IoT in security

October 2019 Editor's Choice, Information Security, Integrated Solutions, Infrastructure

While some think the Internet of Things (IoT) is an IT issue with scant impact on the physical security market, the reality is quite the opposite. In some circles, the physical security market is being viewed as a subset of the IoT market because security devices are simply electronic devices that communicate, more often than not today via IP.

The argument of whether security is part of the IoT or not is beyond the scope of this article, perhaps even belonging to the world of philosophy. However, the fact is that the security and IoT markets are intersecting and overlapping is beyond question. The result is that security installers and integrators (and DIY installers) need to incorporate IoT systems, skills and functionalities into their services, while traditionally ‘non-security’ installers and integrators are incorporating security solutions into their respective services.

If you are managing alarms, access control or surveillance from a central console, why should you not include additional communicating electronics on the same platform? In a residential setting, this could include lights, gates, air-conditioning and so on. More than simple management, the ability to set-up preventative maintenance processes (only servicing products when they need it as well as having a heads-up before components break) from the same platform is a necessary next step, and an added value for your customers.

While expanding your business without having to start from scratch is an ideal way to grow, the catch is that we know anything that communicates these days is a potential target for cybercriminals. Some may not consider it a serious security breach when someone hacks a camera and can view your parking lot (or is it a problem if syndicates know the timing and habits of people coming and going to and from your premises?), but they could also gain access to your business network, which is a dangerous security breach.

So what do security service providers need to keep in mind when embracing the IoT world and what skills should they enhance to make sure their customers are ‘cyber secure’. Furthermore, we have to ask if the cyber threat from IoT systems is a real risk since we are mostly talking about sensors that transmit minimal amounts of data.

The risks of integrating new sensors


Andre Kannemeyer.

Andre Kannemeyer, national CTO at Duxbury Networking confirms that although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes to entry for hackers.

“The biggest threat is for IoT devices to gain access to other systems or information that they should not have access to,” says Kannemeyer. “For example, if you look at the DDOS attack that was launched in 2016 on DynDNA (https://en.wikipedia.org/wiki/2016_Dyn_cyberattack). The IoT devices that launched the attack had full access to any device on the local network and the Internet instead of only the local DVR/NVR.”


Juan Joubert.

Similarly, Juan Joubert, technical lead for South Africa at Trend Micro, notes: “As the IoT, OT (operational technology) and the Industrial Internet of Things (IIoT) are now more common, data are being shared across these platforms and across multiple environments. Key IoT vulnerabilities we need to look out for are memory corruption, credential management, lack of authentication and code injection. From an IIoT attack perspective, organisations should focus on endpoints and legacy devices, vulnerable systems, proprietary software and communication protocols.”

It is in the integration and communication that we require to deliver the benefits of IoT that the risks reside. IoT solutions require advanced communication platforms and cloud solutions that facilitate seamless integration of devices, networks, gateways, applications and services, says Joubert. “This means that there is a wide range of exposure to potential vulnerabilities with multiple attack surfaces, creating a hacker’s playground.”

And it is not simply about injecting malware to corrupt legitimate data, adds Kannemeyer, but rather malware that runs on the IoT device that gains access or private information or gains access to systems unrelated to the device. He provides the example of a wireless light bulb connected to your Wi-Fi network; it should not have access to your accounting package that other Wi-Fi users have access to.

Can you secure a sensor?

When it comes to securing a device like a surveillance camera, it’s logical that these devices can be used for cyber-attacks due to the ever-growing processing power and memory available in today’s cameras. Are other, less-powerful IoT sensors also a risk since they only transmit minimal data – take a thermostat as an example?

Kannemeyer believes they are at risk and all edge devices can and should be secured. “IoT security starts with the network it connects to. IoT devices usually have very little to no security built into them, so we need to rely on the first point of contact [to the network] to provide the security layer.

“An autonomous network would be able to identify an IoT device, connecting to it (via a network port or Wi-Fi) and hyper-segment the device from the network so that it cannot see any other device on the network, only the required IoT server located in the data centre. The network would also apply a policy at the point of ingress, blocking all traffic to and from the device except for the legitimate TCP/UDP ports allowed.”

Since there are various attack surfaces available for attackers, Joubert agrees and advises that protection needs to be considered at three different layers:

1. Edge protection: Ensures device, mobile app, and web app integrity to prevent devices from becoming attack entry points.

