printer friendly version

IoT in security

While some think the Internet of Things (IoT) is an IT issue with scant impact on the physical security market, the reality is quite the opposite. In some circles, the physical security market is being viewed as a subset of the IoT market because security devices are simply electronic devices that communicate, more often than not today via IP.

The argument of whether security is part of the IoT or not is beyond the scope of this article, perhaps even belonging to the world of philosophy. However, the fact is that the security and IoT markets are intersecting and overlapping is beyond question. The result is that security installers and integrators (and DIY installers) need to incorporate IoT systems, skills and functionalities into their services, while traditionally ‘non-security’ installers and integrators are incorporating security solutions into their respective services.

If you are managing alarms, access control or surveillance from a central console, why should you not include additional communicating electronics on the same platform? In a residential setting, this could include lights, gates, air-conditioning and so on. More than simple management, the ability to set-up preventative maintenance processes (only servicing products when they need it as well as having a heads-up before components break) from the same platform is a necessary next step, and an added value for your customers.

While expanding your business without having to start from scratch is an ideal way to grow, the catch is that we know anything that communicates these days is a potential target for cybercriminals. Some may not consider it a serious security breach when someone hacks a camera and can view your parking lot (or is it a problem if syndicates know the timing and habits of people coming and going to and from your premises?), but they could also gain access to your business network, which is a dangerous security breach.

So what do security service providers need to keep in mind when embracing the IoT world and what skills should they enhance to make sure their customers are ‘cyber secure’. Furthermore, we have to ask if the cyber threat from IoT systems is a real risk since we are mostly talking about sensors that transmit minimal amounts of data.

The risks of integrating new sensors

Andre Kannemeyer.

Andre Kannemeyer, national CTO at Duxbury Networking confirms that although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes to entry for hackers.

“The biggest threat is for IoT devices to gain access to other systems or information that they should not have access to,” says Kannemeyer. “For example, if you look at the DDOS attack that was launched in 2016 on DynDNA (https://en.wikipedia.org/wiki/2016_Dyn_cyberattack). The IoT devices that launched the attack had full access to any device on the local network and the Internet instead of only the local DVR/NVR.”

Juan Joubert.

Similarly, Juan Joubert, technical lead for South Africa at Trend Micro, notes: “As the IoT, OT (operational technology) and the Industrial Internet of Things (IIoT) are now more common, data are being shared across these platforms and across multiple environments. Key IoT vulnerabilities we need to look out for are memory corruption, credential management, lack of authentication and code injection. From an IIoT attack perspective, organisations should focus on endpoints and legacy devices, vulnerable systems, proprietary software and communication protocols.”

It is in the integration and communication that we require to deliver the benefits of IoT that the risks reside. IoT solutions require advanced communication platforms and cloud solutions that facilitate seamless integration of devices, networks, gateways, applications and services, says Joubert. “This means that there is a wide range of exposure to potential vulnerabilities with multiple attack surfaces, creating a hacker’s playground.”

And it is not simply about injecting malware to corrupt legitimate data, adds Kannemeyer, but rather malware that runs on the IoT device that gains access or private information or gains access to systems unrelated to the device. He provides the example of a wireless light bulb connected to your Wi-Fi network; it should not have access to your accounting package that other Wi-Fi users have access to.

Can you secure a sensor?

When it comes to securing a device like a surveillance camera, it’s logical that these devices can be used for cyber-attacks due to the ever-growing processing power and memory available in today’s cameras. Are other, less-powerful IoT sensors also a risk since they only transmit minimal data – take a thermostat as an example?

Kannemeyer believes they are at risk and all edge devices can and should be secured. “IoT security starts with the network it connects to. IoT devices usually have very little to no security built into them, so we need to rely on the first point of contact [to the network] to provide the security layer.

“An autonomous network would be able to identify an IoT device, connecting to it (via a network port or Wi-Fi) and hyper-segment the device from the network so that it cannot see any other device on the network, only the required IoT server located in the data centre. The network would also apply a policy at the point of ingress, blocking all traffic to and from the device except for the legitimate TCP/UDP ports allowed.”

Since there are various attack surfaces available for attackers, Joubert agrees and advises that protection needs to be considered at three different layers:

1. Edge protection: Ensures device, mobile app, and web app integrity to prevent devices from becoming attack entry points.

2. Network protection: Secures communication channels to prevent man-in-the-middle attacks.

3. Cloud protection: Assures data privacy and prevents data leakage.

For those who think the edge-security operation (securing the devices at the edge of the network) lies in the control centre, Joubert explains that network or edge layer protection can be built into the IoT device (built-in IoT security software, when vendors actually make the effort to secure their devices), and that the security status should be monitored from one single point. “This ensures firmware integrity and reduces the attack surface. In doing so, it not only keeps IoT devices from being hacked, but also minimises device maintenance costs and protects IoT device developer’s reputation.”

Kannemeyer also warns that normal firewalls and IDS (intrusion detection systems) are usually deployed, but he notes, “This legacy way of deploying firewalls still allows the IoT devices to gain access to all internal services on the internal network.”

This means IoT devices could possibly launch a ransomware attack on the internal network, such as encrypting all files on the internal file shares. He therefore stresses that IoT security must be applied at the networks internal edge, closest to the IoT connection point.

Top three steps to securing IoT

It’s easy to talk about the security and risks associated with the IoT, as well as past breaches and attacks these device-types have been used in, however, what practical advice should the security market take into account when securing their or their customers’ IoT-enhanced systems.

Kannemeyer’s top three tips for securing your IoT infrastructure include the following:

1. Hyper segmentation: Segmenting the device off the normal network, you should almost see it as a separate VPN tunnel across the internal network.

2. Network access control: Identifying different IoT devices connecting to your network and ensuring that the correct network policy is applied to each device.

3. Limiting the IoT device to access only the required IoT resources.

Joubert adds that, unlike multipurpose computers such as PCs, IoT devices are generally more like single-purpose computers and his top three tips therefore include:

1. System hardening.

2. Risk detection.

3. Web detection or malicious URL detection.

Share this article:

Further reading: