Driven by always-on internet connectivity and digitalisation, the world we live in is becoming increasingly interconnected. Powered by advances in Internet of Things (IoT) technology, we’re seeing the rise of wearables, intelligent vehicles, as well as complex building automation and transportation logistics systems that are connected to the internet, and can send and receive data from other connected devices.
IoT can empower organisations of all sizes with increased visibility and data for better decision-making. From a public sector perspective, the same technology also undergirds Asia-Pacific’s progress towards smart cities, leveraging data collected across digital touchpoints that enable the delivery of intelligent services and improvements in infrastructure and public utilities.
Despite the benefits of IoT, IT and security decision makers will also have to be cognisant that each new IoT device that comes online expands the attack surface that will have to be monitored and protected. As IoT technology matures and becomes increasingly mainstream, the need to address nascent cybersecurity risks associated with connected devices will become mission-critical.
Understanding the visibility challenge and associated risks
Use of IoT in a business or government setting can take many different forms. However, it most commonly involves collecting data on preferences, processes, and conditions to maximise gains in terms of efficiency, productivity, and innovation. Organisations today typically leverage hundreds if not thousands of connected devices, platforms, and assets, with megatrends such as the shift to remote work and increasingly globalised organisations having led the number of connected IoT devices to skyrocket.
The sheer volume and variety of devices in use today make it challenging to have complete visibility of all connected devices, impacting the ability of chief information officers and chief information security officers to effectively mitigate risks and protect their networks.
Complicating matters further is a tendency among organisations to grossly underestimate the scope and size of their network, with the number of known internet-connected devices often making up just a fraction of the network reality. Putting this into numbers, Forescout has found that organisations can be unaware of as many as 30-50% of the devices within the entire cybersecurity framework, raising their risk of a cyberattack.
Furthermore, government, medical, manufacturing, and retail are the industry verticals most at risk from IoT vulnerabilities. This was especially so for healthcare and manufacturing environments, which topped the charts in terms of number of device vulnerabilities per capita. In addition, manufacturers often work across an extensive supply network to achieve economies of scale, which can create challenges in device visibility.
The most vulnerable Internet of Medical Things (IoMT) devices include infusion pumps and medical imaging systems, whose vulnerabilities could have devastating consequences if not addressed. In the manufacturing sector, devices and processes that once required physical inspection and operation are oftentimes operated remotely, and a breach of them could lead to significant downtime.
The impact on Asia-Pacific economies
Failure to adopt a robust approach to IoT security could present a direct threat to Asia Pacific’s growth prospects. The region is today home to a booming digital economy, where IDC has forecasted 1 in 3 companies in the region to be generating more than 30% of their revenue from digital products and services by 2023. Enterprise IoT expenditure in Asia Pacific is expected to reach US$437 billion in 2025, and represents a US$2.9 billion opportunity in Singapore alone.
Having a strong IoT security strategy will also be key to Asia Pacific’s progress towards smart cities. These are expected to generate trillions in economic value for markets such as Singapore, which has invested significant resources into its smart city initiative, Smart Nation, and in IoT innovation to enable the hyperconnectivity that undergirds smart cities. Frost & Sullivan has forecasted Asia Pacific’s IoT market to reach US$436.77 billion in revenue by 2026, with spending on smart cities accounting for almost one-third of the market.
You can’t protect what you can’t see
Visibility and asset management form the basis of reliable network security because it is impossible to protect yourself from the things you can’t see. Core to an effective IoT cybersecurity strategy is to ensure security teams are empowered with knowledge of not only the number and diversity of devices, but also their behaviour and who is using them.
The first order of business is to acknowledge the large number of unknown devices on the network, and understand that actionable visibility of those devices will be key to implementing the right security measures. Though technology leaders will never want to admit they do not have a complete handle on their network, this is an essential first step.
Robust visibility management requires the use of a wide range of tools like traffic monitors and scanners to promptly detect every asset on the organisational network, determine which are running, and ensure their compliance with the current security policies. To facilitate this, the next step is to compile a complete inventory of all known devices and risk profiles. Being aware of and understanding every device will allow security teams to properly categorise them and thereafter evaluate their compliance with security policies.
The bottom line is that all IoT, IoMT, operational technology, and IT devices need to be accounted for. Thereafter, this inventory can continue to be used to accurately identify the areas with the highest risk and ensure proper mitigation efforts are in place.
It is also key to remember that this should not be a one-off exercise, but must be done when new devices are connected and as configurations change. Automation will be important here, especially amid the cybersecurity talent shortage currently faced throughout Asia-Pacific, including in technology hubs such as Singapore.
Creating a more visible interconnected future
Cyberattacks and breaches have become part of the everyday lexicon, as digitalisation across both professional and personal lives takes root. Though they have become routine, their impact remains significant, and cybersecurity will continue to play a fundamental role for the foreseeable future.
As features become more advanced, “smart”, or automated, the number of connected devices will scale upwards accordingly as well, creating a constantly evolving threat landscape. The silver lining and key takeaway for decision makers is the availability of cybersecurity and monitoring solutions on the market today, creating opportunities to ensure that security programmes are keeping pace with change.