Speakers 2021

Speakers

This year we have a great line up of speakers such as Dr Stephen Pattison who is responsible for ARM’s Public Affairs, Dr. Franck Courbon, who is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge and Julie Chua, Director of Governance, Risk Management and Compliance (GRC) Division within the U.S. Department of Health and Human Services (HHS) Office of Information Security (OIS).

Keynote Speakers

Click on a speaker image to find out more

Dr. Stephen Pattision, Arm

Stephen is responsible for Arm’s Public Affairs, including contributions to public policy thinking across the world. His focus is London, Brussels, Washington and, increasingly, China. He was the first person to be appointed to a Public Affairs role at Arm, in 2012. Key issues on which he is working include Internet of Things, Smart Cities, Data Protection, Energy Efficiency, and Security. He also oversees Arm’s Corporate Responsibility Programme.

Prior to joining Arm, Stephen was CEO, International Chamber of Commerce UK, where he represented the interests of a range of companies and focussed on various policy and international trade issues. Before that he worked for James Dyson (Vacuum cleaners etc) as Head, International Business Development, where he introduced new products into new markets as well as accelerating growth in existing markets. He was once a British Diplomat and worked at the British Embassy in Washington, and on UN issues in London, New York and Geneva.

Stephen has a Master’s Degree from Cambridge University, and a Doctorate from Oxford. In 2003-4 he spent a year at Harvard as Fellow in International Affairs at the Weatherhead Center.

Presentation : The Best is Still to Come.

An outline of how IOTSF is looking at new directions in IoT Security in the months and years ahead.

Dr. Stephen Pattison

Arm

Erik Decker, Intermountain Health

Erik Decker is the Chief Information Security Officer for Intermountain Healthcare, a multi-state integrated delivery network based in Salt Lake City, Utah. Erik has 21 years of experience within Information Technology, with 13 years focused on Information Security. He is currently Co-Leading a Department of Health and Human Services (HHS) task group of more than 250 industry and government experts across the country for implementing the Cybersecurity Act of 2015, 405D legislation within the Healthcare sector. The publication was released in December 2018, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” aka HICP. He is also a member of the Executive Council of the Healthcare Sector Coordinating Council’s Joint Cybersecurity Work, which is a public-private workgroup formed under the National Infrastructure Protection Plan. Erik is the previous Chair of the Association for Executives in Healthcare Information Security (AEHIS) Board.

In November of 2019 he was awarded the ISE® North America Executive: Academic/Public Sector. In October of 2017 he was awarded the Chicago CISO of the Year. In 2018 he served as an expert witness to the House Committee on Energy and Commerce, Subcommittee on Health.

Erik has a Master’s of Science in Information Technology from Loyola University in Chicago and Bachelors degree of the University of Illinois in Champaign/Urbana in Cell and Structural Biology.

Presentation: From Business Risk to Patient Safety: A Discussion on Cybersecurity in Healthcare

“Cyber Safety is Patient Safety”

One cyber threat has the potential to shut down hospitals, compromise Electronic Health Records, divert critical patient care, and ultimately put our patients in danger. Join this discussion to learn how healthcare organizations and facilities are part of our critical infrastructure and about the best practices chosen by industry leaders to protect from cyber threats. We will also examine why cybersecurity risks should be part of an organization’s wide spectrum of core risks as part of Enterprise Risk Management. Finally, we will look at laws in the United States that support public-private partnerships and the ability to promote information sharing so that we can all fight this threat as one united front.

Erik Decker

Intermountain Health

Julie Chua, U.S. Dept. of Health & Human Services

Julie Chua is the Director of Governance, Risk Management and Compliance (GRC) Division within the U.S. Department of Health and Human Services (HHS) Office of Information Security (OIS). Julie is also the Federal Lead for the implementation of the Cybersecurity Act (CISA) of 2015, Section 405(d): Aligning Healthcare Cybersecurity Approaches. This public-private partnership effort is one of many HHS cybersecurity initiatives to help push forward the cybersecurity and resiliency of the HPH sector.

Presentation: From Business Risk to Patient Safety: A Discussion on Cybersecurity in Healthcare

“Cyber Safety is Patient Safety”

Julie Chua

U.S. Dept. of Health & Human Services

Kevin Fu, U.S. Dept. of Health & Human Services

Kevin Fu is Acting Director of Medical Device Cybersecurity at U.S. FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). Fu is also Associate Professor of EECS at the University of Michigan where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.

Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing.
He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org).

He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT.

He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.

Presentation Title: TBC

This talk will provide a glimpse into the risks, benefits, technical solutions, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.

