2023 INTERSCT. Conference

Join us at the 2023 INTERSCT. Conference on cyber security of Internet-of-Things on 23 May 2023 at The Hague Conference Center New Babylon on our journey towards an Internet of secure things.

Introduction

With the Internet-of-Things (IoT) we are seamlessly connecting the cyber and the physical worlds, extending the risk area to safety and requiring a broader perspective on security. IoT is turning out to be one of the weakest spots in our infrastructure. With billions, and in the near future potentially trillions, of devices, the security risks are growing at great rates. Our economic and societal forces are creating a perfect storm: a pervasive infrastructure of trillions of IoT devices which on the one hand will oversee our lives and economy, and on the other hand will be completely unmanageable from a security perspective.

To compound the risk, IoT systems are often devised and engineered in places over which we have no control, and unless we want to essentially surrender our digital sovereignty by relying only on foreign solutions for our national cyber security, we need to find a way to secure them regardless of their provenance and of any built-in malicious intent.

We cannot secure something we cannot manage. We need to rethink the security paradigm, delegating part of the security management to the system itself, which needs to autonomously adapt to the changing environment while remaining under our supervision, and rethink all our security technologies accordingly. We need to be able to design, develop and manufacture IoT systems-of-systems in a fundamentally different way, enabling the overall system to become robust, resilient and trustworthy even in the presence of individual IoT devices that are insecure or compromised, in a Zero-trust environment, and providing the right ecosystem for their wide adoption within industry. We actually need to be able to design, develop and manufacture new types of IoT devices with security-by-design, security-by-default, robustness and resilience in mind; while continuously preserving all safety requirements, these devices must pro-actively manage their security, actively respond to attacks, recover from attacks, and resume and restore themselves to a predefined level of operation following an attack.

During the 2023 INTERSCT. Conference on cyber security of Internet-of-Things, on 23 May in The Hague Conference Center New Babylon, we will address many of these issues with an impressive line-up of invited speakers, panelists, and moderators. There will be keynote addresses by professor Ross Anderson and Dr. Julie Haney, a panel session moderated by professor dr. Bart Jacobs, two series of parallel sessions related to the various work packages in the NWO NWA INTERSECT project (Design, Defense, Attack, and Governance), a series of plenary sessions related to the state-of-the-art in cyber security of Internet-of-Things (facilitated by ACCSS), several public service announcements (facilitated by NWO, RVO, and dcypher), as well as a networking lunch and a networking reception at the end of the event.

Schedule

08:30 Registration + Reception
09:00 Opening by professor Michel van Eeten (Delft University of Technology)
09:05 Keynote address by professor Ross Anderson (University of Cambridge and University of Edinburgh) entitled “Security, Safety, Sustainability – and Pervasive Machine Learning.” In this presentation, he will focus on legislation and regulations for goods with digital components. Now that we’re putting software and network connections into durable safety-critical goods such as cars and medical devices, we have to patch vulnerabilities, just as we do with phones and laptops. The EU has responded with Directive 2019/771, which gives consumers the right to software updates for goods with digital elements, for the time period they might reasonably expect – which for durable goods like cars means typically ten years. In my talk I’ll describe the background and the likely future effects. What tools should you use to write software for a car that will go on sale in 2023, if you have to support security patches and safety upgrades till 2043? The challenges will get even tougher as we start to incorporate components that use machine learning. The costs of software maintenance look set to dominate more industries than at present, and to set practical limits to what we can build and deploy. We may find ourselves negotiating a trilemma between rapid patching for security, thorough testing for safety, and the costs of doing both properly.

