Operational Technology (OT) is facing a growing threat environment. Cybercriminals and nation-state actors are successfully targeting and impacting critical infrastructure entities globally. With this increased scale of attack and threat surface, policies are needed to better secure industrial networks and their connected OT. This report seeks to help cybersecurity officials create an effective cybersecurity policy framework, and increase the resilience and security of these OT systems.
OT represents the collection of hardware and software that helps to monitor, manage, and control physical devices and their related functions and processes, including components such as valve controls at water treatment facilities, monitoring mechanisms at nuclear power plants, or robotics on manufacturing floors. OT comprises vital components within critical information infrastructure (CII) sectors like utilities and transportation systems. The role of government in ensuring CII and other sectors operate safely and securely naturally reflects an important and similar government role to ensure the cyber resilience of OT.
The importance of OT cyber-resiliency and the role for government is further underscored by the evolving cyber threat environment for OT, where the global trend of cyberattacks on OT systems has intensified and will only get worse. In a survey by Ponemon Institute, 90% of OT enterprise respondents reported suffering at least one damaging cyberattack between 2017 and 2019. In sector-specific examples, cyberattacks on the maritime industry’s OT systems have spiked by 900% over the last three years. In a manufacturing example from June 2020, the SNAKE ransomware specifically targeted industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems at Honda factories around the world, leading to production halts for several days. Digitization is also increasing and accelerated due to factors like COVID-19, which has only further raised the risks by increasing attack surfaces.
Yet the governance landscape for OT within Asia is only in its early stages. Just 9 of 14 top economies in APAC have cybersecurity guidelines for OT protection, and only 4 out of 14 economies have policies in place to coordinate OT cybersecurity at the national or sectoral level. Current laws and policies typically focus on protecting enterprise IT systems within CIIs from cyberattacks. This is worrying – as cybersecurity threats to OT systems mount, OT enterprises in Asia are likely to suffer significant losses from cyberattacks, with critical services and people’s safety being put at greater risk.
Countries need to address cybersecurity risks within OT. As such, governments should consider adopting policies to address OT cybersecurity that are risk-based and outcome-oriented, and allow enterprises and CII operators the flexibility to adopt the tools and technologies that are deemed appropriate and effective for their respective enterprises.
Governments can draw on emerging international and regional best practices and guidelines. These are still at a relatively nascent stage across Asia. Thus, governments have a unique opportunity to craft their respective national frameworks in ways that mutually support one another, both in terms of establishing regional norms that will improve OT cybersecurity and ensuring a level of regional consistency that allows companies and organizations that manage OT to scale their cybersecurity practices more uniformly as they operate and invest across the region.
This report was created by The Coalition for Cybersecurity in Asia Pacific (CCAPAC) – a group made up of Amazon Web Services, Becton Dickinson, Cisco Systems, VMware and Access Partnership.