Kevin Fu

U.S. Food and Drug Administration (FDA)

Paul Waller

Paul has worked in cryptography and hardware security since graduating with a degree in mathematics in 2001. He has represented the NCSC and its predecessor organisation in various standards bodies, including the Trusted Computing Group, Global Platform and FIDO. His current role as Head of Capability Research allows him to spend time with academic and industry partners learning what the future holds for security technology, and also to help user communities take advantage of new features. Outside of work (when pandemic restrictions allow!) Paul likes to cycle up small hills in summer, and ski down bigger ones in winter.

Presentation : IoT Security – what can government do?

All of us need to work together to improve the security and resilience of our connected systems. I’ll discuss some of the options for government and also some current projects

Paul Waller

National Cyber Security Centre (NCSC)

Katerina Megas

Kat leads the NIST Cybersecurity for the Internet of Things (IoT) Program at the US. National Institute of Standards and Technology (NIST), focused on advancing and accelerating the development and application of research, standards, guidelines, and technologies necessary to improve the security and privacy of ecosystem of connected devices. Before joining NIST, Kat worked in the private sector and led the development and execution of IT strategies.

Presentation : The road to IoT security: updates on the NIST IoT Cybersecurity program

NIST will present updates on the IoT Cybersecurity program, including updates on the NIST activities that support recent IoT policy stateside such as the IoT Cybersecurity Improvement Act that directs NIST to develop guidelines for federal agencies on the minimum requirements of IoT devices that the Federal government procures, as well as the recent Executive Order 14028 signed by President Biden that directs NIST to pilot a cybersecurity product label for consumer IoT devices.

Katerina Megas

NIST

Speakers

Click on a speaker image to find out more

Dr. Franck Courbon, University of Cambridge

Dr Franck Courbon, has obtained 3 Master degrees (Telecom St-Etienne, INSA Lyon, University of Glasgow) and a Phd. in Microelectronics in 2015 (Ecole des Mines de St-Etienne). He has been working 3.5 years within the evaluation team of a French leader in digital security, Gemalto (now Thales DIS) before joining the University of Cambridge in October 2015. He has worked on the security evaluation (common criteria scheme) of smart cards (banking cards,
e-passports), the optimization of attack platforms (laser fault attacks) and the development of a new methodology to ensure product authenticity at chip/Silicon level (hardware trojan detection/supply chain security). He has also developed hardware-based methods to extract contents from non-volatile memories.

He is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge Department of Computer Science and Technology. He has been the recipient of an EPSRC Impact Acceleration Account Partnership Development Award (£47.7k) co-sponsored by an industry partner (£47.7k) for which he is project and team lead. He has been using state of the art facilities across Cambridge University (XRAYs, FIBs, SEMs, AFMs…). Dr Franck Courbon has published to top security (CARDIS, HOST, COSADE, HaSS), computer design (DATE) and failure analysis (ISTFA) venues. He has reviewed for ICM, HOST, VLSI-SoC and been PC member for PAINE workshop.

Dr Franck Courbon has taken initiatives for cross-School vision and development. For instance, he provided an article on “Empowering trust and security from the hardware” for the launch of the Cambridge Trust and Technology initiative and he has been the first project advisor and supervisor from the Department of Computer Science and Technology for the ESPRC CDT in Nanoscience and Nanotechnology (NanoDTC). He has supervised undergraduate and postgraduate students within the Department of Physics, Department of Engineering and the Department of Computer Science and Technology. He also initiated the
first MPhil. on Hardware Security at the Department of Computer Science and Technology.

He is leading an industry forum bringing technical solutions for secure and efficient electronics happening December 2021 in Churchill College, Cambridge, co-sponsored by IEEE. He is currently bringing his innovative mindset to the creation of meaningful solutions for the good of all. He has been sponsored to take part in several entrepreneur programs: Cambridge Judge Business School EnterpriseTECH 2020, Department of Physics Impulse program 2021 and IECT
Herman Hauser Summer School 2021. Finally, he is currently semi-finalist of the Chris Abell Postdoc Business Plan Competition 2021.

