By Alex Nehmy, CTO Industry 4.0 Strategy, Asia Pacific & Japan - Palo Alto Networks
Asia Pacific (APAC) is at the frontline of IoT adoption with IoT spending in the region expected to reach US$437B by 2025. This growth is driven by governments and private organisations investing heavily in digital transformation projects like Singapore’s Smart Nation initiative.
IoT devices are a key pillar of digital transformation powering a wide range of use cases from sensors monitoring lighting and aircon appliances in smart buildings to autonomous robots in industrial environments. However, many smart devices are not designed with security in mind or may have vulnerabilities from the source code used within the manufacturer's supply chain, which users are unaware of. These security vulnerabilities combined with the rapid proliferation of IoT devices mean there’s an urgent need for organisations to think about the security of the devices on their networks. As companies further invest in digital transformation, they need to pay an equal amount of attention to the security of the devices and technologies they use in their everyday operations.
So, what are the security concerns surrounding IoT devices, and what can we do about them?
Security Limitations in IoT Devices
Alarmingly, visibility into threats from IoT devices is often dependent on manually updated databases of known devices.
For instance, certain IoT devices do not have sufficient storage or processing power to support logging or cryptographic abilities that protect sensitive information from being processed, making them vulnerable. As a result, businesses cannot accurately identify and protect against the risk posed by unknown and unmanaged IoT devices.
In fact, such risks have increased with work-from-home arrangements. Our IoT Security Report 2021 found that 81% of respondents in Singapore who have IoT devices connected to their organisation’s network, saw an increase in non-business IoT devices on their corporate networks. Some of these devices include home devices, medical wearables and even game consoles.
The hardware limitations to security controls in IoT devices, coupled with the rise of remote work, are some of the key factors causing regulators to turn their attention towards securing IoT devices across the region.
Regulators set the tone
In response to the growth of IoT technologies in the Asia Pacific region, regulators have developed IoT security regulations and standards for organisations and users.
In Singapore, the government has been proactively addressing this need, through initiatives such as the Cybersecurity Labelling Scheme and the National Integrated Centre for Evaluation (NiCE) to protect consumers and businesses from malicious actors, and to further research and be educated around IoT cybersecurity.
It has also established standards and published practical guidelines for IoT security (TR 64: 2018: “Guidelines for IoT security for smart nation” and Internet of Things (IoT) Cyber Security Guide). These guidelines are intended to serve as a blueprint for enterprise users and vendors to secure IoT devices.
Some of the key security measures outlined in the IoT Cyber Security guide include:
- Enforcing proper access controls for IoT devices (Section 6.4.1)
- Segmenting IoT and enterprise networks (Section 7.3.1)
- Establishing proper device management (Section 7.4.1)
- Conducting periodic vulnerability assessments on connected devices (Section 7.5.2)
Complying with local market regulations, on the Cloud
Digital transformation is fueling IoT adoption in the Asia Pacific region and making organisations increasingly reliant on these devices for critical business operations.
At the same time, companies also have to manage a growing set of local regulations on the usage and management of IoT device and data. Government policies may dictate how data can be collected and retained, and may even restrict the transfer of data across borders to prevent citizen data from being exploited.
It is common today to see businesses use a multitude of cloud services that host their data in different locations around the world. As such, regional companies that are reliant on cloud services to deliver services and enable remote work will find it challenging to comply with different local regulations.
Instead of using local servers to store data for every market, companies can use a cloud hosting solution in their market of choice to ensure that they can still take advantage of the cloud, while staying compliant with local data regulations. Cloud hosting solutions that are built with security and regulatory best-practices in mind will also allow businesses to meet both their data residency preferences, while protecting their enterprise network.
Businesses need to be proactive too
Aside from complying with regulatory standards, organisations must take the necessary precaution to proactively secure their networks in this digital economy as well.
A prerequisite to effectively applying these security measures is visibility into and an understanding of the identity and behaviour of all network-connected devices. A zero-trust approach to network-level IoT security - where enterprises have full visibility of IoT devices, practice continuous device and risk monitoring, and develop security policies with enforcement actions to prevent cyberattacks from happening - is needed to ensure organisations can better eliminate critical security blind spots.
Organisations can also take preventive measures a step further by deploying Machine Learning (ML) technologies to automate device identification, proactively detect malicious deviations, and automatically prevent attacks. As adversaries get more advanced, organisations can leverage ML capabilities to help them stay vigilant at all times.
IoT security is everyone’s responsibility
Both governments and businesses play an integral role in maintaining IoT security. The ubiquity of IoT devices will only mean that the applications of such devices will continue to grow across all industries, and it is everyone’s responsibility to protect themselves and the organisation from cyber adversaries:
- Regulators lay the groundwork for cybersecurity regulations and standards that can be applied at scale
- A cloud hosting solution with built-in security controls helps organisations meet data residency preferences while enjoying the benefits of the cloud
- Organisations need to proactively enforce a Zero Trust approach to eliminate IoT device blind spots and deploy ML technologies to automatically prevent attacks