IoT in security

October 2019 Editor's Choice, Information Security, Integrated Solutions, Infrastructure

While some think the Internet of Things (IoT) is an IT issue with scant impact on the physical security market, the reality is quite the opposite. In some circles, the physical security market is being viewed as a subset of the IoT market because security devices are simply electronic devices that communicate, more often than not today via IP.

The argument of whether security is part of the IoT or not is beyond the scope of this article, perhaps even belonging to the world of philosophy. However, the fact is that the security and IoT markets are intersecting and overlapping is beyond question. The result is that security installers and integrators (and DIY installers) need to incorporate IoT systems, skills and functionalities into their services, while traditionally ‘non-security’ installers and integrators are incorporating security solutions into their respective services.

If you are managing alarms, access control or surveillance from a central console, why should you not include additional communicating electronics on the same platform? In a residential setting, this could include lights, gates, air-conditioning and so on. More than simple management, the ability to set-up preventative maintenance processes (only servicing products when they need it as well as having a heads-up before components break) from the same platform is a necessary next step, and an added value for your customers.

While expanding your business without having to start from scratch is an ideal way to grow, the catch is that we know anything that communicates these days is a potential target for cybercriminals. Some may not consider it a serious security breach when someone hacks a camera and can view your parking lot (or is it a problem if syndicates know the timing and habits of people coming and going to and from your premises?), but they could also gain access to your business network, which is a dangerous security breach.

So what do security service providers need to keep in mind when embracing the IoT world and what skills should they enhance to make sure their customers are ‘cyber secure’. Furthermore, we have to ask if the cyber threat from IoT systems is a real risk since we are mostly talking about sensors that transmit minimal amounts of data.

The risks of integrating new sensors


Andre Kannemeyer.

Andre Kannemeyer, national CTO at Duxbury Networking confirms that although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes to entry for hackers.

“The biggest threat is for IoT devices to gain access to other systems or information that they should not have access to,” says Kannemeyer. “For example, if you look at the DDOS attack that was launched in 2016 on DynDNA (https://en.wikipedia.org/wiki/2016_Dyn_cyberattack). The IoT devices that launched the attack had full access to any device on the local network and the Internet instead of only the local DVR/NVR.”


Juan Joubert.

Similarly, Juan Joubert, technical lead for South Africa at Trend Micro, notes: “As the IoT, OT (operational technology) and the Industrial Internet of Things (IIoT) are now more common, data are being shared across these platforms and across multiple environments. Key IoT vulnerabilities we need to look out for are memory corruption, credential management, lack of authentication and code injection. From an IIoT attack perspective, organisations should focus on endpoints and legacy devices, vulnerable systems, proprietary software and communication protocols.”

It is in the integration and communication that we require to deliver the benefits of IoT that the risks reside. IoT solutions require advanced communication platforms and cloud solutions that facilitate seamless integration of devices, networks, gateways, applications and services, says Joubert. “This means that there is a wide range of exposure to potential vulnerabilities with multiple attack surfaces, creating a hacker’s playground.”

And it is not simply about injecting malware to corrupt legitimate data, adds Kannemeyer, but rather malware that runs on the IoT device that gains access or private information or gains access to systems unrelated to the device. He provides the example of a wireless light bulb connected to your Wi-Fi network; it should not have access to your accounting package that other Wi-Fi users have access to.

Can you secure a sensor?

When it comes to securing a device like a surveillance camera, it’s logical that these devices can be used for cyber-attacks due to the ever-growing processing power and memory available in today’s cameras. Are other, less-powerful IoT sensors also a risk since they only transmit minimal data – take a thermostat as an example?

Kannemeyer believes they are at risk and all edge devices can and should be secured. “IoT security starts with the network it connects to. IoT devices usually have very little to no security built into them, so we need to rely on the first point of contact [to the network] to provide the security layer.

“An autonomous network would be able to identify an IoT device, connecting to it (via a network port or Wi-Fi) and hyper-segment the device from the network so that it cannot see any other device on the network, only the required IoT server located in the data centre. The network would also apply a policy at the point of ingress, blocking all traffic to and from the device except for the legitimate TCP/UDP ports allowed.”

Since there are various attack surfaces available for attackers, Joubert agrees and advises that protection needs to be considered at three different layers:

1. Edge protection: Ensures device, mobile app, and web app integrity to prevent devices from becoming attack entry points.