10:00 First award ceremonies (ACCSS)
10:30 First series of parallel sessions (WP2, WP3)
WP2 [Design] moderated by dr. Erik Poll (RU)
WP3 [Defense] moderated by dr. Jerry den Hartog (TU/e)
Ralph Moonen (Secura) on “External Attack Surfaces: finding the blind spots”

Attackers continuously scan the internet for vulnerable systems. Like opportunistic vultures they will flock around newly discovered vulnerabilities on exposed endpoints. At least, that is what we are led to believe. But is this really true? Is your attack surface solely defined by which network services you offer publicly, or is there more? In this talk Ralph Moonen will provide new insights into what the concept ‘attack surface’ can mean in the context of modern internet infrastructures. Many vendors offering solutions for Attack Surface Management are focused on discovery, while there are also some research topics that need attention that Ralph will address, such as risk ratings, completeness, IPv6 and others.

Sezen Acur (TNO) on “SOS! Ensuring Safety And Security In An Expanding System of Systems Landscape”

Security and safety are often buzzwords used in complex environments to raise awareness of a system’s vulnerabilities as well as possible risks. Ensuring safety and security is difficult as there are multiple parties across the globe working on the same systems, there are many uncertainties, and there is no specific set of standards one can follow for a guarantee. Therefore, how can we safeguard a system or deal with uncertainties? What if there is a lack of knowledge or ignorance towards safety and security? This presentation provides an overview of how safety and security shall be addressed within changing system landscapes and in a system of systems environment.

Arina Kudriavtseva (UL) on “Secure Software Development Methodologies: A Multivocal Literature Review”

A recognized way to improve security is through the adoption of methodologies that implement security practices at each step of the software development lifecycle (SDLC). While different methodologies have been proposed to address software security, and new ones continue to emerge regularly, we continue to observe many new software vulnerabilities and data breaches. This talk will provide an overview of security practices involved in 28 secure software development methodologies from industry, government, and academia. We will talk about security practices and auxiliary (non-technical) practices these methodologies use. Furthermore, we will talk about the methods used to provide evidence of the effectiveness of the methodologies.

Cristian Daniele, Seyed Andarzian and Erik Poll (RU) on “Stateful security testing”

Fuzzing is a successful testing technique for finding vulnerabilities, but it is still mostly used for testing stateless systems. In this talk we will discuss efficient fuzzing strategies for network protocols and the challenges of fuzzing stateful systems. For the latter we present AFL*, an AFL-based fuzzer that leverages AFL’s persistent mode to efficiently fuzz stateful systems, three orders of magnitude faster than AFLNet, an earlier stateful variant of AFL.

Among the aims of WP3 are creating awareness and enabling collaborative intelligent monitoring. Being aware of threats and vulnerabilities of systems and being able to share information about them is essential for this. Automating vulnerability discovery and monitoring can lead to the discovery of many such vulnerabilities and threats. In this session we look at the following issues related to this:
– What challenges does responsible disclosure bring when dealing with thousands of vulnerabilities?
– How can you share and consume information about threats and vulnerabilities in an automated fashion?
– What does the threat landscape look like and how can information about this be used in (research on) intelligent monitoring?

Presentations
Jerry den Hartog (TU/e), Introduction

Ting-Han Chen (UT) on “Challenges of responsible disclosure at scale”

To improve the safety of ICT infrastructure, security experts have teamed up with stakeholders with the principle of coordinated vulnerability disclosure. However, the involved parties and scale have increased with the addition of IoT networks. How can we adopt new strategies for IoT vulnerability disclosure? Let’s look at the challenges and opportunities together!

Cristoffer Leite (TU/e) on “Actionable Cyber Threat Intelligence for Automated Incident Response”

Applying Cyber Threat Intelligence (CTI) for active cyber defense, while potentially very beneficial, is currently limited to predominantly manual use. We propose an automated ‘actionable’ approach that creates network-detectable attack patterns from the Tactics, Techniques and Procedures (TTPs) in intelligence reports. The CTI related to matching patterns provides essential context for interpreting network incidents. We evaluate our approach with publicly available samples of different malware families, showing it can reliably match network incidents with intelligence reports. By increasing automation, our approach addresses one of the major limiting factors of effective use of CTI.

