2023 INTERSCT. Conference
Introduction
With the Internet-of-Things (IoT) we are seamlessly connecting the cyber and the physical worlds, extending the risk area to safety and requiring a broader perspective on security. IoT is turning out to be one of the weakest spots in our infrastructure. With billions, and in the near future potentially trillions, of devices, the security risks are growing at a great rate. Our economic and societal forces are creating a perfect storm: a pervasive infrastructure of trillions of IoT devices which on the one hand will oversee our lives and economy, and on the other hand will be completely unmanageable from a security perspective.
To compound the risk, IoT systems are often devised and engineered in places over which we have no control, and unless we want to essentially surrender our digital sovereignty by relying only on foreign solutions for our national cyber security, we need to find a way to secure them regardless of provenance and built-in malicious intent.
We cannot secure something we cannot manage. We need to rethink the security paradigm, delegating part of the security management to the system itself, which needs to autonomously adapt to the changing environment while remaining under our supervision, and we need to rethink all our security technologies accordingly. We need to be able to design, develop and manufacture IoT systems-of-systems in a fundamentally different way, enabling the overall system to become robust, resilient and trustworthy even in the presence of individual IoT devices that are insecure or even compromised in a zero-trust environment, and providing the right ecosystem for their wide adoption within industry. We actually need to be able to design, develop and manufacture new types of IoT devices with security-by-design, security-by-default, robustness and resilience in mind; while continuously preserving all safety requirements, these devices must pro-actively manage their security, actively respond to attacks, recover from attacks, and resume and restore themselves to a predefined level of operation following an attack.
During the 2023 INTERSCT. Conference on cyber security of Internet-of-Things, on 23 May in The Hague Conference Center New Babylon, we will address many of these issues with an impressive line-up of invited speakers, panelists, and moderators. There will be keynote addresses by professor Ross Anderson and Dr. Julie Haney, a panel session moderated by professor dr. Bart Jacobs, two series of parallel sessions related to the various work packages in the NWO NWA INTERSECT project (Design, Defense, Attack, and Governance), a series of plenary sessions related to the state-of-the-art in cyber security of Internet-of-Things (facilitated by ACCSS), several public service announcements (facilitated by NWO, RVO, and dcypher), as well as a networking lunch and a networking reception at the end of the event.
Schedule
08:30 | Registration + Reception
09:00 | Opening by professor Michel van Eeten (Delft University of Technology)
09:05 | Keynote address by professor Ross Anderson (University of Cambridge and University of Edinburgh) entitled “Security, Safety, Sustainability – and Pervasive Machine Learning.” In this presentation, he will focus on legislation and regulations for goods with digital components. Now that we’re putting software and network connections into durable safety-critical goods such as cars and medical devices, we have to patch vulnerabilities, just as we do with phones and laptops. The EU has responded with Directive 2019/771, which gives consumers the right to software updates for goods with digital elements, for the time period they might reasonably expect – which for durable goods like cars means typically ten years. In my talk I’ll describe the background and the likely future effects. What tools should you use to write software for a car that will go on sale in 2023, if you have to support security patches and safety upgrades till 2043? The challenges will get even tougher as we start to incorporate components that use machine learning. The costs of software maintenance look set to dominate more industries than at present, and to set practical limits to what we can build and deploy. We may find ourselves negotiating a trilemma between rapid patching for security, thorough testing for safety, and the costs of doing both properly.
10:00 | First award ceremonies (ACCSS)
10:30 | First series of parallel sessions (WP2, WP3)
WP2 [Design] moderated by dr. Erik Poll (RU)
● Ralph Moonen (Secura) on “External Attack Surfaces: finding the blind spots”
Attackers continuously scan the internet for vulnerable systems. Like opportunistic vultures they will flock around newly discovered vulnerabilities on exposed endpoints. At least, that is what we are led to believe. But is this really true? Is your attack surface solely defined by which network services you offer publicly, or is there more? In this talk Ralph Moonen will provide new insights into what the concept ‘attack surface’ can mean in the context of modern internet infrastructures. Many vendors offering solutions for Attack Surface Management are focused on discovery, while there are also some research topics that need attention that Ralph will address, such as risk ratings, completeness, IPv6 and others.
