IoT applications and prospective solutions mandate consideration of a broad set of security and privacy requirements. The explosion in the number of connected devices poses a significant challenge, as does the diversity of end uses. The World Forum will address the component and platform implications for IoT in the context of the full life cycle for security and privacy regimes. It will also address the many security architectures and approaches that have emerged from Government organizations around the world, from the Commercial Market space, and from the Research Community. Across the wide spectrum of use cases there is a need to appropriately balance security and privacy, and it is useful to think of classifications that distinguish the levels required. As an example, these may be thought of as:
- Highly security-centric “life-and-death” applications such as: critical infrastructure; control systems for connected automobiles, railroads, or aircraft; emergency healthcare
- Intermediate security uses that include: smart home; routine monitoring of facilities; sports and physical exercise activities that involve tracking such as geolocation
- Casual uses such as: games, entertainment, public virtual reality applications, and aspects of social media and general information services
The topics that the Presentations, Panels, and Working Group discussions, for the Track on “Security and Privacy Regimes for IoT” will cover include:
- Achieving secure compose-ability of individually secure devices and components
- Scalability (for massive number of devices, and as contributors to- and consumers of- big data)
- Device-associated robustness levels that also deal with the high variations in heterogeneity (such as stationary and mobile infrastructure, smart phones and user terminals, wearables, the wide range of possible sensors and actuator types, and embedded IoT devices)
- Device ownership and component control (accounting for interoperability, regulatory compliance, governance, audit-ability and risk management)
- Remediation for the reigning confusion caused by the proliferation of standards and certification, and the realization that IoT will create new experiences and a vulnerability surface that is not accounted for
- Testing approaches and procedures that overcome the lack of efficacious and accepted practices — These include: interfacing with and leveraging legacy devices and services; containment against expansion of compromise to other units, systems or networks; effective crypto-agility; defense against advanced threats such as quantum-computing attacks. These also include testing approaches for the differing device lifetimes, and lifecycle support of IoT solutions such as over-the-air firmware and software upgrades
One of the objectives of the Track is to launch future actions and activities that continue beyond the World Forum as part of the IoT Initiative Working Group on “IoT Security and Privacy”.
Jeff Voas, NIST
Jeffrey Voas is an innovator. He is currently a computer scientist at the US National Institute of Standards and Technology (NIST). Before joining NIST, Voas was an entrepreneur and co-founded Cigital that is now part of Synopsys (Nasdaq: SNPS). He has served as the IEEE Reliability Society President (2003-2005, 2009-2010, 2017-2018), and served as an IEEE Director (2011-2012). Voas co-authored two John Wiley books (Software Assessment: Reliability, Safety, and Testability  and Software Fault Injection: Inoculating Software Against Errors . Voas received his undergraduate degree in computer engineering from Tulane University (1985), and received his M.S. and Ph.D. in computer science from the College of William and Mary (1986, 1990 respectively). Voas is a Fellow of the IEEE, member of Eta Kappa Nu, Fellow of the Institution of Engineering and Technology (IET), Fellow of the American Association for the Advancement of Science (AAAS), and member of the Washington Academy of Sciences (WAS).
Konrad Wrona, NATO
Konrad Wrona currently holds a Visiting Professor position at the Military University of Technology in Warsaw, Poland. He is also a Principal Scientist at the NATO Communications and Information Agency in The Hague, The Netherlands. Konrad Wrona has over 20 years of work experience in an industrial (Ericsson Research and SAP Research) and in an academic (RWTH Aachen University, Media Lab Europe, and Rutgers University) research and development environment. He has received his M.Eng. in Telecommunications from Warsaw University of Technology, Poland in 1998, and his Ph.D. in Electrical Engineering from RWTH Aachen University, Germany in 2005. He is an author and a co-author of over sixty publications, as well as a co-inventor of several patents. The areas of his professional interests include broad range of security issues – in communication networks, wireless and mobile applications, distributed systems, and Internet of Things. Konrad Wrona is a Senior Member of the IEEE, Senior Member of the ACM and a member of IACR.
