experts, practitioners, executives and entrepreneurs from government, academia and the private sector to explore the practical and political challenges of securing a global population of tens of billions of connected, intelligent devices.

Past keynote speakers include Chris Valasek of Uber, Dan Geer, the Chief Information Security Officer of In-Q-Tel, Federal Trade Commissioner Julie Brill, Raytheon CTO Michael Daniels and renowned hacker Moxie Marlinspike.

Bits and Bytes, Flesh and Blood: PTC CSO Joshua Corman to address June Forum

Josh Corman, CISO at PTC

Joshua Corman, the Chief Security Officer at PTC and co-founder of the grassroots advocacy group I Am The Cavalry will be a featured speaker at the 5th Security of Things Forum on June 19th in Boston.

Corman, formerly the Director of the Cyber Statecraft Initiative, will present a talk entitled “Bits and Bytes, Flesh and Blood: The Real Cyber Consequences of Unsafe IoT.” In it, Corman discusses the need to re-evaluate cyber risk and cyber security for the Internet of Things.

[Grab your Security of Things Tickets here.]

Joshua Corman is the Chief Information Security Officer at PTC.

Our society and others have learned through hard experience to balance the convenience and public health trade offs of other technological breakthroughs. It took decades, for example, for public health and safety advocates to force basic safety features like seatbelts on the automobile industry. Four decades later, seatbelts are accompanied by front and side airbags and the safety rating of a vehicle is a big part of its value on the sales lot.

In the information security space, however, the stakes for attacks and failures have – thus far – been low: the loss of data or availability, a hit to an organization’s productivity numbers. However, that is changing. Faults in IT systems increasingly have real world consequences, as the WannaCry attack demonstrated when it crippled hospitals throughout the UK.

With cyber risk involving not just “bits and bytes” but “flesh and blood,” as Corman notes, do we need an equivalent “five star safety rating” for Internet of Things devices like connected cars, implantable medical devices or even the lowly webcam? If so, what is the best way to stand up such an oversight function and where should its authority lie?

Beyond that: what cultural changes are needed within the software development and information security industries to address the risks posed by billions of Internet connected things? Corman gives us his thoughts and a vision of a possible future.

Join us on June 19th in Boston to hear Josh’s illuminating talk!

Cutting Edge Content & Speakers

Since 2014, experts, practitioners and entrepreneurs from government, academia and the private sector have gotten together to explore the practical and political challenges of securing a global population of tens of billions of connected, intelligent devices.

In SECoT 2018 our focus continues to zero in on exploring the obstacles real world IoT security implementations face in arenas such as critical infrastructure, manufacturing and healthcare. This is an event that can’t be missed!

Keynote: New York Times Bestselling Author Cory Doctorow

9:05 am – 9:45 am

Cory Doctorow

Keynote Speaker

Cory Doctorow is a science fiction author, activist, journalist and blogger – the co-editor of Boing Boing (boingboing.net) and the author of INFORMATION DOESN’T WANT TO BE FREE, RAPTURE OF THE NERDS and MAKERS. He works for the Electronic Frontier Foundation, is a MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.


Panel: Securing Real World IoT Deployments in agriculture, aquaculture, smart city

10:00 am – 10:45 am

This panel will discuss the challenges of securing real world Internet of Things deployments in areas like manufacturing, robotics, agriculture/aquaculture and more.

Moderator

Chris Rezendes, SphericalAnalytics & Context Labs

Chris is the Chief Business Officer at SphericalAnalytics.io, a blockchain-enabled Trust Platform that ingests, proofs and ledgers the most accurate environmental data and climate analytics in the world. Chris is also Executive Staff at Context Labs BV. Prior to that, Chris was the founder of INEX Advisors and IoT Impact Labs, which brought together IoT startups with small and mid-sized businesses (SMBs) to run live field pilots and grow revenue-generating commercial programs for various IoT solutions in real-world settings.

Speaker

Christopher Cacioppo, 6 River Systems

Chris is co-founder and CTO of 6 River Systems, a Waltham-based company that is disrupting the eCommerce logistics space by utilizing autonomous robots to work in collaboration with floor level operators. Chris leads multidisciplinary teams of talented engineers, with backgrounds in mechanical, electrical, firmware, software, robotics, and cloud computing. Chris’s background is in Algorithms, Electrical Engineering, Firmware and Computer Science, with additional work in Industrial Design and Mechanical Engineering.

Speaker

Gavin Nicol, CEO Context Labs

Gavin has been a technology leader and innovator for 25+ years working at corporate research centers in Japan, and corporations and startups in the US and the Netherlands.

Through his work at EBT, a founding member of the W3C, he has broadly influenced many of the technologies underlying the modern web. He played a significant role in the development of the HTML, HTTP, XML, XSL, DOM, XPath, SVG, XQuery and XLink standards, and in building some of the earliest prototypes and implementations of the technologies. He is considered “the father of I18N on the WWW”.