● Sezen Acur (TNO) on “SOS! Ensuring Safety And Security In An Expanding System of Systems Landscape”
Security and safety are often buzzwords used in complex environments to raise awareness of a system’s vulnerabilities as well as possible risks. Ensuring safety and security is difficult, as there are multiple parties across the globe working on the same systems, there are many uncertainties, and there is no specific set of standards one can follow for a guarantee. Therefore, how can we safeguard a system or deal with uncertainties? What if there is a lack of knowledge of, or ignorance towards, safety and security? This presentation provides an overview of how safety and security shall be addressed within changing system landscapes and in a system of systems environment.
● Arina Kudriavtseva (UL) on “Secure Software Development Methodologies: A Multivocal Literature Review”
A recognized way to improve security is through the adoption of methodologies that implement security practices at each step of the software development lifecycle (SDLC). While different methodologies have been proposed to address software security, and new ones continue to emerge regularly, we continue to observe many new software vulnerabilities and data breaches. This talk will provide an overview of security practices involved in 28 secure software development methodologies from industry, government, and academia. We will talk about the security practices and auxiliary (non-technical) practices these methodologies use. Furthermore, we will talk about the methods used to provide evidence of the effectiveness of the methodologies.
● Cristian Daniele, Seyed Andarzian and Erik Poll (RU) on “Stateful security testing”
Fuzzing is a successful testing technique to find vulnerabilities, but it is still mostly used for testing stateless systems. In this talk we will discuss efficient fuzzing strategies for network protocols and the challenges of fuzzing stateful systems. For the latter we present AFL*, an AFL-based fuzzer that leverages AFL’s persistent mode to efficiently fuzz stateful systems, three orders of magnitude faster than AFLNet, an earlier stateful variant of AFL.
WP3 [Defense] moderated by dr. Jerry den Hartog (TU/e)
Among the aims of WP3 are Creating Awareness and enabling Collaborative Intelligent Monitoring. Being aware of threats and vulnerabilities of systems, and being able to share information about them, is essential for this. Automating vulnerability discovery and monitoring can lead to the discovery of many such vulnerabilities and threats. In this session we look at the following issues related to this:
– What challenges does responsible disclosure bring when dealing with thousands of vulnerabilities?
– How can you share and consume information about threats and vulnerabilities in an automated fashion?
– What does the threat landscape look like and how can information about this be used in (research on) intelligent monitoring?
Presentations
● Jerry den Hartog (TU/e), Introduction
● Ting-Han Chen (UT) on “Challenges of responsible disclosure at scale”
To improve the safety of ICT infrastructure, security experts have teamed up with stakeholders under the principle of coordinated vulnerability disclosure. However, the involved parties and the scale have increased with the addition of IoT networks. How can we adopt new strategies for IoT vulnerability disclosure? Let’s look at the challenges and opportunities together!
● Cristoffer Leite (TU/e) on “Actionable Cyber Threat Intelligence for Automated Incident Response”
Applying Cyber Threat Intelligence (CTI) for active cyber defense, while potentially very beneficial, is currently limited to predominantly manual use. We propose an automated ‘actionable’ approach that creates network-detectable attack patterns from the Tactics, Techniques and Procedures (TTPs) in intelligence reports. The CTI related to matching patterns provides essential context for interpreting network incidents. We evaluate our approach with publicly available samples of different malware families, showing it can reliably match network incidents with intelligence reports.
● Martin Rosso (TU/e) on “The OTCAD attack database; highlights and uses”
This talk will focus on how we use OTCAD, a structured database of industrial IoT cyberattacks, to characterize attacks against industrial IoT systems. OTCAD reveals how cyberattacks against IoT change over time and how attacks differ across industrial domains. We briefly explore how ‘context factors’ of industrial IoT networks may influence the type of cyberattacks these systems face. By analyzing the IoT threat landscape, we can improve threat models with real-world observations and eventually help to build effective solutions.
12:00 | Networking Lunch
13:00 | Second series of parallel sessions (WP4, WP5)
WP4 [Attack] moderated by professor Herbert Bos (VU)
● Michele Campobasso (TU/e) on “Not all cybercrime sucks if you know what to look for”
Threat Intelligence monitors cybercriminal underground forums to provide information about current threats. However, the majority of such forums are not capable of effectively supporting trade and driving innovation. In this talk, we will discuss what the characteristics of “good” underground communities are, reducing the number of monitored communities and improving the quality of the extracted threat intelligence. From the observation of a “good” market, in 2020 we identified a market in its early stages, Genesis Market, leader in the Impersonation-as-a-Service threat model. From our investigation, we derived its underlying threat model and observed its maturity. Further, we ran an extensive data collection to measure the market’s economic activity, to estimate its revenue and attacker preferences, and we used this data to inform a risk model.
