Operational Technology Security in ASEAN

ERIAResearchProjectReportFY2023No.19 OperationalTechnologySecurityinASEAN EditedbyKeitaOikawa YoichiroHatakeyama OperationalTechnologySecurityinASEAN EconomicResearchInstituteforASEANandEastAsia(ERIA)SentralSenayanII6thFloor JalanAsiaAfrikaNo.8,GeloraBungKarnoSenayan,JakartaPusat12710 Indonesia ©EconomicResearchInstituteforASEANandEastAsia,2023ERIAResearchProjectReportFY2023No.19 PublishedinDecember2023 Allrightsreserved.Nopartofthispublicationmaybereproduced,storedinaretrievalsystem,ortransmittedinanyformbyanymeanselectronicormechanicalwithoutpriorwrittennoticetoandpermissionfromERIA. Thefindings,interpretations,conclusions,andviewsexpressedintheirrespectivechaptersareentirelythoseoftheauthor/sanddonotreflecttheviewsandpoliciesoftheEconomicResearchInstituteforASEANandEastAsia,itsGoverningBoard,AcademicAdvisoryCouncil,ortheinstitutionsandgovernmentstheyrepresent.Anyerrorincontentorcitationintherespectivechaptersisthesoleresponsibilityoftheauthor/s. Materialinthispublicationmaybefreelyquotedorreprintedwithproperacknowledgement. ListofAuthors KeitaOikawa Economist,EconomicResearchInstituteforASEANandEastAsia(ERIA),Jakarta,Indonesia. YoichiroHatakeyama SeniorPolicyAdvisorattheEconomicResearchInstituteforASEANandEastAsia(ERIA),Jakarta,Indonesia. KoichiHasegawa ManagingDirector&PartneratBostonConsultingGroup,Tokyo,Japan. MasamiShibatani AssociateDirectoratBostonConsultingGroup,Tokyo,Japan. EisukeTanaka ProjectLeaderatBostonConsultingGroup,Tokyo,Japan. JunichiIda ConsultantatBostonConsultingGroup,Tokyo,Japan. YokoYarimizu SeniorAssociateatBostonConsultingGroup,Tokyo,Japan. TableofContents ListofAuthors iii ListofFigures v ExecutiveSummary vi Chapter1 Overview 1 Chapter2 CurrentStatusofOperationalTechnologySecurity 8 Chapter3PolicyRecommendationsforASEAN–JapanCooperationon 26 OperationalTechnologySecurity Appendix32 ListofFigures Figure1.1 GDPbyIndustryinASEANMemberCountries 5 Figure1.2 GDPinASEANMemberCountriesanditsRelationshipwithJapan 6 Figure2.1 IEC62443 12 ExecutiveSummary Thisstudycommemoratesthe50thanniversaryofAssociationofSoutheastAsianNations(ASEAN)–JapanfriendshipandcooperationbyexaminingthechallengesandproposingcollaborativesolutionsforoperationaltechnologysecurityintheASEANregion.MultinationalcompaniesinJapanestablishedinternationalproductionnetworks(IPNs)inASEANandEastAsia,whichprovedresilientduringthecoronavirusdisease(COVID-19)pandemicandsupportedtheregionaleconomy.However,maintainingcompetitivenessrequiresaddressingchallengessuchasadvancedsupplychaindigitalisationandtheassociatedneedforincreasedsecuritymeasures.Operationaltechnologysecurityrisks,regulatorydisparities,andgovernanceframeworksareglobalconcernsinthedigitalisationofcriticalinfrastructure.ToenhanceIPNcompetitiveness,cyber-resilienceacrossAsiamustbeimproved,prioritisingoperationaltechnologysecurityincriticalinfrastructureandmanufacturingsupplychains.Thisresearchbridgesthegapbetweencurrentanddesiredoperationaltechnologysecuritystates,proposespolicies,andcontributestoASEANcybersecurityreadinessandIPNsustainabilityincollaborationbetweenASEANandJapan. WhileawarenessofinformationandcommunicationtechnologysecurityisrisinginASEAN,operationaltechnologysecurityawarenessandpreparednessremaininsufficient.InASEAN,fewcountrieshavelaunchedinitiativesonoperationaltechnologysecurityasacountry.SingaporehasdevelopeditsownstandardsbasedonInternationalElectrotechnicalCommission(IEC)62443andhasalsodevelopedproductcertificationforoperationaltechnologysecurityinawaythatistiedtogovernmentprocurementrequirements.Malaysiahasbeguntodevelopitsownstandardsfrom2023,byadoptingIEC62443.However,inotherASEANcountriesnonationalinitiativeshaveyetbeenseen. AsforcurrentoperationaltechnologysecuritylevelinASEANcompanies,whilesomearehighlysensitivetoitduetohighawarenessofenhancedgovernanceandtheoccurrenceofrelatedincidents,othersarenottakingmeasuresduetodelaysindigitalisationandlackofunderstandingofitsnecessity.Globalcompaniesandsomelocalcompanies(e.g.companiesinindustrieswhereoperationaltechnology-relatedincidentshaveoccurredinthepast,companiesrelatedtocriticalinfrastructure,etc.)tendtotakevoluntarymeasuresbyreferringtoglobalstandards,regardlessoftheexistenceoflocalstandards.However,therearemanycompaniesthatunderstandtheimportanceofoperationaltechnologysecuritybuthaveyettotakesystematicmeasuresduetohighcost,lackofexperts,orlackofcleargovernmentguidelines.Therearealsomanylocalcompaniesthathavenottakenmeasuresduetolowprioritycausedbylackofunderstandingoftheimportanceofoperationaltechnologysecurity.Inaddition,therearecompaniesthatarenotrequiredtotakeoperationaltechnologymeasuresduetothelackofautomationintheirplants. Incontrasttocurrentstatus,ideally,coordinatedeffortstoenhanceoperationaltechnologysecurityshouldbepromotedthroughouttheregion,andregulationsshouldbeintroducedbyeachgovernmentbasedonaregionalagreement,andcorporateoperationaltechnologysecuritymeasuresshouldmaturebasedontheseregulations.Inrecenttrends,duetotheexpansionofglobalsupplychains,theimportanceofcoordi