His work at Context Labs focuses on scalable blockchain and distributed ledger technologies, security models, identity models, large scale data analytics, graph analytics, and on applications of these technologies within verticals.

Panelist

Chris Poulin, Booz Allen Hamilton

Chris Poulin leads the Internet of Things (IoT) security research and development activities for the Cyber Futures team at Booz Allen Hamilton. Chris filled a number of information security roles over the past three decades, most recently focusing on IoT, with a specialty in connected cars, as well as threat intelligence and cognitive computing.

Chris began his career as a software developer in the U.S. Air Force and managed global intelligence networks for the National Reconnaissance Office. After leaving the military, Chris founded FireTower Inc., an information security consulting firm, which worked for a variety of Fortune 100 clients. After selling FireTower Inc., Chris joined Q1 Labs, a startup in the security information and event management space, as chief security officer. IBM acquired Q1 Labs, where Chris spent the last 5 years researching and analyzing security trends in cybercrime, cyber warfare, corporate espionage, and hacktivism. He also spent much of his time focused on emerging threats as a research strategist for IBM’s X-Force research and development team.


Trust is the Foundation of a Cyber Security Framework

11:00 am – 11:45 am

Sponsored by CSS Security, this talk will discuss the concept of secure identity for the Internet of Things and how secure identity lays the foundation of trust on the Internet of Things: from NIST guidelines to life critical devices.


Bits and Bytes, Flesh and Blood: The Real Cyber Consequences of Unsafe IoT

1:15 pm – 2:00 pm

Information security is no longer just about securing bits and bytes. More and more, it is about protecting flesh and blood. Join PTC Chief Security Officer Josh Corman as he discusses the need to re-evaluate cyber risk and cyber security for the Internet of Things.

Joshua Corman, CSO at PTC

Speaker

Joshua Corman is the CSO at PTC. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to increasing dependence on technology. Corman’s unique approach to security in the context of human factors, adversary motivations and social impact has positioned him as one of the most trusted names in security.


Panel: IoT Standards – missing in action

2:15 pm – 3:00 pm

Sponsored by UL LLC, this animated discussion will address the challenges in using IoT security frameworks. Among the topics discussed: identifying existing standards and best practices and addressing gaps in existing IoT security standards.

Moderator

Rob Black, Fractional CISO

Rob Black, CISSP is the Founder and Managing Principal of Fractional CISO. Rob has extensive experience in cyber security, anti-fraud, Internet of Things (IoT), web services and cloud solutions. He has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. Rob received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP). Rob is the inventor of three security patents. He regularly speaks at conferences and blogs about IoT security.

Panelist

Ken Modeste, UL

Ken Modeste is Director, Connected Technologies and the Cybersecurity Technical Lead for UL’s Commercial & Industrial Business Unit (C&I). His global responsibilities cover cybersecurity, interoperability and protocol compliance. Ken works to ensure the security and interoperability of C&I programs, and is its principal technical leader, and the primary technical lead for UL’s Cybersecurity Assurance Program (UL CAP). Ken is responsible for building capabilities within UL to service Manufacturers and Asset Owners by providing testing, advisory capabilities and certification for connected equipment and IoT.

For UL CAP, Ken led the effort in creating the UL 2900 series of standards that addresses security concerns in network-connectable products and systems (IoT). He leads the test, compliance and advisory efforts of application software, embedded software, firmware, drivers, middleware, cloud and mobile apps and operating systems for industrial control systems, building automation, building security, commercial lighting, smart home and commercial & residential applications of appliances.

Ken participates in several global standards committees on security in multiple disciplines and, as the global leader for cybersecurity, continues to drive thought leadership for cybersecurity assurance in the new IoT world.

Email: Ken.Modeste@ul.com

Speaker

Brian Russell, Cloud Security Alliance

Brian Russell is a strategic advisor at VDOO, Chair of the Cloud Security Alliance (CSA) Internet of Things Working Group and an Adjunct Professor at the University of San Diego. He has served on the Editorial Panel for the 20 Critical Security Controls for Effective Cyber Defense, supported the Federal Communications Commission IoT Security Advisory Group, and is a regular contributor to the Securing Smart Cities initiative. Brian’s past experience includes the design and implementation of a Security Operations Center, engineering of high assurance IP security protocols, cryptographic modernization for the Navy, the design and development of Key Management Systems for the Department of Defense, and security architectures for unmanned aerial systems and connected vehicles operating within the United States.

Speaker

William Brown, Johnson Controls

Will Brown leads the product security team responsible for the line of physical security products from Johnson Controls. He has over fifteen years of experience in the testing and certification of products as well as the development of standards and the auditing of test labs. Recently he has been working closely with UL and their development of the UL 2900 suite of cybersecurity standards and today has the only product certified to UL 2900-2-3.


