IoT & Device Security

Munich, Germany
5-6 December 2017


Please find the IoT & Device Security conference programme below


Registration & Refreshments
Chairman’s Opening Remarks

Chairman TBC




Opening Keynote: IoT- What Does it Mean When Considering Security?

We are now in the era of the Internet of Things, where digitally connected devices are influencing every aspect of our lives, including our homes, offices, cars and even our bodies. The opportunities that IoT has developed are huge and without precedent, but IoT is also becoming an increasingly attractive target for cybercriminals.
More connected devices mean more attack vectors and more possibilities for hackers to target us, thus we need to move fast to address this rising security concern. But how do we do it?
Several measures are already being taken to fill security holes and prevent security breaches at the device level: new regulations have been proposed and innovative technologies implemented.
Join us to hear analysis of the unstoppable growth of IoT and the necessity for organisations to take appropriate measures to protect their networks.

Matthias Brose, Vice President Corporate & Information Security and CISO, Schaeffler AG




Keynote: Going Digital? For Sure, but with Assurance Please! A Holistic CIO Perspective on the Necessary Risk Assurance Towards Going Digital

The world of IT and OT is coming together, with many large companies wanting to go digital to increase their business opportunities through new innovative digital technologies that have become available. And all of that should be implemented faster and faster and faster.
But, at the same time, in order to really increase value by going digital, this strategy absolutely needs to be guaranteed by the necessary assurance towards board and executive management regarding IT Risk.
This presentation tackles the CIO perspective on this challenge and will focus on the why and how of going digital. Why the necessary risk assurance is increasing the value of the digital roadmap. And how to best tackle this IT risk challenge with a whole framework of best practice IT security measures like security policies, awareness sessions, leakage prevention, device registration (802.1x), data classification and IAM techniques amongst many others.

Luc Verhelst, CIO, Metallo Group





Who’s Who Keynote Panel: Who Should Own IoT & Device Security Within Your Organisation

Organisations need to reassess how they approach IoT security. It’s no longer something apart from the business; it is a real business issue. Breaches can have a substantial impact on customer confidence and the bottom line. However, who owns security within the development, testing and implementation process remains in question. The organisational functions most responsible for mobile and IoT security very often reside outside the security function. Being a business issue also means that IoT security is not just a technical challenge for the Chief Information Officer, Chief Technology Officer, or Chief Security Officer; it is under the purview of all the corporate officers and the board.


Mr Dietmar Bettio, Vice President Information Technology & CIO, Vetter Pharma
Dr Rolf Reinema, Head of Technology Field IT Security, Siemens AG
Mr Matthias Brose, Vice President Corporate & Information Security and CISO, Schaeffler AG

Networking, Refreshment Break and 1-2-1 meetings
Presentation: A Bottom-Up Approach for IoT Security






Regulatory Panel: The Inescapable Rise of Regulation – GDPR as a Step to Create Trust?

In May 2018, the European General Data Protection Regulation becomes enforceable. The regulation concerns all electronic communications. The GDPR is strengthening the rights of individuals whose personal data is being processed, mainly by requiring consent. This is not easy at all, depending on context and use case. The new regulation is making it even more important for companies to set up measures to prevent privacy violations. In case of a breach, the GDPR requires administrative fines of up to 4% of global turnover for companies responsible for the incident. Companies therefore need to prove compliance with GDPR, in turn creating the chance to create trust in their IoT ecosystem.

So how are you preparing? Who can advise you on the specific risks regarding IoT and related technologies?


