Good news:
The last several weeks have been a hurricane of engagement and progress – especially surrounding our initiatives with Connected Vehicle safety/security.
Bad news:
The travel and supporting work delayed our “monthly” update a bit.
Back to Good News:
That means we have even more to report below… (as this is but a sampling).
While we’ve been crazy busy, it’s the good kind of crazy busy…
Thank you to all of you who have shown support and helped to Collect, Connect, Collaborate, and Catalyze… to drive safety into connected technologies.
It’s working…
Josh Corman
Highlights:
- Invitation to join Auto Industry group (SAE) to help with Cyber Safety
- White House Briefing on 5 Star Automotive Cyber Safety Letter/Framework
- Flood of briefings with Auto Makers, Suppliers, Government & Industry Groups
Achievements:
The Cavalry invited to join Auto Industry group (SAE) to help with Cyber Safety
SAE International (Society of Automotive Engineers), a global association of more than 138,000 engineers and technical experts in the aerospace, automotive and commercial-vehicle industries, invited I Am The Cavalry to present to their monthly meeting. After a detailed overview and discussion of our initiative and framework, they invited us to nominate a representative to join their regular meetings and collaborate on issues of automotive cyber safety.
White House Briefing on 5 Star Automotive Cyber Safety Letter/Framework
Met onsite with members of the White House National Security Staff for Cyber Security. The staff was impressive and very pleased with our approach and content in the 5 Star Automotive Safety Framework. I believe the headline was “Love it!” They also recognized immediately how its approach and abstraction applies to Medical Devices, Connected Homes and Critical Infrastructure – specifically in context of the NIST Cyber Security Framework (CSF). They are bringing our framework to contacts in US DHS, DOT, GSA, NIST and other relevant stakeholders.
Flood of briefings with Auto Makers, Suppliers, Government & Industry Groups
We hoped to Collect, Connect, Collaborate, and Catalyze… and boy did we. For at least the 1st 5 weeks after the 5 Star Framework posted at DEF CON, we averaged about a briefing per business day with automotive industry players. These briefings ranged from government – such as US Dept of Transportation (DOT) to technology suppliers, insurers, think tanks, car makers, consortiums and even dealer associations. While there were pockets of skepticism or caution, the overall tone has been quite positive. This week, in fact, the Cavalry is participating in a “connected car” working group with US DHS/DOT.
Conferences and Events of Note:
Several events (both past and upcoming) showcase the I Am The Cavalry mission. Here are a few of them; if you know of others or would like to get involved let us know at info@iamthecavalry.org.
- -44CON in London – September, 2014
- -Intel Developers Forum – September, 2014
- -DerbyCon in Louisville, KY – September, 2014
- -ISC2 Congress in Atlanta, GA – September, 2014
- -Hack In the Box Malaysia – October, 2014
- -FDA Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity – October, 2014
- -GIGAOM Structure Connect – October, 2014
- -0redev IoT Summit – November, 2014
- -DHS/DOT Connected Car Security Workshop – November, 2014
- -SANS penetration testing summit – November, 2014
- -CISO Summit Mumbai – November, 2014
- -CiscoSecCon – December, 2014
- -NH-ISAC / SANS Healthcare – December, 2014
- -SAE Automotive in DC – January, 2015
- -OWASP APPSEC Southern CA conf – January, 2015
- -ShmooCon – January, 2015
- -RSA USA 2015 – April, 2015
- -SAE Automotive in Detroit – April 2015
44CON is an annual information security conference and training event taking place in London. Put on by Sense/Net Ltd, 44CON is intended to provide current security information to business and technical information security professional. At this event, I am The Cavalry was introduced to UK students, researchers and industry professionals.
A good deal of the Internet of “all the things” is going to involve techolgy stacks like Intel. They have been receptive to much of the Cavalry mission and setup a Panel (including Josh Corman and Chris Valisek) and several meetings with internal teams to make sure they are on the right track and connected to the right initiatives.
Derbycon is a conference for security professionals interested in sharing and learning the latest from the infosec community in a fun and family-style atmosphere. Space Rogue and Beau Woods discussed the I Am The Cavalry mission and Year[0] review, activities over the past year, and vision forward. Jen Ellis and Steve Ragan conducted a very well received, half day media training workshop. Here is a link to the short talk which came just prior. Many thanks to Dave Kennedy and company for their continued support!
ISC2 was incredibly supportive of I am The Cavalry – and generous with their annual congress. We were praised by their Executive Director Hord Tipton during opening ceremonies. We were given a talk in the solutions theatre. We got to share our mission during the Safe & Secure Online training workshop. Josh Corman delivered the keynote for the ISLA Awards dinner (where our own Tony Vargas was honored with the President’s Award!) Lastly, we got to kick off the 1st our of their Chapter Leadership meetings to plan for next year. What was clear is that they have a ready made network and resources, are highly supportive of our initiative, share many of our values (especially on their lesser know 501c3 Foundation side), and are actively looking for ways we can work together.
