Infrastructure that drives power generation, water treatment and transport operations are often complex and highly-interconnected today. Disruption to these systems, in the form of cybersecurity attacks, could create significant economic or public health and safety risks, prevent the daily lives of citizens from running smoothly, and even affect national security. In Malaysia, the vulnerability of these systems to cybersecurity attacks have increasingly become a concern.

A 2022 Kroll report that looked at the cybersecurity landscape in Malaysia showed that the country experienced more cyber attacks than any other country in Asia Pacific, and that most organisations are concerned about data loss. “Malaysia is one of the most digitally connected countries in the world,” said Dato’ Ts Dr Haji Amirudin Abdul Wahab, chief executive of CyberSecurity Malaysia, the national cybersecurity specialist agency under the Ministry of Communications and Digital. “The more our systems are connected, the more we are at risk of cyber attacks.”

The Ministry of Communications and Digital recently issued a warning that the frequency and severity of cybersecurity threats in Malaysia are increasing. Statistics from Cybersecurity Malaysia showed that the country reported 4,741 cases of cyber threats in 2022. These cases include ransomware attacks, cyber espionage, cyber scams and other types of threats.

Now there are worries that threat actors will increasingly target the country’s infrastructure and systems that are closely tied to national security interests. These are especially attractive to cyber criminals because of the enormous amount of personal data they hold, and also due to the fact that they cannot afford to have any amount of downtime in their systems.

Aviation is one example. Malaysian budget airline AirAsia fell victim to a ransomware attack in June 2023 by a hacker group called the Daixin Team. The hackers stole the personal data of 5 million unique passengers and all of the airline’s employees. While sensitive data being held hostage is highly undesirable, these types of attacks also illustrate how much more dangerous the situation could have been if the hackers chose to breach more critical areas such as air traffic control systems that could cause physical damage and potentially endanger the lives of aircraft passengers.

Cybersecurity Enforcement

The Malaysian government has realised the importance of preventing and fighting cyber crime to protect citizens, organisations and uphold national security. One initiative under development to strengthen cybersecurity in the country is to establish the Malaysian Cybersecurity Commission.

Amirudin explains that establishing a commission adds an element of regulation to the cybersecurity space. Although the Malaysian government can now instruct companies in key sectors to undertake cybersecurity measures such as conducting security assessments or enhancing staff training, no regulatory body or organisation currently oversees the enforcement of these measures, and a comprehensive legal framework is lacking. The Cybersecurity Commission’s role would be similar to Malaysia’s Energy Commission (Suruhanjaya Tenaga).

Sector Initiatives

Players in the energy sector have also taken steps to push for stronger cybersecurity safeguards. Siemens Energy, an energy technology company, recently launched a cybersecurity operations centre in Cyberjaya, Selangor. The Siemens Energy Cybersecurity Operations Centre Asia Pacific, launched in February 2023, is the region’s first managed detection response (MDR) and operational technology (OT) cybersecurity operations centre (CSOC).

“Many energy companies face limitations in effectively detecting and responding to cyber threats due to technological and resource constraints,” said Jack Chubb, head of industrial cybersecurity, Middle East and Asia Pacific, Siemens Energy.

“The energy sector heavily relies on legacy infrastructure, with outdated systems that were not originally designed with cybersecurity in mind, leaving them vulnerable to modern threats,” he adds. This hinders the collection and analysis of data from digitally connected energy assets for early threat identification.

Chubb says that the interconnectedness of energy systems, driven by digital transformation and the Internet of Things (IoT), also expands the attack surface and creates intricate networks that are challenging to secure comprehensively. The rapid pace of technological evolution in the sector, such as the integration of smart grids and renewable energy sources, introduces new vulnerability if robust security measures are not implemented concurrently.

By offering round the clock monitoring, detection and crisis support, The Siemens Energy CSOC helps to secure the business operations of critical infrastructure such as energy and utilities, helping organisations respond effectively to cyber threats and maintain operational continuity. Chubb explains that one reason that Malaysia was chosen as the location for the CSOC is due to its strategic position in the oil and gas market. The company also recognises that energy firms need help in bridging the gap between different operating environments and cybersecurity approaches with stakeholders along both upstream and downstream operations.

The Siemens Energy CSOC located in Cyberjaya, Selangor, is designed to monitor, detect and mitigate cyber threats on critical infrastructure such as energy and utilities. Image: Siemens Energy.

Water utilities have also been investing heavily in digitisation and interconnectivity of their systems to improve key processes such as water treatment, supply and storage. Similar to energy companies, they too are still reliant on legacy systems that leave them prone to cyber attacks, while their rapid adoption of the internet of things and OT systems heighten the risks of attacks.

Air Selangor, Malaysia’s largest water operator and sole public water services provider for Selangor, Kuala Lumpur and Putrajaya, completed a pilot implementation of the Identity and Access Management (IAM) system in 2021. The system is designed to reduce cybersecurity risk related to identity management by controlling user access to critical information.

In the telecommunications sector, Telekom Malaysia (TM) and CyberSecurity Malaysia signed a memorandum of collaboration (MoC) in 2021 to strengthen the level of cybersecurity in Malaysia through sharing of best practices, leveraging each other’s technical capabilities and delivering technology solutions to both the private and public sectors. This is vital to ensuring the safety of telco providers and users in the country as Malaysia seeks to rapidly expand its rollout of the 5G network, which will present new cyber security challenges due to increased speed, faster response times and increased capacity.

Dato’ Ts Dr Haji Amirudin Abdul Wahab, chief executive of CyberSecurity Malaysia, says that companies need a multi-layered approach in dealing with cybersecurity.

Jack Chubb, head of industrial cybersecurity, Middle East and Asia Pacific, Siemens Energy, believes that boards must allocate sufficient resources to combat cyber crime.

Best Practices to Manage Cyber Threats

Organisations today face several common gaps in cybersecurity. These include using outdated systems and weak security measures that increase vulnerability to cyber threats. In addition, inadequate updates and patching leave software and firmware exposed to attacks, while third party risks also arise from working with vendors who have access to critical systems.

To effectively deal with cyber threats and address these gaps, organisations must undertake a comprehensive approach. CyberSecurity Malaysia, for example, looks at cybersecurity issues by grouping them across three pillars: people, process and technology.

There is particular emphasis on skill competencies of its staff, as well as comprehensive policies, guidelines and measures that can strengthen the “process” pillar. Holistic measures such as risk assessments, tailored security controls, incident response plans and consistent monitoring and threat vulnerability assessments are needed. Focused training programmes can also add to the security awareness of staff, hence reducing the chances of human error and successful cyber attacks.

Cybersecurity experts that Bursa Sustain spoke to also emphasised the value of working with players in other industries, including with government agencies and security organisations. Fostering cross-border collaboration and learning from the best practices of companies elsewhere are also important.

These experts cautioned that cyber attacks are becoming more sophisticated. For example, scammers are now using AI (artificial intelligence) voice cloning tools to impersonate the voices of authority figures or executives and demand fraudulent transfers of money or information. It is therefore vital that cybersecurity protection evolves to keep pace with new challenges.

The traditional security approach, such as firewalls and anti-virus software, while important, is no longer sufficient. A multi-layered approach that combines the elements of responsive, preventive, detective and predictive capabilities is recommended. Companies should also adopt a “zero-trust approach” – a strategy which assumes that all individuals, devices and services that attempt to access company resources are not to be trusted.