Nearly any moviegoer would be familiar with the trope where an evil mastermind hacks into the “system” to remotely launch nuclear missiles or change traffic light colours to speed up their getaway.
This may seem fanciful, but the premise of bad actors taking over real-world assets is not limited to the world of fiction. Back in 2020, Israel saw a cyberattack on its water facilities in which threat actors attempted to take control of industrial control systems to raise chlorine levels in the water, which could have posed a health concern to those who ingested it. Thankfully it was caught in time.
The rise of Industry 4.0 has led to an increased potential for harm from bad actors. This is particularly evident in the Asia Pacific region and around the world, where innovative technologies are being harnessed to introduce intelligent automation and significantly enhance efficiency.
Consequently, there is a growing interconnection between sensitive Operational Technology (OT) environments and the Internet. OT systems are used for a myriad of use cases, such as controlling transportation systems, running power grids, managing lift maintenance, and controlling industrial robots on assembly lines. We are constantly seeing new uses being developed.
Countries in the region are heavily reliant on OT which serves as the backbone of critical sectors like manufacturing, energy, agriculture and transportation. For example, in the Philippines, sectors that heavily utilise OT, such as agriculture and industrial activities, contribute about 40% of the country's GDP.
Once overlooked, OT security is now a key concern not just for IT departments, but for entire organisations. The reason for this shift in focus is simple: the stakes are higher than ever before as attacks have consequences.
The potential fallout from OT security breaches extends beyond financial losses and reputational damage, reaching into the realm of national security, public safety, and economic stability. For example, if you are an industrial player dependent on the uptime of factories to generate revenue, a cyberattack on your OT systems could put a stop to manufacturing till the issue is fixed, leading to millions in lost revenue.
Historically, businesses have focused on IT cybersecurity risks, underestimating the potential risks posed by OT systems. The belief that these systems were isolated and therefore immune to the cyber threats faced by IT systems has been proven false in recent years.
A lack of awareness and understanding of OT security, along with the perceived complexity of these systems, has also contributed to this security blind spot.
Meanwhile, manufacturers, under pressure to prioritise cost and speed to market, have often failed to incorporate robust security features into OT devices. On top of these challenges, the absence of clear regulatory regimes has left businesses in uncharted waters.
While cloud migration is a familiar topic for IT teams, its implications are new terrain for many manufacturers. The recent surge in cloud adoption, remote work, and the intricate web of OT and IT systems signal a shift that requires legacy systems to be updated with modern solutions. Amid these swift changes, the augmented risk cannot be ignored.
However, the tide is shifting, with governments across the Asia-Pacific region taking decisive action. There has been escalating urgency around the protection of OT and Industrial Internet of Things (IIoT) across the region. Emerging legislative frameworks in the region underscore this trend, revealing a landscape where OT security is no longer a luxury, but a strategic necessity for businesses and governments alike.
For example, the Philippines embarked on its National CyberSecurity Plan 2022, designed to ensure the continuous operation of the nation's critical infrastructures, and has acknowledged the need for specific guidelines around OT security to secure critical infrastructure. Thailand also implemented its Cybersecurity Act in 2019, outlining measures to protect Critical Information Infrastructures (CIIs), including OT systems.
These developments signal a trend towards increasing regulation of OT security across the Asia-Pacific region. While this is potentially good news for national security and public safety, it presents a new set of challenges for businesses. Companies now find themselves having to navigate a complex and evolving regulatory landscape, with potentially significant penalties for non-compliance.
Regulations should not be perceived as burdensome constraints, but rather as opportunities for enhancement. By aligning regulations with international, consensus-driven standards, clarity and flexibility are promoted, leading to a reduction in duplication. Businesses that take this approach will be better positioned to protect themselves from cyber threats, ensuring business continuity, maintaining customer trust, and upholding their reputation.
The emerging focus on OT security in the Asia Pacific region represents more than just a compliance requirement—it's a call to action. It's an opportunity for businesses to bolster their resilience, enhance their market position, and contribute to safeguarding our shared infrastructures.
In an increasingly interconnected world, companies that can demonstrate a commitment to OT security may find themselves with a competitive edge. By exceeding the minimum requirements set out in government regulations, these businesses can differentiate themselves in the market, appealing to consumers who are increasingly aware of and concerned about digital security.
Adopting advanced cybersecurity measures fosters trust among stakeholders, minimises the risk of costly downtime, and protects against reputational damage. It also prepares businesses for future regulatory changes, so they are not left scrambling to comply at the eleventh hour.
In this era, it is not enough to secure IT systems; the safety of industrial operations depends equally on robust OT security. Manufacturers and operators of critical infrastructure must understand that cybersecurity is now intrinsic to the safety and functionality of their systems.
The strength and security of our systems will define our future. Embracing OT security isn't just a business necessity; it's a societal imperative.
Dick Bussiere is the technical director for Tenable APJ