Giancarlo Fortino (SM’12) is Full Professor of Computer Engineering at the Dept. of Informatics, Modeling, Electronics and Systems (DIMES) of the University of Calabria (Unical), Rende (CS), Italy. He has a Ph. D. degree and Laurea (MSc+BSc) degree in Computer Engineering from Unical. He is High-end Foreign Expert of China (term 2015-2018), Guest Professor at the Wuhan University of Technology (China), High-end Expert of HUST (China), and Senior Research Fellow at the Italian National Research Council – ICAR Institute. He has been also Visiting Researcher and Professor at the International Computer Science Institute (Berkeley, USA) and at the Queensland University of Technology (Australia), respectively. He is in the list of Top Italian Scientists (TIS) by VIA-academy, with h-index=37 and 5000+ citations according to GS. He is the director of the SPEME (Smart, Pervasive and Mobile Systems Engineering) Lab at DIMES, Unical and co-director of two joint-labs on IoT technologies established with Wuhan University of Technology and Shanghai Maritime University, respectively. His main research interests include Internet of Things computing and technology, agent-based computing, body area networks, wireless sensor networks, pervasive and cloud computing, multimedia networks, and mobile health systems. He participated to many local, national and international research projects and currently is the deputy coordinator and scientific & technical project manager of the EU-funded H2020 INTER-IoT project. He authored over 375 publications in journals, conferences and books. He chaired more the 90 Int’l conferences/workshops as co-chair, organized more than 40 special issues in well-known ISI-impacted Int’l Journals, and participated in the TPC of over 450 conferences. He is the founding editor of the Springer Book Series on “Internet of Things: Technology, Communications and Computing”, and currently serves (as associate editor) in the editorial board of IEEE Transactions on Affective Computing, IEEE Transactions on Human-Machine Systems, IEEE IoT Journal, Sensors Journal, IEEE Access, Journal of Networks and Computer Applications, Engineering Applications of Artificial Intelligence, Information Fusion. He is the recipient of the 2014 Andrew P. Sage SMC Transactions Paper award. He is co-founder and CEO of SenSysCal S.r.l., a spin-off of Unical, developing innovative IoT-based systems for e-health and domotics. He is the Chair of the IEEE SMC Italian Chapter, Member-at-large of the IEEE SMCS BoG, Member of the IEEE Press Board of Directors, and founding chair of the IEEE SMC Technical Committee on “Interactive and Wearable Computing and Devices”.
Talk Title: The Role of Trust in Internet of Things Ecosystems: State-of-the-Art and Research Challenges
Prof. Alessandro Armando received his M.Eng. and his PhD in Computer Engineering at the Univeristy of Genova. His appointments include a position as research fellow at the University of Edinburgh and one at INRIA-Lorraine (France). He is Full Professor at the University of Genova where he teaches Computer Security and has founded and coordinated a Master in Cybersecurity and Data Protection. In 2011 he founded (and led until 2016) the Security & Trust Research Unit of the Bruno Kessler Foundation in Trento. He has been coordinator and/or team leader in several national and EU research projects, including the AVISPA, AVANTSSAR, SpaCIoS and SECENTIS projects. He contributed to the discovery of an authentication flaw in the SAML 2.0 Web-browser SSO Profile and of a serious man-in-the-middle attack on the SAML-based SSO for Google Apps. He is currently serving as vice director of the CINI National Cybersecurity Laboratory.
Jart Armin is a leading activist, analyst, and researcher of hacker intrusion, and advances in cybercrime mechanisms and assessment. Jart gained notoriety for exposing cyber attacks on Georgia as well as cybercriminal hosts such as RBN (Russian Business Network) McColo, Atrivo, Spetsenergo, and others. More recently, Jart has been at the forefront of quantification of cybersecurity and cyber attacks, as well as advances in CTI (cyber threat intelligence), botnet, automated threat tracking, and attribution. Jart is a member of NATO’s “National Cyber Security Framework” and a member of the ENISA Threat Landscape Stakeholder Group.