Dr. Michael Kiometzis, Referat IV, Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Mr. Achim Klabunde, Data Protection Officer, EDPS


12:10-12:40 Case Study: The Architecture for Secure Information and Analytics in a Data Rich Environment

Cricket is faced with the strategic imperative of growing and retaining participation in an ever-changing world. To do this, the sport must understand as much as possible about existing participants: why they play, attend and follow cricket; as well as understanding those who don’t participate or have lapsed and what will entice them back to the sport. The sport must also inspire people with new forms of the game and new, surprising, delightful ways to engage with cricket by continuous innovation. Cricket must also ensure that their elite athletes are perfectly prepared to perform to the highest standards on the field of play to make the cricket that people watch the most inspiring experience they can have, leaving no stone unturned in the pursuit of sporting excellence.
All of this requires an advanced data and analytics capability, and a significant amount of security to protect highly sensitive personally identifiable information, performance data, IoT sensor data, etc. and to deliver it into the hands of the people who need it in modern mobile apps in record time.
Mr. Damian Smith, Head of IT, England and Wales Cricket Board
Presentation: Security of Embedded IoT Devices – Some Lessons Learned

Dr. Heyszl will provide an overview of security issues with embedded systems in IoT areas such as transportation, healthcare, smart grids, critical infrastructure, and Industrie 4.0. He will explain which hacking methods will need to be countered by development teams for secure IoT devices and focus on issues closely connected to the device hardware and the physical access by hackers to those devices.

Applied cryptography and secure handling of keys is addressed as one major factor in preventing large-scale cyber-attacks on IoT devices.

Dr. Johann Heyszl, Head of Hardware Security Department, Fraunhofer – Institute for Applied and Integrated Security (AISEC)

Lunch, Networking and 1-2-1 meetings


Prevention Workshop: Detecting and Automatically Blocking Ransomware 

Malware and more specifically ransomware has been the most effective way for attackers to reach targets globally. This only proves the need for better, and faster ransomware protection methods. Of course, you want to block ransomware before it has a chance to encrypt your network data stores. But keeping up with the pace of ransomware innovation can be a challenge.
During the workshop, we will talk about costs and prevention of ransomware attacks by analysing deception technology and generic techniques.

Mr. Martin Overton, Head of Cyber Risks EMEA, AIG



Interactive Session: Industry 4.0 

Industry 4.0 incorporates and extends the IoT within the context of the physical world and is used to digitalise the business operation. But the security implications of compromised IoT devices include production downtime, damage to equipment or facilities and much more.
IoT device manufacturers have a responsibility to produce IoT devices that are naturally more secure and hardened.

Mr. Dietmar Bettio, Vice President Information Technology & CIO, Vetter Pharma

Networking, Refreshment Break and 1-2-1 meetings

Case Study: Metrics – The Story So Far…

“CISOs need to speak the language of the board!”

That phrase has been touted around as a general statement and call to arms for several years, but have we learned that language yet? Our speaker, Phil Cracknell, stated two years ago that, generally speaking, CISOs don’t have the words yet: a common language that both the CISO and other C-levels understand.
In the beginning…the security industry was still waiting patiently for a balanced, independent and common collection of metrics, KPIs, measurements or risk indicators. No vendor, Big-4 or Analyst can claim to have a better insight, experience or perspective on what a CISO needs and how his board would like it measured and presented. A big statement, but only vendors, the Big-4 and analysts would contest this…
CISOs were also tiring of the fact that the only automatically generated statistics relating to security were product/solution derived, and as such spoke more about how that technology was doing.

The metrics are very much the key to our future. They continue to be defined, validated and tested by CISOs or the end-user community and are starting to detail exactly how we demonstrate our effectiveness, measure our exposure and agility, test our culture and pinpoint the responsibilities, highlighting investment or lack of it.

“Report what you should not what you can”

Mr. Phil Cracknell, CISO, Cyber Security/Risk Advisor, Non-Exec Director, HomeServe


Case Study: The New VDE/FNN Rule “Kaskade4140” and its Impacts on Smart Energy Processing & Security

Optimising the End to End Supply Chain in the Energy sector and avoiding Blackouts and financial losses is the aim of the new “Kaskade-Rule”, which must be implemented from January 30, 2019 in each Company.

This presentation highlights the organisational impacts for all market sectors including Renewable Energy Generators, Energy Transmission and Local Distributors, Gateway Administrators & Smart Metering Providers.

