North Asia Falling Short in Maturity Levels for Integrated IT/OT Security
- By Jay Gomez, Telstra International
- December 01, 2024
As businesses across APAC pursue digital transformation in their day-to-day operations, they are increasingly integrating information technology (IT) and operational technology (OT) — two traditionally segregated systems. To better understand current IT/OT convergence trends in organizations, we commissioned research firm Omdia to conduct an independent survey of 250 business and IT leaders across mainland China, Hong Kong, Japan, Korea and Taiwan.
Unsurprisingly, 48% of leaders across the region find IT/OT convergence to be “very important” to business outcomes. After all, this process can bring many benefits, including innovation, reliability, integrity, and revenue growth improvements. On an operational level, convergence can streamline and enable data flow for manufacturing, healthcare, retail/wholesale, transport, logistics and shipping.
What’s clear is that IT/OT convergence is a growing trend, as over half (53%) of respondents expect their IT and OT systems to be connected in the next 12-18 months. However, the race to convergence reveals a glaring issue. As businesses rush into a digital-first era through integration, they inevitably expose themselves to cybersecurity risks, revealing gaps in their abilities to prevent and mitigate attacks.
Most businesses at only basic preparedness
The Telstra-Omdia study found that only 13% of North Asian businesses are currently at an advanced level of readiness for IT/OT security; most organizations (60%) are merely prepared at a basic level. The manufacturing sector is the least prepared at an industry level, with a scant 38% in the region reporting “operational” or “advanced” maturity levels. This is not breaking news – manufacturing operations have long emphasized manual processes and labor, resulting in a lack of integration across operations and a slow adoption of digital technologies.
South Korea and Hong Kong fare slightly better on security maturity, with 52% and 45% of firms, respectively, reaching “operational” or “advanced” maturity. However, their closeness to the regional figure of 44% reflects a widespread lack of cybersecurity preparedness.
These statistics reveal an alarming state of affairs given that ransomware and cyberattack events occur across Asia-Pacific daily. Almost nine out of ten (88%) organizations have recently experienced a security incident that directly impacted OT production environments, while 74% of cyberattacks that have affected critical infrastructure operations can be traced back to corporate IT systems. The traditional air-gapped approach, where OT systems are segregated from corporate networks, is no longer a sufficient cybersecurity measure. The need for solid resilience against emerging threat actors has never been greater for businesses, especially those in North Asia.
Organizations must proactively tackle security challenges with strategic precision to harness the vast potential of converged technologies safely.
Leveraging the right partners
While only 26% of attacks are traced back to OT systems, many of these systems have not been connected to the Internet, which poses an even greater cybersecurity risk. As such, 73% of organizations state that they plan to fully or partially outsource their IT/OT security to a third party, while 19% report a reliance on vendor platforms and systems. Trusted managed security service providers (MSSPs) can help organizations develop comprehensive and tailored IT/OT convergence and security strategies. They also help businesses bridge their skills gap and overcome budget constraints.
Equipping IT executives with the right resources
Half (50%) of surveyed businesses employ a CISO responsible for understanding and implementing an IT/OT converged cybersecurity program. However, our conversations with executives revealed that cybersecurity leaders have limited visibility of what they are expected to secure. Currently, line-of-business managers in operations offices are typically the gatekeepers of Level 0-3 systems, but IT executives also require access to the necessary resources, tools, and support to spearhead their organization’s IT/OT security plans.
Avoiding the “us versus them” mentality
Due to the physical nature of operations, responsibilities for IT (corporate) and OT (production/industrial) systems are traditionally divided between different teams. As they begin to converge, responsibilities and accountability can blur, hindering cybersecurity processes in the event of an attack. Leaders must adhere to a convergence plan that maps out different stakeholders’ responsibilities. They should also take an agile and programmatic approach when designing their cybersecurity plans to maximize effectiveness against attacks.
In the race towards digital transformation, we see a growing motivation for organizations to optimize their business and operational processes through IT/OT convergence. Yet this process brings a heightened risk for cyber incidents, and it is evident that North Asian companies’ current IT/OT security levels are not adequate in the face of today’s increasing frequency and severity of attacks. How businesses minimize and mitigate cybersecurity risks across their interconnected systems will ultimately become a defining factor for their operational resilience, customer experience and competitive sustainability.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/BeeBright
Jay Gomez is the field CISO, advisor and consultant at Telstra International.