Loopcast is DC/Beltway based podcast (outside of the security echo chamber) featuring political, technical and legal issues of the day. This episode featured discussions of automotive security, our 5 Star Cyber Safety Framework, society and the law.
I am The Cavalry joined a short (but high impact) discussion on IoT Safety & Security with the CEO of ElectricImp [VIDEO]. The well-vetted crowd stimulated a great deal of follow-up and we got to make some connections to large device manufacturers who want the help. We may even have convinced ElectricImp to make it easier for researchers to get their kit… (tbd).
In it’s 10th year as a Developer Conference, 0redev added its 1st IoT summit in Malmö, Sweden last week. The diverse speakers and topics made for speakers dinners and hallways tracks worth the trip alone: Disco Mode lighting to Fashionable Wearables to BioHacking to IoT Security… the lineup is here. Most of the videos posted here.
CiscoSecCon 2014
The Cavalry was invited to speak (along with other solid outside thinkers/researchers) at their internal security event in early December. Given the line-up of topics and speakers, it looks like they too are getting serious about the role(s) they will play in IoT Security.
NH-ISAC (National Health) / SANS Healthcare Cyber Security Summit
In early December, a few of us will be attending and speaking at the Healthcare Summit in San Francisco. If you’re planning to be there, let us know!
Related News:
Mainstream Media
The mainstream media news is a great way to get introduced to the Cavalry and the subject of connected device security. Here you will learn the major industry concerns in non-technical language, and how various researchers are influencing the discussion with projects and fact supported assertions.
- 007 Nemesis Le Chiffre Bolsters France in Cyber Attacks [Bloomberg]
- First Online Murder Will Happen by End of Year, Warns US Firm [The Independent]
o This hotly debated article (and others) stimulated a lot of “What’s FUD? what’s “junk research”? What’s of legitimate concern?
o The existence of these debates is all the the more reason we should be a credible, voice of reason and technical literacy on these issues.
Security/Technology Industry Media
Here is a sample of current industry news about I Am The Cavalry, targeted at the IT, security and high-technology community.
- Danish Radio show Harddisken [DR Netradio]
o I Am The Cavalry conducted an interview for Danish Radio. The segment starts at about 24 minutes.
Ongoing Projects:
Research Library
The Cavalry is creating a library indexing recent research and articles related to connected device security. This library will provide security experts with a launching pad for recent work in the field, and serve as a quick reference for those outside of the echo chamber. If you would like to submit content or help build the library, please email in…@iamthecavalry.org.
5-Star Collateral
In response to specific requests from automotive companies, the Cavalry is creating collateral around the 5-Star Cyber Safety Framework. The first project is the creation of a whitepaper documenting the safety framework and suggestions to the automotive community. This content will enable automotive industry experts to present safety ideas internally or disseminate information at conferences.
Minor Website Updates
We’re always adding and improving our web content. If you see an issue, please let us know and we will update the pages accordingly.
Long Range Future Plans:
Incorporation
We are currently evaluating several different options for incorporating as a non-profit educational foundation. Alternately we are evaluating existing non-profit organizations who want to adopt our message and mission as theirs. A legal corporate structure will allow us to continue to serve our mission in the way we have been – collecting, connecting, collaborating and catalyzing – and to expand our reach and capabilities. At Derbycon last month we had a chance to sit down for large chunks of time (face-to-face) and update what such an organization might look like, in terms of long-term vision, activities to undertake, etc. A year smarter and with more experiences will help us finalize our business plan and formal instantiation.
BSides Las Vegas 2015
We are working with BSides Las Vegas organizers to plan I Am The Cavalry activities for BSidesLV 2015. If you have organizational or content suggestions for next year’s conference, please post them to the discussion list or send them to us privately. Videos of some of the sessions from this year’s event can be found on the Irongeek website.
How to Get Involved:
- We are looking for volunteers to contribute to the Connected Device Security blog in the areas of Home Electronics, Automotive, Medical or Public Infrastructure. Feel free to write your perspective on the latest in IoT developments and any security concerns or news in the aforementioned verticals. Please contact info@iamthecavalry.org for more information.
- We need assistance with administration of the website. If you have web admin experience and interest in IoT security, please contact info@iamthecavalry.org.
- We need assistance with building, sustaining and managing the research library. This is a great way to get involved if you are new to connected device security. Please contact in…@iamthecavalry.org for more information.
- We are looking for people to do research and contribute to building out a matrix of carmakers and their capabilities from our Five Star Automotive Cyber Safety Framework. If you are interested, please email info@iamthecavalry.org.
