This year we have a great line-up of speakers, including Dr Stephen Pattison, who is responsible for Arm's Public Affairs; Dr Franck Courbon, who is currently a Project Investigator with his Leverhulme Trust Early Career Research Fellowship hosted at the University of Cambridge; and Julie Chua, Director of the Governance, Risk Management and Compliance (GRC) Division within the U.S. Department of Health and Human Services (HHS) Office of Information Security (OIS).
Shadi Razak, ANGOKA Limited
Shadi is a cyber security and business digitisation expert with a strong foundation in business and IT strategy. His expertise in information security management, data privacy and protection, information governance and compliance, cloud security and business digitisation has made him a sought-after advisor to, and coach for, a number of international blue-chip companies, government organisations, financial services firms and SMEs in the UK and the MENA region for the past 15 years.
He has been a visiting lecturer at a number of international and British universities and is currently a Board Member and President of the Information Security Group (ISG) Alumni, Technology and Finance Society, and a mentor for a number of FinTech and SecurityTech start-ups in London and Dubai. Shadi lives and works in London (UK). He holds a BSc in Computer Engineering, an MSc in Information Security from Royal Holloway, University of London, and an MBA from the University of Sunderland.
Presentation: Securing Internet of Drones
Internet of Things (IoT) technology is evolving rapidly, yet the security of IoT networks needs to be explored in depth before adoption. One promising application of the IoT is the Internet of Drones (IoD), which can be thought of as a managed space for drones connected together. The idea of the IoD has been around for a while and is expected to improve the efficiency of tasks in sectors such as medical, military and transport services. The United Kingdom is moving forward as a global leader in building an open framework for Unmanned Traffic Management (UTM) for drones. A recent report published by Connected Places Catapult UK estimates the global market for commercial drones at around GBP 127 billion.
Inherent properties of Unmanned Aerial Vehicles (UAVs), such as high mobility, pose challenges for the deployment of security primitives, so UAVs still rely on conventional secure-communication mechanisms (VPN/TLS). A report by the drone association ARPAS-UK shows that major partnerships and providers are coming together to build an open UTM, and the IoD is expected to be in operation very soon. To prepare for this IoT revolution, the presentation gives an insight into how the IoD works, a threat analysis, and a proposed security solution to mitigate the identified risks.
A novel security solution based on the idea of Device Private Networks (DPNs) is proposed for the IoD framework. The proposal is supported by the design of a real-time attack scenario, which will be demonstrated live as part of the presentation.
Simon Goda, Doulos Ltd
Simon Goda is a senior member of technical staff at Doulos, the world-renowned training provider for hardware and software design. He has been working with Linux in embedded systems for over 15 years, starting at STMicroelectronics (R&D) Ltd, supporting and training customers using Linux and RTOS on set-top box and home entertainment products. At Doulos he writes and delivers training in the embedded Linux space, including device drivers, Yocto and Linux security.
Presentation: Confining Linux Applications with LibSeccomp
In this presentation we will introduce the Linux kernel feature Seccomp and its accompanying user-space library LibSeccomp, and show how they can be used to confine an application to a small subset of the available system calls. We will show that, if the application were compromised in some way so that malicious code executes, the kernel stops the application before any damage is done. The technical points will be illustrated with a simple example.
Paul Kearney, Birmingham City University
Paul Kearney is part-time Professor of Cybersecurity in the Networks and Cybersecurity Department at Birmingham City University (BCU). He has had a long and varied career in research and development in industry, and has previously worked for British Aerospace (BAe), Sharp and British Telecom (BT). His research interests include security and trust architectures for large-scale dynamic IoT systems, monitoring cybersecurity in the smart home, model-based security risk assessment, and application of data science and AI to cybersecurity problems. In addition to his role at BCU, Paul is a member of the Advisory Board of METCLOUD, an active contributor to the activities of the IoT Security Foundation, a visiting research fellow at EBTIC, Khalifa University, Abu Dhabi, an expert reviewer for the Horizon Europe programme, and a consultant on cybersecurity R&D.
Presentation: Towards Continuous Assurance of IoT Cybersecurity (provisional)
Future economic prosperity requires a thriving market in IoT products featuring rapid innovation in response to end-user needs. However, this cannot be achieved at the expense of exposing stakeholders to undue cybersecurity risk. Vendors have a responsibility to provide products that are fit for purpose security-wise, with clear guidance and constraints regarding secure usage. Similarly, customers must select products with appropriate security properties, and operate them securely, often as part of larger systems. This requires confidence in the statements vendors make about their products and about their development and production practices.
