The Philippines still has a lot of work to do to fulfill the National CyberSecurity Plan 2022, especially in protecting the operational technology (OT) side of businesses, according to a top executive of a cybersecurity solutions provider.
The Department of Information and Communications Technology (DICT), through its attached agency the Cybercrime Investigation and Coordination Center, developed and officially unveiled this framework 5 years ago. It has four primary goals: assuring the continuous operation of the nation’s critical infrastructures, public and military networks; implementing cyber resiliency measures to enhance the country’s ability to respond to threats before, during and after attacks; effective coordination with law enforcement agencies; and a cyber security educated society.
“They started formulating the plan in 2017, with the hope that by 2022 it’s fully implemented. I would say, we managed to move it a bit, but I would say in terms of completion, it’s not there yet,” Fortinet Philippines Country Manager Louie Castañeda said when asked for updates during the company’s recent press briefing held in Taguig City.
“Sometimes, programs like this are spearheaded by the previous administration, and when the new one comes in, they try to change the plan.”
Castañeda also noted that the success of an initiative depends on the leader assigned to manage it. In the case of OT security, it falls under the DICT and involves the Department of Energy and the Department of Environment and Natural Resources.
“So it’s always an interagency discussion, plus you have to involve the agencies related to implementing this, and also you have to align this with the other government agencies like the Department of Justice and all those other agencies,” he said.
The Philippines, for him, is already on a par with other countries in so far as the information technology (IT) protection is concerned.
“IT has always been there. In fact, I would say, in terms of IT regulations, we are able to implement a number of best practices as well that came from other countries like [the] GDPR [General Data Protection Regulation]. We have the Data Privacy Act in line with that,” he said.
Even if the Philippiens does not meet all the goals of the plan this year, the Fortinet executive said what is important is both the public and private sectors recognize the need to have a specific clause that targets the OT aspect of a business other than the IT.
“That’s an area that’s still developing and, obviously, that’s one of the tasks of Fortinet and other players in the industry [on] how do we lobby the government to be able to enact the laws and legislations that [are] very specific to providing guidelines for companies to follow when it comes to operational technology security.”
The latest Global 2022 State of Operational Technology and Cybersecurity Report released by Fortinet during the event showed that 94 percent of OT organizations in the country are experiencing an intrusion in the past 12 months.
The top three types of intrusion they have been facing are malware, phishing email, and hacker, the study revealed.
“In the Philippines, operational technology is a significant component of the country’s economy, with sectors that utilize OT, such as agriculture and industrial activities, contributing about 40 percent of the country’s GDP. Many OT equipment and devices are also going online, with OT organizations embracing digital transformation and so cyber security is now crucial to business,” he said.
The report on the local OT sector indicates that cyber risk increases even if organizations are enjoying business performance improvements.
At least 53 percent of those surveyed said that their organizations suffered an impact on operations in the industrial environment due to cyber intrusions, as 66 percent of them experienced operational outage that put physical safety at risk, more so than productivity loss and revenue loss.
“The Philippines recognizes cyber security as a serious boardroom issue, with the CEO as the top influencer of cyber security decisions,” Castañeda said. “However, it would be helpful to include OT cyber security as part of the responsibility of C-level executives as this might encourage IT and OT teams to work together to plan and provide holistic cyber security.”