IoT in security

October 2019 Editor's Choice, Cyber Security, Integrated Solutions, IT infrastructure

While some think the Internet of Things (IoT) is an IT issue with scant impact on the physical security market, the reality is quite the opposite. In some circles, the physical security market is being viewed as a subset of the IoT market because security devices are simply electronic devices that communicate, more often than not today via IP.

The argument of whether security is part of the IoT or not is beyond the scope of this article, perhaps even belonging to the world of philosophy. However, the fact is that the security and IoT markets are intersecting and overlapping is beyond question. The result is that security installers and integrators (and DIY installers) need to incorporate IoT systems, skills and functionalities into their services, while traditionally ‘non-security’ installers and integrators are incorporating security solutions into their respective services.

If you are managing alarms, access control or surveillance from a central console, why should you not include additional communicating electronics on the same platform? In a residential setting, this could include lights, gates, air-conditioning and so on. More than simple management, the ability to set-up preventative maintenance processes (only servicing products when they need it as well as having a heads-up before components break) from the same platform is a necessary next step, and an added value for your customers.

While expanding your business without having to start from scratch is an ideal way to grow, the catch is that we know anything that communicates these days is a potential target for cybercriminals. Some may not consider it a serious security breach when someone hacks a camera and can view your parking lot (or is it a problem if syndicates know the timing and habits of people coming and going to and from your premises?), but they could also gain access to your business network, which is a dangerous security breach.

So what do security service providers need to keep in mind when embracing the IoT world and what skills should they enhance to make sure their customers are ‘cyber secure’. Furthermore, we have to ask if the cyber threat from IoT systems is a real risk since we are mostly talking about sensors that transmit minimal amounts of data.

The risks of integrating new sensors

Andre Kannemeyer.

Andre Kannemeyer, national CTO at Duxbury Networking confirms that although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes to entry for hackers.

“The biggest threat is for IoT devices to gain access to other systems or information that they should not have access to,” says Kannemeyer. “For example, if you look at the DDOS attack that was launched in 2016 on DynDNA ( The IoT devices that launched the attack had full access to any device on the local network and the Internet instead of only the local DVR/NVR.”

Juan Joubert.

Similarly, Juan Joubert, technical lead for South Africa at Trend Micro, notes: “As the IoT, OT (operational technology) and the Industrial Internet of Things (IIoT) are now more common, data are being shared across these platforms and across multiple environments. Key IoT vulnerabilities we need to look out for are memory corruption, credential management, lack of authentication and code injection. From an IIoT attack perspective, organisations should focus on endpoints and legacy devices, vulnerable systems, proprietary software and communication protocols.”

It is in the integration and communication that we require to deliver the benefits of IoT that the risks reside. IoT solutions require advanced communication platforms and cloud solutions that facilitate seamless integration of devices, networks, gateways, applications and services, says Joubert. “This means that there is a wide range of exposure to potential vulnerabilities with multiple attack surfaces, creating a hacker’s playground.”

And it is not simply about injecting malware to corrupt legitimate data, adds Kannemeyer, but rather malware that runs on the IoT device that gains access or private information or gains access to systems unrelated to the device. He provides the example of a wireless light bulb connected to your Wi-Fi network; it should not have access to your accounting package that other Wi-Fi users have access to.

Can you secure a sensor?

When it comes to securing a device like a surveillance camera, it’s logical that these devices can be used for cyber-attacks due to the ever-growing processing power and memory available in today’s cameras. Are other, less-powerful IoT sensors also a risk since they only transmit minimal data – take a thermostat as an example?

Kannemeyer believes they are at risk and all edge devices can and should be secured. “IoT security starts with the network it connects to. IoT devices usually have very little to no security built into them, so we need to rely on the first point of contact [to the network] to provide the security layer.

“An autonomous network would be able to identify an IoT device, connecting to it (via a network port or Wi-Fi) and hyper-segment the device from the network so that it cannot see any other device on the network, only the required IoT server located in the data centre. The network would also apply a policy at the point of ingress, blocking all traffic to and from the device except for the legitimate TCP/UDP ports allowed.”

Since there are various attack surfaces available for attackers, Joubert agrees and advises that protection needs to be considered at three different layers:

1. Edge protection: Ensures device, mobile app, and web app integrity to prevent devices from becoming attack entry points.

