The recent SolarWinds and Colonial Pipeline cyberattacks have highlighted serious vulnerabilities in US critical infrastructure, with far-reaching and severe implications affecting both businesses and the public alike. As Southeast Asia increases its physical and economic connectivity among ASEAN member nations in line with its 2025 master plan—which includes projects such as the ASEAN Highway Network and the Singapore-Kunming Rail Link—Southeast Asia should brace itself for attacks on its critical infrastructure as well.
With a rising combined GDP and a shift to the digital economy, Southeast Asia could become a prime target for cyberattacks similar to those seen in the US. “Industrial systems across the region have been undergoing unprecedented digital transformation in recent years,” says David Allott, who heads the cyberdefence unit in Asia-Pacific at Orange Business Services. He observes that ageing industrial control systems are increasingly being connected to the internet to support digital transformation initiatives—delivering agility, computing power, and connectivity but unfortunately exposing them to cyberthreats at the same time.
Thus, it is crucial that operational technology (OT) systems are not directly connected to the internet. “The common concern for cyber-physical vulnerabilities is to ensure that OT systems are not connected to IT systems or directly to the internet,” says Lim Thian Chin, director of the Critical Information Infrastructure Division at the Cyber Security Agency of Singapore.
ASEAN initiatives in protecting critical infrastructure
In the face of rising cyberthreats, ASEAN governments are ramping up the security of their critical infrastructure through regulatory measures and initiatives such as the CII Supply Chain Programme in Singapore and MyDigital in Malaysia.
These government initiatives rely on open intelligence-sharing among ASEAN nations as well as strong collaboration with key cybersecurity industry entities such as computer emergency response teams (CERTs) and computer security incident response teams to build the capabilities necessary to defend critical infrastructure systems.
Allott is a proponent of this approach: “Given that ASEAN countries are all at different stages of cyber maturity with regards to protecting their critical infrastructure, the best solution remains collaboration. Sharing threat intelligence among agencies remains a core requirement to bolstering national and regional defences against cyberattacks.”
He cites the joint launch of the APAC Regional Intelligence and Analysis Centre in 2017 as a great example. “Setting up the regional centre in Singapore was aimed at growing collaboration in fighting cybercrime and promoting intelligence-sharing across ASEAN countries.” Microsoft similarly recently launched the Asia Pacific Public Sector Cyber Security Executive Council to fight cyberthreats across the region.
Kunal Sehgal, the former managing director of the OT information sharing and analysis centre at the Global Resilience Federation, warns that as attacks on infrastructure become a new normal, critical sectors must learn from mistakes and bolster their cyber defences. “ASEAN must be prepared for inevitable attacks not only from relatively low-skilled adversaries that aim to make a quick buck, but also from nation-state threat actors that are going to be patient and meticulous, and will go to extremes to cripple the national infrastructure of an enemy nation.”
How Southeast Asia can reduce cybersecurity risks to critical infrastructure
Due to increasing cyberattacks targeting Southeast Asia, Allott says regional organisations must collectively address the immediate risk of low cyber resilience in critical infrastructure. He believes this effort is particularly challenging because of the significant nuances of coordinating and orchestrating strategic initiatives across the very different countries in the ASEAN region.
“Much of the risk can be attributed to limited security awareness and attention by organisational leadership, the shortage of cybersecurity talent across member nations, and the lack of a truly unified regional governance framework,” Allott says. Without a more cohesive and coordinated approach, the collaboration and sharing of threat intelligence across Southeast Asia remain limited in effectiveness. “While we see progress from initiatives and policy changes in countries like Singapore and Malaysia, it is imperative the risk is acknowledged and all nations actively engage to ensure more funding is directed to increase awareness, resourcing, and governance,” he says.
Allott says there are five key areas that businesses and government agencies everywhere must bear in mind to keep themselves safe from potential attacks:
- Identify: Conduct regular operational transformation audits to create an inventory of all assets and how supply chain partners are accessing critical infrastructure systems.
- Protect: Subscribe to the basic principles of least-privileged access, and microsegment the IT-OT environment, as this helps contain damage if one part is compromised. Deploying encryption capabilities and using multifactor authentication and patching techniques are also important.
- Detect: There are many means of detection, including deploying IT-OT probes and keeping detection capabilities up to date, with alerts actively monitored round the clock.
- Respond: Respond to any threats with speed by using a blend of human and AI tools to detect and cluster threats at scale.
- Anticipate: Leverage global threat intelligence databases, both by monitoring your own network feeds and by subscribing to all major third-party threat feeds.
Allott also emphasises real-time visibility into the changing critical infrastructure threat landscape, including vulnerabilities, tools, techniques, and other relevant factors. “This helps businesses and governments dynamically adjust their tactics and apply resources to areas having the greatest impact.”
Apart from preventing attacks, cybersecurity leaders should also be looking into the operational resilience of their critical infrastructure: How quickly can operations resume following an attack? OT systems are vital to ensure the resilience of critical infrastructures—from keeping liquid flows in a pipe at a predetermined pressure or temperature to alerting engineers when a part in a piece of equipment needs servicing. How quickly they can be restored after a breach is critical to business continuity, preventing further loss of time and revenue.
Both Lim and Allott say that full visibility over assets and IT networks gives executives the assurance to make informed decisions, but that the visibility of assets in critical infrastructure environments remains a main gap in protecting that infrastructure. “It is essential that organisations have a clear view of these assets and data flows,” Allott says.