Keeping your things to yourself

October 2019 Editor's Choice, Information Security, Integrated Solutions, Infrastructure

Securing IoT devices is a task every security installer, integrator, consultant and risk assessor needs to build into their arsenal. Fortunately, IoT security is not something brand new for those who have a grounding in cybersecurity as it applies to the physical security industry - not that the distinction between cyber and physical security is something we will have for much longer.

To obtain some further insights into the challenges and best practices around IoT security, Hi-Tech Security Solutions asked three experts to give us their take on securing the IoT in order to attain the benefits on offer without the cyber risks inherent in electronic communications.

An oxymoron in security


Gregory Dellas.

By Gregory Dellas, security presales, CA Southern Africa.

When it comes to enterprise IT, the term ‘IoT cybersecurity’ is an oxymoron in the industry and some of the incidents involving vulnerable IoT devices can indeed be laughable. Take for example the 2017 case of hackers breaching a casino’s high-roller database by first exploiting an automated thermostat in the lobby aquarium (https://interestingengineering.com/a-casinos-database-was-hacked-through-a-smart-fish-tank-thermometer). IoT may represent many new attack vectors for an organisation, but the traditional principles for securing the organisation still apply.

The advent of IoT is simply an increase in the number of devices and services that an organisation must secure. Working from this paradigm, the impact on a proactive organisation will be minor. Bringing IoT devices such as heating, ventilation and air conditioning (HVAC) sensors, stand-alone cameras or wearable trackers into the organisation should not be a chaotic exercise. Below are practical steps to harmonise IoT and cybersecurity.

Expand the risk scope: Ensure that the scope of your organisation’s IT management system takes IoT into account. Treat each device, no matter how small or specialised, as an asset that needs to be tuned for a tight security posture. Apply the same care in devising safeguards for IoT as you would for a database server. Steps such as disabling unnecessary services, updating firmware and protecting access credentials can be applied to even the most basic devices. Keeping a detailed asset register will aid in this.

Segregate IoT devices on the network: Good practice in network security involves segregation and this should extend to IoT. Commonly, the storage, servers and other out-of-band management networks are in place. Infrastructure IoT devices should belong to their own network, firewalled off and strictly monitored. This makes it easier to implement a policy of least privilege, slow down attackers and reduce damage from successful attacks.

Be aggressive with policy: Carefully scrutinise the functionality of each IoT device, even things like a simple wearable that supposedly tracks movement around the factory floor. Ensure that the manufacturer commits to collecting no additional data and monitor outgoing network traffic to confirm this. Extend audit practices like penetration testing to IoT. Press suppliers and contractors to only use equipment that has good vendor support. Finally, incorporate IoT into the BYOD policy as connected devices will continue to proliferate among general employees as time goes on.

The impact of IoT on security


Morne Maree.

By Morne Maree, senior product manager: IoT at Vox.

The security industry is realising benefits such as efficiency and live monitoring or near real-time monitoring which leads to effective security and quicker response times, whether it is armed response or making sure people are fulfilling their assigned duties.

An example is guards patrolling a business park. They have to report at specific points, but the report may only be verified at the end of the week. When you monitor with IoT you will know almost immediately if the guard wasn’t at a specific point, so IoT enables near real-time monitoring of guard and security movement.

Another example is maintenance and delivery that ties into physical security. An IoT device can monitor the generator in the business park and trigger a workflow when the generator needs a service or more diesel. The service provider can accept the work order and can notify the IoT system which technician it will dispatch to fulfil the order. The IoT system will notify the security at the gate on the day that the technician will arrive at a certain time.

The technician or diesel delivery person gains entry at the gate with his biometrics. While he is inside the business park he is monitored. His work order is for 80 litres of diesel, but if he only fills the generator with 60 litres, the IoT system will pick up the amount of diesel he has added to the generator and will verify it with the work order and determine that it is not enough. It will then trigger another workflow that will notify the relevant person to investigate. On the positive side, he fulfils his work order, locks the gate, which is also monitored by an IoT device and leaves the office park.

What are security companies doing?

We see partnerships forming, for example between Internet Service Providers (ISPs) and neighbourhood associations. We find that even in our own environment we are moving closer to our security team to collaborate on security solutions that incorporate IoT. For example, we integrate IoT devices with security cameras so that the device can give instructions to the heat vision camera in terms of where to point and what to look at.

Another industry example is where an alarm manufacturer incorporates IoT devices to communicate between the alarm control panel and the control room. Traditionally, it made use of radio frequency to relay communication to the control room, and licences were involved that had to be renewed every year.