Mr. Peter Breuning, Head of Grid Control, Stadtwerke Schwäbisch Hall GmbH



Privacy Perspective: Building Protection to Reduce Vulnerability and Privacy Concerns 

The inescapable introduction of sensors and devices into currently intimate spaces poses challenges and a major area of concern is privacy. As physical objects in our everyday lives increasingly detect and share observations about us, consumers will likely continue to want privacy. Security and privacy challenges for any IoT solution need to be addressed from the start.
We will look at how introducing security in the early life cycle of the IoT solution can reduce vulnerability and privacy concerns.

Dr. Michael Kiometzis, Referat IV, Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

17:50– 18:00
Chairman’s Day 1 Recap
Evening Drinks Reception


Registration & Refreshments


BVDW Breakfast Briefing and 1-2-1 meetings
09:00- 09:10
Chairman’s Welcome & Day One Recap


Keynote Presentation: The Usual Insecurity of Things

While the Internet of Things is used to describe a host of new lightweight technologies, when it comes to security it pays to focus less on the novelty of IoT, and more on what IoT applications have in common with previous technologies that have learned about security the hard way (by first getting it wrong). It’s time to go back to basics, and reflect on what security means in cyberspace. Only once this is understood, can we hope to secure any type of application that resides there.

Prof. Keith Martin, Information Security Group, Royal Holloway, University of London




CISOs Point of View: What is the Cost of a Data Breach?

The IoT budget will reach $547 million by 2018, according to a Gartner report. But it’s still challenging for a CISO to get budget for IoT Security, since the board of directors wants to spend that IT money on projects and solutions that will expand the business and bring in more revenue. But the cost of a data breach is composed of several things, including the cost of acting to reduce the impact, the loss of brand reputation and consumer trust, and even the cost of litigation.
So how do you show that there is value in investing in IoT Security and justify a proper security budget?

Mr. Sebastian Hess, Cyber Risk Engineer, D/A/CH AIG Europe Limited

10:10- 10:30
Session reserved to Sponsor



Interactive Discussion: Security Patching: Making the Patch Process an Ally not a Foe?

The biggest problem with many IoT devices is that they are un-patchable, and if they cannot be patched, they cannot be made secure. An IoT device is not a standalone product; it is highly dependent on the services it receives over the Internet, from the technical, organisation and policy services. Therefore, how can IoT software be updated?
The discussion will help us capture the current best practices in the IoT industry relative to software updates.


Dr. Apostolos Malatras, Officer Network and Information Security, ENISA
Mr. Mun Valiji, Chief Information Security Officer, Sainsbury’s

Networking, Refreshment break and 1-2-1 Meetings


Case Study: Risk Awareness & Control as Public Private Partnership – Some Experiences from the MELANI Project in Switzerland

In this session, some recent Cases of the MELANI Security Network in Switzerland around critical Infrastructure will be presented.
The speaker will show how Regulatory Authorities and Companies are co-working to increase Risk Awareness and minimise financial losses.

Mr. Marc Henauer, Head Melani Program, Swiss Federal Intelligence



Governance, Risk and Compliance Keynote: Fitting in with Guidelines and Standards

Corporate IT, and IoT within it, can be a complex environment, with ongoing regulatory and compliance challenges likely to grow in importance. Understanding the risks, opportunities and challenges for the complex Corporate IT Architecture is the first critical step towards effective and secure Processes & Control Measurements. This presentation focusses on Actions & Measurements in Finance, IT compliance, Risks and Security of an innovative Energy Company. It will show how Business Processes & IT Applications are permanently challenged.

Axel Junghans, Head of Quality, Process and Problem Management, Innogy SE



Presentation: Already Thinking about API Protocols?

There are security protocols already in place to improve IoT security, but with the continued rise of IoT device use, business leaders must make sure API management is a central part of their security strategies in order to protect the safety and security of their organisation’s connected devices and customers’ data.

Our expert will show several steps that organisations can follow in order to maintain device security through APIs.

Mr. Razvan Tudor, Head of IT Security at ING Software Development Centre

Lunch, Networking and 1-2-1 Meetings



Presentation: Prevent our IoT Attack!

