Security and Privacy (Including Cyber-Security and Blockchains)

Date: Monday, 6 April 2020-Wednesday, 8 April 2020
Time: 8:30am-6:30pm
Room: TBA

Track Description

IoT applications and prospective solutions mandate consideration of a broad set of security and privacy requirements. The explosion in the number of connected devices poses a significant challenge, as does the diversity of end uses. This year’s World Forum will again address the component and platform implications for IoT in the context of the full life cycle for security and privacy regimes. It will also address the many security architectures and approaches that have emerged from Government organizations around the world, from the Commercial Market space, and from the Research Community. Across the wide spectrum of use cases there is a need to appropriately balance security and privacy, and it is useful to think of classifications that distinguish the levels required. As an example, these may be thought of as:

• Highly security-centric “life-and-death” applications such as: critical infrastructure; control systems for connected automobiles, railroads, or aircraft; connected healthcare

• Intermediate security uses that include: smart home; routine monitoring of facilities; sports and physical exercise activities that involve tracking such as geolocation

• Casual uses such as: games, entertainment, public virtual reality applications, and aspects of social media and general information services

This year we are adding a workshop within the track delving into “TIPPSS for IoT”, a framework IEEE has been developing since a February 2016 End to End Trust and Security Workshop. TIPPSS – Trust, Identity, Privacy, Protection, Safety and Security – requirements and implications will be presented and discussed by experts from around the world in technology, research, applications of IoT, and policy. This “TIPPSS for IoT Workshop” will include presentations and panels for Clinical IoT and connected healthcare, Smart cities and transportation, Smart grid and energy systems, Technology and Policy considerations, and research in the IOT and Cyber Physical Systems security and privacy domains.

The topics which the “Security and Privacy Regimes for IoT Track” Presentations, Panels, and Working Group discussions will cover include:

• Achieving secure compose-ability of individually secure devices and components
• The role of the user in helping to secure their IoT components, e.g., changing default manufacturer passwords
• The role of manufacturers to reveal claims concerning assurances concerning their products and services, e.g., cloud
• Scalability (for massive number of devices, and as contributors to- and consumers of- big data)
• Device-associated robustness levels that also deal with the high variations in heterogeneity (such as stationary and mobile infrastructure, smart phones and user terminals, wearables, the wide range of possible sensors and actuator types, and embedded IoT devices)
• Device ownership and component control (accounting for interoperability, regulatory compliance, governance, audit-ability and risk management)
• Remediation for the reigning confusion caused by the proliferation of standards and certification, and the realization that IoT will create new experiences and a vulnerability surface that is not accounted for
• Defense in depth strategies from IP design in the chip through the devices, systems and network to the cloud, including data and device validation and interoperability,
• Testing approaches and procedures that overcome the lack of efficacious and accepted practices — These include: interfacing with and leveraging legacy devices and services; containment against expansion of compromise to other units, systems or networks; effective crypto-agility; defense against advanced threats such as quantum-computing attacks. These also include testing approaches for the differing device lifetimes, and lifecycle support of IoT solutions such as over-the-air firmware and software upgrades

One of the objectives of the Track is to launch future actions and activities that continue beyond the World Forum as part of the IoT Initiative Working Group on “IoT Security and Privacy”.

Schedule

Monday, 6 April 2020

 8:30-10:30am – S&P Session 1: IOT and Blockchain Security and Privacy
“Track Opening”, Co-chairs Florence Hudson, Founder & CEO, FDHint and Dr. Jeff Voas, NIST
Talk 1: “Managing the ‘PII in the Sky’. On Personally Identifiable Information, Blockchain and Internet of Things”, Dr. Christian Hansen, Department Chair and Professor of Statistics in the Department of Mathematics, Eastern Washington University
Talk 2: “How to Secure the Internet of Things (IoT) with Blockchain”, Dr. Xinxin Fan, Head of Cryptography, IoTeX
Talk 3: “IoT Cybersecurity and Blockchain Technology for Energy Applications: Where we are and what are the issues”, Dr. Sri Nikhil Gupta, Grid cybersecurity research engineer, Pacific Northwest National Laboratory
Panel Discussion: Jeff Voas moderates interactive panel of Session 1 presenters

10:30am-11:00am – Networking Break

11:00am-1:00pm – Plenary Session

1:00pm-2:00pm – Lunch

2:00pm-4:00pm – S&P Session 2: TIPPSS for Connected Healthcare and Clinical IoT
Talk 4: “Industrial IoT and Smart Cities – what can we learn from them to improve Healthcare IoT?”, Mitch Parker, CISO, IUHealth
Talk 5: “IoMT Security and Compliance: The Ramifications of Unmanaged Assets in the Healthcare Environment”, Cory Brennan, Security Advisor, Hall Render IT Advisory Services and  Emily Dillon, Information Security Consultant, CynergisTek, Inc
Talk 6: “How do you create an Internet of Things Workforce?”, Dr. Joanna DeFranco, Associate Professor of Software Engineering, Pennsylvania State University
Panel Discussion: Florence Hudson moderates interactive panel of Session 2 presenters

4:00pm-4:30pm – Networking Break

4:30pm-6:30pm – S&P Session 3: TIPPSS for Connected Healthcare and Smart Cities
Talk 7: “Blockchain for Healthcare: Opportunities, Challenges and Roadmap to the Future”, Dr. Mohamad Kassab, Associate research professor in Software Engineering, Pennsylvania State University
Talk 8: “Culture Clues for TIPSS for IoT and Mobile Computing in Medicine”, Sherri Douville, CEO, Medigram
Talk 9: Talk 12 “Privacy and security implications of smart cities in developing countries”, Dr. Nir Kshetri, Professor at University of North Carolina-Greensboro and Research Fellow at Kobe University
Panel Discussion: Florence Hudson moderates interactive panel of Session 3 presenters

Tuesday, 7 April 2020

8:30am-10:30am – S&P Session 4: TIPPSS for IOT and Smart Cities
Talk 1: “A Security Assessment Framework to Understand the Internet of Things (IoT) Threat Landscape for Military Smart Bases“, Dr. Zulema Caldwell, Senior Engineer, US DOD and Adjunct Associate Professor at University of Maryland
Talk 2: “Enabling Artificial Intelligence through Next-Gen Electronic Packaging Technologies”, Dr. Preeti Chauhan, Technical Program Manager in Data Center Systems Quality, Google
Talk 3: “Supporting accountability in the Internet of Things”, Dr. Jat Singh, Computer Science & Technology Department, University of Cambridge
Panel Discussion: Jeff Voas moderates interactive panel of Session 4 presenters

10:30am-11:00am – Networking Break

11:00am-1:00pm – Plenary Session

1:00pm-2:00pm – Lunch

2:00pm-4:00pm – S&P Session 5: TIPPSS for Smart Cities and Transportation
Talk 4: “Security and Compliance for IoT in the Built Environment “, Dr. Trevor Pering, systems software engineer, Google
Talk 5: “Can my charging station trust your EV? Exploring security problems & solutions to improve trusted vehicle to infrastructure communications”, Dr. Raju Gottumukkala, Assistant Professor Mechanical Engineering, University of Louisiana at Lafayette
Talk 6: “An IoT Perspective of Understanding the Boeing 737 MAX Crashes”, Dr. Zhaojun Steven Li, Associate Professor Department of Industrial Engineering & Engineering Management, Western New England University
Panel Discussion: Jeff Voas moderates interactive panel of Session 5 presenters

4:00pm-4:30pm – Networking Break

4:30pm-6:30pm – S&P Session 6: Technology and Policy TIPPSS for IoT
Talk 7: “Your Critical Role in the World of Compliance”, Hon. Cynthia Mares, District Court Judge, Colorado
Talk 8: “Hey Siri and Alexa – How on Earth (or, for that matter, in Outer Space) Can I Determine What Data Protection and Privacy Laws Apply and How to Comply?”, Martin Zoltick. Esq., Rothwell, Figg, Ernst & Manbeck, P.C.
Talk 9: “Keeping up with the Jetson’s—The Future of Personal Data and Data Privacy”, Jenny Colgate, Esq., Rothwell, Figg, Ernst & Manbeck, P.C.
Panel Discussion: Florence Hudson moderates interactive panel of Session 6 presenters

Wednesday, 8 April 2020

8:30am-10:30am – S&P Session 7: Emerging IOT/CPS and Blockchain Security solutions
Talk 2: “Authentication using Synchronization:  IoT Security Solutions Based on Zero-Power Timekeeping”, Dr. Shantanu Chakrabartty, Professor, Washington University in St. Louis
Talk 2: “Cybersecurity for IOT Supply Chains: Comparison of Emerging Types of Solutions”, Celia Paulsen, Cybersecurity Researcher, NIST
Talk 3: “Rethinking Distributed Ledger Technology”, Rick Kuhn, Computer Scientist, NIST
Panel Discussion: Florence Hudson moderates interactive panel of Session 7 presenters

10:30am-11:00am – Networking Break

11:00am-1:00pm – Plenary Session

1:00pm-2:00pm – Lunch

2:00pm-4:00pm – S&P Session 8: IOT security, privacy and accessibility in Smart Cities
Talk 4: “IoT Accessibility, Security, and Opportunity for Inclusiveness”, Dr. Kit August, Research, Stevens Institute of Technology
Talk 5: “Combinatorial Methods for Explainability in Autonomous Systems”, Rick Kuhn, Computer Scientist, NIST
Talk 6: “Trustworthiness: Understanding and Solving Challenges of Digital IT/OT Transformation”, Marcellus Buchheit, President & CEO of Wibu-Systms USA Inc. and Co-Founder, Wibu-Systems AG
Panel Discussion: Dr. Jeff Voas moderates interactive panel of Session 8 presenters