IoT has opened up avenues to not only offer new services more efficiently as well as cost-effectively, but to standardise services.

Are physical security companies ready?

Physical security companies are establishing IoT divisions and are very active in developing applications for IoT. The industry is embracing automation as it can derive tremendous benefits from it, such as saving costs and gaining functionality, both of which add concrete value to security businesses.

Are cybersecurity companies ready?

The landscape is evolving and cybersecurity companies are identifying the IoT as a risk and are developing solutions for this segment. An example that serves as a reminder of what can happen when devices are connected to the Internet is a high-end hotel in Europe. A vulnerability in a popular IoT lock key allowed researchers to break into hotel rooms.

The locks in question are dubbed ‘mobile keys’ because of their reliance on mobile phones as opposed to card-based access such as those based on mag-strips and RFID. Researchers showcased how they were able to circumvent the IoT connected key system. The hotel learned a hard lesson about the risk of not securing its IoT deployment as someone can gain entry into its system and lock all the rooms and hold the hotel to ransom.

There is a projection that by 2020 50 billion devices will be connected globally, which essentially means there are 50 billion points to hack and cause havoc. The benefit of using a reputable IoT company is that you are able to work with a team that is security conscious and you receive an IoT solution that is designed with security in mind.

That said, cyber terrorists are always looking for ways into the system.

Of botnets and ransomware


MJ Strydom.

By MJ Strydom, MD, DRS.

Is ransomware hijacking IoT? Well the simple answer to that is that it is certainly trying to do so. This is a very profitable high-tech business for criminals; it can range from encrypting victims’ data and asking for payment to release it, or attacking through DDoS (Distributed Denial of Service) and demanding payment to release services. Examples abound and include the hijacking of stock trading services, video or music services, emergency services or AI-enabled services.

IoT device ransom is similar to a hijack ransom, except the attackers go after the device itself. Any device connected to the Internet is susceptible to security lapses. The market will soon determine if users are willing to pay to regain control of their IoT devices.

Over the years we have seen the development and deployment of massive IoT-based botnets, built around thousands of compromised IoT devices. Most of these weaponised botnets have been used in cyber-attacks to knock out devices or services. Cyber criminals are already upgrading IoT-based botnets with swarm technology to make their attacks more efficient.

2020 should see even greater adoption of the public cloud as part of enterprises’ IT infrastructure, as a way to deliver services and run applications efficiently. This in turn generates a greater need to prevent breaches and ensure data and process integrity.

The one certainty is that 2020 will bring the next phase of threat evolution. Specialist cybersecurity ‘solutions’ (I emphasise this word, as it speaks volumes to examining customers’ specific needs and ensuring they are safe doing business, but not just by throwing products at the problem) providers must remain a step ahead of the next threat.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Addressing today’s mining challenges: cyber risks beyond IT
Editor's Choice Information Security Mining (Industry)
Despite the mining industry’s operational technology systems being vulnerable to cyberattacks, many decision-makers still see these threats as purely an IT issue, even though a breach could potentially disrupt mining operations.

Read more...
Workforce Consortium to reskill 95 million people
Editor's Choice News & Events AI & Data Analytics
ICT Workforce Consortium of global leaders has come together, committing to train and upskill 95 million people over the next 10 years, as 92% of jobs analysed are expected to undergo either high or moderate transformation due to advancements in AI.

Read more...
How to effectively share household devices
Smart Home Automation Information Security
Sharing electronic devices within a household is unavoidable. South African teens spend over eight hours per day online, making device sharing among family members commonplace. Fortunately, there are methods to guarantee safe usage for everyone.

Read more...
How is technology changing the industry?
Editor's Choice
SASA and the International Code of Conduct for Security Providers Association (ICoCA), a Geneva-based organisation, will hold a consultative workshop in South Africa in September to discuss how technology is changing the industry and the associated risks.

Read more...
Western Digital reveals new solutions
WD South Africa Products & Solutions News & Events Infrastructure
Western Digital unveiled new solutions and technology demonstrations at the Future of Memory and Storage Conference 2024. The innovations cater to diverse market segments, from hyperscale cloud to automotive and consumer storage.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Fortinet establishes new point-of-presence in South Africa
News & Events Information Security
Fortinet has announced the launch of a new dedicated point-of-presence (POP) in Isando, Johannesburg, to expand the reach and availability of Fortinet Unified SASE for customers across South Africa and southern African countries.

Read more...