Critical infrastructure threats
Critical infrastructure cyber threats in Indonesia: SCADA, water, energy, and manufacturing
In short
Mapping cyber threats against Indonesia's critical infrastructure: ransomware claims on water utility SCADA systems, public data breaches, sector-level ICS risk data, and the IT-to-OT attack path.
Indonesia's physical infrastructure, from PDAM water distribution networks to PLN electricity grid control systems, increasingly relies on computers and networks to operate processes that were once entirely mechanical. That connectivity brings operational efficiency but also opens an attack surface that did not exist before. Attackers no longer need physical access to a control room to disrupt operations.
This page maps documented and claimed threats against Indonesia's critical infrastructure, explains how attackers move from IT networks into industrial control systems, and describes why OT environments need a security approach distinct from standard IT.
21.81%
ICS computers in Indonesia with threats detected, Q1 2026 (Kaspersky ICS CERT)
28%
Oil and gas ICS computers affected, Q1 2026, highest sector (Kaspersky ICS CERT)
8 sectors
Vital Information Infrastructure sectors under Perpres 82/2022 (BSSN)
Claimed and documented incidents
FunkSec is a ransomware group publicly analysed by Check Point Research in January 2025. Within a short period following its emergence in late 2024, the group claimed more than 85 victims across multiple countries, including Indonesian infrastructure entities. Among the data published on their leak site were claims of access to SCADA systems at an Indonesian water utility and PII data from the West Java desa.id village government portal, a platform that manages resident information for thousands of villages.
Ransomware claims require careful reading. These groups sometimes list targets whose data was sourced elsewhere, or overstate the depth of access achieved. But the targeting pattern is consistent: systems managing large-scale public services, storing civilian records, or controlling essential infrastructure are tactically attractive, both as negotiating pressure and as proof of capability to potential affiliates.
Beyond FunkSec's claims, Indonesia's incident history makes the exposure concrete. The June 2024 ransomware attack on Pusat Data Nasional (PDN), attributed by security analysts to Brain Cipher, disrupted services at 239 central and regional government agencies. That incident confirmed Indonesian public digital infrastructure is a viable target, not a theoretical one.
- 01
Reconnaissance
Public scanning for internet-exposed OT devices, web-based HMI interfaces, and remote management systems
- 02
Initial access
Phishing against IT or system administration staff, exploitation of unpatched RDP or VPN services, or compromise of third-party vendor accounts
- 03
Lateral movement
Pivoting from IT workstations into the DMZ or historian that bridges the IT and OT networks
- 04
OT access
Login to HMI or engineering workstations using compromised IT credentials, often with no additional authentication required
- 05
Impact
Encrypting servers and backups, disrupting processes, or exfiltrating operational data and SCADA configuration files
ICS threat levels in Indonesia
Kaspersky ICS CERT publishes quarterly reports measuring the share of ICS computers where malicious objects are detected and blocked. Q1 2026 data places Indonesia above the global average: 21.81 percent versus 19.6 percent globally. Oil and gas was the most exposed sector by a significant margin.
Share of ICS computers in Indonesia with malicious objects blocked by sector, Q1 2026. Source: Kaspersky ICS CERT, as reported by IndoTelko, June 2026.
The figures cover a single quarter. More than one in five industrial computers in Indonesia saw an attack attempt within those three months. The elevated oil and gas figure reflects the value of assets and the downstream impact of service disruption. Operators of power generators, pipelines, and processing facilities draw attention from threat groups because disruptions in those systems have immediate and visible consequences for the public.
How attackers move from IT to OT
Most successful OT incidents do not begin with a direct attack on control systems. They start at familiar IT entry points and work inward layer by layer. The diagram below shows the common path, based on patterns documented by ICS-CERT and published OT incident investigations.
The most common gap is at the IT-OT boundary layer. A historian that stores real-time process data to an IT database typically sits in both networks simultaneously. Engineering workstations used to program PLCs often have internet or email access. Both create unplanned bridges that allow IT malware to reach the OT network without passing through an OT firewall directly.
Why OT is harder to secure than IT
Three characteristics of OT systems make their protection different in practice from corporate IT, and those differences are worth understanding before designing controls.
The first is priorities. In IT environments, data confidentiality sits at the top of the security hierarchy. In OT, operational availability comes first. A PLC controlling water pressure or grid voltage cannot simply be rebooted for a security update. Many patches are never applied, not through negligence, but because the production risk is real and calculated.
The second is protocols. Modbus, DNP3, PROFINET, and most other OT protocols were designed in an era when industrial networks were assumed to be isolated from the internet. They have no built-in authentication or encryption. Anyone who reaches the right network segment can send commands to a PLC without credentials, and the system has no native way to detect commands arriving from an unexpected source.
The third is lifecycle. Standard IT hardware turns over every three to five years. OT equipment, PLCs, RTUs, and SCADA servers, is designed to run for twenty years or more. Many run on operating systems that no longer receive security patches. Replacement requires process re-engineering, vendor involvement, and planned downtime, so organisations often keep running systems that work even when they are technically vulnerable.
Impact beyond data loss
Essential service disruption
An attack on water distribution SCADA can halt supply to residential areas. A grid control system compromise can cause outages. Unlike data incidents, these effects are immediate and visible to the public, not just to the organisation being targeted.
Layered reporting obligations
IIV providers must report cyber incidents to BSSN within 24 hours under Perpres 82/2022. If personal data of residents is involved, UU PDP adds notification obligations to affected individuals and the supervisory authority within three times 24 hours.
Physical equipment damage
In globally documented cases, commands sent to PLCs caused physical damage to industrial equipment. Sabotage through control systems does not require an explosion; running processes outside safe parameters for a sustained period can degrade equipment or trigger unexpected failures.
Extended recovery timelines
OT recovery is not the same as restoring an IT backup. If PLC configuration is not documented, rebuilding the correct operating state takes time. Recovery often requires vendor engagement, manual reconfiguration, and process validation before systems can safely return online.
What protection for OT requires
Effective protection starts with visibility. Many infrastructure operators do not have an accurate, complete OT asset inventory, so they do not know which devices are connected or via which paths. Without that inventory, segmentation cannot be designed correctly, and monitoring has no baseline against which to detect anomalies.
The next step is segmentation assessment: whether the path from IT to OT runs only through planned controls, or whether unintended bridges exist through historians, shared workstations, or vendor access accounts that were never decommissioned. Testing is done passively to avoid disrupting live processes, a requirement that is non-negotiable in environments with low downtime tolerance.
For ongoing monitoring, OT and ICS security services require the ability to read what normal traffic looks like in industrial protocols. Anomalies in Modbus or DNP3 communications are invisible to a SIEM trained only on IT network patterns, so monitoring that does not cover OT protocols will miss threats that have already crossed the boundary.
If your environment falls under Perpres 82/2022 as an IIV provider, the Perpres 82/2022 compliance assessment and IEC 62443 assessment offer a structured starting point. For operators who are not sure where to begin, an OT posture assessment provides a clear picture of what is genuinely exposed and what is adequately protected before deciding where to invest.
References
- 1.Check Point Research. "FunkSec: The New Face of Ransomware at the End of 2024." January 2025.
- 2.IndoTelko. "Sektor migas jadi target utama serangan siber ICS di Indonesia." June 2026.
- 3.BSSN. "Lanskap Keamanan Siber Indonesia 2024." Annual report, February 2025.
- 4.Presidential Regulation 82/2022 on Protection of Vital Information Infrastructure (Perpres 82/2022).
- 5.Dragos. "OT Cybersecurity Year in Review 2024." 2025.
- 6.CISA ICS-CERT. Advisories and Reports. Cybersecurity and Infrastructure Security Agency.
Frequently asked questions
Yes, with documented incidents. FunkSec, analysed by Check Point Research in January 2025, claimed access to the SCADA systems of Indonesian water utilities and published PII data from the West Java desa.id village government portal. The 2024 Pusat Data Nasional (PDN) ransomware attack disrupted services at more than 200 government agencies. Ransomware claims are not always independently verified, but the targeting pattern is consistent.
Related
Solutions
- Critical infrastructure security assessment under Perpres 82/2022
- IEC 62443 compliance assessment for Indonesian industrial operators
- OT/ICS VAPT services in Indonesia: SCADA, DCS, and PLC security assessment
- OT and ICS cybersecurity in Indonesia: a guide for energy, manufacturing, and oil and gas
- Ransomware response in Indonesia: what to do in the first 72 hours
- Indonesia cyber attack statistics: verified numbers, updated quarterly
From the blog
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.