Martin Rosso (TU/e) on “The OTCAD attack database; highlights and uses”

This talk will focus on how we use OTCAD, a structured database of industrial IoT cyberattacks, to characterize attacks against industrial IoT systems. OTCAD reveals how cyberattacks against IoT change over time and how attacks differ across industrial domains. We briefly explore how ‘context factors’ of industrial IoT networks may influence the type of cyberattacks these systems face. By analyzing the IoT threat landscape, we can improve threat models with real-world observations and eventually help to build effective solutions.

12:00 Networking Lunch
13:00 Second series of parallel sessions (WP4, WP5)
WP4 [Attack] moderated by professor Herbert Bos (VU)
WP5 [Governance] moderated by dr. Simon Parkin (TUD)
Michele Campobasso (TU/e) on “Not all cybercrime sucks if you know what to look for”

Threat Intelligence monitors cybercriminal underground forums to provide information about current threats. However, the majority of such forums are not capable of effectively supporting trade and driving innovation. In this talk, we will discuss what the characteristics of “good” underground communities are, reducing the number of monitored communities and improving the quality of the extracted threat intelligence. From the observation of a “good” market, in 2020 we identified a market in its early stages, Genesis Market, leader in the Impersonation-as-a-Service threat model. From our investigation, we derived its underlying threat model and observed its maturity. Further, we ran an extensive data collection to measure the market’s economic activity and estimate its revenue and attacker preferences, and we used this data to inform a risk model.

Richard Clayton (University of Cambridge) on “A sophisticated attack?”

Almost every cybercrime is reported to be a “sophisticated attack”. This talk examines how incentives align to misrepresent very run-of-the-mill events in this manner — with some illustrations drawn from many years’ experience in monitoring attempts by “Mirai”-like IoT malware to infect IoT devices.

Harm Griffoen (TUD) on “Scan, Test, Execute. Identifying Adversarial Tactics in Amplification Attacks”

Amplification attacks generate an enormous flood of unwanted traffic towards a victim. They are mounted with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes towards the victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. In this talk, we analyze these adversarial tactics, techniques, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks.

Asier Moneva (NWO-i NSCR) on “Stolen Data Markets on Telegram: Crime Script and Situational Crime Prevention Measures”

Illicit data markets have emerged on Telegram, an online instant messaging application. Thousands of users participate in these markets, where vendors offer large volumes of sensitive data and customers bid for them. This presentation describes how Telegram data markets operate and argues what interventions could be used to disrupt them. Using crime script analysis, we observed sixteen Telegram meeting places (i.e., channels and groups) and studied how they operate. We obtained information about how the different meeting places function, what their inside rules are, and how users advertise and trade data. Based on the crime script, we then suggest four feasible situational crime prevention measures to disrupt these markets: takedowns, reporting, spamming and flooding, and warning banners.

Sandra Rivera Perez (TUD) on “Factors influencing the number of vulnerabilities and the patch availability delay of IoT vendors”

With the increasing use of IoT devices in our daily lives, ensuring their security and privacy has become a critical concern. The security community is no stranger to the repeated claim that vendors are dropping the ball on security and privacy, with numerous papers highlighting the many vulnerabilities in IoT products. However, more than simply counting the number of known vulnerabilities disclosed by a vendor is required to judge a vendor’s commitment to security. This study investigates the factors that influence the number of vulnerabilities per IoT vendor. We also analyze the patch availability and patch delay for disclosed vulnerabilities after the public disclosure of a vulnerability. We compiled a dataset of 104 leading IoT vendors and identified several factors to characterize their security performance in terms of preventing vulnerabilities and releasing patches. We provide descriptive statistics on the practices of the vendors and present a model that estimates the causal relationship between various factors and the dependent variables. The findings enable us to understand the security practices of these IoT vendors and evaluate what factors contribute to their vulnerability management practices.

