Managing digital identities is one of the most vexing problems on the Internet of Things. That shouldn’t come as a surprise – managing digital identities was a high bar to clear even for the old “Internet of machines,” where the challenges of managing PKI infrastructure often prompted application and device makers to take shortcuts, or avoid the use of strong identities altogether.
On the Internet of Things, of course, the challenges multiply. Endpoints might be small and resource constrained. Ecosystems are spread between dispersed agents and cloud-based management back ends. Deployments are far more varied and, in some cases, have far greater scale than could be found on any enterprise network. Identity on the IoT has to be secure, yes, but also highly scalable and cryptographically agile. That’s a big challenge.
Still: strong, provable digital identity is more critical than ever. Just last week, for example, the security firm Pen Test Partners warned that their red team analysis of SatCom satellite communications systems used aboard container ships revealed a range of security flaws that could be exploited by malicious adversaries to coax the huge ships off course, possibly even sinking or grounding them. Pen Test hackers found they could hack into satcom terminal hardware via administrative interfaces that were accessible from the public Internet over the insecure Telnet and HTTP protocols. Many accepted unsigned firmware updates, as well, they found.
This can’t stand. We’ve already tasted the fruit of insecure IoT deployments with the Mirai botnet and the WannaCry and NotPetya wiper malware. As the stakes of adverse events move from bits and bytes to “flesh and blood” (as our featured speaker Josh Corman will explain), organizations that are building and deploying connected products need to do so on a foundation of trust.
That’s why we’re thrilled to welcome CSS as a Security of Things sponsor and to have Judah Aspler of CSS on our agenda on June 19th to talk about how CSS’ customers are using trusted partners, including CSS and PTC, to secure IoT deployments at scale. In his featured talk, Judah will discuss how organizations can use the ThingWorx platform to provide a wide range of security capabilities to IoT deployments, including authentication, authorization, encryption and secure software and firmware updates.
If you’re not familiar with CSS, they provide a range of solutions that offer effective PKI operations and digital certificate management. Their tools allow firms to automate the management of digital certificates, enforce certificate security requirements and scale PKI to IoT dimensions in a way that is economically viable. You can learn more about CSS here.
We look forward to seeing you in the audience for Judah’s talk on strong identity and IoT, which takes place at 11:00 AM on Tuesday, June 19!
Joshua Corman, the Chief Security Officer at PTC and co-founder of the grassroots advocacy group I Am The Cavalry, will be a featured speaker at the 5th Security of Things Forum on June 19th in Boston.
Corman, formerly the Director of the Cyber Statecraft Initiative, will present a talk entitled “Bits and Bytes, Flesh and Blood: The Real Cyber Consequences of Unsafe IoT.” In it, Corman discusses the need to re-evaluate cyber risk and cyber security for the Internet of Things.
Our society and others have learned through hard experience to balance the convenience and public health trade-offs of other technological breakthroughs. It took decades, for example, for public health and safety advocates to force basic safety features like seatbelts on the automobile industry. Four decades later, seatbelts are accompanied by front and side airbags, and the safety rating of a vehicle is a big part of its value on the sales lot.
In the information security space, however, the stakes for attacks and failures have, thus far, been low: the loss of data or availability, a hit to an organization’s productivity numbers. However, that is changing. Faults in IT systems increasingly have real world consequences, as the WannaCry attack demonstrated when it crippled hospitals throughout the UK.
With cyber risk involving not just “bits and bytes” but “flesh and blood,” as Corman notes, do we need an equivalent “five star safety rating” for Internet of Things devices like connected cars, implantable medical devices or even the lowly webcam? If so, what is the best way to stand up such an oversight function and where should its authority lie?
Beyond that: what cultural changes are needed within the software development and information security industries to address the risks posed by billions of Internet connected things? Corman gives us his thoughts and a vision of a possible future.
Join us on June 19th in Boston to hear Josh’s illuminating talk!
Since 2014, experts, practitioners and entrepreneurs from government, academia and the private sector have gotten together to explore the practical and political challenges of securing a global population of tens of billions of connected, intelligent devices.
