Why Nominated: Elisa Costante conducts research on critical infrastructure and industrial systems and then applies her findings toward the development of important technology solutions. She recently developed a specialization in business automation systems, last year revealing five vulnerabilities in popular BAS devices.
More recently, Costante has established herself as one of the leading researchers on operational technology (OT) networks and critical infrastructure threats. In particular, she has immersed herself in the study of BAS technology, which allows centralized control of a smart building’s HVAC, lighting and physical security systems. An attack on such systems could negatively impact critical functionality or allow hackers access to sensitive information on the network.
Of the five BAS device flaws recently uncovered by Costante and her team, one of them can be exploited by attackers to access the credentials of the device’s legit users, and another can allow adversaries to gain full control of the device. All of the bugs were reported to their respective manufacturers and patched appropriately. Additionally, Costante and her team developed proof-of-concept malware capable of targeting critical HVAC and physical access systems.
Based in the Netherlands, Constante started her research career at the Eindhoven University of Technology, where she received her PhD. In 2014, she joined Security Matters, a startup company that designs technology to protect critical infrastructure networks and devices from cyberattacks. By 2016, she was in charge of all research at the company, and oversaw innovation teams that looked to turn her findings into new prototypes for products. She was promoted to CTO last year, before joining Forescout.
What colleagues say: Dr. Costante is one of the very few people who basically have everything: She is an excellent researcher, visionary, hacker [and] manager. She has natural leadership and tremendous people skills. I have been supervising and coaching people for 20 years and I never found anyone with quite the same powerful combination of skills.
Researchers are usually either “visionaries,” who can see the big picture, but have difficulty with the small details, or they are “hackers,” who are good with detail and low-level reasoning, but have a hard time abstracting their work to a broader view. Dr. Costante is an eminent exception to this rule. She is equally at home presenting a vision to C-level people as she is discussing – for hours, if needed – the technical details of an elaborate IoT hack. – Sandro Etalle, co-founder of Security Matters, and full professor and chair of the security group at Eindhoven University of Technology