4:00pm-4:30pm – Networking Break

4:30pm-6:30pm – S&P Session 9: IoT Security

• Talk 7: “Mitigating IoT Risks by Securing Software in Network Connectable Devices”, Joe Jarzombek, Director for Government & Critical Infrastructure Programs, Synopsys, Inc
• Talk 8: “IoT Vulnerabilities via NIST Bugs Framework”, Dr. Irena Bojanova, Computer Scientist, NIST
• Talk 9: “IoT in the Security Industry”, John Viega, Co-founder and CEO, Capsule8
• Panel Discussion: Dr. Jeff Voas moderates interactive panel of Session 9 presenters

Track Co-Chairs

Florence DiStefano Hudson FDHint LLC, New York USA

Florence D. Hudson is Founder & CEO of FDHint, LLC, consulting in advanced technologies, diversity and inclusion. Her expertise includes technical and business leadership, artificial intelligence, big data and analytics, Internet of Things (IoT), smart campus and cities, cybersecurity, connected healthcare, clinical IoT, blockchain, partnerships, ecosystems, innovation, strategic growth, business development, change management, marketing, diversity & inclusion. Formerly an IBM Vice President and Chief Technology Officer, Internet2 Senior Vice President and Chief Innovation Officer, and an aerospace engineer at Grumman and NASA, she is Special Advisor for TrustedCI – the NSF Cybersecurity Center of Excellence at Indiana University, and Northeast Big Data Innovation Hub at Columbia University. She is Chair of the IEEE-Standards Association working group (P2733) for Clinical Internet of Things (IOT) Data and Device Interoperability with TIPPSS – Trust, Identity, Privacy, Protection, Safety, and Security, and is a co-leader of the IEEE-Standards Association workstream on blockchain for clinical trials. Widely published, she is author of multiple articles and chapters including an article in the Huffington Post on Smart Buildings, articles in IEEE magazines on wearables and medical interoperability, and enabling trust and security for the Internet of Things, and book chapters on IoT and cognitive computing, as well as smart cities. She is Editor in Chief for the book “Women Securing the Future with TIPPSS for IOT” written by 17 women. She did a TEDx talk on energy and the environment, for sustainability on a smarter planet. She serves on advisory boards for Princeton, Cal Poly, and Stony Brook Universities, the open peer-reviewed journal Blockchain in Healthcare Today, and the IEEE Engineering in Medicine and Biology Standards Committee (EMB-SC). She graduated from Princeton University with a BSE in Mechanical and Aerospace Engineering, and attended executive education at Harvard Business School and Columbia University.

Jeffrey Voas NIST, Gaithersburg, MD USA

Jeffrey Voas is an author and innovator. He is currently a computer scientist at the US National Institute of Standards and Technology (NIST) in Gaithersburg, MD. Before joining NIST in 2009, Voas was an entrepreneur and co-founded Cigital that is now a part of Synopsys (Nasdaq: SNPS). He has served as the IEEE Reliability Society President (2003-2005, 2009-2010, 2017-2018), and served as an IEEE Director (2011-2012). Voas co-authored two John Wiley books (Software Assessment: Reliability, Safety, and Testability [1995] and Software Fault Injection: Inoculating Software Against Errors [1998], is on the editorial board of IEEE Computer Magazine, and was on the Editorial Advisory Board of IEEE Spectrum Magazine.  Voas will be the Editor-in-Chief of IEEE Computer starting in 2020. Voas received his undergraduate degree in computer engineering from Tulane University (1985) and received his M.S. and Ph.D. in computer science from the College of William and Mary (1986, 1990 respectively).   Voas is a Fellow of the IEEE, member of IEEE Eta-Kappa Nu (IEEE Honor Society), Fellow of the Institution of Engineering and Technology (IET), Fellow of the American Association for the Advancement of Science (AAAS), and Life Member of the Washington Academy of Sciences. Voas’s current research interests include Internet of Things (IoT), Blockchain, verified time and timestamping using atomic clocks. Voas received the Gold Medal from the US Department of Commerce in 2014.

Track Speakers

Shantanu Chakrabartty, Washington University in St, USA

Shantanu Chakrabartty is a Clifford Murphy professor in the Mckelvey School of Engineering at Washington University in St. Louis. His research covers different aspects of analog computing, and in particular, self-powered and energy-efficient computing systems. Dr. Chakrabartty is a recipient of National Science Foundation’s CAREER award, University Teacher-Scholar Award from Michigan State University and the 2012 Technology of the Year Award from MSU Technologies. Dr. Chakrabartty is a senior member of the IEEE with over 170 journal and conference publications along with twelve issued and pending US patents. He has served on the editorial board for the IEEE Transactions of Biomedical Circuits and Systems and the Frontiers of Neuromorphic Engineering journal. Dr. Chakrabartty holds a Ph.D. from The Johns Hopkins University and previously he has held academic appointments at Michigan State University where he co-founded a startup to commercialize self-powered infrastructural monitoring technologies.

Talk Title: Authentication using Synchronization:  IoT Security Solutions Based on Zero-Power Timekeeping 

Abstract: For low-resource internet-of-things (IoTs) like wearables, health-monitors, tags and sensors, existing authentication techniques (using encryption, strong hash functions and pseudorandom number generators) might be impractical for securing access to critical data. This is because these IoT platforms have limited computational bandwidth; limited availability of energy; and require real-time authentication. On the other hand, static identifiers like bar-codes, product IDs, embedded physical unclonable functions (PUFs) or stored private keys are vulnerable to theft, counterfeiting, replay attacks or tampering. In this talk I will present a hardware-software approach that could be used for a SecureID-type dynamic authentication on low-resource IoTs. The approach uses a quantum-based zero-power timer technology for time-keeping and for distributed synchronization without the need for any external powering (using batteries or energy-scavenging). Rapid trust verification and authentication is achieved by comparing the synchronized tokens generated by the IoT and a remote server. In the absence of any external powering, the dynamic tokens are secure against any power side-channel attacks, snooping and tampering. The hardware-software infrastructure also supports mutual authentication, where the IoT device could also query and verify the trust of its reader. In addition to using the zero- power timer technology for designing ultra-secure root-of-trust, I will also highlight some unique extensions of the technology for generating dynamic signatures that could be used for tracking and authenticating product supply-chain.

Jenny Colgate, Rothwell, Figg, Ernst and Manbeck, USA

Jenny Colgate is a partner at Rothwell, Figg, Ernst and Manbeck in Washington, DC.  She is an experienced litigator, including contract and licensing matters, counselling, and opinion work. Ms. Colgate’s practice covers a broad range of diverse technologies, including high technology (e.g., LEDs and mobile phones), software and hardware (including open source issues), finance/fintech, media/publishing, medical device, chemical coatings, machinery, and consumer products.

Ms. Colgate was named a Washington DC Super Lawyer “Rising Star” for IP litigation seven years in a row from 2013 through 2019.

Ms. Colgate was a summa cum laude graduate of the University of Pennsylvania, where she graduated with honors in Communications, completing her thesis in the area of children’s cognitive abilities to distinguish online advertisements from web site content.  While in college, Ms. Colgate captained the University of Pennsylvania equestrian team, and she competed in equestrian at the national level.
Ms. Colgate received her J.D. and LLM (in intellectual property, commerce and technology) from Franklin Pierce Law Center (now the University of New Hampshire).  She graduated magna cum laude.  While in law school, Ms. Colgate was a teaching assistant of Constitutional Law, Legal Writing, and Torts; an editor of IDEA, the Intellectual Property Law Review; and in 2004, Ms. Colgate was a judicial intern for the Honorable Arthur J. Gajarsa of the U.S. Court of Appeals for the Federal Circuit.  Ms. Colgate wrote a book on her law school experience, which was published in 2006.

Talk Title: Keeping up with the Jetson’s—The Future of Personal Data and Data Privacy

 Abstract: Technology is developing much faster than the laws and policies surrounding data privacy and cybersecurity.  As a result, it is important for the people conducting business in this ever-changing environment to keep in regular communication with law and policy-makers.  In this session, we will explore the future together – a future where the IoT is constantly recording individuals’ emotions, wellbeing, and actions through security systems, appliances, wearables, and cars.  In this world, your devices know everything about you – whether you are happy or sad, healthy or sick, have indigestion, are stressed, tired, energetic, hungry, etc.  And they do not all have GUIs to interact with.  It’s not always possible to “click a button” saying “do not share my personal information.”  Also, in this world data is processed in and transmitted via outer space.  And even if your company is not processing data in outer space, your vendors likely are.  Meanwhile, the legal regime is likely not that different than it is today.  Privacy and cybersecurity laws are still regulated by nation states.  There is no international treaty on data privacy and cybersecurity.  The laws of outer space remain focused on space exploration, and not commercialization.  “Cross-border” data transfers ignore that data can be transmitted outside of nation states.  And CCPA continues to require a “do not sell my personal information” button, even though interfaces are no longer graphical.