Presentation: Limiting hardware-enabled threats while enabling fairer and greener technology

More and more electronic devices, in critical infrastructures or not, are getting intelligent and connected. They can send raw data that need to remain private while some other devices directly process the data at the edge. Various technologies and architecture are used, and, in this presentation, we will mainly focus on hardware-based security principles, threats and countermeasures, associated with these IoT devices. Indeed, there are nowadays strong concerns regarding the security of these devices (or the ones providing them secure contents) in terms of scalable hardware-based attacks, IP protection, broken root of trust or unsecure supply chain. We will first talk about attack threats (company losses, scalability) while being aware of usability, energy, obsolescence/updates requirements. We will conclude on IoT devices security requirements and current solutions. We then focus on a lower abstraction layer of embedded devices with the hardware itself and advances in open hardware/open source. We may also mention security aspect of test and debug capabilities (with a security point of view). We will then cover the fabrication flow of Application Specific Integrated Circuits (ASICs)/Systems on Chip (SoCs), how IP are re-used and introduce the different packages, technologies and materials associated with IoT devices at chip level. We will also identify sample preparation requirements for failure analysis or side channel/fault/invasive investigations. A focus will be given on emerging technologies and hardware-based security attack techniques and tools of the trade. We will introduce two developments, both scalable, linking security and greener electronics while the second one link privacy and fairer electronics. At last, we will go through current development for hardware-based security education.

Dr. Franck Courbon

University of Cambridge

Andrew Delamare, Amazon

Andrew is a innovation driven Enterprise Architecture leader with 27 years of delivering solutions across Industrial, ISP, Telecoms and large scale utilities networks focusing on process and technology validation.

Working for many of the world’s leading companies to create solutions that make a difference globally.

Presentation: Using a Zero Trust security Model in AWS IoT

Providing an overview of how AWS IoT already helps customers adhere to the Zero Trust core principle (identity-based security) and what customers can do in addition to advance Zero Trust with their IoT workloads.

Andrew Delamare

Amazon

Chris Rouland, Phosphorus Cybersecurity

Chris Rouland is co-founder and CEO of Phosphorus Cybersecurity Inc. A 25-year veteran of the information security industry, Chris is a renowned leader in cybersecurity innovation and disruption. In his career, Chris has founded and led several multi-million dollar companies including Bastille, the first company to enable enterprise security teams to assess and mitigate the risk associated with the growing Internet of Things, and Endgame, which recently sold to Elastic for $247MM. Chris also stood up the X-Force at Internet Security Systems in 1998, as well as serving as CTO up to the $1.6B sale to IBM where he was appointed CTO and Distinguished Engineer.. Chris is a sought-after speaker with appearances at prestigious global security conferences including RSA, Black Hat, and HITB GSEC, and has been featured as a security expert and contributor for national broadcast and print media outlets including CNN, Forbes, and The Wall Street Journal. Chris holds twenty patents and a Master’s Degree from the Georgia Institute of technology.

Presentation: A random walk through 1,000,000 Things

At Phosphorus Cybersecurity, we have examined over 1M individual IOT devices in the Enterprise. This includes everything from desktop VoIP phones to BACnet devices such as power distribution and chillers, to cameras, thermostats, door lock controllers, fire control panels and lots of printers. We find a 90% common corpus of vendors to have been deployed in the Enterprise, and almost all, are uncompleted unmanaged, and insecure. With our own data, we can positively confirm remarkable statistics of IOT in the enterprise; those of us with grey hair will remember what the Internet looked like in the 1990s, that is the state of IOT security today.

During the presentation we will exam key statistics such as numbers of CVE’s, numbers of CRITICAL CVE’s, commonality of default credentials, average age and half-life of IOT firmware.

Chris Rouland

Phosphorus Cybersecurity

Jeff Day, British Telecom

Jeff Day is Chair of the IoTSF Best Practice Working Group.  He is Security Lead for all fixed-line voice services at British Telecom, having previously been security lead for their IoT programme. Jeff has worked in security for some 20 years and is the author of several BT internal security specifications and standards.

Presentation Title: Coordinated Vulnerability Disclosure – An updated IoTSF Guide

In this short talk we’ll discuss what Coordinated Vulnerability Disclosure is and the potential consequences of not having a Vulnerability Disclosure Policy. After that we’ll take a brief look at the free-to-download Vulnerability Disclosure Guide recently updated by the IoTSF.

Jeff Day

British Telecom

Jan Greersma, Signify

I work as director IoT and Cloud for Corporate Product Security at Signify. This involves working with Consumer IOT like Philips HUE lighting and Professional IOT through Interact. Previously I was working for Ericsson as security responsible for IoT Accelerator, a large mobile network for devices. I work with standards, people and technologies to reach a good security level.

Presentation : Communicating securely in your own home

Using a browser to connect securely to devices in your home will give you security warnings. The whitepaper digs deeper into why this is. We’re preparing a paper to map out the options could work to bring trusted certificates to your own network. It’s a long road to create a Secure and Usable Intranet Browser.

