IoT in security

October 2019 Editor's Choice, Information Security, Integrated Solutions, Infrastructure

While some think the Internet of Things (IoT) is an IT issue with scant impact on the physical security market, the reality is quite the opposite. In some circles, the physical security market is being viewed as a subset of the IoT market because security devices are simply electronic devices that communicate, more often than not today via IP.

The argument of whether security is part of the IoT or not is beyond the scope of this article, perhaps even belonging to the world of philosophy. However, the fact is that the security and IoT markets are intersecting and overlapping is beyond question. The result is that security installers and integrators (and DIY installers) need to incorporate IoT systems, skills and functionalities into their services, while traditionally ‘non-security’ installers and integrators are incorporating security solutions into their respective services.

If you are managing alarms, access control or surveillance from a central console, why should you not include additional communicating electronics on the same platform? In a residential setting, this could include lights, gates, air-conditioning and so on. More than simple management, the ability to set-up preventative maintenance processes (only servicing products when they need it as well as having a heads-up before components break) from the same platform is a necessary next step, and an added value for your customers.

While expanding your business without having to start from scratch is an ideal way to grow, the catch is that we know anything that communicates these days is a potential target for cybercriminals. Some may not consider it a serious security breach when someone hacks a camera and can view your parking lot (or is it a problem if syndicates know the timing and habits of people coming and going to and from your premises?), but they could also gain access to your business network, which is a dangerous security breach.

So what do security service providers need to keep in mind when embracing the IoT world and what skills should they enhance to make sure their customers are ‘cyber secure’. Furthermore, we have to ask if the cyber threat from IoT systems is a real risk since we are mostly talking about sensors that transmit minimal amounts of data.

The risks of integrating new sensors


Andre Kannemeyer.

Andre Kannemeyer, national CTO at Duxbury Networking confirms that although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes to entry for hackers.

“The biggest threat is for IoT devices to gain access to other systems or information that they should not have access to,” says Kannemeyer. “For example, if you look at the DDOS attack that was launched in 2016 on DynDNA (https://en.wikipedia.org/wiki/2016_Dyn_cyberattack). The IoT devices that launched the attack had full access to any device on the local network and the Internet instead of only the local DVR/NVR.”


Juan Joubert.

Similarly, Juan Joubert, technical lead for South Africa at Trend Micro, notes: “As the IoT, OT (operational technology) and the Industrial Internet of Things (IIoT) are now more common, data are being shared across these platforms and across multiple environments. Key IoT vulnerabilities we need to look out for are memory corruption, credential management, lack of authentication and code injection. From an IIoT attack perspective, organisations should focus on endpoints and legacy devices, vulnerable systems, proprietary software and communication protocols.”

It is in the integration and communication that we require to deliver the benefits of IoT that the risks reside. IoT solutions require advanced communication platforms and cloud solutions that facilitate seamless integration of devices, networks, gateways, applications and services, says Joubert. “This means that there is a wide range of exposure to potential vulnerabilities with multiple attack surfaces, creating a hacker’s playground.”

And it is not simply about injecting malware to corrupt legitimate data, adds Kannemeyer, but rather malware that runs on the IoT device that gains access or private information or gains access to systems unrelated to the device. He provides the example of a wireless light bulb connected to your Wi-Fi network; it should not have access to your accounting package that other Wi-Fi users have access to.

Can you secure a sensor?

When it comes to securing a device like a surveillance camera, it’s logical that these devices can be used for cyber-attacks due to the ever-growing processing power and memory available in today’s cameras. Are other, less-powerful IoT sensors also a risk since they only transmit minimal data – take a thermostat as an example?

Kannemeyer believes they are at risk and all edge devices can and should be secured. “IoT security starts with the network it connects to. IoT devices usually have very little to no security built into them, so we need to rely on the first point of contact [to the network] to provide the security layer.