Mitchell Parker, IU Health

Mitchell Parker, MBA, CISSP, is the CISO, at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.
He also publishes in multiple publications, including CSO Magazine, Healthcare IT News, HealthsystemCIO.com, Security Current, Healthcare Scene, and HIMSS’ blog. He also has contributed a chapter for an upcoming Cybersecurity in Healthcare textbook, an essay to Voices of Innovation, which was published in March 2019 by HIMSS, and has a chapter in an upcoming book on Healthcare Cybersecurity for the American Bar Association’s Health Law section. Mitch has also been quoted in numerous publications, including the Wall Street Journal, ISMG, HealthITSecurity, and Becker’s Hospital Review.
Mitch is also a co-vice chair of the IEEE P2733 working group, Trust, Integrity, Privacy, Protection, Safety, and Security of the Internet of Things (IoT), and a co-subgroup chair of the P2418.6, Blockchain in Healthcare and Life Sciences Cybersecurity and IoT subgroups. Mitch also participates in other IEEE working groups related to security of the Internet of Things and collaborates with researchers and professionals worldwide on establishing and understanding standards for cybersecurity.

Talk Title: Industrial IoT and Smart Cities – what can we learn from them to improve Healthcare IoT?

Abstract: As healthcare both deals with an epidemic of ransomware and with the changing landscape from inpatient to outpatient, technology needs to adapt to serve the needs of and protect patients.  Ransomware means that organizations need more than ever to take steps to safeguard and protect not only their assets, but how they are managed and protected from insiders and outsiders.  It’s not enough to claim that a device is going to be only used internally, and therefore does not need the same security controls that a router or industrial IoT device requires.

Additionally, the center of patient treatment is moving from the hospital to the home.  This is driven by cost and the need to monitor for compliance to improve health.  This means that the devices utilized to monitor patients in an inpatient setting are operating in a hostile environment.

Organizations such as Johns Hopkins have set up capacity command centers to monitor patient safety, experience, volume, and movement.  These command centers draw upon experience from power, utilities, and aviation.  They utilize simulation modeling of workflows and processes with a focus on improvement.

Smart Cities and Industrial IoT have these command centers at their core to help monitor and triage issues from the thousands of sensors that blanket factories and cities.

What we will discuss are recommendations to expand Hospital Capacity Command Centers to also include Security Operations, Remote Device Management, and Device Monitoring.  As we shift from the inpatient to outpatient world, and with the focus on device security, we’ll go over how to augment the command center.

The recommendations we will make to augment them are to isolate command center networks, monitor device health and security, include Security Operations and Clinical Engineering on the Command Center staff, utilize simulation modeling of workflows for medical device management, including security updates and patches, loss of connectivity, and alarm situations, and utilize well-defined security requirements as part of the device purchasing and management process (such as IU Health’s).

We will go over how important process and simulation modeling is to an effective command center, and how this important concept learned from Industrial IoT and Smart Cities can be expanded to evolve to meet the needs of health systems as their focus changes.

Zulema Belyeu Caldwell

Zulema Caldwell graduated with a B.S. in Electrical Engineering from Texas A&M University and a M.S. in Electrical Engineering from the University of Maryland at College Park. She completed her Ph.D. in Information Technology with a specialization in Computer Information Security at Capella University. Zulema has a wealth of experience as a researcher, engineer, and software developer. She was the former owner and lead technical partner for a defense contracting company, which served multiple DoD agencies. Zulema has served as a technical director for several organizations within the Department of Defense, and she has also served as a program manager responsible for the budget and resources of multi-tiered national security projects. She is currently a technical director specializing in cyber security solutions for critical infrastructure, industrial control systems, and industrial Internet of Things (IIoT) devices.  Zulema has performed research for several projects focused on energy disaggregation, machine learning anomaly detection, and security event management for industrial control systems. She is a certified computer information security specialist (CISSP), and she has served as an instructor at several higher learning institutions. She taught computer science courses at Anne Arundel Community College, and she is currently an adjunct faculty member teaching graduate level information assurance and cyber security courses at University of Maryland Global Campus, where she focuses on research for understanding the threat landscape, conducting security assessments, and identifying control measures or mitigations for a variety of information systems, including financial information systems, electronic health records management systems, telecommunications, and industrial control systems. Zulema is also a founding member of the University of Maryland Clark School Women in Engineering Advisory Board, and she devotes a significant amount of time supporting STEM programs at local elementary schools and serving as a mentor for high school and college students.

Talk Title: A Security Assessment Framework to Understand the Internet of Things (IoT) Threat Landscape for Military Smart Bases

Abstract: The number of interconnected devices has exploded and continues to grow at a steady pace.  The International Data Corporation (IDC) estimates that there will be 41.6 billion connected Internet of Things (IoT) devices generating over 79 zettabytes (ZB) of data by 2025.  As the market continues to develop and mature, IoT will be a major part of the infrastructure that enables the exchange of information between machines, people, and processes.  In addition, IoT will pay a major role in smart city implementations for public safety and infrastructure monitoring.  Military installations, which function as small cities, have also begun preparing for a new way of operating through the implementation of IoT solutions for a variety of critical domains, including energy and utilities, transportation, military personnel engagement, infrastructure, safety, and security.  The Department of Defense has selected four bases as the first military installations to start testing and experimenting with 5G technology to support IoT integration for military smart bases.  Smart bases will, undoubtedly, enhance base operations, help to conserve limited resources, and identify new and creative ways to drive the mission through IoT and interconnected sensors.  However, there are numerous security threat vectors associated with IoT implementations, and the risk can be a major factor for national security, especially when it comes to military installations.  This presentation will initiate the discussion and demonstrate the need for a security assessment framework to evaluate the security posture of military smart bases, to identify the security challenges and provide an overview of the IoT threat landscape, as well as to identify effective countermeasures for base security and resiliency.

Rick Kuhn

Rick Kuhn is a computer scientist in the computer security division of the National Institute of Standards and Technology, and is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE). He has authored three books and more than 150 papers on information security, empirical studies of software failure, and combinatorial methods in software testing.  He previously served as program manager for the Committee on Applications and Technology of the President’s Information Infrastructure Task Force (1994-1995), and as manager of the Software Quality Group at NIST. Before joining NIST, he worked as a software developer with NCR Corporation and the Johns Hopkins University Applied Physics Laboratory. He received an MS in computer science from the University of Maryland College Park and an MBA from William & Mary.

Talk Title: Combinatorial Methods for Explainability in Autonomous Systems

Abstract: IoT is closely associated with autonomous systems, which often require extensive networks of sensors, decision nodes, and other components.  Because a human must ultimately take responsibility for autonomous system decisions and actions, explainability is essential, but existing methods leave much to be desired.

The central problem for explainability, according to DARPA, is to provide sufficient justification for a conclusion such that users know why a conclusion was reached, or why not, and to allow the user to know when an algorithm will succeed or fail, and when it can be trusted. Many conventional approaches leave users wondering what inputs led to a particular conclusion.  More than curiosity is involved, as many autonomous system applications may be security and safety critical, and accuracy rates that are high enough for some applications are inadequate when safety, security, and lives are at risk. For example, analysis within the aerospace industry concludes that the “artificial intelligence (AI) technology that has made spectacular progress in the consumer world is thus far unsuited to air transport safety standards”, and explainability will be essential for certification by regulatory authorities. Ideally, an AI algorithm should be able to explain its conclusion in a manner similar to a human expert, so that other human experts can have confidence in a conclusion, or spot a flaw in the reasoning.  This is a significant challenge for methods such as neural nets.

This presentation introduces an approach to producing explanations or justifications of decisions made by artificial intelligence and machine learning (AI/ML) systems, using methods derived from those for fault location in combinatorial testing. We use a conceptually simple scheme to make it easy to justify classifications or decisions: identifying combinations of features that are present in members of the identified class and absent or rare in non-members. The method has been implemented in a prototype tool, and examples of its application to IoT problems are given.

2^nd Talk Title: Rethinking Distributed Ledger Technology

The blockchain data structure was designed to solve the problem of double-spending in digital currency.  Blockchain’s desirable properties have made it attractive for distributed system applications other than cryptocurrency, but many of its features are very difficult to use for conventional applications.  As a result, much current research on blockchain is devoted to getting around its built-in properties.   This talk will present a different approach and data structure that provides useful features of blockchain, while making distributed ledger a more practical component for a broad range of distributed system applications.

Christian K. Hansen

Dr. Christian K. Hansen served as President of the IEEE Reliability Society (2014-2016) and is currently Department Chair and Professor of Statistics in the Department of Mathematics, Eastern Washington University (EWU). He is been a faculty member at EWU since 1993 and served in a variety of academic and administrative leadership positions. He has been active in the statistics and reliability engineering profession for over 30 years and published broadly on a variety of applications involving data derived from engineering systems. Over the past two decades, he has been active with the IEEE Reliability Society and has served in leadership positions that include vice-president of publications and treasurer before being elected to president in 2013. Dr. Hansen is a graduate of the Technical University of Denmark with degrees in Electrical Engineering (MS, 1988) and Statistics (PhD, 1991).

Talk Title: Managing the “PII in the Sky”. On Personally Identifiable Information, Blockchain and Internet of Things.