Talk Title: IOT Security and Disease Control
It is a simple axiom, all cybercrime, cyber-attacks, malware, and Internet badness is hosted and trafficked, from somewhere, by someone. In tangent, all the data gained from data breaches, intrusion, malicious scanning, are trafficked and stored somewhere, again by someone and used by others for malicious purposes. It is not magic!
Noting that the recent metric shows that the minority of all Internet traffic is now human, 52% is automated, with 23% of all traffic is malicious in the form of automated threats. This is the most serious threat to the deployment and use of an estimated 20.4 billion IoT devices by 2020. Ironically many of these automated threats have been around for 5 to 10 years.
Rather than spend the estimated $134 billion annually by 2022 just on defensive cybersecurity for IoT devices. We have to start to think and act in terms of digital epidemiology (disease control). We have to find and dismantle the sources of the digital disease, allied to removing the digital garbage, that creates the environment for the disease in the first place. This is achievable, threat removal is cheaper and more effective in the long term.
Tolga Arul received his Ph.D. degree on channel switching-triggered charging for Pay-TV over IPTV in computer science from Technical University Darmstadt, Germany. He joined the Center for Advanced Security Research Darmstadt (CASED), Germany, as a research associate in the field of cyber-physical systems security in 2009. Since March 2017 he is a postdoctoral researcher in the Security Engineering Group at the Technical University Darmstadt. His current research interests include trusted computing and embedded security applied to IoT, transportation, and broadcasting environments.
Talk Title: Lightweight Security Solutions for IoT Using Physical Unclonable Functions
Scott Cadzow has over the past 20 years become a recognized standards development expert, primarily for security standards, in a number of international standards development organizations including ETSI, ITU-T and ISO. Scott has also contributed to reports from ENISA on network resilience, supply chain integrity and on measures to counter internet bullying. More recently Scott has been involved in a number of projects under the FP7/CIP/H2020 umbrella looking at security and privacy aspects of smart cities. This has led Scott to take a wider view at the whole interoperability conundrum and to address the need to look more deeply at the problems we will face with the IoT and dynamic self-configuring equipment in the world of GDPR, NIS and the CyberSecurity acts to come.
Talk Title: Bridging the Gaps: Security, Privacy and Safety Together
Whilst common use of the terms security, privacy and safety often have semantic and conceptual overlap and some degree of uncertainty when any of these terms appear in a requirement it is also true to suggest that there are strong links. The purpose of the presentation in this workshop is to contextualization what is expected of engineers and their associated teams of designers, managers and financiers in building systems that are safe, that are privacy preserving and that are secure. The paper/presentation will look to concrete steps to use specific tools from the CIA toolkit of security to enable each of safety and privacy. The result will be a network of bridges that safely allow crossing from sector to sector.
Dr. John Callahan is Chief Technology Officer (CTO) at Veridium, a leading biometric authentication company. Dr. Callahan recently served as the Associate Director for Information Dominance at the US Navy’s Office of Naval Research Global (ONRG) London UK office from 2010-2014 via an Intergovernmental Personnel Act (IPA) assignment from the Johns Hopkins University Applied Physics Laboratory (JHUAPL) in Laurel, Maryland USA. From 2000-2006, Dr. Callahan served as VP of Engineering and CTO of BDMetrics, Inc. and Sphere.com where he managed social networking systems for the world’s largest trade shows such as the Consumer Electronics Show (CES), PackExpo, and National Association of Broadcasters (NAB). Prior to 2001, he was a tenured Associate Professor in the Department of Computer Science and Electrical Engineering at West Virginia University (WVU) in Morgantown, WV USA and research director at the NASA Independent verification and Validation (IV&V) Facility in Fairmont, WV USA. He completed his PhD in Computer Science at the University of Maryland, College Park USA. Dr. Callahan has worked for Xerox Corporation in Palo Alto, CA USA, NASA Goddard Space Flight Center in Greenbelt, MD USA, and IBM Corporation.
