Keeping your things to yourself

October 2019 Editor's Choice, Information Security, Integrated Solutions, Infrastructure

Securing IoT devices is a task every security installer, integrator, consultant and risk assessor needs to build into their arsenal. Fortunately, IoT security is not something brand new for those who have a grounding in cybersecurity as it applies to the physical security industry - not that the distinction between cyber and physical security is something we will have for much longer.

To obtain some further insights into the challenges and best practices around IoT security, Hi-Tech Security Solutions asked three experts to give us their take on securing the IoT in order to attain the benefits on offer without the cyber risks inherent in electronic communications.

An oxymoron in security


Gregory Dellas.

By Gregory Dellas, security presales, CA Southern Africa.

When it comes to enterprise IT, the term ‘IoT cybersecurity’ is an oxymoron in the industry and some of the incidents involving vulnerable IoT devices can indeed be laughable. Take for example the 2017 case of hackers breaching a casino’s high-roller database by first exploiting an automated thermostat in the lobby aquarium (https://interestingengineering.com/a-casinos-database-was-hacked-through-a-smart-fish-tank-thermometer). IoT may represent many new attack vectors for an organisation, but the traditional principles for securing the organisation still apply.

The advent of IoT is simply an increase in the number of devices and services that an organisation must secure. Working from this paradigm, the impact on a proactive organisation will be minor. Bringing IoT devices such as heating, ventilation and air conditioning (HVAC) sensors, stand-alone cameras or wearable trackers into the organisation should not be a chaotic exercise. Below are practical steps to harmonise IoT and cybersecurity.

Expand the risk scope: Ensure that the scope of your organisation’s IT management system takes IoT into account. Treat each device, no matter how small or specialised, as an asset that needs to be tuned for a tight security posture. Apply the same care in devising safeguards for IoT as you would for a database server. Steps such as disabling unnecessary services, updating firmware and protecting access credentials can be applied to even the most basic devices. Keeping a detailed asset register will aid in this.

Segregate IoT devices on the network: Good practice in network security involves segregation and this should extend to IoT. Commonly, the storage, servers and other out-of-band management networks are in place. Infrastructure IoT devices should belong to their own network, firewalled off and strictly monitored. This makes it easier to implement a policy of least privilege, slow down attackers and reduce damage from successful attacks.

Be aggressive with policy: Carefully scrutinise the functionality of each IoT device, even things like a simple wearable that supposedly tracks movement around the factory floor. Ensure that the manufacturer commits to collecting no additional data and monitor outgoing network traffic to confirm this. Extend audit practices like penetration testing to IoT. Press suppliers and contractors to only use equipment that has good vendor support. Finally, incorporate IoT into the BYOD policy as connected devices will continue to proliferate among general employees as time goes on.

The impact of IoT on security


Morne Maree.

By Morne Maree, senior product manager: IoT at Vox.

The security industry is realising benefits such as efficiency and live monitoring or near real-time monitoring which leads to effective security and quicker response times, whether it is armed response or making sure people are fulfilling their assigned duties.

An example is guards patrolling a business park. They have to report at specific points, but the report may only be verified at the end of the week. When you monitor with IoT you will know almost immediately if the guard wasn’t at a specific point, so IoT enables near real-time monitoring of guard and security movement.

Another example is maintenance and delivery that ties into physical security. An IoT device can monitor the generator in the business park and trigger a workflow when the generator needs a service or more diesel. The service provider can accept the work order and can notify the IoT system which technician it will dispatch to fulfil the order. The IoT system will notify the security at the gate on the day that the technician will arrive at a certain time.

The technician or diesel delivery person gains entry at the gate with his biometrics. While he is inside the business park he is monitored. His work order is for 80 litres of diesel, but if he only fills the generator with 60 litres, the IoT system will pick up the amount of diesel he has added to the generator and will verify it with the work order and determine that it is not enough. It will then trigger another workflow that will notify the relevant person to investigate. On the positive side, he fulfils his work order, locks the gate, which is also monitored by an IoT device and leaves the office park.

What are security companies doing?

We see partnerships forming, for example between Internet Service Providers (ISPs) and neighbourhood associations. We find that even in our own environment we are moving closer to our security team to collaborate on security solutions that incorporate IoT. For example, we integrate IoT devices with security cameras so that the device can give instructions to the heat vision camera in terms of where to point and what to look at.

Another industry example is where an alarm manufacturer incorporates IoT devices to communicate between the alarm control panel and the control room. Traditionally, it made use of radio frequency to relay communication to the control room, and licences were involved that had to be renewed every year.

IoT has opened up avenues to not only offer new services more efficiently as well as cost-effectively, but to standardise services.

Are physical security companies ready?

Physical security companies are establishing IoT divisions and are very active in developing applications for IoT. The industry is embracing automation as it can derive tremendous benefits from it, such as saving costs and gaining functionality, both of which add concrete value to security businesses.

Are cybersecurity companies ready?

The landscape is evolving and cybersecurity companies are identifying the IoT as a risk and are developing solutions for this segment. An example that serves as a reminder of what can happen when devices are connected to the Internet is a high-end hotel in Europe. A vulnerability in a popular IoT lock key allowed researchers to break into hotel rooms.

The locks in question are dubbed ‘mobile keys’ because of their reliance on mobile phones as opposed to card-based access such as those based on mag-strips and RFID. Researchers showcased how they were able to circumvent the IoT connected key system. The hotel learned a hard lesson about the risk of not securing its IoT deployment as someone can gain entry into its system and lock all the rooms and hold the hotel to ransom.

There is a projection that by 2020 50 billion devices will be connected globally, which essentially means there are 50 billion points to hack and cause havoc. The benefit of using a reputable IoT company is that you are able to work with a team that is security conscious and you receive an IoT solution that is designed with security in mind.

That said, cyber terrorists are always looking for ways into the system.

Of botnets and ransomware


MJ Strydom.

By MJ Strydom, MD, DRS.

Is ransomware hijacking IoT? Well the simple answer to that is that it is certainly trying to do so. This is a very profitable high-tech business for criminals; it can range from encrypting victims’ data and asking for payment to release it, or attacking through DDoS (Distributed Denial of Service) and demanding payment to release services. Examples abound and include the hijacking of stock trading services, video or music services, emergency services or AI-enabled services.

IoT device ransom is similar to a hijack ransom, except the attackers go after the device itself. Any device connected to the Internet is susceptible to security lapses. The market will soon determine if users are willing to pay to regain control of their IoT devices.

Over the years we have seen the development and deployment of massive IoT-based botnets, built around thousands of compromised IoT devices. Most of these weaponised botnets have been used in cyber-attacks to knock out devices or services. Cyber criminals are already upgrading IoT-based botnets with swarm technology to make their attacks more efficient.

2020 should see even greater adoption of the public cloud as part of enterprises’ IT infrastructure, as a way to deliver services and run applications efficiently. This in turn generates a greater need to prevent breaches and ensure data and process integrity.

The one certainty is that 2020 will bring the next phase of threat evolution. Specialist cybersecurity ‘solutions’ (I emphasise this word, as it speaks volumes to examining customers’ specific needs and ensuring they are safe doing business, but not just by throwing products at the problem) providers must remain a step ahead of the next threat.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Security industry embraces mobile credentials, biometrics and AI
AI & Data Analytics Access Control & Identity Management Integrated Solutions
As organisations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID.

Read more...
From the editor's desk: Interesting times
Technews Publishing News & Events
We certainly live in interesting times. From delaying the budget speech because the ANC doesn’t see any reason why VAT shouldn’t be increased by 2%, to crime fighters being set up and prosecuted in ...

Read more...
World-first safe K9 training for drug detection
Technews Publishing SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Government and Parastatal (Industry)
The Braveheart Bio-Dog Academy recently announced the results of its scientific research into training dogs to accurately detect drugs and explosives without harming either the dogs or their handlers.

Read more...
Nice launches DC Blue Astute garage door motor
Nice Group South Africa Technews Publishing News & Events Access Control & Identity Management Perimeter Security, Alarms & Intruder Detection
Nice Systems SA has launched the Nice DC Blue Astute, a garage door motor for the South African market featuring a pre-installed lithium-ion battery instead of traditional lead-acid batteries.

Read more...
The need for integrated control room displays
Leaderware Editor's Choice Surveillance Training & Education
Display walls provide a coordinated perspective that facilitates the ongoing feel for situations, assists in the coordination of resources to deal with the situation, and facilitates follow up by response personnel.

Read more...
Five tech trends shaping business in 2025
Information Security Infrastructure
From runaway IT costs to the urgent need for comprehensive AI strategies that drive sustainable business impact, executives must be prepared to navigate a complex and evolving technology environment to extract maximum value from their investments.

Read more...
Threats, opportunities and the need for post-quantum cryptography
AI & Data Analytics Infrastructure
The opportunities offered by quantum computing are equalled by the threats this advanced computer science introduces. The evolution of quantum computing jeopardises the security of any data available in the digital space.

Read more...
Cyber top business risk as climate change hits record high
Editor's Choice
Globally, companies identify cyberattacks, particularly data breaches, as their primary business concern for the coming year, with business interruption ranked second. In Africa and the Middle East, cyber incidents, shifts in legislation and regulation, and macroeconomic developments are the three foremost business risks.

Read more...
As technology converges, so does cybercrime
Editor's Choice
Cybercrime is no longer siloed: it involves complex collaborations and coordination between different malicious entities, including state actors, organised crime and even drug and human trafficking networks.

Read more...
The need for integrated control room displays
Editor's Choice Surveillance Training & Education
Display walls provide a coordinated perspective that facilitates the ongoing feel for situations, assists in the coordination of resources to deal with the situation, and facilitates follow up by response personnel.

Read more...