Abstract: Over the last few decades there has been a growing interest in protecting the security and privacy of personally identifiable information (PII), and new legislation has been passed by various governments with the intent of legally enforcing the protection of such sensitive data. With the deployment of the Internet of Things (IoT) massive volumes of “big data” are being collected continuously and stored on the cloud, and the issue of protecting the “PII in the sky” is becoming increasingly challenging. While IoT has given rise to endless opportunities for collection and sharing of data, Blockchain technologies have been successfully used to secure the authenticity of data and transactions involving the exchange of sensitive data. In this presentation we review some historical trends and challenges related to the evolution of data collection and storage and we discuss areas that will likely require the most attention over the next decades.

Xinxin Fan

Dr. Xinxin Fan is the Head of Cryptography at IoTeX, a startup focusing on building the next-generation, auto-scalable, and privacy-centric blockchain infrastructure for the Internet of Trusted Things (IoTT). He is responsible for directing the company’s strategy and product roadmaps as well as developing the core technologies and IP portfolio. Before joining IoTeX, he was a senior research scientist of Security and Privacy Group at Bosch Research Technology Center North America, where he defined and conducted innovative research on security and privacy for Internet of Things, machine-to-machine communication, cloud computing and data mining. Dr. Xinxin Fan received his Ph.D. in Electrical and Computer Engineering from the University of Waterloo in 2010. He has published 50+ referred research papers in top-tired journals, conferences and workshops in the areas of cryptography and information security and is an inventor of 15 patent filings for innovative information security and privacy-enhancing technologies. He is also a Certified Information Systems Security Professional (CISSP) from (ISC)².

Talk Title: How to Secure the Internet of Things (IoT) with Blockchain

Abstract: Internet of Things (IoT) and blockchain are two technologies that are gaining popularity since their creation. While the IoT is transforming business processes and consumer behaviors, blockchain promises a number of salient features, such as decentralization, immutability, transparency, etc., which have great potential for tackling the security challenges faced by the IoT systems. This presentation will first talk about the IoT security challenges and the key features provided by blockchain, followed by the description of the blockchain reference architecture (https://www.trusted-iot.org/businesses) developed by Trusted IoT Alliance (TIoTA). With the reference architecture in place, the focus will shift to integration of blockchain technologies into the IoT data lifecycle and discuss how to enhance its security with blockchain. The presentation will wrap up by identifying some research challenges when merging the IoT and blockchain.

Mohamad Kassab

Dr. Kassab is an associate research professor in Software Engineering at Pennsylvania State University, earned his Ph.D. and M.S. degrees in Software Engineering from Concordia University in Montreal, Canada, B.S. in Computer Science from University of Windsor and B.Eng. in Computer Engineering from the Lebanese American University. Previously, Dr. Kassab has been postdoctoral researcher at ÉTS School of Advanced Technology in Montreal and visiting scholar at Carnegie Mellon University. Kassab’s research interests include requirements engineering, system architecture, software quality and measurements, blockchain and The Internet of Things. He has published extensively in software engineering books and journals. With more than 18 years of industrial experiences, he worked in different industrial roles among which: Business Unit Manager at Soramitsu, Senior Quality Engineer at SAP, Senior Associate at Morgan Stanley, Senior Quality Assurance Specialist at NOKIA and Senior Software Developer at Positron Safety Systems.

Katherine Grace August

Katherine Grace August, PhD (Kit) – Stevens Institute of Technology – Research Guest – ECE Intelligent Networks, IEEE NJ Coast Section Volunteer PACE SIGHT Group Chair, History Chair, AP-VT-EMC Vice Chair, Whitaker Scholar 2009-2012, PhD Biomedical Engineering, NJIT, MSCS-MIS Marist College, BFA Communications Design Parsons The New School for Design. Current research projects involve humanitarian activities following the United Nations Sustainable Development Goals: quality education, gender equality, reduced inequalities, peace, justice, and strong institutions. Projects focus on collaborations and employing technology to reduce inequity for those with hearing loss, and promoting improved opportunity for women and girls through inventing. Research experience in neurorehabilitation with robots, haptics, and virtual reality, functional brain imaging, signal processing, wireless, systems engineering, and the like. Former Bell Labs MTS New Service Concepts Systems Engineering 1991 – 2002.  18 United States Patents; 50 International Patents.  ‘Hear, here!’ Do Good Robotics Startup Competition Finalist University of Maryland, 2019; ‘Justice for All’ Event May – June 2019; ‘Do Good Things, Justice for All,’ IEEE SIGHT Project Funding 2019 – 2020, an experiential learning system in augmented reality to improve understanding of hearing loss, accommodation, disparities, and the Americans with Disabilities Act.  Google Scholar: https://scholar.google.com/citations?user=v_azvz4AAAAJ&hl=en.  LinkedIn: https://www.linkedin.com/in/kit-august-0000331/  Team Blog: https://www.sites.google.com/site/sensosmartvirtualsensors/do-good-robotics-competition-hear-here  IEEE NJ Coast Section History Wiki: https://ethw.org/IEEE_New_Jersey_Coast_Section_History

Talk Title: IoT Accessibility, Security, and Opportunity for Inclusiveness

Abstract: IoT with powerful computing, flexible connectivity, vast sources of data and information, and billions of connected devices, promises to deliver transformational experiences to people globally. IoT Accessibility holds great potential to promote inclusiveness and reduce disparity consistent with United Nations Sustainable Development Goals (UN SDGs) through various means including connected hearing assistance and smart environments. One third of people over age 65 have hearing loss; five percent of the population of the world or 360 million people have disabling hearing loss while the majority live in developing countries. The world’s production of hearing aid devices only meets about 10% of the need. IoT Accessibility with appropriate Security features can make a significant difference through lower cost connected devices with capabilities to learn and improve solutions available thus serving a wider population with a variety of needs in many settings.

IoT Accessibility can also play a role in acoustic scene analysis, in selecting algorithms for speech, preferences, and noise processing. Hearing is a psychoacoustic experience subject to human senses, the acoustic scene, and language processing style creating a unique requirement for user selection of features that work best for speech understanding, the main goal of hearing assistance. Currently, accommodation technology solutions are standalone, expensive, developed in silos, complicated with proprietary interfaces, and are not interoperable with mainstream communication technologies while research rarely advances products. In addition, solutions often do not overcome obstacles of hearing loss, such as recognizing a person’s identity through voice, hearing an ambulance or police siren, a carbon monoxide or fire alarm, or a baby cry. As a result, people with hearing loss are at risk in various ways and existing solutions rarely address such risks of Trust, Identity, Privacy, Safety, and Security.

With the proliferation of low cost connected devices, IoT Accessibility holds potential for rapidly evolving features and solutions that were previously impractical, with data for cloud learning, individual preferences, and can accommodate distributed Security solutions for those with hearing loss. IoT Accessibility can monitor the acoustic scene for important cues not perceptible to those with hearing loss, representing the scene by alternative means, integrated with the smart environment, when noise reduction algorithms are in use, or when the person has removed the hearing aid for sleep.  IoT Accessibility and Security can bridge the gap of information otherwise provided by our human senses which inform our experiences and decisions.

IoT Accessibility in smart environments can improve Trust pinpointing Accessibility needs and resources without the individual having to announce their hearing loss status. While hearing individuals can rely on recognizing the voice or speech pattern of another individual, or cues of emotion or truthfulness, a person with hearing loss cannot, placing them at risk for fraud. IoT Accessibility can confirm Identity of the individuals communicating, employing a distributed approach for example, Blockchain to improve Security and inclusiveness for all.

Sherri Douville

Medigram’s mission is to eradicate the leading cause of preventable death, which is a delay ininformation, while at the same time improving health care systems’ finances through workflowre-engineering and improved communications between health care providers. In her role as CEOand Board Member, Sherri’s focus has been on leading and inspiring a world-class team andecosystem to execute on this mission, including technology, legal, healthcare administration,
physician, and business executives. Sherri has been published and quoted 15 times in the last two  years in healthcare industry and IT media such as CIO.com, Becker’s Hospital Review, and HITInfrastructure.com. She has contributed to a book about managing data breaches and iscurrently working on a number of chapters and books, one as editor, on the subjects of mobilecomputing in medicine, mobile security in healthcare, security in IoT, privacy law in medicine, andprinciples for ethics and trust for the application of IoT and data in medicine. Sherri is passionateabout coaching and developing leaders at Medigram. She has 15 years of experience in executivemanagement, product development, sales and marketing including with Johnson & Johnson, andas a product development and business consultant in the medical market. She has aBiophysics degree and has completed three certificates in electrical engineering, analytics, ML,and computer science through MIT. Sherri is also a member of the MIT Technology Review GlobalPanel and has served on the board of the NorCal HIMSS. Sherri is also thrilled to be part of theworking group for the IEEE P2733 Standard for Clinical Internet of Things (IoT) Data and DeviceInteroperability with TIPPSS (Trust, Identity, Privacy, Protection, Safety, Security) principles.Sherri also advises Health IT, Medical Informatics, and genetics startup companies. Sherri and herhusband, Dr. Art Douville volunteer together with a variety of non-profits including the Board ofFellows for Santa Clara University.