2. Network protection: Secures communication channels to prevent man-in-the-middle attacks.

3. Cloud protection: Assures data privacy and prevents data leakage.

For those who think the edge-security operation (securing the devices at the edge of the network) lies in the control centre, Joubert explains that network or edge layer protection can be built into the IoT device (built-in IoT security software, when vendors actually make the effort to secure their devices), and that the security status should be monitored from one single point. “This ensures firmware integrity and reduces the attack surface. In doing so, it not only keeps IoT devices from being hacked, but also minimises device maintenance costs and protects IoT device developer’s reputation.”

Kannemeyer also warns that normal firewalls and IDS (intrusion detection systems) are usually deployed, but he notes, “This legacy way of deploying firewalls still allows the IoT devices to gain access to all internal services on the internal network.”

This means IoT devices could possibly launch a ransomware attack on the internal network, such as encrypting all files on the internal file shares. He therefore stresses that IoT security must be applied at the networks internal edge, closest to the IoT connection point.

Top three steps to securing IoT

It’s easy to talk about the security and risks associated with the IoT, as well as past breaches and attacks these device-types have been used in, however, what practical advice should the security market take into account when securing their or their customers’ IoT-enhanced systems.

Kannemeyer’s top three tips for securing your IoT infrastructure include the following:

1. Hyper segmentation: Segmenting the device off the normal network, you should almost see it as a separate VPN tunnel across the internal network.

2. Network access control: Identifying different IoT devices connecting to your network and ensuring that the correct network policy is applied to each device.

3. Limiting the IoT device to access only the required IoT resources.

Joubert adds that, unlike multipurpose computers such as PCs, IoT devices are generally more like single-purpose computers and his top three tips therefore include:

1. System hardening.

2. Risk detection.

3. Web detection or malicious URL detection.


Credit(s)





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

From the Editor's desk: The good, the bad, and the victims
Technews Publishing News & Events
When the Internet first arrived, everyone was expecting amazing things from it, well, everyone who knew what it was and how it worked. We had the dotcom boom and bust, and it’s fair to say that if we ...

Read more...
Data resilience at VeeamON
Technews Publishing SMART Security Solutions Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...
Identity, Security & Access Alliance focuses on intelligence and integration
SMART Security Solutions Ideco Biometrics BoomGate Systems Bosch Building Technologies Technews Publishing Integrated Solutions Surveillance Access Control & Identity Management
The Identity, Security & Access Alliance (ISAA) hosted several launch events in Johannesburg in August, showcasing the participating companies’ technical solutions with a primary focus on the solutions made possible by integrating high-quality systems to deliver comprehensive solutions.

Read more...
Make BIG and COMPLEX small and manageable
neaMetrics Suprema AI & Data Analytics Surveillance Integrated Solutions
Traditional CCTV and access systems often operate separately, creating gaps in visibility and efficiency. TRASSIR and Suprema have partnered to develop an integrated platform that improves security, operations, and situational awareness.

Read more...
Get the AI fundamentals right
Technews Publishing SMART Security Solutions Leaderware Editor's Choice Surveillance AI & Data Analytics
Much of the marketing for CCTV AI detection implies the client can just drop the AI into their existing systems and operations, and they will be detecting all criminals and be far more efficient when doing it.

Read more...
SMART Surveillance Conference in Johannesburg
Arteco Global Africa Technews Publishing SMART Security Solutions Axis Communications SA neaMetrics Editor's Choice Surveillance Security Services & Risk Management Logistics (Industry) AI & Data Analytics
SMART Security Solutions hosted its annual SMART Surveillance Conference in Johannesburg in July, welcoming several guests, sponsors, and speakers for an informative and enjoyable day examining the evolution of the surveillance market.

Read more...
Troye exposes the Entra ID backup blind spot
Information Security Infrastructure
If you trust Microsoft to protect your identity, think again. Many organisations naively believe that Microsoft’s shared responsibility model covers Microsoft Entra?ID – formerly Azure AD – but it does not.

Read more...
Secure data protection without hardware lock-in
Infrastructure Information Security News & Events
New Veeam Software Appliance empowers IT teams to achieve instant protection with Veeam’s fully preconfigured, software-only appliance, delivering enterprise-ready simplified deployment and operational efficiency, robust cyber resilience.

Read more...
Hytera supports communication upgrade for Joburg
News & Events Infrastructure Government and Parastatal (Industry)
By equipping Johannesburg’s metro police and emergency services with multimode radios which integrate TETRA and LTE networks, Hytera is bridging coverage gaps and improving response times across the city.

Read more...
Directory of suppliers
Technews Publishing SMART Security Solutions Fire & Safety
The Directory of Product and Solution Suppliers for the fire safety industry includes details of companies that provide security and risk mitigation products, advice, and services within this market.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.