2. Network protection: Secures communication channels to prevent man-in-the-middle attacks.

3. Cloud protection: Assures data privacy and prevents data leakage.

For those who think the edge-security operation (securing the devices at the edge of the network) lies in the control centre, Joubert explains that network or edge layer protection can be built into the IoT device (built-in IoT security software, when vendors actually make the effort to secure their devices), and that the security status should be monitored from one single point. “This ensures firmware integrity and reduces the attack surface. In doing so, it not only keeps IoT devices from being hacked, but also minimises device maintenance costs and protects IoT device developer’s reputation.”

Kannemeyer also warns that normal firewalls and IDS (intrusion detection systems) are usually deployed, but he notes, “This legacy way of deploying firewalls still allows the IoT devices to gain access to all internal services on the internal network.”

This means IoT devices could possibly launch a ransomware attack on the internal network, such as encrypting all files on the internal file shares. He therefore stresses that IoT security must be applied at the networks internal edge, closest to the IoT connection point.

Top three steps to securing IoT

It’s easy to talk about the security and risks associated with the IoT, as well as past breaches and attacks these device-types have been used in, however, what practical advice should the security market take into account when securing their or their customers’ IoT-enhanced systems.

Kannemeyer’s top three tips for securing your IoT infrastructure include the following:

1. Hyper segmentation: Segmenting the device off the normal network, you should almost see it as a separate VPN tunnel across the internal network.

2. Network access control: Identifying different IoT devices connecting to your network and ensuring that the correct network policy is applied to each device.

3. Limiting the IoT device to access only the required IoT resources.

Joubert adds that, unlike multipurpose computers such as PCs, IoT devices are generally more like single-purpose computers and his top three tips therefore include:

1. System hardening.

2. Risk detection.

3. Web detection or malicious URL detection.


Credit(s)





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Alarms are smarter than ever
Spectrum Security Products Technews Publishing SMART Security Solutions Arxtech Perimeter Security, Alarms & Intruder Detection
Modern smart alarms are evolving beyond simple sirens and basic alerts. They now include features such as system health checks, remote management, real-time notifications, mobile apps, and multiple communication options.

Read more...
From the editor's desk: The high price of cheap
Technews Publishing News & Events
Bringing fire and safety, along with intrusion and perimeter protection, into the same publication is an interesting exercise. At their core, all these systems exist for one reason: to warn people ...

Read more...
Balancing secure access control and fire safety
Editor's Choice Access Control & Identity Management Fire & Safety
In modern building management, few topics create as much tension as the intersection between security access control and fire evacuation safety. Nichola Allen of G2 Fire sheds light on this delicate balance.

Read more...
Fire safety in South Africa
Technoswitch Fire Detection & Suppression Technews Publishing SMART Security Solutions Editor's Choice Fire & Safety Security Services & Risk Management
Fire safety is sometimes ignored, sometimes relegated to whatever is cheapest, and sometimes treated with the seriousness it deserves, given that it focuses on protecting life and assets.

Read more...
Preventing and suppressing lithium fires
SMART Security Solutions Technews Publishing Editor's Choice Fire & Safety Security Services & Risk Management Smart Home Automation
SMART Security Solutions asked Clyde Becker, director of Pyro Brand, for some insight into the mechanics of lithium-ion battery fire risks, especially thermal runaway, and to define a comprehensive, layered approach to fire detection and suppression.

Read more...
Integrated layers offer dependable security
OPTEX SMART Security Solutions Technews Publishing Perimeter Security, Alarms & Intruder Detection Integrated Solutions
A layered approach to security tightens protection and minimises downtime and operational risk. Moreover, integrating all the parts of a solution and proving they can do the job before spending money are critical.

Read more...
Duxbury Cybersecurity sharpens reseller offering
Duxbury Networking Information Security News & Events
Duxbury Networking has strengthened its Duxbury Cybersecurity business unit by adding WatchGuard and Cynet, giving South African resellers broader, more integrated coverage for the security risks customers are now asking them to address.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Sophos establishes South African legal entity to strengthen local operations
News & Events Information Security
Global cybersecurity company, Sophos, has announced the formation of its local legal entity, which will support local invoicing, partner enablement, compliance requirements and expanded regional investment.

Read more...
From drone market growth to application-level commercialisation
IoT & Automation Infrastructure
After years of pilot projects and technology validation, the question for the market is shifting from whether drones can fly safely and collect data, to where they can deliver repeatable operational value at scale.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.