Speakers
This year we have a great line-up of speakers, including Dr Stephen Pattison, who is responsible for ARM’s Public Affairs; Dr. Franck Courbon, who is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge; and Julie Chua, Director of Governance, Risk Management and Compliance (GRC) Division within the U.S. Department of Health and Human Services (HHS) Office of Information Security (OIS).
Keynote Speakers
Dr. Stephen Pattison, Arm
Prior to joining Arm, Stephen was CEO, International Chamber of Commerce UK, where he represented the interests of a range of companies and focussed on various policy and international trade issues. Before that he worked for James Dyson (Vacuum cleaners etc) as Head, International Business Development, where he introduced new products into new markets as well as accelerating growth in existing markets. He was once a British Diplomat and worked at the British Embassy in Washington, and on UN issues in London, New York and Geneva.
Stephen has a Master’s Degree from Cambridge University, and a Doctorate from Oxford. In 2003-4 he spent a year at Harvard as Fellow in International Affairs at the Weatherhead Center.
Presentation: The Best is Still to Come.
An outline of how IoTSF is looking at new directions in IoT Security in the months and years ahead.

Erik Decker, Intermountain Health
Erik Decker is the Chief Information Security Officer for Intermountain Healthcare, a multi-state integrated delivery network based in Salt Lake City, Utah. Erik has 21 years of experience within Information Technology, with 13 years focused on Information Security. He is currently Co-Leading a Department of Health and Human Services (HHS) task group of more than 250 industry and government experts across the country for implementing the Cybersecurity Act of 2015, 405D legislation within the Healthcare sector. The publication was released in December 2018, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” aka HICP. He is also a member of the Executive Council of the Healthcare Sector Coordinating Council’s Joint Cybersecurity Work, which is a public-private workgroup formed under the National Infrastructure Protection Plan. Erik is the previous Chair of the Association for Executives in Healthcare Information Security (AEHIS) Board.
In November of 2019 he was awarded the ISE® North America Executive: Academic/Public Sector. In October of 2017 he was awarded the Chicago CISO of the Year. In 2018 he served as an expert witness to the House Committee on Energy and Commerce, Subcommittee on Health.
Erik has a Master of Science in Information Technology from Loyola University in Chicago and a Bachelor’s degree in Cell and Structural Biology from the University of Illinois in Champaign/Urbana.
Presentation: From Business Risk to Patient Safety: A Discussion on Cybersecurity in Healthcare
“Cyber Safety is Patient Safety”
One cyber threat has the potential to shut down hospitals, compromise Electronic Health Records, divert critical patient care, and ultimately put our patients in danger. Join this discussion to learn how healthcare organizations and facilities are part of our critical infrastructure and about the best practices chosen by industry leaders to protect from cyber threats. We will also examine why cybersecurity risks should be part of an organization’s wide spectrum of core risks as part of Enterprise Risk Management. Finally, we will look at laws in the United States that support public-private partnerships and the ability to promote information sharing so that we can all fight this threat as one united front.

Julie Chua, U.S. Dept. of Health & Human Services
Julie Chua is the Director of Governance, Risk Management and Compliance (GRC) Division within the U.S. Department of Health and Human Services (HHS) Office of Information Security (OIS). Julie is also the Federal Lead for the implementation of the Cybersecurity Act (CISA) of 2015, Section 405(d): Aligning Healthcare Cybersecurity Approaches. This public-private partnership effort is one of many HHS cybersecurity initiatives to help push forward the cybersecurity and resiliency of the HPH sector.
Presentation: From Business Risk to Patient Safety: A Discussion on Cybersecurity in Healthcare
“Cyber Safety is Patient Safety”
One cyber threat has the potential to shut down hospitals, compromise Electronic Health Records, divert critical patient care, and ultimately put our patients in danger. Join this discussion to learn how healthcare organizations and facilities are part of our critical infrastructure and about the best practices chosen by industry leaders to protect from cyber threats. We will also examine why cybersecurity risks should be part of an organization’s wide spectrum of core risks as part of Enterprise Risk Management. Finally, we will look at laws in the United States that support public-private partnerships and the ability to promote information sharing so that we can all fight this threat as one united front.

Kevin Fu, U.S. Dept. of Health & Human Services
Kevin Fu is Acting Director of Medical Device Cybersecurity at U.S. FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). Fu is also Associate Professor of EECS at the University of Michigan, where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). He is best known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel (https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf). The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.
Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing.
He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org).
He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT.
He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.
Presentation Title: TBC
This talk will provide a glimpse into the risks, benefits, technical solutions, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.

