Security and Privacy in the IoT
Elisa Bertino, Purdue University, United States
Sensor Networks as the new Attack Target
Nancy Cam-Winget, Cisco Systems, United States
The Future of Information Security
Bart Preneel, KU Leuven, Belgium
Security and Privacy in the IoT
Elisa Bertino
Purdue University
United States
https://www.cs.purdue.edu/homes/bertino/
Brief Bio
Elisa Bertino is professor of computer science at Purdue University, and serves as Director of Purdue Cyber Center and Research Director of the Center for Information and Research in Information Assurance and Security (CERIAS). She is also an adjunct professor of Computer Science & Info Tech at RMIT. Prior to joining Purdue in 2004, she was a professor and department head at the Department of Computer Science and Communication of the University of Milan. She has been a visiting researcher at the IBM Research Laboratory (now Almaden) in San Jose, at the Microelectronics and Computer Technology Corporation, at Rutgers University, and at Telcordia Technologies. Her recent research focuses on data security and privacy, digital identity management, policy systems, and security for drones and embedded systems. She is a Fellow of ACM and of IEEE. She received the IEEE Computer Society 2002 Technical Achievement Award, the IEEE Computer Society 2005 Kanai Award and the 2014 ACM SIGSAC outstanding contributions award. She is currently serving as EiC of IEEE Transactions on Dependable and Secure Computing.
Abstract
The Internet of Things (IoT) paradigm refers to the network of physical objects or "things" embedded with electronics, software, sensors, and connectivity to enable objects to exchange data with servers, centralized systems, and/or other connected devices based on a variety of communication infrastructures. IoT makes it possible to sense and control objects, creating opportunities for more direct integration between the physical world and computer-based systems. IoT will usher in automation in a large number of application domains, ranging from manufacturing and energy management (e.g. SmartGrid), to healthcare management and urban life (e.g. SmartCity). However, because of its fine-grained, continuous and pervasive data acquisition and control capabilities, IoT raises concerns about the security and privacy of data. Deploying existing data security solutions to IoT is not straightforward because of device heterogeneity, highly dynamic and possibly unprotected environments, and large scale. In this talk, after outlining key challenges in data security and privacy, we present initial approaches to securing IoT data, including efficient and scalable encryption protocols, software protection techniques for small devices, and fine-grained data packet loss analysis for sensor networks.
Sensor Networks as the new Attack Target
Nancy Cam-Winget
Cisco Systems
United States
Brief Bio
Nancy Cam-Winget is a Distinguished Engineer at Cisco Systems where she works in the Security CTO Office. She currently focuses on IoT security, Cyber and identity-based security solutions. Nancy was the product strategist and lead architect for Cisco’s Wi-Fi product group and lead security architect for Cisco’s Identity Services Engine and Platform Exchange Grid (pxGrid). She has authored and acted as editor for multiple published standards such as IEEE 802.11i, 802.11w, 802.11r, 802.1X and IETF RFC 7170 and RFC 7171. Nancy continues to be engaged in standards activities, where she’s now very active in other IoT standards forums and the IETF, where she co-chairs the Managed Incident Lightweight Exchange. She is also an editor for the Secure Automation and Continuous Monitoring group, is the security advisor for the Autonomic Network group, and a member of the IoT directorate.
Abstract
With the growing adoption and use of sensor networks, breaches in this space are being publicized and are growing, highlighting the importance of security.
To cite a few examples:
• AT&T’s 2015 Security report cites an increase of 458% in vulnerability scans against devices
• DHS’ annual report continues to cite over 200 reported breaches in the Industrial Control Systems disciplines
• There are many breaches publicized in the media today, but what matters is their impact. The second publicly reported breach to have greatly impacted a critical infrastructure came in December 2014, when a steel mill in Germany was breached and physical damage was incurred.
With the attack surface expanding in this way, how can these networks be secured? What would the security solution look like? This presentation will provide a general framework for how security can be balanced with safety and availability.
The Future of Information Security
Brief Bio
Bart Preneel is a full professor at the KU Leuven; he heads the COSIC research group, which is a member of the imec research center. The COSIC research group currently has 80 members, including 5 professors, 20 postdoctoral researchers, and more than 40 PhD students. He was visiting professor at five universities in Europe and scientific advisor at Philips Research. He has authored more than 400 scientific publications and is inventor of 5 patents. He has graduated more than 50 PhD students. His main research interests are cryptography, information security and privacy. Bart Preneel has participated in about 40 EU projects, for seven of these as coordinator. He has coordinated the Network of Excellence ECRYPT 2004-2012 (250 researchers) and is coordinating ECRYPT-CSA and the Marie-Curie ITN ECRYPT.NET. He has served as panel member, vice-chair and chair for the European Research Council and has been vice-president and president of the IACR (International Association for Cryptologic Research). He is a member of the Permanent Stakeholders group of ENISA (European Network and Information Security Agency), of the Academia Europaea, and of the Belgian Privacy Commission (subcommittee national register). He has been an invited speaker at more than 120 conferences in 40 countries. In 2013 he testified in the European Parliament for the LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens. He received the 2014 RSA Award for Excellence in the Field of Mathematics and in 2015 he was nominated fellow of the IACR. In 2016 he received the Kristian Beckman award from IFIP TC-11 and he was invited to deliver the IACR Distinguished lecture.
Abstract
In June 2013 Edward Snowden leaked a large collection of documents that describe the capabilities and technologies of the NSA and its allies. Even to security experts the scale, nature and impact of some of the techniques revealed was surprising. In addition to “active defense” technologies and a focus on subverting end systems, the documents also reveal a systematic attempt to undermine cryptographic systems. A major consequence is the increased awareness of the public at large of the existence of highly intrusive mass surveillance techniques. There has also been some impact in the business world, including a growing interest in companies that (claim to) develop end-to-end secure solutions and a relocation of some services. There is no doubt that large nation states and organized crime have carefully studied the techniques and are exploring which ones they can use for their own benefit. But after more than three years, there is little progress in legal or governance measures to address some of the excesses by increasing accountability. Moreover, the security research community seems to have been slow to respond to the new threat landscape. In this talk we analyze these threats and speculate how they could be countered.