Talk Title: Culture Clues for TIPSS for IoT and Mobile Computing in Medicine

Abstract: Mobilizing data, devices and people to support medical practice is both a technical challenge of multiple disciplines as well as a resulting culture challenge. Physicians frequently face the worst combination of conditions for mobile computing contributing to bad connectivity, slow data, and bad application performance when working from mobile devices. Cultural challenges also hinder the collaboration required for digital transformation with IoT. The best use of IoT in HealthCare is the seamless convergence and interpretation of all available data from an IoT ecosystem. However, many dominant data standards do not adequately support the computational physics of mobile computing in the hospital and clinic settings. These are some of the reasons why physicians have actively adopted so few mobile and IoT apps. The
technical challenges span the uncoordinated reality of multiple industries including but not limited to mobile network, smartphone, chip, and wireless networking. These multi sector challenges require an unprecedented level of multidisciplinary collaboration at every level across organizations. In addition, complying with the California Consumer Privacy Act will force all technical teams to incorporate and execute on security knowledge of networking, hardware, and software. IoT devices and applications will have to become secure by design. In this session, Ms. Douville will review how to think about the industries converging into mobile computing and IoT in medicine. She will also cover some of the leading culture practices to drive the crossfunctional collaboration required for this new reality. This session will include ways to explain key parts of the new CCPA law to engineers, as well as how to explain necessary technical details to other stakeholders, such as lawyers and clinicians.

Martin M. Zoltick

Martin M. Zoltick is a shareholder with Rothwell, Figg, Ernst & Manbeck, P.C. in Washington, DC. He has been practicing in the field of technology law for more than 30 years.  His practice is focused primarily on IP matters, transactions, and privacy, data protection, and cybersecurity.  Mr. Zoltick is a Certified Information Privacy Professional in the United States (CIPP/US) and works with his clients to help them understand and navigate the rapidly evolving area of privacy and data protection law. He is working with clients to prepare, integrate, and implement best practices for CCPA, other state’s laws, and GDPR compliance. With his technical background and expertise, he is uniquely positioned to work with IT and technical teams to understand potential exposure and minimize the risks of a breach. Mr. Zoltick is currently providing thought leadership on the application of data protection laws and industry/technology-specific data privacy and security considerations for IoT devices, biometric data, and in outer space

Mr. Zoltick is a registered patent attorney, and a substantial part of his practice involves drafting and prosecuting patent applications and, along with that, developing with his clients IP strategic plans designed to maximize value and satisfy both legal and business objectives. Mr. Zoltick also has significant experience handling contested cases and disputes on behalf of his clients. He regularly serves as trial counsel in major patent disputes in the U.S. federal district courts and as lead counsel in post-grant proceedings before the U.S. Patent and Trademark Office Patent Trial and Appeal Board.

Mr. Zoltick represents a wide range of U.S.-based and international clients, including independent inventors, entrepreneurs, emerging businesses, middle market and mature companies, as well as investors and venture capitalists.

Talk Title: “Hey Siri and Alexa” – How on Earth (or, for that matter, in Outer Space) Can I Determine What Data Protection and Privacy Laws Apply and How to Comply?

Abstract: New laws are taking effect across the globe to regulate the collection, use, and protection of personal information.  At the same time, the rate of cyber attacks, data breaches and unauthorized use of personal data is growing exponentially. The massive proliferation of IoT devices and technology, now expanded even further to include space-based technologies, gives rise to unique and challenging considerations from a legal and regulatory perspective. With the autonomous data collection, transfer, tracking, analysis, and decision-making enabled by IoT and IoS technologies that will no doubt include personal information, it is more important than ever to understand the rights and obligations of individuals and organizations with respect to personal information. The rapidly evolving technology landscape and high profile data breach cases have elevated privacy, data protection, and cybersecurity to a key business risk and operational priority.

In this presentation, I will address the new data protection and privacy laws, rules and regulations that are, or soon will be, in effect, including the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other similar regulations being adopted in the US and around the World. I will relate these new laws to several use cases involving IoT devices and the processing of personal information, including location, financial, health, genetic, and biometric data.  I will then address what steps are necessary to develop and implement a compliance strategy and framework for risk management to establish best practices for compliance with the evolving new data protection and privacy laws, and touch on the role of new technologies utilizing, for example, blockchain and AI techniques in mitigating risks and supporting compliance.

Joanna F. DeFranco

Joanna F. DeFranco, earned her Ph.D. in computer and information science from New Jersey Institute of Technology, M.S. in computer engineering from Villanova University, and a B.S. in Electrical Engineering and Math from Penn State University. She is an Associate Professor of Software Engineering with the Pennsylvania State University.  She has worked as an Electronics Engineer for the Navy as well as a Software Engineer at Motorola. Her research interests include software engineering teams, and Internet of Things and Blockchain.

Talk Title: How do you create an Internet of Things Workforce?

Abstract: Internet of Things (IoT) products and Cyber Physical Systems (CPS) are being utilized in almost every discipline.  According to Forbes magazine (2017) there will be a significant increase in spending on the design and development of IoT applications and analytics.  Furthermore, the most significant increase in spending will be in the business-to-business (b2b) IoT systems (e.g. manufacturing, transportation, utilities etc.) as it will reach $267B by 2020.  Accordingly, engineers and computer scientists need the appropriate training to build safe and effective IoT systems.   However, it is not sufficient to add an IoT or CPS course to a program curriculum for students to gain the knowledge necessary to build effective, efficient and safe CPS/IoT systems.   In this presentation, the results of a review of engineering and computer science programs at the top 50 ranked US based and international universities to determine how many programs had courses with a CPS/IoT focus will be discussed along with a mapping of those courses to the five NIST Network of Things primitives (NIST 800-183).   In addition, a discussion on courses in the literature that cover the design of IoT/CPS systems will be presented along with a mapping of those courses to the NIST NoT primitives and the ACM/IEEE knowledge areas.  This presentation will conclude with discussion on recommendations that academic institutions may consider to develop an IoT/CPS curriculum.

Irena Bojanova

Irena Bojanova is a computer scientist at the National Institute of Standards and Technology (NIST), leading the Bugs Framework (BF) project, and a professor at the Johns Hopkins University, Carey Business School. Previously she was a program chair and professor at the University of Maryland University College (UMUC), an academic director at JHU, Center for Talented Youth (CTY), and a co-founder of OBS Ltd. (now CSC Bulgaria). Irena earned her Ph.D. in Mathematics/ Computer Science from the Bulgarian Academy of Sciences in 1991.

Irena Bojanova serves as EIC of IEEE IT Professional magazine, co-chair of IEEE RS IoT TC and founding member of IEEE TSC on Big Data. Previously she served as the founding chair of IEEE CS Cloud Computing STC, EIC of IEEE Transactions on Cloud Computing, Committee on Integrity Chair and a Member at Large of the IEEE CS Publications Board. Irena also serves as General Co-Chair of the Software Technology Conference (STC) and the IT in Practice (ITiP) Symposium of COMPSACK. Previously she served as General Co-Chair of ISSRE and QRS.

Talk Title: IoT Vulnerabilities via NIST Bugs Framework

Abstract: The Internet of Things (IoT) has had significant impact on cybersecurity via vulnerabilities related to IoT devices access control, firmware memory use, cryptographic issues, IDs generation, power consumption, and information exposure. The Common Vulnerabilities and Exposures (CVE) repository for example lists vulnerabilities such as CVE-2015-8287, CVE-2017-3209/-8865/-8866/-8867/-12865/-14493, CVE-2019-6692/-9445/-19278/-20410, CVE-2019-8985/-9125/-10962/-11219/-11220/-13473/-13474. This presentation will analyze such known IoT vulnerabilities and will provide their clear, precise, and unambiguous descriptions via the NIST Bugs Framework (BF).

Accurate, precise, and unambiguous definitions of software weaknesses (bugs) and clear descriptions of software vulnerabilities are vital for building the foundations of cybersecurity. BF organizes software weaknesses (bugs) into distinct classes, such as Buffer Overflow (BOF), Injection (INJ), Pseudo Random Number Generation Bugs (PRN), Encryption Bugs (ENC), Verification Bugs (VRF), and Information Exposure (IEX). It is an hierarchy of abstract and concrete classes of bugs with:

• Precise Definitions.
• Level – either low (language-related) or high (semantic).
• Attributes that identify or distinguish the software fault. Each attribute is an enumeration of possible values.
• Causes that bring about faults, which include implementation mistakes, conditions, preceding weaknesses and circumstances that bring about the fault
• Consequences faults could lead to.
• Possible Sites in code where faults might occur under circumstances indicated by the causes.

Nir Kshetri

Nir Kshetri is Professor at University of North Carolina-Greensboro and a research fellow at Kobe University. He has authored nine books, one of which has been selected as an Outstanding Academic Title by Choice Magazine. He has also published over 140 articles in various journals. Nir has been quoted/interviewed and/or his work has been featured by hundreds of media outlets worldwide such as Wall Street Journal, Foreign Policy, Scientific American, Bloomberg TV, CBS News, TV Mundo (Peru), ABF TV (Brazil), Fortune, Time, Christian Science Monitor, SF Gate, U.S. News & World Report, Asia Times, Channel News Asia, New York Daily News, New Boston Post, Observer and Salon.  His scholarly works and popular press publications have millions of readers worldwide. In March 2018, he gave a TED Talk about the potential roles of cryptocurrencies in fighting poverty.

Nir was the winner of IEEE IT Professional’s Most Popular Paper Award in 2019 and 2018 and Outstanding Contribution in Authorships award in 2019. He also won the Blockchain Connect Conference’s Most Influential Blockchain Research Paper in 2019. He was awarded Pacific Telecommunication Council’s Meheroo Jussawalla Research Paper Prize twice.

He has provided consulting services to Asian Development Bank and various UN agencies. In December 2018, he spoke at the Plenary Session, Digital Technology and Sustainable Development: South-South Cooperation in the Digital World at the Hong Kong Summit of the United Nations Office for South-South Cooperation (UNOSSC)and the Finance Center for South-South Cooperation (FCSSC), a special consultative body of the United Nations Economic and Social Council (ECOSOC).

Talk Title: Privacy and security implications of smart cities in developing countries

Abstract: Smart city technologies are rapidly diffusing in developing countries. For instance, China alone is estimated to have over 500 active smart city pilot projects. In order to improve infrastructures and the quality of services, smart cities use Internet of Things (IoT) devices such as connected sensors, lights, and meters. These devices collect and process data and take relevant actions.
The paper argues that developing countries differ from their developed counterparts in terms of economic, political, social and cultural factors, which have important implications for privacy and security issues facing smart cities and IoT devices used in such cities. For instance, smart cities in developing countries are likely to use lower cost IoT devices with weaker security than the ones used in developed countries. A large proportions of internet users in developing countries have been connected to the Internet not long ago. They are thus inexperienced and lack technological savviness and cybersecurity orientations. An additional factor that is prominent in discussions of smart city technologies and IoT in these countries is that they are characterized by weak legislation and law enforcement. A related point is that most developing countries have weak privacy laws.
A key focus of the paper is also on the internationalization of Chinese smart city technologies in developing countries as a key element of the Digital Silk Road, which aims to support the Belt and Road Initiative (BRI) through digital technologies. Critics have argued that Chinese companies such as Huawei, Hikvision, Dahua, and ZTE are exporting surveillance technologies to many developing countries’ smart city projects. Artificial intelligence (AI) surveillance technologies provided by Chinese companies are estimated to be used in sixty-three countries, most of which are developing countries and the BRI participants.
The article also delves into the deployment of surveillance technologies in smart cities in countries governed by autocratic and semi-autocratic regimes. A special focus of the article is the use of AI-based surveillance by authoritarian governments in smart cities.

Gabrielle E. Hempel

Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She started her career in regulatory compliance, and led specialized committees targeting Phase I and emergency research. Though she still serves on a board as a regulatory/genetic science consultant, she moved to cybersecurity in 2018 and works full-time as a Senior Security Analyst. She also works as a Penetration Tester for Black Mirage, LLC.

She continues to pursue education through a graduate program in Advanced Computer Security at Stanford, and has recently obtained her Certified Human Trafficking Investigator and Certified Expert in Cyber Investigations designations through the McAfee Institute. She collaborates with a variety of law enforcement entities and task forces in order to use digital forensics and offensive security to combat trafficking.

She has spoken at numerous national conferences on medical device security, webapp pentesting, and threat intelligence. Her continued areas of research include embedded/vehicle security, IoT vulnerabilities, and medical device security.

Talk Title: Hacking Humans: Addressing Vulnerabilities in the Advancing Medical Device Landscape

Abstract: As technology advances, the health care critical infrastructure sector comprises much of the potential attack surface of the national security landscape. Medical devices are being fitted with “smart” technology in order to better serve patients and stay at the forefront of health technology. However, medical devices that enable connectivity, like all other computer systems, incorporate software that is vulnerable to threats.

Medical device recalls increased 126% in the first quarter of 2018, mostly due to software issues and vulnerabilities. Abbott and Bayer, among other medical device companies, had recalls on devices based on weaknesses discovered by both government security entities and academic institutions. These devices, which included pacemakers, infusion pumps, and MRI machines, were found to have vulnerabilities ranging from buffer overflow bugs to the presence of hard-coded credentials that easily lent to unauthorized access of proprietary information.

A breach of any one of these devices could compromise data confidentiality, integrity, and availability, as well as patient safety. In order to mitigate these types of vulnerabilities, the FDA has issued a guidance, as well as a vulnerability scoring system, in order to assess impact. This system assesses the attack vector, the complexity, risk and severity of both patient harm and information compromise, and the remediation level. By utilizing a more rigid system along these guidelines, there is hope that the threat of a medical device attack will be diminished.

This talk will explore some of the past and current vulnerabilities facing the medical device industry, and the steps that the FDA and DHS are taking to mitigate these risks.

Jatinder Singh, University of Cambridge

Dr Jat Singh is based at the Dept. Computer Science & Technology, University of Cambridge. He leads the multi-disciplinary Compliant and Accountable Systems research group, which works at the intersection of computer science and law — exploring means for better aligning technology with legal concerns, and vice-versa. He also co-chairs the Cambridge Trust & Technology Initiative, which drives research exploring the dynamics of trust and distrust in relation to internet technologies, society and power. Jat is a Fellow of the Alan Turing Institute, and is active in the tech-policy space, serving on a range of advisory councils for government and regulators.

Talk Title: Supporting accountability in the Internet of Things

Abstract: As the IoT becomes increasingly ubiquitous, concerns are raised regarding how such systems are built and deployed. Things will go wrong, and when they do, how do we identify what happened, why that happened, and who is responsible? Given the complexity of such systems – where do we even begin? The grand visions of the IoT entail a ‘chain’ of interconnected systems, which come together to deliver functionality. That is, the IoT represents a system of systems, involving a data-driven assemblage including software, devices, cloud services, automation agents, and IoT platforms. As such, it can be difficult (even for experts) to uncover the series of events leading up to a particular occurrence, such as a data leak or system failure, and often even the systems and organisations that were involved. This talk describes aspects of accountability as they relate to IoT, in the context of the increasingly interconnected nature of such systems. It will highlight the need for mechanisms that capture information about IoT systems as a means for enabling systems to be better designed, engineered and deployed in accordance with legal, regulatory, and societal concerns. These aspects will only grow in importance as these connected environments increasingly pervade our world.

Emily Dillon, Information Security Consultant for CynergisTek, Inc

Emily Dillon is an Information Security Consultant for CynergisTek, Inc., who assists clients in performing risk assessments specific to biomedical devices and develops strategies for mitigating the security risks to the healthcare environment presented by these devices. Emily entered the healthcare industry working in the clinical engineering field where she focused on regulatory requirements and executed quality assurance audits. Additionally, she has also held information security operation roles with Ascension Technologies prior to CynergisTek where she regularly performed compliance and security risk assessments. Operating in these environments has provided her with a unique perspective and understanding of the two disciplines diverse qualities which is used to proficiently develop an effective medical device security program built through collaboration.

Talk Title: IoMT Security and Compliance: The Ramifications of Unmanaged Assets in the Healthcare Environment

Abstract: Today there are a large number of IoT companies making the world look smarter, smaller and very well connected. The benefits of this are not limited to the technology space alone – we see many other industries profiting from it, including the healthcare space. It’s time for us to wake up to the latest revolution in technology – the Internet of Medical Things (IoMT). And, just like any super power, with the benefits of this technology comes a great responsibility. A responsibility to ensure that IoMT devices are being used and managed in a manner that is smart, safe, and secure. Neglecting this duty can cause issues for any organization, but when it comes to healthcare, there is a human element.. the impact on patient care could become lethal. For example, malware vulnerabilities on medical devices present the opportunity for altered patient test results and manipulated clinical application settings. Unscheduled downtime or the unavailability of some essential medical devices could put a patient’s urgent care in jeopardy. Join experts on IoMT security and compliance to discuss common threats to clinical devices, real-life examples of the consequences associated with unmanaged IoMT devices, and best practices for ensuring the smart, safe, and secure use of these devices.

Trevor Pering, Google

Trevor Pering is a systems software engineer at Google, where recently he has been focusing on securing IoT systems for the built environment. He is the contributing editor for IEEE Computer’s THE IOT CONNECTION column, which exposes emerging IoT concepts to a broad audience. His career has focused on many different aspects of integrating the physical and digital worlds, all the way from mobile, pervasive, and ubiquitous computing through to interactive exhibits for experiential spaces. His current work aims to tame the decades-old “things” world of technology for office buildings (heating, lighting, etc…), and bringing it up-to-date with modern IT-centric infrastructure, with an emphasis on networking and security technologies. He received his BS and Ph.D. from the University of California, Berkeley, where he researched low power embedded operating systems for mobile devices.

Talk Title: Security and Compliance for IoT in the Built Environment

Abstract: Securing IoT in the built environment (office buildings, condominium complexes, etc…) presents a number key challenges that can be addressed by a combination of infrastructure-based techniques, rather than directly addressing the devices themselves. A three pronged approach addresses key aspects of cross-contamination, compliance, and normalization to transition a diverse ecosystem of existing devices to a secure collection of components that is suitable for operating in a modern IT environment. First, emergent Software Defined Networking systems can be used to isolate device communication patterns to a minimally required subset. Second, automated testing provides for compliance for basic security and network policies. Third, a clearly defined path for cloud-centric computing model enables the foundational security promises of a highly managed backend environment. Unlike a modern web-based or IT-based infrastructure, many building systems are running on decades old technology that was developed before “security” was a key concept. Not surprisingly, many IT departments are unwilling to bring these IoT systems online without significant improvements in how they are connected and operated.