Jan Geertsma

Signify

Dr. Cédric LÉVY-BENCHETON, Cetome

Dr. Cédric LÉVY-BENCHETON is the CEO and founder of Cetome, an independent consultancy specialised in IoT and OT cyber security.

Cédric has deep expertise in IoT security. He has worked with manufacturers and developers to simplify their implementation of security by design and help them prepare them to new regulations.

He previously created the IoT security domain at ENISA, the European Union Cyber Security Agency, where he published several guidance and animated public/private working groups. Before that, Cédric designed critical networks for public transports. He holds a PhD in telecommunications from University of Lyon.

Presentation: How to get ready for a world of IoT cyber security regulations?

IoT systems keep surprising us with their insecurity. And yet nobody is surprised! How can we still accept the risks they create on other systems, our data, privacy, and our safety? Current solution and self-regulation did not bring the expected results. It is now time to regulate! Several governments and economic areas have chosen this path. But how can we make sure regulation is fit for purpose and enables IoT security?

In this talk, we present a panorama of IoT cyber security regulations across the world. We analyse and identify key elements to design and implement a successful IoT cyber security regulation: For policy makers and for manufacturers. We then present solutions to support the implementation of these new rules and discuss on the necessity of enforcement.

Dr. Cédric LÉVY-BENCHETON

Cetome

Susanne Furman, National Institute of Standards and Technology

Susanne Furman is a Cognitive Scientist in the US National Institute of Standards and Technology’s Visualization and Usability Group. She works on and investigates usability for both cybersecurity and biometric devices for agencies such as the US Department of Homeland Security and the Federal Bureau of Investigation as well as the privacy and security of smart home devices. Prior to coming to NIST,
Furman has worked at GE, IBM, and the US Department of Health and Human Services where she ran its usability program. She has a BA in Psychology, and an MA and PhD degrees in Human Factors and Applied Cognition from George Mason University where she is also an adjunct professor in the psychology
department.

Presentation: User Perceptions and Preferences for Smart Home Device Updates

IoT smart home updates are a critical mechanism by which manufacturers can remediate security vulnerabilities and one of the few tools users have to secure their devices. Yet, security professionals view difficulties in patching IoT devices as a major threat. However, consumers ‘perspective on smart home updates, including needs and preferences, had not been fully explored. We will describe our research efforts to better understand consumers’ experiences and challenges with smart home updates, including how those relate to security and privacy perceptions and practices. In an interview study investigating consumers’ experiences with smart home devices, we began to uncover challenges associated with updates. We followed up with a survey of 412 consumers to explore these challenges and identify consumer updated preferences. We will summarize the results of both studies, using participant quotes from the interview study to illustrate points found in the broader survey. Results include participant’s attitudes towards update importance, urgency, and purpose; challenges participants experienced; insights into current device update mechanisms, notifications and user’s preferences for those; concerns about end-of-life device support. We will also discuss relationships between user’s perceptions about smart home security and privacy and their update attitudes. We will then provide practical implications on how our results can be employed by smart home device manufacturers and security guidance developers. Attendees will gain novel insights into consumer perceptions, experiences, and challenges with smart home updates from both a usability and security perspective. They will also leave with recommendations for how the design of smart home device update mechanisms and notifications can be improved to provide a more usable platform for manufacturers to deploy critical security patches when necessary.

Susanne Furman

NIST

Julie Haney, National Institute of Standards and Technology

Julie Haney is a computer scientist and lead for the Usable Cybersecurity program at the U.S. National Institute of Standards and Technology (NIST). She conducts research about human factors of cybersecurity, including the usability and adoption of security solutions and people’s perceptions of privacy and security. She has been an invited speaker at numerous security forums spanning industry, government, and academia. Previously she spent over 20 years working in the U.S. Department of Defence as a security professional and technical director primarily in the cyber defense mission. She has a PhD and M.S. in HumanCentered Computing from University of Maryland, Baltimore County, an M.S. in Computer Science from University of Maryland, and a B.S. in Computer Science from Loyola University Maryland

Presentation: User Perceptions and Preferences for Smart Home Device Updates

Julie Haney

NIST

Laurie Mercer, HackerOne

Laurie is a security consultant at HackerOne, the world’s most popular vulnerability disclosure platform. His primary focus is on vulnerability disclosure best practice, operations and policy. Laurie has a strong technical background, having worked as both a developer, penetration tester and security consultant for nearly 20 years – he loves to find and fix vulnerabilities.

He has worked with customers as diverse as The UK Government and Asian tech firms in various roles involving software, security and pedagogy. Outside of work, Laurie likes to tinker with 3D Printing, Raspberry Pis, and is an amateur fermentation revivalist.

Laurie Mercer

HackerOne