printer friendly version

Keeping your things to yourself

Securing IoT devices is a task every security installer, integrator, consultant and risk assessor needs to build into their arsenal. Fortunately, IoT security is not something brand new for those who have a grounding in cybersecurity as it applies to the physical security industry - not that the distinction between cyber and physical security is something we will have for much longer.

To obtain some further insights into the challenges and best practices around IoT security, Hi-Tech Security Solutions asked three experts to give us their take on securing the IoT in order to attain the benefits on offer without the cyber risks inherent in electronic communications.

An oxymoron in security

Gregory Dellas.

By Gregory Dellas, security presales, CA Southern Africa.

When it comes to enterprise IT, the term ‘IoT cybersecurity’ is an oxymoron in the industry and some of the incidents involving vulnerable IoT devices can indeed be laughable. Take for example the 2017 case of hackers breaching a casino’s high-roller database by first exploiting an automated thermostat in the lobby aquarium (https://interestingengineering.com/a-casinos-database-was-hacked-through-a-smart-fish-tank-thermometer). IoT may represent many new attack vectors for an organisation, but the traditional principles for securing the organisation still apply.

The advent of IoT is simply an increase in the number of devices and services that an organisation must secure. Working from this paradigm, the impact on a proactive organisation will be minor. Bringing IoT devices such as heating, ventilation and air conditioning (HVAC) sensors, stand-alone cameras or wearable trackers into the organisation should not be a chaotic exercise. Below are practical steps to harmonise IoT and cybersecurity.

Expand the risk scope: Ensure that the scope of your organisation’s IT management system takes IoT into account. Treat each device, no matter how small or specialised, as an asset that needs to be tuned for a tight security posture. Apply the same care in devising safeguards for IoT as you would for a database server. Steps such as disabling unnecessary services, updating firmware and protecting access credentials can be applied to even the most basic devices. Keeping a detailed asset register will aid in this.

Segregate IoT devices on the network: Good practice in network security involves segregation and this should extend to IoT. Commonly, the storage, servers and other out-of-band management networks are in place. Infrastructure IoT devices should belong to their own network, firewalled off and strictly monitored. This makes it easier to implement a policy of least privilege, slow down attackers and reduce damage from successful attacks.

Be aggressive with policy: Carefully scrutinise the functionality of each IoT device, even things like a simple wearable that supposedly tracks movement around the factory floor. Ensure that the manufacturer commits to collecting no additional data and monitor outgoing network traffic to confirm this. Extend audit practices like penetration testing to IoT. Press suppliers and contractors to only use equipment that has good vendor support. Finally, incorporate IoT into the BYOD policy as connected devices will continue to proliferate among general employees as time goes on.

The impact of IoT on security

Morne Maree.

By Morne Maree, senior product manager: IoT at Vox.

The security industry is realising benefits such as efficiency and live monitoring or near real-time monitoring which leads to effective security and quicker response times, whether it is armed response or making sure people are fulfilling their assigned duties.

An example is guards patrolling a business park. They have to report at specific points, but the report may only be verified at the end of the week. When you monitor with IoT you will know almost immediately if the guard wasn’t at a specific point, so IoT enables near real-time monitoring of guard and security movement.

Another example is maintenance and delivery that ties into physical security. An IoT device can monitor the generator in the business park and trigger a workflow when the generator needs a service or more diesel. The service provider can accept the work order and can notify the IoT system which technician it will dispatch to fulfil the order. The IoT system will notify the security at the gate on the day that the technician will arrive at a certain time.

The technician or diesel delivery person gains entry at the gate with his biometrics. While he is inside the business park he is monitored. His work order is for 80 litres of diesel, but if he only fills the generator with 60 litres, the IoT system will pick up the amount of diesel he has added to the generator and will verify it with the work order and determine that it is not enough. It will then trigger another workflow that will notify the relevant person to investigate. On the positive side, he fulfils his work order, locks the gate, which is also monitored by an IoT device and leaves the office park.

What are security companies doing?

We see partnerships forming, for example between Internet Service Providers (ISPs) and neighbourhood associations. We find that even in our own environment we are moving closer to our security team to collaborate on security solutions that incorporate IoT. For example, we integrate IoT devices with security cameras so that the device can give instructions to the heat vision camera in terms of where to point and what to look at.

Another industry example is where an alarm manufacturer incorporates IoT devices to communicate between the alarm control panel and the control room. Traditionally, it made use of radio frequency to relay communication to the control room, and licences were involved that had to be renewed every year.

IoT has opened up avenues to not only offer new services more efficiently as well as cost-effectively, but to standardise services.

Are physical security companies ready?

Physical security companies are establishing IoT divisions and are very active in developing applications for IoT. The industry is embracing automation as it can derive tremendous benefits from it, such as saving costs and gaining functionality, both of which add concrete value to security businesses.

Are cybersecurity companies ready?

The landscape is evolving and cybersecurity companies are identifying the IoT as a risk and are developing solutions for this segment. An example that serves as a reminder of what can happen when devices are connected to the Internet is a high-end hotel in Europe. A vulnerability in a popular IoT lock key allowed researchers to break into hotel rooms.

The locks in question are dubbed ‘mobile keys’ because of their reliance on mobile phones as opposed to card-based access such as those based on mag-strips and RFID. Researchers showcased how they were able to circumvent the IoT connected key system. The hotel learned a hard lesson about the risk of not securing its IoT deployment as someone can gain entry into its system and lock all the rooms and hold the hotel to ransom.

There is a projection that by 2020 50 billion devices will be connected globally, which essentially means there are 50 billion points to hack and cause havoc. The benefit of using a reputable IoT company is that you are able to work with a team that is security conscious and you receive an IoT solution that is designed with security in mind.

That said, cyber terrorists are always looking for ways into the system.

Of botnets and ransomware

MJ Strydom.

By MJ Strydom, MD, DRS.

Is ransomware hijacking IoT? Well the simple answer to that is that it is certainly trying to do so. This is a very profitable high-tech business for criminals; it can range from encrypting victims’ data and asking for payment to release it, or attacking through DDoS (Distributed Denial of Service) and demanding payment to release services. Examples abound and include the hijacking of stock trading services, video or music services, emergency services or AI-enabled services.

IoT device ransom is similar to a hijack ransom, except the attackers go after the device itself. Any device connected to the Internet is susceptible to security lapses. The market will soon determine if users are willing to pay to regain control of their IoT devices.

Over the years we have seen the development and deployment of massive IoT-based botnets, built around thousands of compromised IoT devices. Most of these weaponised botnets have been used in cyber-attacks to knock out devices or services. Cyber criminals are already upgrading IoT-based botnets with swarm technology to make their attacks more efficient.

2020 should see even greater adoption of the public cloud as part of enterprises’ IT infrastructure, as a way to deliver services and run applications efficiently. This in turn generates a greater need to prevent breaches and ensure data and process integrity.

The one certainty is that 2020 will bring the next phase of threat evolution. Specialist cybersecurity ‘solutions’ (I emphasise this word, as it speaks volumes to examining customers’ specific needs and ensuring they are safe doing business, but not just by throwing products at the problem) providers must remain a step ahead of the next threat.

Share this article:

Further reading: