Keeping your things to yourself

October 2019 Editor's Choice, Cyber Security, Integrated Solutions, IT infrastructure

Securing IoT devices is a task every security installer, integrator, consultant and risk assessor needs to build into their arsenal. Fortunately, IoT security is not something brand new for those who have a grounding in cybersecurity as it applies to the physical security industry - not that the distinction between cyber and physical security is something we will have for much longer.

To obtain some further insights into the challenges and best practices around IoT security, Hi-Tech Security Solutions asked three experts to give us their take on securing the IoT in order to attain the benefits on offer without the cyber risks inherent in electronic communications.

An oxymoron in security

Gregory Dellas.

By Gregory Dellas, security presales, CA Southern Africa.

When it comes to enterprise IT, the term ‘IoT cybersecurity’ is an oxymoron in the industry and some of the incidents involving vulnerable IoT devices can indeed be laughable. Take for example the 2017 case of hackers breaching a casino’s high-roller database by first exploiting an automated thermostat in the lobby aquarium ( IoT may represent many new attack vectors for an organisation, but the traditional principles for securing the organisation still apply.

The advent of IoT is simply an increase in the number of devices and services that an organisation must secure. Working from this paradigm, the impact on a proactive organisation will be minor. Bringing IoT devices such as heating, ventilation and air conditioning (HVAC) sensors, stand-alone cameras or wearable trackers into the organisation should not be a chaotic exercise. Below are practical steps to harmonise IoT and cybersecurity.

Expand the risk scope: Ensure that the scope of your organisation’s IT management system takes IoT into account. Treat each device, no matter how small or specialised, as an asset that needs to be tuned for a tight security posture. Apply the same care in devising safeguards for IoT as you would for a database server. Steps such as disabling unnecessary services, updating firmware and protecting access credentials can be applied to even the most basic devices. Keeping a detailed asset register will aid in this.

Segregate IoT devices on the network: Good practice in network security involves segregation and this should extend to IoT. Commonly, the storage, servers and other out-of-band management networks are in place. Infrastructure IoT devices should belong to their own network, firewalled off and strictly monitored. This makes it easier to implement a policy of least privilege, slow down attackers and reduce damage from successful attacks.

Be aggressive with policy: Carefully scrutinise the functionality of each IoT device, even things like a simple wearable that supposedly tracks movement around the factory floor. Ensure that the manufacturer commits to collecting no additional data and monitor outgoing network traffic to confirm this. Extend audit practices like penetration testing to IoT. Press suppliers and contractors to only use equipment that has good vendor support. Finally, incorporate IoT into the BYOD policy as connected devices will continue to proliferate among general employees as time goes on.

The impact of IoT on security

Morne Maree.

By Morne Maree, senior product manager: IoT at Vox.

The security industry is realising benefits such as efficiency and live monitoring or near real-time monitoring which leads to effective security and quicker response times, whether it is armed response or making sure people are fulfilling their assigned duties.

An example is guards patrolling a business park. They have to report at specific points, but the report may only be verified at the end of the week. When you monitor with IoT you will know almost immediately if the guard wasn’t at a specific point, so IoT enables near real-time monitoring of guard and security movement.

Another example is maintenance and delivery that ties into physical security. An IoT device can monitor the generator in the business park and trigger a workflow when the generator needs a service or more diesel. The service provider can accept the work order and can notify the IoT system which technician it will dispatch to fulfil the order. The IoT system will notify the security at the gate on the day that the technician will arrive at a certain time.

The technician or diesel delivery person gains entry at the gate with his biometrics. While he is inside the business park he is monitored. His work order is for 80 litres of diesel, but if he only fills the generator with 60 litres, the IoT system will pick up the amount of diesel he has added to the generator and will verify it with the work order and determine that it is not enough. It will then trigger another workflow that will notify the relevant person to investigate. On the positive side, he fulfils his work order, locks the gate, which is also monitored by an IoT device and leaves the office park.

What are security companies doing?

We see partnerships forming, for example between Internet Service Providers (ISPs) and neighbourhood associations. We find that even in our own environment we are moving closer to our security team to collaborate on security solutions that incorporate IoT. For example, we integrate IoT devices with security cameras so that the device can give instructions to the heat vision camera in terms of where to point and what to look at.

Another industry example is where an alarm manufacturer incorporates IoT devices to communicate between the alarm control panel and the control room. Traditionally, it made use of radio frequency to relay communication to the control room, and licences were involved that had to be renewed every year.

IoT has opened up avenues to not only offer new services more efficiently as well as cost-effectively, but to standardise services.

Are physical security companies ready?

Physical security companies are establishing IoT divisions and are very active in developing applications for IoT. The industry is embracing automation as it can derive tremendous benefits from it, such as saving costs and gaining functionality, both of which add concrete value to security businesses.

Are cybersecurity companies ready?

The landscape is evolving and cybersecurity companies are identifying the IoT as a risk and are developing solutions for this segment. An example that serves as a reminder of what can happen when devices are connected to the Internet is a high-end hotel in Europe. A vulnerability in a popular IoT lock key allowed researchers to break into hotel rooms.

The locks in question are dubbed ‘mobile keys’ because of their reliance on mobile phones as opposed to card-based access such as those based on mag-strips and RFID. Researchers showcased how they were able to circumvent the IoT connected key system. The hotel learned a hard lesson about the risk of not securing its IoT deployment as someone can gain entry into its system and lock all the rooms and hold the hotel to ransom.

There is a projection that by 2020 50 billion devices will be connected globally, which essentially means there are 50 billion points to hack and cause havoc. The benefit of using a reputable IoT company is that you are able to work with a team that is security conscious and you receive an IoT solution that is designed with security in mind.

That said, cyber terrorists are always looking for ways into the system.

Of botnets and ransomware

MJ Strydom.

By MJ Strydom, MD, DRS.

Is ransomware hijacking IoT? Well the simple answer to that is that it is certainly trying to do so. This is a very profitable high-tech business for criminals; it can range from encrypting victims’ data and asking for payment to release it, or attacking through DDoS (Distributed Denial of Service) and demanding payment to release services. Examples abound and include the hijacking of stock trading services, video or music services, emergency services or AI-enabled services.

IoT device ransom is similar to a hijack ransom, except the attackers go after the device itself. Any device connected to the Internet is susceptible to security lapses. The market will soon determine if users are willing to pay to regain control of their IoT devices.

Over the years we have seen the development and deployment of massive IoT-based botnets, built around thousands of compromised IoT devices. Most of these weaponised botnets have been used in cyber-attacks to knock out devices or services. Cyber criminals are already upgrading IoT-based botnets with swarm technology to make their attacks more efficient.

2020 should see even greater adoption of the public cloud as part of enterprises’ IT infrastructure, as a way to deliver services and run applications efficiently. This in turn generates a greater need to prevent breaches and ensure data and process integrity.

The one certainty is that 2020 will bring the next phase of threat evolution. Specialist cybersecurity ‘solutions’ (I emphasise this word, as it speaks volumes to examining customers’ specific needs and ensuring they are safe doing business, but not just by throwing products at the problem) providers must remain a step ahead of the next threat.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

South Africa adopts ISO standard to guide use of social media in emergencies
Editor's Choice
The South African Bureau of Standards (SABS), through its technical committee, has adopted the ISO 22329 standard that provides guidance on the use of social media during an emergency or crisis.

Free and open-source tool for detecting stalkerware
Editor's Choice
Kaspersky has unveiled a new hub dedicated to TinyCheck, a unique, innovative tool designed to detect stalkerware on mobile devices.

Cybereason expands presence across sub-Saharan Africa
News Cyber Security
Cybereason has appointed Chantél Hamman as its new channel director focused on growing the company’s presence across sub-Saharan Africa.

Look before you leap into a back-up power solution
Editor's Choice Security Services & Risk Management
Before you rush into purchasing a back-up power solution, you need to take a considered and long-term view of how to get yourself as close to grid independence as possible.

Cyber resilience is more than security
Industrial (Industry) Cyber Security IT infrastructure
Kate Mollett, regional director at Commvault Africa advises companies to guard against cyberattacks in the shipping and logistics sector using an effective recovery strategy.

Optimised people, processes and technology
Industrial (Industry) Integrated Solutions
When embarking on an industrial digitisation project, it’s important to consider how people, processes and technology will work together and complement the other.

All-mobile people management solution with facial recognition
Editor's Choice Integrated Solutions Security Services & Risk Management Products
The new mobile Incident Desk People Management platform with facial recognition combines identification data on suppliers, staff, sub-contractors and even people on watch lists, for less than the cost of traditional service management tools.

Passion, drive and hard work
Technews Publishing Editor's Choice CCTV, Surveillance & Remote Monitoring Security Services & Risk Management
Colleen Glaeser is a leader in the security market, having made her mark in the male-dominated security industry through determination and hard work, along with a vision of making the world a safer place.

Are you your insider threat?
Technews Publishing Editor's Choice Security Services & Risk Management Commercial (Industry)
Insider threats are a critical aspect of risk management today, but what happens when it is the owner of the company acting fraudulently and making sure none of his staff can catch him?

Preventing cyberattacks on critical infrastructure
Industrial (Industry) Cyber Security
Cyberattacks have the potential to disrupt our lives completely, and in instances where critical national infrastructure is attacked, they could disrupt the country’s entire economy, leading to loss of life and livelihoods.