A fictitious company will be presented: Business Model, threats and vulnerabilities. The Defender Team will choose the right countermeasures to mitigate risk. Industry experts tackle the company with some imaginary scenarios. Countermeasures cost money, and damages do too – the winning team is the one with the best balance after 5 rounds!

Our Industry expert will tackle some imaginary hacking scenario and attendees will create a framework of actions to prevent and then react, which will be presented and shared with the other tables.

Mr. Herbert Dirnberger, Team Lead ICS Security, Cyber Security Austria


Presentation: Securing the IoT with Reliable Roots of Trust

The advent of the current technological innovations has allowed us to connect both People-to-Machines and Machines-to-Machines, in turn creating new opportunities to improve people’s lives… but all the while creating new threats.

As a small snapshot of the types of attacks faced right now, these include Distributed Denial of Service (DDoS) attacks – which are becoming more widespread and more dangerous, causing organisations billion-dollar losses. Furthermore, man-in-the-middle attacks can be carried out simply using video surveillance cameras… Hackers have different motivations (fun, money, terrorism…) and different resources (material, collusion, expertise) to penetrate a system, but all IoT systems will face hacking, and in case of success, the consequences can be heavy: stopping or disturbing services, affecting people’s privacy and safety, providing opportunity for the theft of intellectual property, damage to brand reputation, loss of revenue and job destruction…

During this presentation, the speaker will consider how enterprises can guard themselves, including giving a digital identity to IoT devices based on digital certificates and associated secure assets built upon a reliable root of trust.

Mr. Benoit Makowka, VP IoT Business Unit, WiseKey




Case Study: Embedding IT Security in Industry Controlled Systems

When designing a system, it is important to understand the potential threats to that system, and add appropriate defences accordingly, as the system is designed and architected. To date, we have failed to embed security into each piece of data as it is created. All data should have embedded security, and the systems that consume, process and store this data must adhere to the security policies embedded therein.
We will analyse new business models based on design phase security, what solutions and what processes are needed.

Dr. Rolf Reinema, Head of Technology Field IT Security, Siemens AG

Presentation: Big Data & IoT Security Analytics
Networking, Refreshment break and 1-2-1 Meetings
 16:00-16:30 Case Study: From Research Directions to Case Studies: IoT Security & Serious Games in the Healthcare Sector

What to learn from current research, IT-Security games and case studies for future IoT scenarios? This presentation will present highlights from research on IT security for Critical Infrastructures and particularly the Health Care Sector that is applicable to future IoT scenarios. Selected findings from a series of real cases, results and insights from the IT security game series “IT-Security Matchplays” and from the “Monitor” survey among IT security professionals will also be covered.

Prof. Dr. Ulrike Lechner, University of “Bundeswehr” Munich 

 16:30-17:00 Case Study: Baseline Security Requirements for IoT in Critical Information Infrastructures (CII)

• Horizontal security measures for IoT across verticals
• IoT in the context of smart Cars and Transport
• Assets, threats, attack scenarios, security measures of IoT in CII
• Recommendations for baseline security

Dr. Apostolos Malatras, Officer Network and Information Security, ENISA 

17:00-17:30 Presentation: Secure IoT Data Analysis in Manufacturing; Challenges in Hybrid Cloud Infrastructures

Although IoT Data Analyses offer various economic and strategic benefits to companies, the current degree of usage still lags far behind expectations in the manufacturing industry. In general, processing the enormous amount of machine data calls for Cloud based approaches. However, the combination of IoT data with sensitive customer data as well as special knowledge of the machines is necessary to unlock the potential of IoT Data Analysis. In many cases, companies strive against processing this information in the Cloud. The secure implementation of Hybrid Cloud infrastructures might be the key to success of IoT Data Analyses in manufacturing. To securely use Hybrid Cloud infrastructures, traditional mechanical engineering companies typically face various security challenges.

Dr. André Loske, Security Information Officer, Heidelberger Druckmaschinen AG

Closing Remarks from the Chair and End of Conference