Russell Gyurek currently a Director, IoT-CTO and Industries at Cisco. He has over 25 years of networking related technology experience, the majority in leadership positions. Russ’ range of expertise includes; IoT/connectivity of things, analytics and big data, cloud, optical networking technologies, broadband architectures and related technical policy, and emerging market development. He has held various leadership roles in creating strategy and direction in these areas. In Russ’ current role he is responsible for technology leadership, market development and partner due diligence & enablement related to IoT. The CTO group evaluates future trends, emerging standards, technologies, and architectures that drive and influence Cisco’s market portfolio relating to IoT. He also works closely with the vertical solutions organization- turning strategy into real world IoT deployments, including Smart Cities. In addition, Russ is a value-of-the-infrastructure advisor to customers, helping to create new business models and use cases to leverage network data for cloud and real time event processing.
Russ engaged in numerous sponsored research work at various universities during his 17 plus career at Cisco. In industry related work, he holds a board seats on the OCF (Open Connectivity Foundation), University of Washington IoT Board, and the NCSU ECE strategic advisory board. In these board roles he has collaborated with multi-stakeholders to create new programs for IoT and data science/analysis. He has given numerous keynotes at conferences and research workshops on IoT and related topics. Russ has played key roles in IEEE standards development and ratification including 802.3. Russ holds an appointed position on the FCC-TAC (Technical Advisory Council) where he has chaired Working Groups on the “sunset of the PSTN”, “network resiliency”, “IoT”, and Next Generation Internet. He is currently the working group Chairman for the FCC “Next Generation Policy and Regulations” team. Russ has led and participated on numerous technical policy teams in the past 10 years. These include the state of California, West Virginia, and the country of Lebanon. Prior to Cisco, Russ held senior technical and leadership roles at BellSouth (AT&T), in the networking part of the business.
Joe Jarzombek is Director for Government, Aerospace & Defense Programs in Synopsys, Inc., the Silicon to Software™ partner for innovative organizations developing microelectronic products and software applications. He guides efforts to focus Synopsys’ global leadership in electronic design automation (EDA), silicon IP, and software integrity solutions in addressing technology challenges of the public sector, aerospace and defense, and critical infrastructure. He participates in relevant consortia, public-private collaboration groups, trade associations, standards groups, and R&D projects to assist in accelerating technology adoption.
Previously, Joe served as Global Manager for Software Supply Chain Solutions in the Software Integrity Group at Synopsys. He led efforts to enhance capabilities to mitigate software supply chain risks via software security and quality test technologies and services that integrate within acquisition and development processes; enabling detection, reporting, and remediation of defects and security vulnerabilities to gain assurance and visibility within the software supply chain.
Jarzombek has more than 30 years focused on software security, safety and quality in embedded and networked systems. He has participated in industry consortia such as ITI, SAFECode, NDIA and CISQ; test and certification organizations such as Underwriters Labs’ Cybersecurity Assurance Program, standards bodies, and government agencies to address software assurance and supply chain challenges.
Prior to joining Synopsys, Jarzombek served in the government public sector; collaborating with industry, federal agencies, and international allies in addressing cybersecurity challenges. He served in the US Department of Homeland Security Office of Cybersecurity and Communications as the Director for Software & Supply Chain Assurance, and he served in the US Department of Defense as the Deputy Director for Information Assurance (responsible for Software Assurance) in the Office of the CIO and the Director for Software Intensive Systems in the Office of Acquisition, Technology and Logistics.
Jarzombek is a retired Lt Colonel in the US Air Force, a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional. He received an MS in Computer Information Systems from the Air Force Institute of Technology, and a BA in Computer Science and BBA in Data Processing and Analysis from the University of Texas – Austin.
Talk Title: Cybersecurity for Software: High Assurance Practices for Mitigating IoT Risks
As the cyber landscape evolves and external dependencies grow more complex, managing risks attributable to exploitable software in IoT includes requirements for security and quality with ‘sufficient’ test regimes throughout the software supply chain. IoT is contributing to a massive proliferation of a variety of types of software-reliant, connected devices throughout critical infrastructure. With IoT increasingly dependent upon third-party software, software composition analysis and other forms of testing are used to determine ‘fitness for use’ and trustworthiness of assets. Standards for measuring and sharing information about software security and quality are used in tools and services that detect weaknesses and vulnerabilities. Test and certification programs provide means upon which organizations use to reduce risk exposures attributable to exploitable software. Ultimately, addressing software supply chain dependencies and leveraging high assurance test regimes enable enterprises to provide more responsive mitigations.