At SECoT 2018 our focus continues to zero in on the obstacles that real world IoT security implementations face in arenas such as critical infrastructure, manufacturing and healthcare. This is an event that can’t be missed!
Keynote: New York Times Bestselling Author Cory Doctorow
9:05 am – 9:45 am
Panel: Securing Real World IoT Deployments in agriculture, aquaculture, smart city
10:00 am – 10:45 am
This panel will discuss the challenges of securing real world Internet of Things deployments in areas like manufacturing, robotics, agriculture/aquaculture and more.
Chris Rezendes, SphericalAnalytics & Context Labs
Chris is the Chief Business Officer at SphericalAnalytics.io, a blockchain-enabled Trust Platform that ingests, proofs and ledgers the most accurate environmental data and climate analytics in the world. Chris is also Executive Staff at Context Labs BV. Prior to that, Chris was the founder of INEX Advisors and IoT Impact Labs, which brought together IoT startups with small and mid-sized businesses (SMBs) to run live field pilots and grow revenue-generating commercial programs for various IoT solutions in real-world settings.
Christopher Cacioppo, 6 River Systems
Chris is co-founder and CTO of 6 River Systems, a Waltham-based company that is disrupting the eCommerce logistics space by utilizing autonomous robots to work in collaboration with floor level operators. Chris leads multidisciplinary teams of talented engineers, with backgrounds in mechanical, electrical, firmware, software, robotics, and cloud computing. Chris’s background is in Algorithms, Electrical Engineering, Firmware and Computer Science, with additional work in Industrial Design and Mechanical Engineering.
Gavin Nicol, CEO Context Labs
Gavin has been a technology leader and innovator for 25+ years working at corporate research centers in Japan, and corporations and startups in the US and the Netherlands.
Through his work at EBT, a founding member of the W3C, he has broadly influenced many of the technologies underlying the modern web. He played a significant role in the development of the HTML, HTTP, XML, XSL, DOM, XPath, SVG, XQuery and XLink standards, and in building some of the earliest prototypes and implementations of the technologies. He is considered “the father of I18N on the WWW”.
His work at Context Labs focuses on scalable blockchain and distributed ledger technologies, security models, identity models, large scale data analytics, graph analytics, and on applications of these technologies within verticals.
Chris Poulin, Booz Allen Hamilton
Chris Poulin leads the Internet of Things (IoT) security research and development activities for the Cyber Futures team at Booz Allen Hamilton. Chris filled a number of information security roles over the past three decades, most recently focusing on IoT, with a specialty in connected cars, as well as threat intelligence and cognitive computing.
Chris began his career as a software developer in the U.S. Air Force and managed global intelligence networks for the National Reconnaissance Office. After leaving the military, Chris founded FireTower Inc., an information security consulting firm, which worked for a variety of Fortune 100 clients. After selling FireTower Inc., Chris joined Q1 Labs, a startup in the security information and event management space, as chief security officer. IBM acquired Q1 Labs, and Chris spent the following 5 years there researching and analyzing security trends in cybercrime, cyber warfare, corporate espionage, and hacktivism. He also spent much of his time focused on emerging threats as a research strategist for IBM’s X-Force research and development team.
Trust is the Foundation of a Cyber Security Framework
11:00 am – 11:45 am
Sponsored by CSS Security, this talk will discuss the concept of secure identity for the Internet of Things and how secure identity lays the foundation of trust on the Internet of Things: from NIST guidelines to life critical devices.
Judah Aspler, Certified Security Solutions (CSS)
Judah Aspler is the vice president of business development at CSS and is responsible for CSS’ partner strategy, including technology alliances, channel, and OEM.
Judah comes to CSS from Microsoft, where he served in sales and business development roles within the Identity & Security and Mobile Device Management businesses, as well as serving as an Account Technology Strategist in Canada.
