Digital transformation continues to be the theme for many of Asia's enterprises, which are saddled with legacy systems, processes, and infrastructure, and, in many cases, cultures resistant to change. Internet of Things (IoT) is no exception, and arguably, one of the last remaining strongholds of the 1970s idiom: "If it ain't broke, don't fix it!"
I say "last remaining" maybe because it is difficult to make a complete inventory of how much non-IT technology is out in the wild, only to be discovered after it broke, or is scheduled for upgrade or replacement.
Projections indicate the Asia-Pacific IoT market will surge to US$355 billion by 2029, driven by industrial automation, smart cities, and 5G adoption. In China alone, over 3 billion active IoT devices were reported in 2023, underscoring the region's dominance in data generation and its expected capture of 58% of global IIoT data by 2025.
However, this connectivity boom brings documented risks, including escalating cyber threats and supply chain vulnerabilities, alongside opportunities for enhanced efficiency and resilience.
Mapping and validating security controls
A core challenge in Asia's connected landscape is ensuring security across sprawling data pathways. Many organisations overlook actual data flows, focusing instead on theoretical designs.
"Most organisations approach this as a control inventory exercise, but this often misses the real issue: few teams have a complete picture of how their data actually moves," notes Wai Kit Cheah, APAC CISO & Connected Ecosystem leader at Lumen Technologies. "In practice, most teams don't, and that's where security breaks down."
This gap is acute in industrial IoT (IIoT), where legacy devices and supplier access exacerbate risks. Across APAC, key weaknesses include unpatchable devices and fragmented monitoring, with failures often occurring at cloud handoffs.
Adequate validation must prioritise operational realities over audits, as cyber incidents ranked as the top global risk in 2026, cited by 42% of respondents in the Allianz Risk Barometer.
Balancing reliability, latency, and security
Connectivity strategies in Asia must adapt to diverse terrains, from urban hubs to remote sites. Urban areas face complex networks that amplify attack surfaces, while remote operations compromise security to maintain uptime.
"Urban and remote environments tend to fail in different ways," Cheah explains. "In dense, regulated markets, connectivity is generally stable but highly complex. In contrast, remote locations often operate with limited bandwidth and higher latency, and a tendency to relax security controls simply to keep operations running."
Classifying assets by criticality and testing failover scenarios is essential. Opportunities arise in 5G's massive machine-type communications, which support up to a million devices per square kilometre and enable large-scale IIoT in logistics and manufacturing. In ASEAN, supply chain growth integrates AI for predictive analytics, reducing failures and enhancing tracking.
Enforcing network segmentation and tenant isolation
Preventing lateral movement post-breach demands identity-based controls beyond physical layouts. "Effective segmentation and tenant isolation require controls that operate independently of the network's physical layout," states Cheah, advocating identity-tied policies, default-deny rules, and separated planes.
"Enforcement is then validated by simulating a compromised device or tenant and confirming that lateral movement is blocked by design, not merely detected after the fact," Cheah adds.
Validation through breach simulations is key. In Asia, where OT/IoT convergence ranks as a top concern (49% in WEF surveys), fragmented approaches hinder resilience.
"In 2026, ASEAN nations and enterprises must begin a transition away from the current fragmented approach and towards a unified, interoperable and data-centric regional ecosystem," warns an expert from Wireless Logic.
Mandating encryption for data in transit
Encryption remains non-negotiable amid rising transit risks. "All IoT data in transit should be protected using end-to-end encryption (E2EE), regardless of location or network types," Cheah advises, highlighting TLS for applications and IPsec for carriers.
Treating handoffs as zero-trust boundaries prevents decryption vulnerabilities. He argues that data should remain encrypted until it reaches a tightly controlled enterprise or cloud environment.
"Architectures that decrypt traffic inside the network introduce unnecessary risk and expand the potential blast radius of a compromise," comments the connected ecosystem leader at Lumen Technologies.
With IoT attacks surging 400% in 2025, Asia's mobile and IoT exposures outpace defences, per Zscaler reports. Opportunities include AIoT for secure, real-time healthcare monitoring, projected to drive market growth at 15% CAGR through 2030.
Implementing egress filtering and allow listing
Controlling outbound communications curbs exfiltration. "Yes, provided enforcement is consistent and centrally governed," Cheah confirms. "A default-deny approach ensures IoT devices are only allowed to communicate with explicitly approved endpoints, with all other outbound traffic blocked."
"Any exceptions should be time-bound, auditable, and reviewed regularly, so temporary access doesn't become permanent exposure," adds Cheah.
In cloud-heavy Asia, IP fragility demands identity-anchored controls. DDoS and malware threats (49% of IoT risks) underscore this, with regulations such as the EU Cyber Resilience Act shaping APAC standards.
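The default-deny model described in this section, with time-bound and auditable exceptions keyed on device identity rather than IP address, can be sketched as follows. This is an added example, not code from the article or from Lumen; the class names, device IDs and endpoints are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class TimedException:
    device_id: str
    endpoint: str         # "host:port"
    approved_by: str      # who signed off, kept for the audit trail
    expires_at: datetime  # mandatory, so no exception can be permanent

@dataclass
class EgressPolicy:
    allow: dict                                     # device identity -> approved endpoints
    exceptions: list = field(default_factory=list)  # TimedException entries
    audit: list = field(default_factory=list)       # one record per decision

    def decide(self, device_id, endpoint, now):
        """Return True only for allow-listed or currently valid excepted traffic."""
        reason = "default-deny"
        if endpoint in self.allow.get(device_id, set()):
            reason = "allow-list"
        else:
            for exc in self.exceptions:
                if (exc.device_id, exc.endpoint) != (device_id, endpoint):
                    continue
                if now < exc.expires_at:
                    reason = "exception"
                    break
                reason = "exception-expired"  # lapsed access is denied and flagged
        allowed = reason in ("allow-list", "exception")
        self.audit.append({"ts": now.isoformat(), "device": device_id,
                           "endpoint": endpoint, "allowed": allowed, "reason": reason})
        return allowed

    def due_for_review(self, now, warn=timedelta(days=7)):
        """Exceptions already expired or expiring within the warning window."""
        return [e for e in self.exceptions if e.expires_at - now <= warn]

if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    policy = EgressPolicy(allow={"meter-0042": {"telemetry.example.internal:8883"}})
    policy.exceptions.append(TimedException(
        "meter-0042", "fw-update.example.internal:443", "ops-lead", now + timedelta(hours=4)))
    for dest in ("telemetry.example.internal:8883", "203.0.113.9:443",
                 "fw-update.example.internal:443"):
        print(dest, policy.decide("meter-0042", dest, now))
    print(policy.audit[-1])
```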
Controlling privileged access
Least privilege minimises insider threats. "Least privilege access hinges on limiting who can access systems, what they can do, and how long that access lasts," Cheah elaborates, recommending role separation, temporary permissions, and audits.
"Regular audits are essential to identify unused privileges, standing exceptions, or access that no longer aligns with operational roles. If permissions are not routinely reviewed, least privilege exists only on paper," Cheah says.
Skills shortages (56% barrier in WEF data) amplify risks, but AI-driven monitoring offers opportunities for automation in production environments.
Evaluating provider certifications
Certifications like ISO 27001 provide baselines but often fail to address ecosystem gaps.
"Certifications such as ISO 27001 or SOC 2 attestation are important, but they rarely cover the entire IoT ecosystem," Cheah cautions. "These certifications should be assessed alongside contractual and operational responsibility models."
In Asia, where supply chain attacks rose sharply, 65% of large firms cite third-party vulnerabilities as their top challenge. "Cybersecurity risk in 2026 is accelerating, fuelled by advances in AI, deepening geopolitical fragmentation and the complexity of supply chains," observe Jeremy Jurgens and Paolo Dal Cin from the World Economic Forum.
Authenticating device identity and verifying data integrity
Spoofing prevention starts at transmission. "Each device should be treated as a unique security principal, not a generic endpoint. Every device is issued a distinct identity, supported by certificates or hardware-rooted credentials, and must authenticate before any data is accepted," Cheah stresses.
He stresses the importance of applying these controls at the point of transmission, adding: "If identity or integrity checks are deferred upstream, malicious or spoofed data has already infiltrated the environment. Regular credential rotation and strict rejection of unauthenticated traffic complete the control model."
Credential rotation is vital. Asia's IoT boom, with Northeast Asia holding 70% of global cellular connections by 2025, heightens these needs, but edge AI enables real-time verification, boosting predictive maintenance in manufacturing.
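The control model in this section (a distinct identity per device, authentication and integrity checks before data is accepted, credential rotation, strict rejection) can be illustrated at an ingest point as follows. This is an added example, not code from the article: it substitutes per-device HMAC keys for the certificates or hardware-rooted credentials Cheah mentions, and all names and sample values are hypothetical.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

def tag_for(secret, device_id, key_id, seq, payload):
    # A JSON array keeps field boundaries unambiguous before computing the MAC.
    data = json.dumps([device_id, key_id, seq, payload]).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def signed(secret, device_id, key_id, seq, payload):
    """Device side: build a message carrying its identity, key id and tag."""
    return {"device_id": device_id, "key_id": key_id, "seq": seq,
            "payload": payload, "tag": tag_for(secret, device_id, key_id, seq, payload)}

class Ingest:
    def __init__(self):
        self.keys = {}      # (device_id, key_id) -> (secret, not_after)
        self.last_seq = {}  # device_id -> highest accepted sequence number

    def enroll(self, device_id, key_id, secret, not_after):
        self.keys[(device_id, key_id)] = (secret, not_after)

    def rotate(self, device_id, old_id, new_id, new_secret, now, lifetime, grace):
        # The old credential survives only for a short grace window.
        old_secret, old_exp = self.keys[(device_id, old_id)]
        self.keys[(device_id, old_id)] = (old_secret, min(old_exp, now + grace))
        self.enroll(device_id, new_id, new_secret, now + lifetime)

    def accept(self, msg, now):
        """Verify identity, credential validity, integrity and freshness, in that order."""
        try:
            dev, kid, seq, payload, tag = (
                msg[k] for k in ("device_id", "key_id", "seq", "payload", "tag"))
        except (KeyError, TypeError):
            return "reject:malformed"
        if not all(isinstance(x, str) for x in (dev, kid, payload, tag)) or not isinstance(seq, int):
            return "reject:malformed"
        entry = self.keys.get((dev, kid))
        if entry is None:
            return "reject:unknown-identity"
        secret, not_after = entry
        if now >= not_after:
            return "reject:credential-expired"
        expected = tag_for(secret, dev, kid, seq, payload)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "reject:bad-tag"
        if seq <= self.last_seq.get(dev, -1):
            return "reject:replay"
        self.last_seq[dev] = seq
        return "accept"
```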
Building resilience to region-specific risks
Asia's varied risks—from outages to disasters—demand designed-in failover. "Resilience to region-specific risks depends on whether failure has been explicitly designed into the system," Cheah notes.
He also warns: "If resilience only works under ideal conditions, it will fail during real disruptions such as natural disasters, fibre cuts, or regional regulatory shifts."
Local continuity and tested backups are crucial. Opportunities in smart grids and environmental monitoring align with sustainability goals, with low-power IoT reducing costs.
Ensuring compliance with evolving regulations
Data sovereignty evolves rapidly. Cheah reminds us that ensuring compliance starts with visibility and consistency. "This means knowing where data is created, processed, and stored across devices, networks, and platforms," he continues.
"Core security and privacy controls such as encryption, access control, logging, and retention should be applied uniformly by default, with jurisdiction-specific requirements layered on top of a common architecture, rather than implemented as separate country designs," Cheah says.
He concludes the discussion by advising that clear ownership across the entire data lifecycle is essential to ensure accountability and to address gaps as regulations evolve.
In Asia, frameworks like Singapore's digital trust initiatives support this, fostering innovation amid geopolitical tensions.
Asia's IoT trajectory offers immense opportunities, from 30% reductions in factory downtime to AIoT-optimised supply chains. Yet, with AI vulnerabilities growing fastest (87% in WEF surveys), proactive security is imperative. By addressing these trends, enterprises can harness connectivity for resilient growth.
Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.