Learning Objectives – Attendees will learn how:
- External dependencies contribute risks in the form of technical debt throughout the IoT software supply chain;
- Standards can be used to convey expectations and measure IoT software security and quality;
- Software composition, static code analysis, fuzzing, and other forms of testing can be used to determine weaknesses and vulnerabilities that represent vectors for attack and exploitation;
- Testing can support procurement and enterprise risk management to reduce risk exposures attributable to exploitable software in IoT.
Dr. Mikko Kiviharju works as a principal scientist and cryptographer in the Finnish Defence Research Agency (FDRA). He has wide background in cyber defence lasting some 15 years now, and ranging from tactical principles in cyber operations to hardware security and theoretical cryptography. He is involved in both national and international governmental cryptographic standardization efforts. Currently, his research interests involve quantum-resistant cryptography, and cryptographic solutions intended for sparsely connected, heterogenous networks in high-risk environments.
Kiviharju holds an MSc in computer science and a PhD in cryptology. His dissertation on cryptology addressed access control models enforced with next-generation public-key cryptography. This line of work can also be used for a concept called data-centric security, which is one proposed solution to tackle IoT security.
Talk Title: Using Physically Unclonable Functions (PUFs) as a Root of Trust in the IoT Network Edge
Typical problems in enforcing IoT security are connected to sensor node and network edge communications security. One of the key concepts here is remote attestation, which – while possible – may require expensive high-end solutions such as Trusted Platform Modules (TPMs). This talk will focus on the feasibility and applicability of using Physical Unclonable Functions (PUFs) in IoT end node and network edge security. PUFs are a type of “hardware fingerprint”, whose main ability is to be able to produce unpredictable challenge-response-behavior from minor physical deviations inherently present in some types of standard manufacturing processes of ICT hardware. Independent research of PUFs, both in implementations and applications, has increased ten-fold in the past decade, and a solid theory of using PUFs in cryptography is beginning to emerge. Many PUFs are cheap to produce and use (measured with a variety of resource types), which makes them an ideal candidate to use in IoT environments. Good PUF implementations would, for example, naturally solve the remote attestation problem for a wider application space than is currently possible or feasible with TPMs.
Hsiao-Ying Lin, a senior researcher in Shield Lab, conducts connected car security research in Huawei International, a firm aiming at building a better connected world. Her research interests include embedded system security, applied cryptography and security issues in automotive areas. Before devoting her work fulltime to Huawei International, Hsiao-Ying served as a senior engineer focusing on smartphone platform security in MediaTek Inc. (a fabless semiconductor company), and an assistant research fellow in Intelligent Information and Communications Research Center in National Chiao Tung University. She received the MS and PhD degrees in computer science from National Chiao Tung University, Taiwan, in 2005 and 2010, respectively.
Talk Title: Cyber Security of Intelligent Connected Electric Vehicles
Electrification, intelligentization, connectivity and sharing are four major trends reshaping car industry for providing a more comfortable and safe driving environment. Connectivity of cars is the essential technology for accelerating intelligentization and car sharing services. It also brings notable cyber security requirements into car industry. As more communication technologies are deployed in vehicles to provide various connectivity, more external interfaces expose vehicles in publicly accessible networks. Those interfaces include various sensors, Bluetooth, DSRC (dedicated short-range communications), 3/4G and OBD (on-board diagnostics) interfaces. As a result, there are multiple potential ways for attackers remotely getting access into vehicles to take control over them. Designing and deploying security mechanisms for connected vehicles is critical for not only security but also safety reasons. This talk will introduce the attack surface of intelligent connected electric vehicles, challenges and potential mitigations.