Judah joined Microsoft in 2006 by way of its acquisition of Whale Communications, a start-up that developed the secure remote access solution later branded Unified Access Gateway (UAG). During his 6 years at Whale, Judah served in both technical and sales roles, acting as sales engineer and eventually enterprise account manager for major accounts, and then served as business development manager focused on building Whale’s strategic partnership with Microsoft.
Bits and Bytes, Flesh and Blood: The Real Cyber Consequences of Unsafe IoT
1:15 pm – 2:00 pm
Information security is no longer just about securing bits and bytes. More and more, it is about protecting flesh and blood. Join PTC Chief Security Officer Josh Corman as he discusses the need to re-evaluate cyber risk and cyber security for the Internet of Things.
Panel: IoT Standards – missing in action
2:15 pm – 3:00 pm
Sponsored by UL LLC, this animated discussion will address the challenges of using IoT security frameworks. Among the topics discussed: identifying existing standards and best practices and addressing gaps in existing IoT security standards.
Rob Black, Fractional CISO
Rob Black, CISSP is the Founder and Managing Principal of Fractional CISO. Rob has extensive experience in cyber security, anti-fraud, Internet of Things (IoT), web services and cloud solutions. He has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. Rob received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP). Rob is the inventor of three security patents. He regularly speaks at conferences and blogs about IoT security.
Ken Modeste, UL
Ken Modeste is Director, Connected Technologies and the Cybersecurity Technical Lead for UL’s Commercial & Industrial Business Unit (C&I). His global responsibilities cover cybersecurity, interoperability and protocol compliance. Ken works to ensure the security and interoperability of C&I programs, serves as their principal technical leader, and is the primary technical lead for UL’s Cybersecurity Assurance Program (UL CAP). Ken is responsible for building capabilities within UL to serve manufacturers and asset owners by providing testing, advisory capabilities and certification for connected equipment and IoT.
For UL CAP, Ken led the effort in creating the UL 2900 series of standards, which addresses security concerns in network-connectable products and systems (IoT). He leads the test, compliance and advisory efforts for application software, embedded software, firmware, drivers, middleware, cloud and mobile apps and operating systems for industrial control systems, building automation, building security, commercial lighting, smart home and commercial & residential applications of appliances.
Ken participates in several global standards committees on security in multiple disciplines and, as the global leader for cybersecurity, continues to drive thought leadership for cybersecurity assurance in the new IoT world.
Brian Russell, Cloud Security Alliance
Brian Russell is a strategic advisor at VDOO, Chair of the Cloud Security Alliance (CSA) Internet of Things Working Group and an Adjunct Professor at the University of San Diego. He has served on the Editorial Panel for the 20 Critical Security Controls for Effective Cyber Defense, supported the Federal Communications Commission IoT Security Advisory Group, and is a regular contributor to the Securing Smart Cities initiative. Brian’s past experience includes the design and implementation of a Security Operations Center, engineering of high assurance IP security protocols, cryptographic modernization for the Navy, the design and development of Key Management Systems for the Department of Defense, and security architectures for unmanned aerial systems and connected vehicles operating within the United States.
William Brown, Johnson Controls
Will Brown leads the product security team responsible for the line of physical security products from Johnson Controls. He has over fifteen years of experience in the testing and certification of products as well as the development of standards and the auditing of test labs. Recently he has been working closely with UL and their development of the UL 2900 suite of cybersecurity standards and today has the only product certified to UL 2900-2-3.
Presentation: Lateral Attacks Between Connected Devices
Researchers from Senrio discuss the findings of research that shows how attackers can move laterally on IoT networks.
Stephen Ridley, CTO Senrio
Stephen is the founder and CTO at Senrio. Stephen has more than 10 years of experience in software development, software security, and reverse engineering. His original research on embedded device vulnerabilities has been featured on NPR, SecurityWeek, Wired and numerous other publications. Prior to his current work at Senrio, Mr. Ridley was Principal Researcher at Xipiter and served as the Chief Information Security Officer of a financial services firm. Before that, he held various information security researcher/consultant roles (Matasano Security, et al.) and was Senior Security Architect at McAfee. Earlier in his career, Stephen was a founding member of the Security and Mission Assurance (SMA) group at a major U.S. Defense contractor where he did vulnerability research and reverse engineering in support of the U.S. Defense and Intelligence community.