Lorenz Kustosch (TUD) on “Consumer expectations of IoT security and privacy: Reasonable and normative perspectives and their role in product liability law”

Consumer Internet-of-Things (IoT) devices and their users repeatedly face security and privacy incidents, and it is unclear who is responsible for responding and in what way. For safety-related incidents, product liability and conformity regulations protect users in case of product defects and ensure that manufacturers comply with minimal requirements. Such mechanisms do not exist for security or privacy ‘defects’ yet. In this talk, we will present work we did on empirically measuring consumer expectations about IoT devices’ security and privacy, and how such consumer expectations can play a role in product liability and conformity law and regulation for IoT devices.

Mattis van ‘t Schip (RU) on “Supply Chain Cybersecurity and the NIS2 Directive: A New Pathway for IoT Cybersecurity?”

The recently adopted NIS2 Directive from the European Union contains rules for the cybersecurity risk management of “network and information systems” used in the most critical sectors (e.g., energy, health). Among the rules, the Directive requires “supply chain security” measures in these sectors. In this presentation, I delve into the meaning of this particular set of rules for the cybersecurity of Internet of Things devices in critical sectors.

14:10 Second award ceremonies (ACCSS)
14:40 Break
15:00 Public Service Announcements (NWO, RVO, dcypher)

  • Leon Klomp (NWO)
  • Claire Selbeck (RVO)
  • René Kamphuis (dcypher)
15:20 Panel session moderated by professor Bart Jacobs (Radboud University)

  • professor Ross Anderson (University of Cambridge and University of Edinburgh)
  • professor Eleni Kosta (Tilburg University)
  • Nelly Ghaoui (Ministry of Economic Affairs and Climate Policy, Digital Economy)
  • Petra Oldengarm (Cyberveilig Nederland)
16:10 Keynote address by Dr. Julie Haney (NIST) entitled “IoT Cybersecurity Labels: Lessons Learned When Applying Human-Centered Research to Practice”

In this presentation she will describe the development of consumer-focused IoT cybersecurity label criteria in response to a U.S. Presidential Executive Order. The talk will include a discussion of the value of leveraging human-centered IoT research insights throughout the process and lessons learned when applying research to a real-world scenario.
17:05 Closing by professor Sandro Etalle (TU/e, scientific director NWO NWA INTERSECT)
17:10 Networking Reception (until 18:30)

Invited speakers

  • Professor Ross Anderson is Professor of Security Engineering at the Universities of Cambridge and Edinburgh. He made early contributions to the study of cryptographic protocols, hardware tamper-resistance, security usability and the economics of information security, and has worked with a range of applications from payment networks and electronic health records to vehicle tachographs and prepayment utility meters. He is a Fellow of the Royal Society and the Royal Academy of Engineering, and won the Lovelace Medal, Britain’s top award in computing. He is the author of the standard textbook “Security Engineering – A Guide to Building Dependable Distributed Systems”.
  • Dr. Julie Haney is a computer scientist and lead for the Usable Cybersecurity program in the Visualization and Usability Group at the National Institute of Standards and Technology (NIST). She conducts research about human factors of cybersecurity, including the usability and adoption of security solutions and people’s perceptions of privacy and security. Previously she spent over 20 years working in the U.S. Department of Defense as a security professional and technical leader primarily in the cyber defense mission. She has a PhD and M.S. in Human-Centered Computing from University of Maryland, Baltimore County, an M.S. in Computer Science from University of Maryland, and a B.S. in Computer Science from Loyola University Maryland.

Opportunities for collaboration

During the 2023 edition of the INTERSCT. Conference on cyber security of Internet-of-Things, there will also be opportunities to discuss possibilities for collaboration with organizations that are not a member of the INTERSECT public-private partnership. If you would be interested in a short meeting during the event to discuss such possibilities, please let us know via the registration.

Registration

Registration via Eventbrite: https://INTERSCT23.eventbrite.com/.
