Singapore, which chairs ASEAN this year, had made cybersecurity one of its priorities for the group. That makes sense because the entire region is becoming more digitally connected and cybersecurity threats have become more pronounced. Cybersecurity threats are pervasive and create vulnerabilities in many sectors. The power generation and distribution sectors — crucial to energy security — are highly vulnerable.
Industry reports and energy demand projections show that electricity demand among the ASEAN member states is set to increase by 80 percent between 2015 and 2040 due to population and economic growth, increasing industrialization, rural migration, urbanization, and increasing electrification in rural areas. Of the 10 ASEAN member states, Indonesia, Vietnam, Thailand, Malaysia, and the Philippines have the highest energy demand as of 2015, which will continue to grow in the future. Among the rest of the ASEAN member states, Myanmar’s growing energy needs will be the highest.
Currently, there is no large-scale deployment of smart grids in Southeast Asia, but Singapore, Indonesia, Thailand, Malaysia, Vietnam, and the Philippines have developed plans to introduce smart grid technology in the future. Until then, traditional power grids remain the dominant systems in the region. However, this does not imply that the traditional power grid system is safe from cybersecurity threats. Although traditional power grid systems do not rely on smart technologies, such as smart meters, the control systems in the power distribution centers in large cities are highly computerized, comprising interconnected computers and networked devices. These control systems are thus vulnerable to cybersecurity attacks.
The traditional power grid comprises power generation stations, substations, electricity transmission lines, and electricity distribution lines. Transmission and distribution lines can be located overhead as well as underground. These electrical lines carry electricity from the power generation stations to the consumers after passing through substations, which function to moderate the electricity voltage according to the needs of the consumers. The typical household requires lesser voltage than commercial buildings.
Cyberattacks can cause physical damage and systems malfunctions to the power generation stations and substations, which could lead to power disruptions and blackouts. In 2015 and 2016, more than 225,000 consumers in Ukraine were affected by blackouts that lasted up to six hours when several power distribution companies and substations were hit by cyberattacks. These incidents are believed to be the first known attacks on a national power grid.
Cybersecurity threats have evolved over a short period of time. Cybercrime actors have a wide range of devastating tools at their disposal, including denial-of-service attacks, distributed denial-of-service attacks, malware, and viruses. Threat actors include state and non-state actors such as hacktivists, militaries, organized crime syndicates, corporations, and employees.
Hacktivists are essentially computer fanatics with a sociopolitical mission and who are ideologically driven. State actors (governments) and terrorists are also involved in launching covert cyber attacks, and the damage that they seek to inflict tends to be acute rather than widespread. The tools that they employ are typically, though not limited to, denial-of-service, distributed-denial-of-service attacks, malwares, worms, and viruses. Organized crime syndicates are also actively exploiting cybersecurity vulnerabilities in energy companies and households. For instance, syndicates use spam to lure users to malicious web pages that masquerade as utility companies’ websites. Other than hacktivists and state/non-state actors, employees, and ex-employees (insider threats) can inflict damage to a company from within.
The “employee” category can be broken down further into four separate groups: disgruntled employees, ex-employees, unsuspecting employees, and “corporate spies.” The advantage that they have over hacktivists and other actors is their direct access to the companies’ internal information technology systems. A disgruntled employee can easily access sensitive information and then delete, modify, or sell it to the competitors.
Regional Cybersecurity Development
At the regional level, ASEAN member states recognize the need to defend their cyberspace and ICT infrastructure. To that end, there are four ASEAN mechanisms that look into aspects of cybersecurity and cybercrime, namely: the ASEAN Ministerial Meeting on Transnational Crime (AMMTC); ASEAN Telecommunications and IT Ministers Meeting (TELMIN); the ASEAN Regional Forum (ARF), and the ASEAN Senior Officials Meeting on Transnational Crime (SOMTC).
AMMTC reviews regional issues and sets the agenda for the various Southeast Asian government agencies to work together in the area of transnational crime. The SOMTC then carries out AMMTC’s agenda. SOMTC has identified eight areas of transnational crime — including cybercrime — under its purview, and Singapore has taken the lead in the area of cybercrime. The ARF’s programs include ASEAN seminars on cyber terrorism, conferences on terrorism and the Internet, and workshops on cyber incident response and preparedness measures to enhance cybersecurity. Singapore has even created a $10 million ASEAN Cyber Capacity Fund, which will be used to improve cybersecurity capabilities in the region.
Regional initiatives are critical towards reducing cybersecurity vulnerabilities among ASEAN member states, but these initiatives may not be sufficient if they primarily target technological mitigation and responses only. Efforts at the regional level should be reinforced with good governance and clear policies at the national level. For example, not every ASEAN member state has cybersecurity laws. Even fewer have a dedicated cybersecurity agency which has been designated and empowered to be the focal point for the state to mitigate vulnerabilities and respond to cybersecurity threats and attacks.
It is also important for the ASEAN member states to promote public-private partnerships given the myriad essential services that are provided through the private sector. Cybersecurity requires companies to invest heavily in their security infrastructure, human resources, and in staff capacity building, which is why companies may be reluctant to upgrade their systems, capabilities and conduct regular staff training. However, the private sector must be motivated and incentivized to increase their cybersecurity defenses despite the high recurring costs and states could provide the necessary technological and financial incentives. Finally, at the regional level, the more technologically advanced ASEAN member states must do more to contribute towards regional cybersecurity through capacity-building programs and technological support.
Nur Azha Putra is Research Associate at the Energy Studies Institute, National University of Singapore, Azha’s primary research interests are energy security, nuclear power governance and policy, and cybersecurity in ASEAN.