This talk follows one key concept — “servers are bad” — and walks through a progression of techniques that mitigates the impact of any exposed service. This perspective assumes that all devices in an IoT environment are likely compromised, and potentially bad actors. Their behavior is highly restricted to what the infrastructure believes they should be doing, detects and secures misconfigured systems, and paves a path towards closing all doors that are not controlled by the governing infrastructure. By combining these techniques, the base security of the overall legacy system is immediately improved, and sets the stage for moving IoT systems in the built environment towards a setup acceptable by the modern IT ecosystem.

Raju Gottumukkala, University of Louisiana at Lafayette, USA

Dr. Raju Gottumukkala is the Director of Research of Informatics Research Institute and AAMA/LEQSF Regents Assistant Professor with the Mechanical Engineering Department at University of Louisiana at Lafayette.  His research interests are in the areas of cyber-physical systems, distributed computing, cyber-security and data mining. He has over 50 publications, and has experience leading various research & development efforts amounting to $7M in the domains of big data, disaster management and cyber-physical system security. He also serves as the associate editor for Springer’s Data-Enabled Discovery and Applications.

Talk Title: Can my charging station trust your EV? Exploring security problems & solutions to improve trusted vehicle to infrastructure communications

Abstract: The connected and autonomous vehicle technology is touted to change how people will travel and use vehicles. These vehicles have to communicate with other vehicles, external infrastructures such as Road Side Units (RSU) and charging stations. Improved connectivity and automation brings convenience and improved safety, but the lack of trusted communication mechanism can have serious negative consequences that affects the cyber-security of infrastructure and vehicles that rely on the infrastructure. In this talk, I will cover cyber-security problems with today’s vehicle identification and communication methods and ways to improve trusted communication between Vehicle to Infrastructure (V2I). I will also present our ongoing research on methods on how we improved V2I security with vehicle fingerprinting and diagnostics.

Cory Brennan

Cory Brennan is a leader in the medical device security industry with nearly a decade of experience in developing medical device security and risk management strategies and implementing advanced technology solutions in order to align key business objectives with effective tools. Cory focuses her work on advisory services related to medical device security, such as performing risk assessments specific to the medical device environment in order to create a better understanding of medical device vulnerabilities and develop strategies for risk remediation, as well as integrating the implementation of security controls into the overall lifecycle approach for medical device management. She has excelled in developing, improving and managing an effective organizational medical device security and risk management program capable of meeting compliance standards and managing the demands of clinical operations for large organizations, including a multibillion-dollar health care system serving more than 2,600 sites across 21 states. Cory has extensive practical knowledge of health care information security and compliance standards including HIPAA/HITECH, NIST and ISO and is a member of the Healthcare Technology Leadership Council for the Association for the Advancement of Medical Instrumentation (AAMI). Cory’s certifications include: HealthCare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Security Professional (CISSP), Certified Associate of Project Management (CAPM), and Certified Associate in Healthcare Information and Management Systems (CAHIMS).

Talk Title: IoMT Security and Compliance: The Ramifications of Unmanaged Assets in the Healthcare Environment

Abstract: Today there are a large number of IoT companies making the world look smarter, smaller and very well connected. The benefits of this are not limited to the technology space alone – we see many other industries profiting from it, including the healthcare space. It’s time for us to wake up to the latest revolution in technology – the Internet of Medical Things (IoMT). And, just like any super power, with the benefits of this technology comes a great responsibility. A responsibility to ensure that IoMT devices are being used and managed in a manner that is smart, safe, and secure. Neglecting this duty can cause issues for any organization, but when it comes to healthcare, there is a human element.. the impact on patient care could become lethal. For example, malware vulnerabilities on medical devices present the opportunity for altered patient test results and manipulated clinical application settings. Unscheduled downtime or the unavailability of some essential medical devices could put a patient’s urgent care in jeopardy. Join experts on IoMT security and compliance to discuss common threats to clinical devices, real-life examples of the consequences associated with unmanaged IoMT devices, and best practices for ensuring the smart, safe, and secure use of these devices.

Sri Nikhil, Pacific Northwest National Laboratory, USA

Pacific Northwest National LaboratorySri Nikhil Gupta Gourisetti is a Grid – cybersecurity research engineer at Pacific Northwest National Laboratory (PNNL). During his research engagement at PNNL, he worked on several smart grid cyber-physical security projects addressing the security and grid systems interaction challenges and needs of critical facilities and infrastructure. He has been actively involved in research projects on security engineering solutions and responses for critical infrastructure. He is the Principal Investigator (PI)/Co-PI for numerous cybersecurity research projects in the critical infrastructure domains such as the power grid and buildings. Some of the noteworthy projects include DOE Cybersecurity projects such Keyless Infrastructure Security Solution – a blockchain-based system for critical infrastructure; Mitigation of External-exposure for Energy Delivery Systems; Cybersecurity Framework; blockchain-based transactive energy systems and supply chain management. He is one of the lead authors for DOE-PNNL led buildings cybersecurity framework and the lead developer for vulnerability assessment tools. He is the PI for the development of on-going cyber-physical security non-intrusive applications. He was a technical lead for an incentive-based hardware-in-the-loop project where the grid simulation software and hardware systems interact in real-time. Under a DARPA project, he also led a team to develop red team – blue team cyber-physical attack scenarios for grid systems. In the IEEE Blockchain working group, he is the co-lead of cybersecurity task force & the lead of transactive energy task force.

Talk Title: IoT Cybersecurity and Blockchain Technology for Energy Applications: Where we are and what are the issues

Abstract: Critical infrastructure systems such as the power grid and buildings are becoming increasingly interconnected, resulting in a large landscape of data exchanges between the networked smart systems, often referred to as the industrial internet of things (IIoT). This increased observability facilitates the engineers, regulators, and operators to make critical data-driven and system-driven operational decisions pertaining to reliability and resiliency of the critical infrastructure systems. However, there remain challenges related to the appropriate confidentiality, integrity and authenticity of the information in addition to ensuring the secure operation of the systems. To address these challenges, researchers from the Pacific Northwest National Laboratory (PNNL) have been developing cyber security tools and adapting evolving technologies to the critical infrastructure space. This presentation will demonstrate some of these innovating technologies to secure complex system-of-systems, such as: using blockchain for energy markets, data integrity, device security, supply chain management, and nonrepudiation; cyber security assessment and enumeration tools and technologies that can be used to understand the security maturity of the operational technology (OT)/industrial control systems (ICS) environment. In addition, this presentation will also showcase various critical cyber security challenges and research questions that are yet to be answered.

Marcellus Buchheit, President & CEO of Wibu-Systms USA Inc. and Co-Founder, Wibu-Systems AG

Marcellus Buchheit is co-founder and Chairman of the Board of WIBU-SYSTEMS AG in Karlsruhe, Germany. He currently serves as the President and CEO of Wibu-Systems USA Inc., located in Edmonds, WA where he resides.

Marcellus earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989. In the same year, he co-founded Wibu-Systems together with Oliver Winzenried. As the original architect and first software developer of the company’s successful WibuKey, CodeMeter, and SmartShelter product lines, he is well known in his field for his expertise in designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. The products he designed have never been cracked by hackers in multiple public global contests.

Marcellus is an active member of the international Industrial Internet Consortium (IIC), where he is involved with security, trustworthiness and monetization initiatives. He is one of the editors and authors of the Industrial Internet Security Framework document. He is a frequently invited speaker at industry events, and has accepted many industry awards on behalf of Wibu-Systems, including the CODiE awards in 2017, 2014 and 2009 in recognition by the SIAA of CodeMeter as the Best Content Rights and Entitlement Solution.

Since 1988, he has also been self-employed as a Windows development consultant. He wrote many articles in German software development magazines and was the author of a Windows programming book that became the standard for all of Germany (named as “the bible”). From 1996 thru 2004, he was an independent Microsoft Regional Director and MVP. At the age of 14, he developed his first microprocessor-based computer and wrote his first computer programs.

Talk Title: Trustworthiness: Understanding and Solving Challenges of Digital IT/OT Transformation

Abstract: Bringing the IT and OT world together in IoT (especially industrial) as part of the digital transformation process brings challenges in coordinating security and safety in combination with reliability, resiliency and privacy. The IIC (Industrial Internet Consortium) has established the Trustworthiness Model to provide better understanding of the impact of a pure technical- or business-related IoT transformation. The IIC defines trustworthiness as the degree of confidence one has that a system performs as expected, characterized by the five key elements of safety, security, reliability, resilience and privacy in the face of environmental disturbances, human errors, system faults and attacks.

The challenge of modern industrial systems design using IoT technology is that different design directions from the OT (Operation Technology) and the IT (Information Technology) clash in the IT/OT convergence. For example, OT is heavily safety/resilience-guided while IT, in regards to internet technology, is heavily security/privacy-guided. As a result, the system designs are frequently in conflict, delaying or even disrupting the overall design effort. Such conflicts can only be understood and preemptively prevented by a deeper understanding of the interaction of the five key elements of trustworthiness.