Presentation: Lateral Attacks Between Connected Devices

Researchers from Senrio discuss the findings of research that shows how attackers can move laterally on IoT networks.

Speaker

Stephen Ridley, CTO Senrio

Stephen is the founder and CTO at Senrio. Stephen has more than 10 years of experience in software development, software security, and reverse engineering. His original research on embedded device vulnerabilities has been featured on NPR, SecurityWeek, Wired and numerous other publications. Prior to his current work at Senrio, Mr. Ridley was Principal Researcher at Xipiter and served as the Chief Information Security Officer of a financial services firm. Prior to that, he held various information security researcher/consultant roles (Matasano Security, et al.) and was Senior Security Architect at McAfee. Earlier in his career, Stephen was a founding member of the Security and Mission Assurance (SMA) group at a major U.S. Defense contractor where he did vulnerability research and reverse engineering in support of the U.S. Defense and Intelligence community.

Speaker

M. Carlton, Senrio

M. Carlton leads the research team at Senrio, focusing on connected device security. After graduating from MIT, she worked in software security before joining the embedded security team at Draper Laboratory. Her recent work at Senrio has included discovering patterns in IoT vulnerabilities and identifying new ways in which devices are attacked.


Breakout Session: Behind the Scenes of the Cyber Talent Shortage

4:15 pm – 4:30 pm

Sponsored by CyberSN, CEO Deidre Diamond gives a “from the trenches” perspective on the cyber security skills shortage. How is it affecting firms? What are cutting edge firms in financial services, healthcare and other industries doing to find and retain top cyber talent? Find out in this illuminating breakout session!

Speaker

Deidre Diamond, CEO CyberSN

Deidre Diamond is the CEO and Founder of CyberSN.com, a cybersecurity research and staffing company, and the Founder of brainbabe.org, a cybersecurity not-for-profit organization. Deidre’s vision and leadership have resulted in a dramatic decrease in the frustration, time and cost associated with job searching and hiring for cybersecurity professionals.

Prior to CyberSN, Deidre was the CEO of Percussion Software, the first VP of Sales at Rapid7 and the VP of Staffing and Recruiting for the national technical staffing company Motion Recruitment. Deidre leads with a strong commitment to transparency, equality, training, support, high-productivity and love in the workforce.


Breakout Session: One Vulnerability to Rule them All (ReFirm Labs)

4:30 pm – 4:45 pm

In this IoT security innovators breakout session, ReFirm Labs CEO Terry Dunlap will demonstrate the often-overlooked security risks of IoT firmware. Diving into how his team discovered firmware vulnerabilities left behind by China’s second-largest camera manufacturer, Dahua, Terry will unmask how flawed firmware on IoT devices has resulted in countless cases of privacy invasion and malicious tampering that have proven detrimental to government organizations.

Speaker

Terry Dunlap, CEO ReFirm Labs

Arrested in 1985 at the age of 17 for doing naughty things with a Commodore 64 and a 1200 baud modem, Terry Dunlap went on to receive a Top Secret security clearance with the US National Security Agency. Dunlap continued to do creative things against embedded devices but this time it was with his government’s blessing. He currently serves as the CEO of ReFirm Labs, a company he founded in 2017 that focuses on vetting firmware for vulnerabilities. Prior to founding ReFirm Labs, he launched and led a successful Maryland-based cybersecurity startup named Tactical Network Solutions.

 


Breakout Session: Scaling security and identity for real world IoT deployments (Zuul IoT)

4:45 pm – 5:00 pm

In this IoT security innovators breakout session, Zuul IoT CEO Drew Cohen will discuss the challenges of managing both identity and security at scale in IoT deployments including smart city, transportation and industry. He will discuss the need for both new tools and processes to secure IoT at scale.

Drew Cohen, CEO Zuul IoT

Drew’s background is rooted in software and system delivery. Early in his career he developed systems that were deployed across the Intelligence Community and DoD, including the first operational Navy intelligence system built using commercial-off-the-shelf (COTS) hardware, POST, and the map rendering software for one of the first GIS systems deployed widely across the Intelligence Community, Oilstock.

After developing an exclusive relationship with Netscape in the early 1990’s, he left Government contracting to become the CTO and founder of an Internet startup, iFusion LLC. In 1995 he moved to Silicon Valley and joined Intel Corporation as Director of Technical Strategy for Intel’s Content Group. During this time he was also a key member of the original team at what later became Intel Capital, Intel’s venture capital arm. In 1997 he left Intel to become a founder and CEO of NeoPlanet Inc., a technology startup that was sold to Compaq in 2001.

He returned to his roots, to support the Government after 9/11, working for Booz Allen Hamilton. During this time he was promoted to Partner and Senior Vice President and was responsible for starting Booz Allen’s cloud computing initiative and leading Booz Allen’s systems development work across National Security Accounts.