● Richard Clayton (University of Cambridge) on “A sophisticated attack?”
● Harm Griffoen (TUD) on “Scan, Test, Execute. Identifying Adversarial Tactics in Amplification Attacks”
● Asier Moneva (NWO-i NSCR) on “Stolen Data Markets on Telegram: Crime Script and Situational Crime Prevention Measures”
WP5 [Governance] moderated by dr. Simon Parkin (TUD)
● Sandra Rivera Perez (TUD) on “Factors influencing the number of vulnerabilities and the patch availability delay of IoT vendors”
With the increasing use of IoT devices in our daily lives, ensuring their security and privacy has become a critical concern. The security community is no stranger to the repeated claim that vendors are dropping the ball on security and privacy, with numerous papers highlighting the many vulnerabilities in IoT products. However, more than simply counting the number of known vulnerabilities disclosed by a vendor is required to judge a vendor’s commitment to security. This study investigates the factors that influence the number of vulnerabilities per IoT vendor. We also analyze the patch availability and patch delay for disclosed vulnerabilities after the public disclosure of a vulnerability. We compiled a dataset of 104 leading IoT vendors and identified several factors to characterize their security performance in terms of preventing vulnerabilities and releasing patches. We provide descriptive statistics on the practices of the vendors and present a model that estimates the causal relationship between various factors and the dependent variables. The findings enable us to understand the security practices of these IoT vendors and evaluate what factors contribute to their vulnerability management practices.
● Lorenz Kustosch (TUD) on “Consumer expectations of IoT security and privacy: Reasonable and normative perspectives and their role in product liability law”
● Mattis van ’t Schip (RU) on “Supply Chain Cybersecurity and the NIS2 Directive: A New Pathway for IoT Cybersecurity?”
14:10 | Second award ceremonies (ACCSS)
14:40 | Break
15:00 | Public Service Announcements (NWO, RVO, dcypher)
15:20 | Panel session moderated by professor Bart Jacobs (Radboud University)
16:10 | Keynote address by Dr. Julie Haney (NIST) entitled “IoT Cybersecurity Labels: Lessons Learned When Applying Human-Centered Research to Practice” In this presentation she will describe the development of consumer-focused IoT cybersecurity label criteria in response to a U.S. Presidential Executive Order. The talk will include a discussion of the value of leveraging human-centered IoT research insights throughout the process and lessons learned when applying research to a real-world scenario.
17:05 | Closing by professor Sandro Etalle (TU/e, scientific director NWO NWA INTERSECT)
17:10 | Networking Reception (until 18:30)
Invited speakers
- Professor Ross Anderson is Professor of Security Engineering at the Universities of Cambridge and Edinburgh. He made early contributions to the study of cryptographic protocols, hardware tamper-resistance, security usability and the economics of information security, and has worked with a range of applications from payment networks and electronic health records to vehicle tachographs and prepayment utility meters. He is a Fellow of the Royal Society and the Royal Academy of Engineering, and won the Lovelace Medal, Britain’s top award in computing. He is the author of the standard textbook “Security Engineering – A Guide to Building Dependable Distributed Systems”.
- Dr. Julie Haney is a computer scientist and lead for the Usable Cybersecurity program in the Visualization and Usability Group at the National Institute of Standards and Technology (NIST). She conducts research about human factors of cybersecurity, including the usability and adoption of security solutions and people’s perceptions of privacy and security. Previously she spent over 20 years working in the U.S. Department of Defense as a security professional and technical leader primarily in the cyber defense mission. She has a PhD and M.S. in Human-Centered Computing from University of Maryland, Baltimore County, an M.S. in Computer Science from University of Maryland, and a B.S. in Computer Science from Loyola University Maryland.
Opportunities for collaboration
During the 2023 edition of the INTERSCT. Conference on cyber security of Internet-of-Things, there will also be opportunities to discuss possibilities for collaboration with organizations that are not a member of the INTERSECT public-private partnership. If you would be interested in a short meeting during the event to discuss such possibilities, please let us know via the registration.
Registration
Registration via Eventbrite: https://INTERSCT23.eventbrite.com/.