Joe Sarno (Fortinet)
The demand for operational technology (OT) security is likely to continue to rise in the Asia Pacific region as industrial organisations increasingly turn to digital transformation to optimise the value chain.
Those thoughts were shared by Joe Sarno, Fortinet’s head of OT and senior VP international sales – emerging & APJ at the vendor’s recent Secure Operational Technology Summit 2023 APAC virtual event attended by Channel Asia.
“As we recover to the new normal, digital transformation is here to stay and we don’t see it slowing down as it generates a lot of economic benefits for industrial organisations to optimise the entire value chain,” Sarno said in his opening address.
“However, the scale and speed of digital transformation has opened up a huge amount of OT network and devices to the outside world and the world is seeing increased cyberattacks among OT infrastructures in recent years.”
His comments were based off the 2022 Fortinet State of Operational Technology and Cybersecurity Report, which found that 93 per cent of organisations had one or more security intrusions in the past year, with 61 per cent of intrusions affecting OT systems. The study found that OT risk is proportional to OT connectivity, yet inversely proportional to the integration of IT/OT security management.
Fortinet’s findings paralleled those found by Gartner. Back in 2021, the analyst firm predicted that by 2025 cyber attackers will have weaponised OT environments to successfully cause physical harm to people.
While it may sound alarmist, Gartner found that security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual harm, commercial vandalism, such as reduced output, and reputational vandalism – all of which can make a manufacturer ‘untrusted’ or ‘unreliable’. Gartner predicted that the financial impact of CPS attacks resulting in fatal casualties will reach over US$50 billion by 2023.
Even without taking the value of human life into account, they noted the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. What’s more, Gartner predicted that most CEOs will be personally liable for such incidents.
OT security investment across APAC
While the findings seem staggering, how do they translate to uptake of OT security solutions in the Asia Pacific region? Speaking on a panel discussion about all things industrial 4.0 and OT cyber security, Fortinet’s partners and customers believe there’s plenty of potential for continued investment here.
“When we look at 2022, the main headline from my perspective is just the continued investment in OT security with overall expenditure in the region increasing by around 20%, which is fairly considerable,” said panelist Steven Webb, who is a managing partner at consultancy firm Westlands Advisory.
Webb attributed the rise to several factors, one of which being the changing regulatory landscape in many countries. “There’s also a clear understanding of the risk associated with cyber incidents on industrial operations, so we’re seeing a slight sort of maturity in cybersecurity within the OT environment,” he added.
However, like Sarno, he believes the number one investment driver remains the increasing digitalisation of industrial operations. He relayed figures from the World Robotics Association that highlighted that the amount of industrial robots in APAC was three times the figure in Europe and the Americas combined.
“It just gives you a sense of the scale of manufacturing in Asia,” said Webb.
In addition to increasing automation, there’s also greater connectivity between OT and IT. Industries are seeing more remote access to systems and higher quantities of data are being extracted from IT to the cloud.
“What we’ve noted in 2022 is really a great awareness and security must be a core part of that digital transformation journey,” said Webb. “We’re seeing increasing use of detection technology – and that includes deception actually – the gradual emerging of IT and OT security operations, and certainly a greater focus on implementing zero trust architecture.”
Challenges amidst digital transformation
Therefore, as organisations across APAC invest in automation and assess the need for OT security, how can channel partners support customers through their digital transformation journey? As always, it should begin with understanding the customers’ challenges and finding ways to help them navigate the rapidly changing environment.
During the panel discussion, Dicky Wong, head of technology risk at major Hong Kong conglomerate, New World Corporate Services – a New World Group member – shared what his team faces regularly as they try to keep pace with transformation. New World’s core business is in real estate, particularly in property development, hotels, and infrastructure.
Wong is responsible for the oversight and governance for all technology and cyber related compliance, risk management, and security within the group. One of his major tasks is to define, design and implement a comprehensive and robust risk framework & protection for the group that applies to all business units.
This is a massive task as all units have different technological needs, which suggests that they held varying levels of risk. This challenge is made more complicated with the increasing IT-OT convergence.
“This has widened our whole security landscape compared to before,” said Wong. “Whereas in the old days probably the IT people would focus on IT and OT would focus on OT and now pretty much everything is scrambled together.
“So the first thing that’s on my table is to review the IT policy or playbook that we have within the organisation and how to manage security postures, and if anything happens, who and where to tackle this problem. On the policy part that’s a big challenge because you will need to know pretty much all the stuff within your landscape.”
The next challenge is in choosing a vendor as the security marketplace has become quite saturated in Asia. Organisations can always turn to vendors they have a long-term relationship with, but with the recent influx of security companies entering Asia, including startups, making the right choice for their organisational needs has not been as straightforward.
Lastly, he shared a universal challenge experienced by everyone in the industry, from vendors and channel partners to customers: manpower shortages.
“One of the biggest challenges around the world in IT or cybersecurity is the lack of manpower and lack of skill sets,” he said. “People always [mention] the lack of talent but for me I would say [the issue is] just manpower. We’re not talking about talent yet – talking about people who are willing to spend their day and night trying to understand cybersecurity; trying to get involved in cybersecurity; and people who are interested in working in cybersecurity. That is a big challenge because without people then there would be a lot of things to handle on our plate.”
To tackle such challenges, he shared that his team is always looking for ways to engage in more collaborative relationships with vendors and partners.
“Our playbook now is very different than before, so my strategy going forward is to ensure that I have a good security posture in place is by working closely or collaborating with my selected vendors to create a synergy together to build a better security posture, instead of just having a buy-sell relationship,” said Wong.
“So [be able] to sit down, discuss, and tell them what you want, as well as the challenges that you’re facing. Then ask them what they have got on the table or work on something else or new solutions.”