“An autonomous network would be able to identify an IoT device, connecting to it (via a network port or Wi-Fi) and hyper-segment the device from the network so that it cannot see any other device on the network, only the required IoT server located in the data centre. The network would also apply a policy at the point of ingress, blocking all traffic to and from the device except for the legitimate TCP/UDP ports allowed.”

Since there are various attack surfaces available for attackers, Joubert agrees and advises that protection needs to be considered at three different layers:

1. Edge protection: Ensures device, mobile app, and web app integrity to prevent devices from becoming attack entry points.

2. Network protection: Secures communication channels to prevent man-in-the-middle attacks.

3. Cloud protection: Assures data privacy and prevents data leakage.

For those who think the edge-security operation (securing the devices at the edge of the network) lies in the control centre, Joubert explains that network or edge layer protection can be built into the IoT device (built-in IoT security software, when vendors actually make the effort to secure their devices), and that the security status should be monitored from one single point. “This ensures firmware integrity and reduces the attack surface. In doing so, it not only keeps IoT devices from being hacked, but also minimises device maintenance costs and protects IoT device developer’s reputation.”

Kannemeyer also warns that normal firewalls and IDS (intrusion detection systems) are usually deployed, but he notes, “This legacy way of deploying firewalls still allows the IoT devices to gain access to all internal services on the internal network.”

This means IoT devices could possibly launch a ransomware attack on the internal network, such as encrypting all files on the internal file shares. He therefore stresses that IoT security must be applied at the networks internal edge, closest to the IoT connection point.

Top three steps to securing IoT

It’s easy to talk about the security and risks associated with the IoT, as well as past breaches and attacks these device-types have been used in, however, what practical advice should the security market take into account when securing their or their customers’ IoT-enhanced systems.

Kannemeyer’s top three tips for securing your IoT infrastructure include the following:

1. Hyper segmentation: Segmenting the device off the normal network, you should almost see it as a separate VPN tunnel across the internal network.

2. Network access control: Identifying different IoT devices connecting to your network and ensuring that the correct network policy is applied to each device.

3. Limiting the IoT device to access only the required IoT resources.

Joubert adds that, unlike multipurpose computers such as PCs, IoT devices are generally more like single-purpose computers and his top three tips therefore include:

1. System hardening.

2. Risk detection.

3. Web detection or malicious URL detection.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Addressing today’s mining challenges: cyber risks beyond IT
Editor's Choice Information Security Mining (Industry)
Despite the mining industry’s operational technology systems being vulnerable to cyberattacks, many decision-makers still see these threats as purely an IT issue, even though a breach could potentially disrupt mining operations.

Read more...
Workforce Consortium to reskill 95 million people
Editor's Choice News & Events AI & Data Analytics
ICT Workforce Consortium of global leaders has come together, committing to train and upskill 95 million people over the next 10 years, as 92% of jobs analysed are expected to undergo either high or moderate transformation due to advancements in AI.

Read more...
How to effectively share household devices
Smart Home Automation Information Security
Sharing electronic devices within a household is unavoidable. South African teens spend over eight hours per day online, making device sharing among family members commonplace. Fortunately, there are methods to guarantee safe usage for everyone.

Read more...
How is technology changing the industry?
Editor's Choice
SASA and the International Code of Conduct for Security Providers Association (ICoCA), a Geneva-based organisation, will hold a consultative workshop in South Africa in September to discuss how technology is changing the industry and the associated risks.

Read more...
Western Digital reveals new solutions
WD South Africa Products & Solutions News & Events Infrastructure
Western Digital unveiled new solutions and technology demonstrations at the Future of Memory and Storage Conference 2024. The innovations cater to diverse market segments, from hyperscale cloud to automotive and consumer storage.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Fortinet establishes new point-of-presence in South Africa
News & Events Information Security
Fortinet has announced the launch of a new dedicated point-of-presence (POP) in Isando, Johannesburg, to expand the reach and availability of Fortinet Unified SASE for customers across South Africa and southern African countries.

Read more...