Roberto Minerva. Roberto holds a Ph.D in Computer Science and Telecommunications from Telecom Sud Paris, France, and a Master Degree in Computer Science from Bari University, Italy. He is Maitre de Conference at Institut Mine-Telecom, Telecom Sud Paris. His research topics are: edge computing and 5G, virtualization and SDN, Internet of Things and Artificial Intelligence and Machine Learning. He was the Chairman of the IEEE IoT Initiative, an effort to nurture a technical community and to foster research in IoT. Roberto has been for several years in TIMLab, involved in activities on SDN/NFV, 5G, Big Data, architectures for IoT. He is authors of several papers published in international conferences, books and magazines.
Talk Title: Towards a Data-Driven Society. Challenges and Research Perspectives for a Next Generation Internet Integrating Networking, Data Management and Computing
Data are becoming more and more important for the digital world and the plethora of services and applications. The networks and especially the upcoming Next Generation Internet need to fully support the communication needs and flowing of data.
The speech will focus on some of the technical challenges that will be posed by the increased usage of data over the network such as:
- predicting the IoT flood, but really how much data will be transported
- different interaction paradigms beyond Client-Server and the role of network services
- the NGI network will be transactional for providing security, privacy and data usage fairness
- the edge computing will cooperate or will compete with the cloud? How much edge processing?
These challenges have also important business and social impacts that may determine whether a new fairer Internet capable of being an open environment will be built.
Celia Paulsen is a cybersecurity researcher at the National Institute of Standards and Technology (NIST). Her current research focuses on cyber-supply chain risk management and the intersection with tools such as blockchain and additive manufacturing. She has researched and written many documents related to supply chain risk management, metrics and measures for security, cybersecurity-related definitions, password usability, cybersecurity for small businesses, and related topics. In addition, she has served on and provided expertise to projects such as the National Initiative for Cybersecurity Education where she was the acting industry coordinator. Prior to joining NIST, Celia was an analyst for the National Security Agency in the US Army. She has an MBA in information security from California State University, San Bernardino, and bachelor’s degrees in information technology and business management.
Talk Title: Buzzword Bingo: Blockchain, IoT, and SCRM
Shiuhpyng Winston Shieh
Shiuhpyng Winston Shieh is currently a University Chair Professor of Computer Science Department and the Director of Taiwan Information Security Center at National Chiao Tung University (NCTU). Being actively involved in IEEE, he has served as Reliability Society VP, Editor of IEEE Trans. on Reliability, IEEE Trans. on Dependable and Secure Computing, Steering Committee member of IEEE IoT Magazine, and Associate Editor of ACM Trans on Information and System Security. He has been on the organizing committees of many conferences, such as the founding Steering Committee Chair and Program Chair of ACM Symposium on Information, Computer and Communications Security (AsiaCCS), Founding Steering Committee Chair of IEEE Conference on Dependable and Secure Computing, Program Chair of IEEE Conference on Security and Reliability. Along with Virgil Gligor of Carnegie Mellon University, he invented the first US patent in the intrusion detection field, and has published over 200 technical papers, patents, and books. Dr. Shieh is an IEEE Fellow, and ACM Distinguished Scientist. His research interests include network security, intrusion detection, penetration test, and malware behavior analysis. Contact him at email@example.com.
Talk Title: IoT Penetration Testing for Security Assurance
With fast growth of IoT technology, ubiquitous devices and services gradually take part in our daily life. These devices bring us not only convenience but also new security threats. An IoT ecosystem is composed of IoT devices, gateways, on-line services running on the cloud, and the network infrastructure connecting them. In the ecosystem, an IoT device are often connected to the cloud through a gateway, and they may be all under cyber attacks. In contrast to a conventional cloud where attacks are mainly from the Internet, the IoT cloud may be also exposed to both compromised IoT devices and apps it serves. In addition to defensive mechanisms used to protect the ecosystem, penetration testing has been widely used to offensively discover its vulnerabilities. Due to the complexity and heterogeneity of IoT environments, new penetration test techniques are desirable to cope with three types of penetration tests: interface test, transportation test, and system test. In this talk, we introduce the challenges and opportunities of IoT penetration testing. Case studies for penetration testing against the ecosystem will be also given. Our experiments and analysis showed that offensive methods like penetration testing can complement, not replace, defensive mechanisms in the life cycle of system development for security assurance.