OT and ICS cybersecurity in Indonesia: a guide for energy, manufacturing, and oil and gas
In short
Operational Technology and Industrial Control Systems security in Indonesia: specific threats, BSSN requirements for critical infrastructure, and OT risk assessment methodology.
Operational Technology (OT) and Industrial Control Systems (ICS) are a categorically different target from enterprise IT. They control physical processes: oil flow, electricity distribution, manufacturing production lines. When these systems are compromised, the consequences can extend far beyond a leaked database or an interrupted service.
In Indonesia, the energy, oil and gas, and manufacturing sectors rely on OT infrastructure that is increasingly connected to IP networks, often without adequate security layers.
Why OT is different from IT
Security professionals experienced in IT are not necessarily ready to handle OT environments. The differences are fundamental, not just technical.
| | IT environment | OT/ICS environment |
|---|---|---|
| Security priority | Confidentiality > Integrity > Availability | Physical safety > Availability > Integrity |
| Downtime tolerance | Hours, with fallback and redundancy | Near zero, downtime can mean physical accidents |
| System update cycle | Monthly or quarterly | Years, many systems cannot be patched at all |
| Worst-case incident impact | Data breach, service disruption, financial loss | Explosion, fire, casualties, national infrastructure damage |
| Security testing techniques | Active exploitation can be used in controlled conditions | Active exploitation risks disrupting physical operations, must be passive or highly controlled |
OT threats relevant in Indonesia
Ransomware targeting OT
Modern ransomware groups move laterally into OT networks to maximise leverage. The Colonial Pipeline attack in 2021 halted fuel distribution across parts of the US East Coast by spreading from the IT network into OT systems.
Industrial espionage and nation-state actors
Energy and manufacturing assets are targets for nation-state actors seeking to map critical infrastructure or steal industrial intellectual property. Indonesia, as one of the region's largest commodity producers, is a natural target.
IT-OT integration gaps
New connectivity between enterprise management systems (IT) and factory control systems (OT) opens attack paths that did not previously exist. Traditional firewalls are not sufficient without deep understanding of OT protocols like Modbus, DNP3, and PROFINET.
Industrial device supply chain
Many OT devices are imported with unpatched firmware or even with embedded backdoors introduced at manufacturing. Without rigorous asset inventory and verification, this threat is invisible.
Regulations for critical infrastructure operators in Indonesia
| Regulation | Obligation | Authority |
|---|---|---|
| PP 71/2019 | Requires critical information infrastructure operators to protect systems from cyber threats. Sectors covered: energy, transportation, finance, healthcare, government, and telecommunications. | Kominfo / BSSN |
| Perpres 82/2022 | National Cybersecurity Framework establishing responsibility for critical infrastructure protection and national incident response coordination. | BSSN |
| BSSN OT Guidelines | Specific guidance for industrial control system security based on the IEC 62443 framework, the international standard for OT security. | BSSN |
OT risk assessment methodology
1. OT asset inventory. Identify all OT assets: PLCs, RTUs, HMIs, historians, and IT-OT gateways. Many organisations lack an accurate OT asset inventory, and without one no security controls can be built on a reliable footing.
2. Network mapping and segregation analysis. Verify that OT networks are properly segregated from IT. Identify every connection point between IT and OT zones, including remote monitoring connections.
3. Passive vulnerability analysis. Use passive monitoring techniques rather than active scanning, which can disrupt sensitive OT devices. Specialist OT tools provide visibility without the risk of disruption.
4. Threat scenario simulation. Run tabletop exercises for scenarios such as ransomware moving from IT to OT, sensor manipulation through a man-in-the-middle position, or firmware sabotage. Identify response gaps in operational playbooks.
5. Recommendations and roadmap. Prioritise remediation by risk, not by a raw list of technical vulnerabilities. In OT environments not every vulnerability can be patched, so compensating controls and network segmentation are often the pragmatic solution.
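The passive approach in step 3, and the IT-OT protocol visibility discussed above, can be illustrated with a small analyser that inspects already-captured Modbus/TCP requests instead of probing devices. The following is an added example written for this page, not Alpha Code's tooling or any specific OT product. It parses the MBAP header and function code of each request, builds a PLC/unit inventory (step 1), flags requests that cross from outside the OT zone into it (step 2), and flags write function codes from anything other than an allowlisted engineering workstation (step 3). All addresses, the zone range, the allowlist, and the captured frames are constructed for the example.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Modbus function codes as defined in the Modbus Application Protocol spec.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed zone model (hypothetical addresses): the OT zone and the one
# engineering workstation that is allowed to issue writes to PLCs.
OT_ZONE = ip_network("10.20.0.0/16")
ALLOWED_WRITERS = {"10.20.1.10"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # MBAP length counts the unit id and the PDU, i.e. everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, tid, unit, frame[7], frame[8:])


def analyse(requests):
    """Passive review: inventory of units per PLC plus policy findings."""
    inventory = defaultdict(set)
    findings = []
    for r in requests:
        inventory[r.dst].add(r.unit_id)
        src_in_ot = ip_address(r.src) in OT_ZONE
        dst_in_ot = ip_address(r.dst) in OT_ZONE
        if dst_in_ot and not src_in_ot:
            findings.append(f"cross-zone: {r.src} outside OT zone -> "
                            f"{r.dst} unit {r.unit_id}")
        if r.function_code in WRITE_CODES and r.src not in ALLOWED_WRITERS:
            findings.append(f"unauthorised write: {r.src} -> {r.dst} unit "
                            f"{r.unit_id} {WRITE_CODES[r.function_code]}")
        elif r.function_code not in READ_CODES and r.function_code not in WRITE_CODES:
            findings.append(f"unusual function code {r.function_code} from {r.src}")
    return inventory, findings


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used only to construct the sample capture."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (source, destination, frame). Not real traffic.
SAMPLE_CAPTURE = [
    # HMI reads 10 holding registers from PLC unit 1 (normal).
    ("10.20.1.20", "10.20.5.1", build_frame(1, 1, b"\x03\x00\x00\x00\x0a")),
    # Engineering workstation writes one register (allowlisted, normal).
    ("10.20.1.10", "10.20.5.1", build_frame(2, 1, b"\x06\x00\x10\x12\x34")),
    # Host in the IT range writes a register on PLC unit 2 (two findings).
    ("192.168.50.7", "10.20.5.2",
     build_frame(3, 2, b"\x10\x00\x00\x00\x01\x02\x00\x00")),
    # HMI reads coils from PLC unit 2 (normal).
    ("10.20.1.20", "10.20.5.2", build_frame(4, 2, b"\x01\x00\x00\x00\x08")),
]


def analyse_capture():
    requests = [parse_modbus_tcp(s, d, f) for s, d, f in SAMPLE_CAPTURE]
    return analyse(requests)


if __name__ == "__main__":
    inventory, findings = analyse_capture()
    for plc, units in sorted(inventory.items()):
        print(f"PLC {plc}: units {sorted(units)}")
    for f in findings:
        print("FINDING:", f)
```

Nothing here sends a packet; the frames come from a capture taken at a span port or tap, which is the kind of visibility step 3 calls for. In a real assessment the zone range and writer allowlist would come from the segregation analysis in step 2, and the inventory from step 1 would be reconciled against what the capture actually shows.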
Why this sector needs OT specialists
A general security consultant without experience in OT protocols and operational environments can cause more harm than good. Aggressive network scanning on a subnet containing legacy PLC devices can cause those devices to crash or behave unpredictably.
Alpha Code has experience in security assessments for operational environments, including coordination with OT/SCADA teams to ensure assessments do not disrupt ongoing operations.
Frequently asked questions
In IT security, the primary priority is confidentiality, then integrity, then availability, in that order. In OT, the priorities are reversed: availability and physical safety come first. Downtime on a factory SCADA system is not just a business problem, it can result in physical accidents, spills, or casualties. The same security approach cannot be applied to both environments.