Cybersecurity Policy for Operational Technology: A Guide for Governments

This report will highlight some use cases and advantages of OT, describe the cybersecurity risks involving OT, and provide recommendations adapted from global best practices to create an effective OT cybersecurity regime.

Cybersecurity Policy for Operational Technology: A Guide for Governments

Operational Technology (OT) is facing a growing threat environment. Cybercriminals and nation-state actors are successfully targeting and impacting critical infrastructure entities globally. With this increased scale of attack and threat surface, policies are needed to better secure industrial networks and their connected OT. This report seeks to help cybersecurity officials create an effective cybersecurity policy framework, and increase the resilience and security of these OT systems.

OT represents the collection of hardware and software that helps to monitor, manage, and control physical devices and their related functions and processes, including components such as valve controls at water treatment facilities, monitoring mechanisms at nuclear power plants, or robotics on manufacturing floors. OT comprises vital components within critical information infrastructure (CII) sectors like utilities and transportation systems. The role of government in ensuring CII and other sectors operate safely and securely naturally reflects an important and similar government role to ensure the cyber resilience of OT.

The importance of OT cyber-resiliency and the role for government is further underscored by the evolving cyber threat environment for OT, where the global trend of cyberattacks on OT systems has intensified and will only get worse. In a survey by Ponemon Institute, 90% of OT enterprise respondents reported suffering at least one damaging cyberattack between 2017 and 2019. In sector-specific examples, cyberattacks on the maritime industry’s OT systems have spiked by 900% over the last three years. In a manufacturing example from June 2020, the SNAKE ransomware specifically targeted industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems at Honda factories around the world, leading to production halts for several days. Digitization is also increasing and accelerated due to factors like COVID-19, which has only further raised the risks by increasing attack surfaces.

Yet the governance landscape for OT within Asia is only in its early stages. Just 9 of 14 top economies in APAC have cybersecurity guidelines for OT protection, and only 4 out of 14 economies have policies in place to coordinate OT cybersecurity at the national or sectoral level. Current laws and policies typically focus on protecting enterprise IT systems within CIIs from cyberattacks. This is worrying – as cybersecurity threats to OT systems mount, OT enterprises in Asia are likely to suffer significant losses from cyberattacks, with critical services and people’s safety being put at greater risk.

Countries need to address cybersecurity risks within OT. As such, governments should consider adopting policies to address OT cybersecurity that are risk-based and outcome-oriented, and allow enterprises and CII operators the flexibility to adopt the tools and technologies that are deemed appropriate and effective for their respective enterprises.

Governments can draw on emerging international and regional best practices and guidelines. These are still at a relatively nascent stage across Asia. Thus, governments have a unique opportunity to craft their respective national frameworks in ways that mutually support one another, both in terms of establishing regional norms that will improve OT cybersecurity and ensuring a level of regional consistency that allows companies and organizations that manage OT to scale their cybersecurity practices more uniformly as they operate and invest across the region.

Download the full report


This report was created by The Coalition for Cybersecurity in Asia Pacific (CCAPAC) – a group made up of Amazon Web Services, Becton Dickinson, Cisco Systems, VMware and Access Partnership.

Related Articles

Norms for Cybersecurity in Southeast Asia

Norms for Cybersecurity in Southeast Asia

Broad adoption of cybersecurity norms can help promote social development, economic development, and lend stability and security. That’s why Access Partnership have...

23 Nov 2017 Reports
Guide to Computer Emergency Response Teams (CERTs)

Guide to Computer Emergency Response Teams (CERTs)

Computer Emergency Response Teams (CERTs), alternatively referred to as Computer Incident Response Teams (CIRTs) or Computer Security Incident Response Teams...

24 Feb 2020 Reports
Impact of Cybersecurity Regulations on ICT Companies in the European Union

Impact of Cybersecurity Regulations on ICT Companies in the European Union

The purpose of this paper is to provide more clarity about the current two cybersecurity requirements in the EU which…
12 May 2020 Reports
Facial Recognition Technology: A Primer

Facial Recognition Technology: A Primer

At Access Partnership, we recognize the importance of balancing the interests of consumers, citizens, and governments with enabling sustainable market...

29 Sep 2020 Reports