2. Network protection: Secures communication channels to prevent man-in-the-middle attacks.

3. Cloud protection: Assures data privacy and prevents data leakage.

For those who think the edge-security operation (securing the devices at the edge of the network) lies in the control centre, Joubert explains that network or edge layer protection can be built into the IoT device (built-in IoT security software, when vendors actually make the effort to secure their devices), and that the security status should be monitored from one single point. “This ensures firmware integrity and reduces the attack surface. In doing so, it not only keeps IoT devices from being hacked, but also minimises device maintenance costs and protects IoT device developer’s reputation.”

Kannemeyer also warns that normal firewalls and IDS (intrusion detection systems) are usually deployed, but he notes, “This legacy way of deploying firewalls still allows the IoT devices to gain access to all internal services on the internal network.”

This means IoT devices could possibly launch a ransomware attack on the internal network, such as encrypting all files on the internal file shares. He therefore stresses that IoT security must be applied at the networks internal edge, closest to the IoT connection point.

Top three steps to securing IoT

It’s easy to talk about the security and risks associated with the IoT, as well as past breaches and attacks these device-types have been used in, however, what practical advice should the security market take into account when securing their or their customers’ IoT-enhanced systems.

Kannemeyer’s top three tips for securing your IoT infrastructure include the following:

1. Hyper segmentation: Segmenting the device off the normal network, you should almost see it as a separate VPN tunnel across the internal network.

2. Network access control: Identifying different IoT devices connecting to your network and ensuring that the correct network policy is applied to each device.

3. Limiting the IoT device to access only the required IoT resources.

Joubert adds that, unlike multipurpose computers such as PCs, IoT devices are generally more like single-purpose computers and his top three tips therefore include:

1. System hardening.

2. Risk detection.

3. Web detection or malicious URL detection.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Insights from the 2023 Cloud Security Report
News Cyber Security
Increased costs, compliance requirements, hybrid and multi-cloud complexities, reduced visibility, and a lack of skilled practitioners cause organisations to slow or adjust their cloud adoption strategies.

Supporting local manufacturing
Industrial (Industry) IT infrastructure
Smart Security asked Esenthren Govender, Solutions Executive at Technodyn for insight into how the company supports local manufacturing organisations to optimise their business.

New algorithm for OT cybersecurity risk management
Industrial (Industry) Cyber Security News Commercial (Industry)
OTORIO’s new risk management model and attack graph analysis algorithm technology, calculates OT cybersecurity threats and provides risk mitigation actions, prioritised according to actual exposure and potential impact on operations.

Robots: a security opportunity or a threat?
Editor's Choice News Conferences & Events
Professor Martin Gill, Director of Perpetuity Research & Consultancy International and the School of Criminal Justice at the University of South Africa (UNISA), will be holding a Global Thought Leadership Security webinar on 22 June 2023 to discuss the contentious issue of robots operating in the security industry.

UNISA sponsors Securex seminars
Editor's Choice News Conferences & Events
As part of UNISA’s 150-year birthday celebrations, UNISA has sponsored the Securex Theatre Seminar Programme, which will include a number of prominent industry specialists, academics and security practitioners focusing on a number of themes.

From the editor's desk: Get Smart
Technews Publishing News
Welcome to the fourth issue of Hi-Tech Security Solutions for 2023, which is also the first issue of Smart Security Solutions. As noted in previous issues, Hi-Tech Security Solutions has been rebranded to Smart Security Solutions.

Accenture Technology Vision 2023
Editor's Choice News
New report states that generative AI is expected to usher in a ‘bold new future’ for business, merging physical and digital worlds, transforming the way people work and live.

Economists divided on global economic recovery
Editor's Choice News
Growth outlook has strengthened in all regions, but chief economists are divided on the likelihood of a global recession in 2023; experts are concerned about trade-off between managing inflation and maintaining financial stability, with 76% anticipating central banks to struggle to bring down inflation.

Success in business process best practices
Technews Publishing Kleyn Change Management Editor's Choice Integrated Solutions Security Services & Risk Management
This month we commandeer time with the woman who is spearheading our national conversation on Women in Security, Lesley-Anne Kleyn, to get to know the lady herself a little better.

Addressing the SCADA in the room
Industrial (Industry) Cyber Security
Few other sectors command the breadth of purpose-built and custom devices necessary to function, as the industrial and manufacturing industries. These unique devices create an uncommon risk that must be assessed and understood to fully protect against incoming attacks.