The existing market resembles the ‘wild west’, expanding and developing rapidly, fuelled by pioneering spirit, but lawless and with many innocent casualties as a result. This situation cannot be sustained, but how can order be achieved without sacrificing innovation and dynamism? The current product certification ‘solution’ involves a static assessment of a specific product under specific conditions. The associated processes are lengthy, ‘paper heavy’, and resource and capital intensive, which acts as a disincentive to their adoption. Certified products are likely to be uncompetitive by virtue of being expensive and late to market.
A new approach, call it continuous assurance or perhaps active certification, is required that reduces costs, automates maintenance, and is scalable, sustainable and timely in delivery. Properties of such an approach include the following:
- Meeting these conditions will need an increasing degree of automation and/or software support, which in turn requires mathematical formalisation of concepts so that they can be represented in a form that is understandable by people and machines and can be reasoned about by both.
- Claims (i.e. statements about the security properties of a product) should be modular and scheme-independent, so that the same product can be certified under additional schemes with minimal effort.
- Claims should be composable, in the sense that a claim proven about a component can be used to support the proof of a claim about the system in which the component is used.
- The approach needs to apply over the full product lifecycle, from requirement to retirement. In particular:
  - Security by Design should be baked into the development process. It needs to be compatible with software development processes, including the various flavours of agile and DevSecOps.
  - Initial certification should make use of evidence gathered during Development. Such evidence should include software and hardware bills of materials (SBoM, HBoM) identifying incorporated external components and dependencies, together with their certification status or other evidence of trustworthiness.
  - Certification should not be based on evaluations of a snapshot of an evolving product and operational context at a point in time. Rather, validation should be performed continuously, on demand, or in response to events.
  - The key evidence upon which certification depends should be identified and monitored. Certification status is conditional on that evidence remaining true; if it does not, it may be necessary to return temporarily to the Development stage. An example is the discovery of a new vulnerability affecting a library identified in the SBoM.
  - If a condition invalidating certification is discovered during the operational phase, remediation processes should be launched. Pending resolution, the product's certification status could be downgraded, or withdrawn if remediation is not possible or will take a significant time.
  - The behaviour of device instances should be monitored during Operations. Deviation from expectations could indicate, for example, exploitation of a previously unknown vulnerability, or that assumptions on which certification was based do not hold. Either could affect certification status.
The talk will explore these and related issues, and briefly review related on-going initiatives, with the aim of stimulating debate about fruitful ways forward.
Birmingham City University
Kevin Fu, U.S. Dept. of Health & Human Services
Kevin Fu is Acting Director of Medical Device Cybersecurity at the U.S. FDA's Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity at the Digital Health Center of Excellence (DHCoE). Fu is also Associate Professor of EECS at the University of Michigan, where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). He is best known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator, in which specially crafted radio waves were used to induce uncontrolled ventricular fibrillation via an unintended wireless control channel (https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf). The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies, just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.
Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing.
He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org).
He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT.
He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.
Presentation: TBC
This talk will provide a glimpse into the risks, benefits, technical solutions, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.
U.S. Food and Drug Administration (FDA)
Paul has worked in cryptography and hardware security since graduating with a degree in mathematics in 2001. He has represented the NCSC and its predecessor organisation in various standards bodies, including the Trusted Computing Group, GlobalPlatform and FIDO. His current role as Head of Capability Research allows him to spend time with academic and industry partners learning what the future holds for security technology, and also to help user communities take advantage of new features. Outside of work (when pandemic restrictions allow!) Paul likes to cycle up small hills in summer and ski down bigger ones in winter.
Presentation: IoT Security – what can government do?
All of us need to work together to improve the security and resilience of our connected systems. I'll discuss some of the options for government and also some current projects.
National Cyber Security Centre (NCSC)
Presentation: The road to IoT security: updates on the NIST IoT Cybersecurity program
NIST will present updates on its IoT Cybersecurity program, including the NIST activities that support recent U.S. IoT policy: the IoT Cybersecurity Improvement Act, which directs NIST to develop guidelines for federal agencies on the minimum security requirements for IoT devices that the Federal government procures, and the recent Executive Order 14028 signed by President Biden, which directs NIST to pilot a cybersecurity product label for consumer IoT devices.