M. Carlton, Senrio
M. Carlton leads the research team at Senrio, focusing on connected device security. After graduating from MIT, she worked in software security before joining the embedded security team at Draper Laboratory. Her recent work at Senrio has included discovering patterns in IoT vulnerabilities and identifying new ways in which devices are attacked.
Breakout Session: Behind the Scenes of the Cyber Talent Shortage
4:15 pm – 4:30 pm
Sponsored by CyberSN, CEO Deidre Diamond gives a “from the trenches” perspective on the cyber security skills shortage. How is it affecting firms? What are cutting edge firms in financial services, healthcare and other industries doing to find and retain top cyber talent? Find out in this illuminating breakout session!
Deidre Diamond, CEO CyberSN
Deidre Diamond is the CEO and Founder of CyberSN.com, a cybersecurity research and staffing company, and the Founder of brainbabe.org, a cybersecurity not-for-profit organization. Deidre’s vision and leadership have resulted in a dramatic decrease in the frustration, time and cost associated with job searching and hiring for cybersecurity professionals.
Prior to CyberSN, Deidre was the CEO of Percussion Software, the first VP of Sales at Rapid7 and the VP of Staffing and Recruiting for the national technical staffing company Motion Recruitment. Deidre leads with a strong commitment to transparency, equality, training, support, high-productivity and love in the workforce.
Breakout Session: One Vulnerability to Rule them All (ReFirm Labs)
4:30 pm – 4:45 pm
In this IoT security innovators breakout session, ReFirm Labs CEO Terry Dunlap will demonstrate the often-overlooked security risks of IoT firmware. Diving into how his team discovered firmware vulnerabilities left behind by China’s second-largest camera manufacturer, Dahua, Terry will unmask how flawed firmware on IoT devices has resulted in countless cases of privacy invasion and malicious tampering proven detrimental to government organizations.
Terry Dunlap, CEO ReFirm Labs
Arrested in 1985 at the age of 17 for doing naughty things with a Commodore 64 and a 1200 baud modem, Terry Dunlap went on to receive a Top Secret security clearance with the US National Security Agency. Dunlap continued to do creative things against embedded devices but this time it was with his government’s blessing. He currently serves as the CEO of ReFirm Labs, a company he founded in 2017 that focuses on vetting firmware for vulnerabilities. Prior to founding ReFirm Labs, he launched and led a successful Maryland-based cybersecurity startup named Tactical Network Solutions.
Breakout Session: Scaling security and identity for real world IoT deployments (Zuul IoT)
4:45 pm – 5:00 pm
In this IoT security innovators breakout session, Zuul IoT CEO Drew Cohen will discuss the challenges of managing both identity and security at scale in IoT deployments, including smart city, transportation and industry. He will discuss the need for both new tools and new processes to secure IoT at scale.
Drew Cohen, CEO Zuul IoT
Drew’s background is rooted in software and system delivery. Early in his career he developed systems that were deployed across the Intelligence Community and DoD, including the first operational Navy intelligence system built using commercial-off-the-shelf (COTS) hardware, POST, and the map rendering software for one of the first GIS systems deployed widely across the Intelligence Community, Oilstock.
After developing an exclusive relationship with Netscape in the early 1990’s, he left Government contracting to become the CTO and founder of an Internet startup, iFusion LLC. In 1995 he moved to Silicon Valley and joined Intel Corporation as Director of Technical Strategy for Intel’s Content Group. During this time he was also a key member of the original team at what later became Intel Capital, Intel’s venture capital arm. In 1997 he left Intel to become a founder and CEO of NeoPlanet Inc., a technology startup that was sold to Compaq in 2001.
He returned to his roots to support the Government after 9/11, working for Booz Allen Hamilton. During this time he was promoted to Partner and Senior Vice President and was responsible for starting Booz Allen’s cloud computing initiative and leading Booz Allen’s systems development work across National Security Accounts.