Hon. Cynthia D. Mares, District Court Judge, Colorado

Hon. Cynthia D. Mares is currently a district court judge in Colorado. Her passion is board governance and cybersecurity. She is an author of the book Women Securing the Future with TIPPSS for IoT, published in 2019. Judge Mares is a governance fellow with the National Association of Corporate Directors since 2016 and a 2018 graduate of the Colorado Women’s Foundation Board Bound program. Her specialized education includes programs at Harvard’s Kennedy School of Government, Colorado’s National Cybersecurity Center and world-wide programs hosted by the Sedona Conference, including programs in Dublin, Ireland and Budapest, Hungary as well as numerous programs across the country. Ms. Mares serves as an advisory board member for Axon global, a cybersecurity company, and FDHint, a consulting firm in Advanced Technology, Cybersecurity and Diversity and Inclusion. She is also a former member of the Colorado Gaming Commission and current board member for the Colorado Hispanic Bar Association. She is a past president of the Hispanic National Bar Association. Ms. Mares holds a bachelor’s degree in Business Administration from the University of Colorado and a juris doctorate degree from the University of Denver.

Talk Title: Your Critical Role in the World of Compliance

Abstract: As a specialist in Privacy and Security, the laws applicable to you and your company can be overwhelming but that’s not your job, right? You are not a lawyer and therefore, not trained with the skills needed to comply with all the applicable laws. So, what is your role in this complicated world of cybersecurity? In this session, we will discuss your role and how to do it in a way that will impress your entire team.

Joe Jarzombek, Synopsys, Inc.

Joe Jarzombek is Director for Government & Critical Infrastructure Programs in Synopsys, Inc., the Silicon to Software™ partner for innovative organizations developing microelectronic products and software applications.  He guides efforts to focus Synopsys’ global leadership in electronic design automation (EDA), silicon IP, and software integrity solutions in addressing technology challenges of the public sector, aerospace and defense, and critical infrastructure.   He participates in relevant consortia, public-private collaboration groups, trade associations, standards groups, and R&D projects to assist in accelerating technology adoption.

Previously, Joe served as Global Manager for Software Supply Chain Solutions in the Software Integrity Group at Synopsys.  He led efforts to enhance capabilities to mitigate software supply chain risks via software security and quality test technologies and services that integrate within acquisition and development processes; enabling detection, reporting, and remediation of defects and security vulnerabilities to gain assurance and visibility within the software supply chain. Jarzombek has more than 30 years focused on software security, safety and quality in embedded and networked systems.  He has participated in industry consortia such as ITI, SAFECode, NDIA and CISQ; test and certification organizations such as Underwriters Labs’ Cybersecurity Assurance Program, standards bodies, and government public-private collaboration forums to address software assurance and supply chain challenges.

Prior to joining Synopsys, Jarzombek served in the government public sector; collaborating with industry, federal agencies, and international allies in addressing cybersecurity challenges.  He served in the US Department of Homeland Security as the Director for Software & Supply Chain Assurance, and he served in the US Department of Defense as the Deputy Director for Information Assurance (responsible for Software Assurance) in the Office of the CIO and the Director for Software Intensive Systems in the Office of Acquisition, Technology and Logistics.  Jarzombek is a retired Lt Colonel in the US Air Force, a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional. He received an MS in Computer Information Systems from the Air Force Institute of Technology, and a BA in Computer Science and BBA in Data Processing and Analysis from the University of Texas – Austin.

Talk Title: Mitigating IoT Risks by Securing Software in Network Connectable Devices

Abstract: As the cyber landscape evolves and external dependencies grow more complex, managing risks attributable to exploitable software in IoT includes requirements for security and quality with ‘sufficient’ test regimes throughout the software supply chain.  IoT is contributing to a massive proliferation of a variety of types of software-reliant, connected devices throughout critical infrastructure.  With IoT increasingly dependent upon third-party software, software composition analysis and other forms of testing are used to determine ‘fitness for use’ and trustworthiness of assets. Standards for measuring and sharing information about software security and quality are used in tools and services that detect weaknesses and vulnerabilities.  Test and certification programs provide means upon which organizations use to reduce risk exposures attributable to exploitable software.  Ultimately, addressing software supply chain dependencies and leveraging high assurance test regimes enable enterprises to provide more responsive mitigations.

Learning Objectives – Attendees will learn how:

• External dependencies contribute risks in the form of technical debt throughout the IoT software supply chain;
• Standards can be used to convey expectations and measure IoT software security and quality;
• Software composition, static code analysis, fuzzing, and other forms of application security testing can be used to determine weaknesses and vulnerabilities that represent vectors for attack and exploitation;
• Testing can support procurement and enterprise risk management to reduce risk exposures attributable to exploitable software in IoT.

Zhaojun Steven Li, Western New England University, Springfield, MA

Dr. Zhaojun Steven Li is an Associate Professor with the Department of Industrial Engineering & Engineering Management at Western New England University, Springfield, MA. Dr. Li’s research interests include IoT data analytics, applied statistics and operations research, reliability engineering, systems engineering and its applications in product design, diagnostics and prognostics of complex engineering systems. He received his PhD in Industrial Engineering from the University of Washington. He is an ASQ Certified Reliability Engineer and Caterpillar Six Sigma Black Belt. Dr. Li’s most recent industry position was a reliability team lead with Caterpillar to support the company’s new engine development. He is serving on editorial boards for IEEE Transactions on Reliability and IEEE Access. He is a senior member of IISE and IEEE. He has served as a board member of IISE Quality Control and Reliability Engineering (QCRE) Division and IEEE Reliability Society. He was  the VP for Publications of IEEE Reliability Society in 2019.

Talk Title: An IoT Perspective of Understanding the Boeing 737 MAX Crashes

Abstract: Recently, two serious airplane crashes involving Ethiopian airlines and Lion airlines have greatly impacted the aviation industry, sparked worldwide discussions as well as investigations from government agencies. Both crashed jets are brand new Boeing 737 MAX models, a derivative of the best-selling aircraft in history. This talk firstly briefly describes the key processes and highlights of the above two crashes. Then, the possible causes of the accidents are analyzed from three aspects of the design of automation software, airworthiness certification, and aircraft management, respectively. Especially, the accidents are analyzed from the IoT’s point of view. Lastly, suggestions and thoughts concerning the automation paradox and software design issues related to safety, reliability, and ethics, are discussed based on the outcomes of the multiple investigations.

Celia Paulsen, National Institute of Standards and Technology (NIST), USA

Celia Paulsen is a cybersecurity researcher at the National Institute of Standards and Technology (NIST). Her current research focuses on cyber-supply chain risk management and the intersection with tools such as blockchain and additive manufacturing. She has researched and co-authored several publications including NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations and NISTIR 7621 Rev. 1, Small Business Information Security: The Fundamentals. Prior to joining NIST, Celia was an analyst for the National Security Agency in the US Army. She has an MBA in information security from California State University, San Bernardino, and bachelor’s degrees in information technology and business management.

Talk Title: Cybersecurity for IOT Supply Chains: Comparison of Emerging Types of Solutions

Abstract: As vendors investigate inserting technology into their products, they are faced with the increasing problem of ensuring that the technology is safe, secure, and sound. One aspect of this challenge is ensuring a device is developed, integrated, and delivered with cybersecurity in mind. In the current business climate, a majority of this work is outsourced to a complex and interdependent and global supply chain. This talk will examine a number of technological and policy-based approaches to gaining visibility and control over the cybersecurity of an IOT supply chain and examine where there are opportunities for additional research and development.

Preeti Chauhan, Google, USA

Dr. Preeti Chauhan is a Technical Program Manager in the Data Center Systems Quality team at Google. In her prior role, Preeti was a Quality and Reliability TPM at Intel and led the Assembly and Test certification of Foveros 3D packaging technology and Server microprocessors. She is currently serving as Vice President of Technical Activities in IEEE Reliability Society and was previously peer reviewer of journal articles for Microelectronics Reliability and Transactions on Material Device Reliability. Dr Chauhan received 2017 Early Career Award from James Clark School of Engineering at University of Maryland, College Park in recognition of her professional achievements. More recently, she received the 2019 Intel Achievement Award for her contributions to development of industry first 3D packaging technology for Intel processors.

Dr Chauhan received PhD in Mechanical Engineering from University of Maryland, where her research focused on lead-free solder interconnect reliability. She has authored a book on Copper Wire Bonding, and published 20+ articles in peer reviewed journals and conferences in the areas of electronic packaging reliability and PHM.

Talk Title: Enabling Artificial Intelligence through Next-Gen Electronic Packaging Technologies

Abstract: Artificial intelligence (AI) has become a ubiquitous technology that is already shaping the world around us. From enabling voice assistance to self-driving cars, AI technology relies heavily on processing large data sets for machine learning. This requirement drives the development of new packaging technologies to deliver high computing power, high bandwidth, low power and low latency devices. One such technology is 2.5D/3D integration wherein heterogeneous integration of logic dies with multiple technology nodes and memory dies is achieved. This presentation will cover some of the 2.5D/3D integration technologies for AI applications along with the associated challenges and growth opportunities.

John Viega, Capsule8

Capsule8 Co-founder and CEO John Viega is an expert in building defensive systems to protect against exploitation of previously unknown vulnerabilities and building successful companies to bring those systems to market. Most recently, John was EVP of cloud security provider SilverSky, successfully transforming them from a managed services provider to an innovative cloud security company. Following the successful acquisition of SilverSky by BAE Systems, John went on to serve as EVP of Product, where he also had responsibility for a portfolio of analytics products that spanned financial crime and security. Prior to SilverSky, John was SaaS CTO at McAfee. John is an award-winning author with a half dozen books to his name, including “Building Secure Software” (the first book for software engineers on how to build secure programs) and “Network Security with OpenSSL.” He also co-designed the GCM encryption mode, which is used for more than 70% of encrypted web traffic.