3 emerging risks the Internet of Things will have to fend against

By Yogesh Hirdaramani

The Internet of Things is foundational to smart city programs, but these devices continue to be plagued by vulnerabilities. GovInsider speaks to Poh Chang Chew, Principal Cybersecurity Consultant OT/Critical Infrastructure APAC, Fortinet, on how government agencies adopting these technologies can protect them from emerging risks.

The Internet of Things promises to improve lives for citizens residing in smart cities across ASEAN, but IoT security professionals will need to be on guard against vulnerabilities. Image: Canva

In 2021, a malicious actor remotely accessed a water treatment plant in the US to increase the amount of sodium hydroxide in the water to a dangerous level – which could have potentially harmed millions of people. This is one example of how poorly secured IoT devices can affect public utilities and endanger citizens.


Across Southeast Asia, smart city initiatives like Singapore’s Smart Nation goals and Thailand’s Thailand 4.0 mission promise to improve the quality of life for citizens on national scales. But as physical systems become more intertwined with technologies like Internet of Things (IoT), vulnerabilities in these devices could lead to disastrous incidents.


The number of IoT devices is only set to grow. According to Statista, we can expect to see close to 30 billion connected devices globally by 2030, and at least 20 to 30 per cent of these devices will reside in Southeast Asia, Poh Chang Chew, Principal Cybersecurity Consultant OT/Critical Infrastructure & Global Partners APAC, Fortinet, tells GovInsider.


Chew shares with GovInsider three emerging risks that IoT security professionals need to watch out for in the coming years.

1. AI-enabled cyber warfare


First, security professionals will have to guard IoT devices against the rise of AI-enabled cyber attacks, says Chew.


As AI grows more advanced and generative AI such as ChatGPT proliferates, malicious actors could use these technologies to quickly identify vulnerabilities and loopholes within the source code of various connected devices, he explains.


Right now, threat actors use reconnaissance websites like Shodan or botnets to identify vulnerable devices connected to the Internet, such as IP cameras, heat sensors, and other devices used in smart city systems. Then, they can hack into vulnerable devices residing at data centres to modify cooling settings and disrupt operations, he explains. 


IoT devices tend to lack strong security, as IoT vendors prioritise speed to market rather than security during the development lifecycle, Chew says. AI can make the process of exploiting these vulnerabilities even easier.


Threat actors can also use AI to perform spear phishing, or phishing that is targeted to specific leaders in an organisation, like chief financial officers, he says. This can mean using generative AI to craft highly convincing messages that will lure such leaders into clicking a link or file carrying malware, thus exposing connected devices to infiltration.


But AI is a double-edged sword and security leaders like Fortinet have used AI to identify and thwart malicious code, he shares. Fortinet deploys AI within its FortiGuard Security Services to proactively detect and block new threats in real-time, such as botnets sending stolen data from connected devices to threat actors.


In turn, FortiRecon’s Digital Risk Protection service uses AI and human intelligence to help organisations proactively monitor internet-facing devices, identify vulnerable assets, and prioritise high-risk vulnerabilities for immediate action, he shares. Such a tool is critical when organisations begin deploying a wide range of IoT devices.

2. Widespread use of 5G


Next, he highlights the widespread use of 5G, which can inadvertently amplify the impact of distributed denial-of-service (DDoS) attacks if connected devices are not adequately protected.


DDoS attacks, which disrupt online services by overloading networks with too much traffic, are particularly dangerous in the age of 5G. 5G promises hyperconnectivity, which can lead to a more deeply connected Internet of Things and more use cases for connected devices, but also a wider attack surface for DDoS attacks.


“5G means higher bandwidth and more reliability, but when there is a DDoS attack, important services will come to a standstill. For example, if a doctor is controlling a medical device from a remote location during a surgery, an unexpected DDoS attack can put the patient at risk,” says Chew. 


In 2016, the notorious Mirai botnet took over 600,000 connected devices such as webcams, air-quality monitors, and Internet routers. Once these connected devices were infected with malware, they were used to take down major websites through a DDoS attack. 


With 5G enabling more integrated and connected systems in hospitals, ports, and other critical public infrastructures, such an attack could severely obstruct public life and safety. Most recently, one of Japan’s largest ports has been brought to a standstill due to a ransomware infection, reported Nikkei Asia.


Organisations can use services such as the FortiGuard Intrusion Prevention Service to protect against threats targeting vulnerable IoT devices, particularly novel threats that traditional firewall services may not be fully equipped to handle. Such threats can use the high speeds of 5G to quickly exploit vulnerabilities that have yet to be patched.

3. Proliferation of connected devices


Finally, security professionals need to account for the increased growth of devices that may connect to various systems and networks, such as personal computers, smartphones, or other smart devices. Such devices can expose the entire network to risk, Chew says.


Chew explains that there is no universally accepted IoT reference architecture amongst vendors, which means that different devices may have different levels of in-built security controls. 


An unsecured device could potentially connect to the 5G network and punch a hole through an organisation’s firewall if these networks are not segmented and monitored, he says. Then, threat actors can use this device to bypass an organisation’s firewall.


This is why it is critical for organisations to have network access controls in place, so that any communication from these devices can be controlled. 


“Security in an office environment is as strong as the weakest link. Network access controls need to be deployed to ensure that any device entering the space has a minimum security health posture,” he says.


For example, a smart device connected to the office should not have the same access as an authorised laptop, he explains.


Fortinet’s network access control (NAC) solution, FortiNAC, helps organisations actively discover all hardware that is connecting to an organisation’s network, such as IoT devices and personal devices.


NAC policies can then be used to ensure devices are authenticated to enter the network, and can restrict access to different categories of IoT devices.


Chew will be speaking at the upcoming webinar, “Internet of Things in the Crosshairs: Navigating Cyber Risks Targeting IoT in the AI Era”, along with public sector cybersecurity leaders.


This article was produced in partnership with Fortinet.