Kevin Fu
U.S. Food and Drug Administration (FDA)
Paul Waller
Paul has worked in cryptography and hardware security since graduating with a degree in mathematics in 2001. He has represented the NCSC and its predecessor organisation in various standards bodies, including the Trusted Computing Group, Global Platform and FIDO. His current role as Head of Capability Research allows him to spend time with academic and industry partners learning what the future holds for security technology, and also to help user communities take advantage of new features. Outside of work (when pandemic restrictions allow!) Paul likes to cycle up small hills in summer, and ski down bigger ones in winter.
Presentation: IoT Security – what can government do?
All of us need to work together to improve the security and resilience of our connected systems. I’ll discuss some of the options for government and also some current projects.

Paul Waller
National Cyber Security Centre (NCSC)
Katerina Megas
Presentation: The road to IoT security: updates on the NIST IoT Cybersecurity program
NIST will present updates on the IoT Cybersecurity program, including updates on the NIST activities that support recent IoT policy stateside such as the IoT Cybersecurity Improvement Act that directs NIST to develop guidelines for federal agencies on the minimum requirements of IoT devices that the Federal government procures, as well as the recent Executive Order 14028 signed by President Biden that directs NIST to pilot a cybersecurity product label for consumer IoT devices.

Katerina Megas
NIST
Speakers
Dr. Franck Courbon, University of Cambridge
Dr Franck Courbon has obtained 3 Master’s degrees (Telecom St-Etienne, INSA Lyon, University of Glasgow) and a PhD in Microelectronics in 2015 (Ecole des Mines de St-Etienne). He worked for 3.5 years within the evaluation team of a French leader in digital security, Gemalto (now Thales DIS), before joining the University of Cambridge in October 2015. He has worked on the security evaluation (common criteria scheme) of smart cards (banking cards, e-passports), the optimization of attack platforms (laser fault attacks) and the development of a new methodology to ensure product authenticity at chip/silicon level (hardware trojan detection/supply chain security). He has also developed hardware-based methods to extract contents from non-volatile memories.
He is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge Department of Computer Science and Technology. He has been the recipient of an EPSRC Impact Acceleration Account Partnership Development Award (£47.7k) co-sponsored by an industry partner (£47.7k), for which he is project and team lead. He has been using state-of-the-art facilities across Cambridge University (X-rays, FIBs, SEMs, AFMs…). Dr Franck Courbon has published at top security (CARDIS, HOST, COSADE, HaSS), computer design (DATE) and failure analysis (ISTFA) venues. He has reviewed for ICM, HOST and VLSI-SoC and has been a PC member for the PAINE workshop.
Dr Franck Courbon has taken initiatives for cross-School vision and development. For instance, he provided an article on “Empowering trust and security from the hardware” for the launch of the Cambridge Trust and Technology initiative, and he has been the first project advisor and supervisor from the Department of Computer Science and Technology for the EPSRC CDT in Nanoscience and Nanotechnology (NanoDTC). He has supervised undergraduate and postgraduate students within the Department of Physics, Department of Engineering and the Department of Computer Science and Technology. He also initiated the first MPhil. on Hardware Security at the Department of Computer Science and Technology.
He is leading an industry forum bringing technical solutions for secure and efficient electronics, taking place in December 2021 at Churchill College, Cambridge, co-sponsored by IEEE. He is currently bringing his innovative mindset to the creation of meaningful solutions for the good of all. He has been sponsored to take part in several entrepreneur programs: Cambridge Judge Business School EnterpriseTECH 2020, Department of Physics Impulse program 2021 and IECT Herman Hauser Summer School 2021. Finally, he is currently a semi-finalist of the Chris Abell Postdoc Business Plan Competition 2021.
Presentation: Limiting hardware-enabled threats while enabling fairer and greener technology
More and more electronic devices, in critical infrastructures or not, are getting intelligent and connected. They can send raw data that need to remain private, while some other devices directly process the data at the edge. Various technologies and architectures are used and, in this presentation, we will mainly focus on hardware-based security principles, threats and countermeasures associated with these IoT devices. Indeed, there are nowadays strong concerns regarding the security of these devices (or the ones providing them secure contents) in terms of scalable hardware-based attacks, IP protection, broken root of trust or insecure supply chain. We will first talk about attack threats (company losses, scalability) while being aware of usability, energy and obsolescence/update requirements. We will conclude on IoT device security requirements and current solutions. We then focus on a lower abstraction layer of embedded devices, with the hardware itself and advances in open hardware/open source. We may also mention the security aspects of test and debug capabilities. We will then cover the fabrication flow of Application Specific Integrated Circuits (ASICs)/Systems on Chip (SoCs) and how IP is re-used, and introduce the different packages, technologies and materials associated with IoT devices at chip level. We will also identify sample preparation requirements for failure analysis or side channel/fault/invasive investigations. A focus will be given to emerging technologies and hardware-based security attack techniques and tools of the trade. We will introduce two developments, both scalable, one linking security and greener electronics while the second one links privacy and fairer electronics. Finally, we will go through current developments in hardware-based security education.
