Cybersecurity and critical infrastructure defence strategies converging
By IDC
As digital and physical infrastructure merge and nation states use cyber-attacks as a tool of war, governments are rushing to develop comprehensive cybersecurity defence strategies to protect CIIs and other national infrastructure, says IDC’s Louise Francis.
National cybersecurity strategies are becoming intertwined with critical infrastructure protection in the Asia Pacific region as governments scramble to improve the resilience of these strategic assets amid increasing attacks on them, says IDC Asia/Pacific Public Sector Research Lead, Louise Francis. Image: Canva.
With increasing attacks happening on critical information infrastructure (CII), governments are scrambling to improve the resilience of these strategic national assets.
As a result, national cybersecurity is increasingly becoming intertwined with critical infrastructure protection in the Asia-Pacific region.
IDC Asia/Pacific Public Sector Research Lead, Louise Francis, said by this year, 60 to 65 per cent of national governments in the region will adopt formal action plans to invest in cross-industry collaboration, planning and protection of critical infrastructure.
During a recent webinar titled Scaling the twin peaks of cybersecurity and critical national infrastructure protection, Francis said this was a result of the rapid convergence happening between physical and digital infrastructure, leading to the convergence of cybersecurity with national infrastructure protection.
Protecting national infrastructure from cyber attacks
Highlighting why this is important, Francis shared the case of a hacker in Florida in the United States, who gained access to a water treatment plant and attempted to pump over 100 times the normal limit of sodium hydroxide into the water supply in 2021.
Fortunately, it was spotted by a worker who stopped it.
Francis observed that while all countries in the region are moving towards upgrading their security policies, Singapore, Australia and India were at the forefront of defining what constitutes CII and writing policies to protect them.
All three countries broadly define CII as infrastructure that is vital to the continued delivery of essential services, such as water and electricity supply, transportation, telecommunications, the information and communication technology (ICT) sector, and financial services, among others.
Francis noted that data centre infrastructure is starting to be on the radar of governments, with Singapore already designating it as CII and other countries expected to follow suit. Similarly, the Australian government has incorporated space technology within the ambit of CII.
Macro factors complicate CII protection
During her presentation, Francis shared some of the big macro factors that complicate the development of a comprehensive protection plan for CII.
One of the key challenges is the fragmented nature of regulations, which in turn affects investment in infrastructure and technology.
Adding to this, she said, is geopolitical instability and the expanding footprint of cyber threats targeting national infrastructure, often orchestrated by nation states using artificial intelligence (AI) as a tool of war.
IDC research predicts that by 2027, 95 per cent of nations would have experienced major cyberattacks caused by threat actors using generative AI (GenAI) tools but only 30 per cent will be resilient enough to prevent significant disruptions and breaches.
Cybersecurity spending remains intact
Francis added that while governments around the region are tightening budgets, there have been no cuts in cybersecurity spending. However, there is pressure to make sure that investments generate maximum value.
Within cybersecurity, identity management will be one of the top five areas of investment in APJ in 2025, said Francis.
This will be followed by analytics and predictive tools like security information and event management (SIEM).
The other major areas of investment will be AI security posture management closely followed by encryption technology, data leakage prevention, and data security.
Digital sovereignty linked to CII
Francis said digital sovereignty is linked to critical infrastructure.
“You cannot talk about critical infrastructure or national objectives without talking about digital sovereignty,” she said. She noted that IDC has mapped out the typical digital sovereignty journey that most countries take with varying degrees of sophistication.
The journey starts with self-determination efforts, which comprise regulations on data sovereignty, data assurance, portability and transfers.
Once this stage is achieved, the focus shifts to technical aspects such as cloud sovereignty, interoperability and cybersecurity protection. The next stage is when assurance is achieved with assured workloads, mission resiliency, redundancy and portability.
This is followed by self-sufficiency with control over the supply chains for CII. The final state is survivability, in which technology is used to address strategic weaknesses and vulnerabilities of the attack surface, infrastructure, networks and data.
“We are seeing governments move through the stack a lot more quickly,” Francis said.
Sharing a prediction from last year, she said IDC had found that to ensure national intelligence superiority, 65 per cent of governments will address strategic weaknesses and deploy digital sovereignty to defend critical infrastructure by 2028.
Ahead in the race to secure CII
Francis said Australia has been in the news for incorporating the widening use of technologies such as GenAI and for setting up a national coordination mechanism.
The mechanism, the Critical Infrastructure Risk Management Program (CIRMP), aims to ensure responsible entities take a holistic and proactive approach toward identifying, preventing, and mitigating risks.
Similarly, Francis said Singapore “is really known for being the canary in the coal mine” tackling the challenges with technology and maximising economic opportunities while minimising risks.
“Most of us look to Singapore to see what they're doing… they take a holistic view of critical national infrastructure, and in March, the country announced that it had set up an inter-agency task force on the resilience of digital infrastructure, and this is kicking off the planning for the Digital Infrastructure Act, which is expected in 2025,” Francis said.
India has set up the National Critical Information Infrastructure Protection Centre (NCIIPC) which is responsible for identifying, protecting, and ensuring the longevity of critical sectors like energy, finance, telecommunications, and transport.
Francis observed that other countries in APJ such as Malaysia, Hong Kong and Japan are moving to improve the resilience of their critical infrastructure.
Improving infrastructure resilience
Francis said this year and the next, governments will be working on improving infrastructure resilience, managing nation-state threats, and incorporating AI into security operations.
They will also look to secure operational technology (OT), the Internet of Things (IoT), remote access networks, and standardise governance structures and responsibilities.
From 2025 to 2026, the focus will be on CII protection and cross-country collaboration. Early warning systems for threat management at the edge would also be set up along with a sovereign identity.
From 2026 onward there will be cross-nation intelligence sharing; secure, intelligent event management (of crises); and threat intelligence and observability.
Adding a caveat, Francis said that these projections were “quite aspirational”.
“It’s not necessarily going to go this way, but when we talk to government agencies, these are some of the things that come through as this is where they want to be in the next two to three years,” she said.
For more information, please download the IDC eBook Scaling the Twin Peaks of Cybersecurity and Critical National Infrastructure Protection now.