OT cybersecurity in APAC: Experts reveal best practices

Within OT environments in the Asia-Pacific region, cybersecurity maturity is slowly improving, reflected in a 20% increase in OT security spending in 2022.

Two reasons were given for this by one expert: first and foremost, the changing regulatory landscape in many APAC countries; and secondly, a clearer understanding among businesses of the risk that cyber incidents pose to industrial operations.

However, much work remains to ensure OT environments are ready for more sophisticated attacks from cybercriminals.

To provide some answers, several senior executives gathered for a panel titled “Industrial 4.0 and the OT Cybersecurity in APAC,” organised by Fortinet as part of its Secure Operational Technology Summit 2023.

The view so far

When it comes to digital transformation in APAC, the highest investment priority is still the automation of industrial operations, noted Steven Webb, Managing Partner, Westlands Advisory.

“The number of industrial robots in APAC hit nearly 400,000 last year, which is three times the amount in Europe and the Americas combined. So it just gives you a sense of the scale of manufacturing in Asia,” he said.

In addition to increasing automation, Webb also observed a growing connectivity between IT and OT systems.

“What we’re seeing is more remote access to systems and greater quantities of data being extracted from OT and onto the cloud. While automation and digitalisation can deliver great value, what we noted in 2022 is really a greater awareness that security must be a core part of that digital transformation journey. Therefore, we’re seeing increasing use of deception or detection technology,” he continued.

For Australia’s Essential Energy, strict protocols were already in place even before the pandemic.

As soon as the lockdowns were imposed, the utility had to tighten its already stringent processes around who was granted access, which alerting mechanisms were used, and how access was reported and validated.

John Mihalis, Acting Cyber Manager, Essential Energy, emphasised that a holistic approach to building an OT security team is incredibly important.

“This is mainly due to the changing business models. The industry has encouraged change as well. Success in security has always been around people and processes, making sure we maintain good hygiene across all facets of the business. It’s everyone’s responsibility; there is no one person or specific group, it is everyone’s responsibility. And we do not want to have a concept where it’s someone else’s problem,” he said.

Roadblocks

While there is certainly an improvement in terms of APAC’s cybersecurity maturity in OT, Westlands Advisory’s Steven Webb thinks the level is still very low.

“We have to remember that not every organisation is a global enterprise with regulation and resources behind it. Also, we just need to think historically where we’ve come from, so it was never designed with security necessarily in mind. There’s always a focus on safety, reliability, and availability of systems. So the security gaps are quite considerable and that really needs to close,” he explained.

To describe the current scenario, Webb said organisations in the region are mostly still coming to terms with what assets they currently have.

“Once I understand the assets, discussions begin to unfold. You start with risk management and asset management, but first, you need to understand your cyber risk. From there, you can plan effectively: ‘What budget do I have? How should I allocate it? What tasks should I focus on first?’ In reality, most organisations are still in the early stages, just getting out of their starting blocks, and that’s the level they’re at,” he said.

Indeed, visibility is a prerequisite: organisations must know what they have before they can assess their security posture, noted Dicky Wong, Head of Technology Risks, New World Corporate Services Limited.

“I need to know, what am I seeing? And most important of all, what am I not seeing? For those that I can see, I can put security measures on them, then it will be an easy game. For those that I cannot see, I have to find a way out; either I speak to the manufacturer or find out how to convert their network and put it on my centralised visibility,” he explained.
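The two questions in that quote, what am I seeing and what am I not seeing, can be answered mechanically by reconciling the asset register against passively observed traffic. The following is an added example, not code from the panel or from any vendor named on this page; the asset register, the monitored segments and the flow records are all constructed for illustration, while the port-to-protocol labels are the standard TCP ports for those OT protocols. It reports unknown hosts that are talking, registered assets that are silent on a monitored segment, and registered assets that sit on a segment the sensor cannot see at all.

```python
"""Passive asset-visibility reconciliation for an OT network.

Compares a (constructed) asset register against what is actually observed on
the wire and reports the gap in both directions: hosts that talk but are not
in the register, and registered hosts that never appear in any capture.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Well-known TCP ports for common OT protocols, used only to label traffic.
OT_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Constructed asset register: what the organisation believes it has.
ASSET_REGISTER = {
    "10.10.1.10": {"name": "PLC-LINE1", "zone": "cell-1"},
    "10.10.1.11": {"name": "PLC-LINE2", "zone": "cell-1"},
    "10.10.1.12": {"name": "PLC-LINE3", "zone": "cell-1"},
    "10.10.2.20": {"name": "HMI-01", "zone": "supervisory"},
    "10.10.2.21": {"name": "ENG-WS-01", "zone": "supervisory"},
    "10.10.3.30": {"name": "HISTORIAN", "zone": "dmz"},
}

# Segments the collector actually has a SPAN/TAP on (constructed). A host
# registered outside these can never be seen, which is itself a finding.
MONITORED_SEGMENTS = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]

# Constructed flow records in the shape a network sensor exports: (src, dst, dst_port).
FLOWS = [
    ("10.10.2.20", "10.10.1.10", 502),
    ("10.10.2.20", "10.10.1.11", 502),
    ("10.10.2.21", "10.10.1.10", 102),
    ("10.10.2.99", "10.10.1.11", 502),      # unregistered host issuing Modbus
    ("192.168.50.5", "10.10.1.10", 44818),  # unregistered host from another subnet
]


@dataclass
class VisibilityReport:
    unknown_talkers: dict = field(default_factory=dict)     # ip -> {protocol labels}
    silent_assets: list = field(default_factory=list)       # registered, monitored, never seen
    unmonitored_assets: list = field(default_factory=list)  # registered on an unmonitored segment


def is_monitored(ip, segments=None):
    """True if the address falls inside a segment the sensor can observe."""
    addr = ip_address(ip)
    return any(addr in net for net in (segments or MONITORED_SEGMENTS))


def reconcile(register=ASSET_REGISTER, flows=FLOWS, segments=None):
    """Reconcile observed traffic against the register and return the gap."""
    seen = set()
    unknown = defaultdict(set)
    for src, dst, port in flows:
        label = OT_PORTS.get(port, f"tcp/{port}")
        for host in (src, dst):
            seen.add(host)
            if host not in register:
                unknown[host].add(label)   # "what am I seeing that I did not know about?"
    report = VisibilityReport(unknown_talkers={k: set(v) for k, v in unknown.items()})
    for ip, meta in register.items():
        if ip in seen:
            continue
        # "what am I not seeing?" Split by whether we could have seen it.
        if is_monitored(ip, segments):
            report.silent_assets.append(meta["name"])
        else:
            report.unmonitored_assets.append(meta["name"])
    return report


if __name__ == "__main__":
    r = reconcile()
    for ip, protos in r.unknown_talkers.items():
        print(f"UNKNOWN TALKER {ip}: {', '.join(sorted(protos))}")
    print("silent on monitored segments:", r.silent_assets)
    print("registered but outside sensor coverage:", r.unmonitored_assets)
```

The third bucket is the one Wong describes as needing a way out: a registered asset on a segment with no sensor has to be brought onto the centralised visibility platform (a new TAP, a forwarded log feed, or a vendor-supplied integration) before any control can be placed on it.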

Finding the right path

To counter many of the more sophisticated threats seen today, organisations have been employing tactics such as honeypots. However, whether such a technique is worthwhile has to be judged case by case, Wong added.

“If you’re asking a security professional whether implementing more preventive measures is beneficial, the answer is yes. But in a management role, there are many factors to consider. Do you have the resources to run a honeypot or analyse what you catch? What’s your plan if you capture potential attacks? What’s your mitigation strategy? These considerations must be balanced, so you need to find the right equilibrium between a robust security posture and operational efficiency,” the security expert noted.

Meanwhile, zero trust is another mechanism that can be applied to OT security, albeit with certain precautions, said Michael Murphy, Head of Operational Technology and Critical Infrastructure, Fortinet.

“With zero trust, what’s fundamental is not whether you’re adopting it into IT or OT, but understanding your key assets and vulnerabilities. You must sit down with your architectural team and ask: ‘What are my crown jewels? What motivates a threat actor to target my business? Why must I assess access to my critical components?’ It’s worth noting that many OT devices and hardware vendors have limitations that may prevent the full application of the zero-trust concept,” he explained.

Therefore, IT and OT teams need to sit down and discuss this conundrum, since disruption equals downtime, and downtime equals revenue loss. In many cases, revenue loss can lead to irreversible brand damage, Murphy continued.

Ways forward

The experts on the panel agreed that designing and implementing OT security does not need to be complex, especially given the tools and expertise now available in the industry.

“My strategy, moving forward, is to ensure that I have a good security posture in place, and synergise with my trusted vendors to build a better security posture, instead of merely having a buy-sell relationship with them. So sit down, tell them what you want and the challenges you’re facing, and ask them what they have on the table, or work on something else, something new, or innovate some new solutions that will fit in your organisation,” said Dicky Wong from New World Corporate Services.

For Westlands Advisory’s Steven Webb, reaching out to peers with more experience in designing OT security is always a good place to start, coupled with including security in ESG initiatives.

Meanwhile, nothing beats simplicity and scalability, advised Essential Energy’s John Mihalis.

“Understanding what we have, ensuring that we can see how systems are operating, and confirming that they are working within specifications is absolutely fundamental. As our business model grows more complex, we want to enable third parties to assist in delivering our mission-critical services. We must focus our valuable resources on essential tasks rather than spending them on mundane activities,” he said.

Ultimately, nothing beats a proactive approach, especially when it comes to OT security, Fortinet’s Michael Murphy remarked.

“You can cross-reference shared intelligence with industry peers. Whether it’s a pre-existing incident or a new challenge, open communication is key. This dialogue helps in building a maturity plan tailored to your organisation. Start with the basics: Understand how you’ve obtained visibility into your IT and OT network. Then, consider implementing control points as a second stage. Finally, explore a SIEM and SOAR platform aligned with the MITRE ATT&CK framework. This approach will give you a comprehensive understanding of the tools and tactics that might be used against you,” he concluded.
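Murphy’s two points, that zero trust in OT must work around devices that cannot authenticate their callers, and that control points should feed a SIEM aligned with ATT&CK, can be shown together in a single control-point policy. The following is an added example and is not code from Fortinet or from any panelist. It assumes a Modbus/TCP control point (the function codes are the public protocol constants); the asset names, address map, allowlist and traffic events are constructed; and the tagging of refused write commands with the ATT&CK for ICS technique T0855 (Unauthorized Command Message) is this example’s own mapping, not one the page states. Because a PLC cannot verify identity, the control point derives it from the asset map and applies a default-deny, per-operation allowlist; the `enforce` flag starts a new policy in monitor mode so that a misconfigured rule produces alerts rather than the downtime Murphy warns about.

```python
"""Default-deny, per-operation allowlist for Modbus/TCP at an OT control point,
with monitor-first rollout and SIEM-style alerts tagged with ATT&CK for ICS.
"""
from dataclasses import dataclass, asdict
from typing import Optional

# Modbus function codes (public protocol constants).
MODBUS_READ = {1, 2, 3, 4}      # read coils / discrete inputs / holding / input registers
MODBUS_WRITE = {5, 6, 15, 16}   # write single/multiple coils and registers

# Constructed address-to-asset map. The control point derives identity from it
# because the PLCs themselves cannot authenticate who is talking to them.
ASSETS = {
    "10.10.2.20": "HMI-01",
    "10.10.2.21": "ENG-WS-01",
    "10.10.1.10": "PLC-LINE1",
    "10.10.1.11": "PLC-LINE2",
}

# Constructed allowlist: (source asset, destination asset) -> permitted operation classes.
# Anything not listed is denied (default deny).
POLICY = {
    ("HMI-01", "PLC-LINE1"): {"read"},
    ("HMI-01", "PLC-LINE2"): {"read"},
    ("ENG-WS-01", "PLC-LINE1"): {"read", "write"},
    ("ENG-WS-01", "PLC-LINE2"): {"read", "write"},
}

# Illustrative mapping chosen for this example (ATT&CK for ICS technique ids).
TECHNIQUE_UNAUTHORIZED_COMMAND = "T0855"   # Unauthorized Command Message


@dataclass(frozen=True)
class Decision:
    action: str                      # "allow", "deny", or "would-deny" (monitor mode)
    reason: str
    technique: Optional[str] = None  # ATT&CK for ICS id when the event maps to one


def op_class(func_code):
    """Classify a Modbus function code as read, write or other."""
    if func_code in MODBUS_WRITE:
        return "write"
    if func_code in MODBUS_READ:
        return "read"
    return "other"


def evaluate(src_ip, dst_ip, func_code, enforce=True, assets=ASSETS, policy=POLICY):
    """Apply the allowlist to one request. In monitor mode nothing is blocked;
    a refusal is reported as "would-deny" so the rule can be tuned first."""
    refusal = "deny" if enforce else "would-deny"
    cls = op_class(func_code)
    # Only write commands are tagged as unauthorised command messages; a stray read
    # is still denied but is a visibility finding rather than a control action.
    technique = TECHNIQUE_UNAUTHORIZED_COMMAND if cls == "write" else None
    src, dst = assets.get(src_ip), assets.get(dst_ip)
    if src is None or dst is None:
        return Decision(refusal, f"endpoint not in asset map ({src_ip} -> {dst_ip})", technique)
    if cls in policy.get((src, dst), set()):
        return Decision("allow", f"{src} may {cls} {dst}")
    return Decision(refusal, f"{src} not permitted to {cls} {dst} (fc {func_code})", technique)


def alerts(events, enforce=True):
    """Run a batch of (src, dst, func_code) events and return SIEM-style alert
    records for everything that was not allowed."""
    out = []
    for src_ip, dst_ip, fc in events:
        d = evaluate(src_ip, dst_ip, fc, enforce)
        if d.action != "allow":
            out.append({"src": src_ip, "dst": dst_ip, "function_code": fc, **asdict(d)})
    return out


# Constructed traffic: (src, dst, function code).
EVENTS = [
    ("10.10.2.20", "10.10.1.10", 3),    # HMI reads holding registers: allowed
    ("10.10.2.20", "10.10.1.10", 16),   # HMI writes registers: not in its allowlist
    ("10.10.2.21", "10.10.1.11", 6),    # engineering workstation writes: allowed
    ("10.10.2.99", "10.10.1.11", 5),    # unknown host writes a coil
]

if __name__ == "__main__":
    for a in alerts(EVENTS, enforce=False):   # monitor mode first
        print(a)
```

Running in monitor mode first answers Murphy’s "what are my crown jewels and who needs to reach them" question with evidence: every would-deny record is either a policy gap to fix before switching `enforce=True`, or an unauthorised command that should already be on the SOC’s screen.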