A CISO's perspective in Transforming Operational Technology DIGITAL REPORT 2022
IN ASSOCIATION WITH:
MERALCO
meralco.com.ph
Meralco embraces digital transformation with operational technology as it provides heightened customer experience through AI and automation
Meralco – an acronym of the Manila Electric Railroad and Light Company – in the Philippines, is responsible for the power distribution within its franchise area. Meralco’s Vice President and Chief Information Security Officer, Mel Migriño, is responsible for the protection of the company’s technology stock alongside its operational technology infrastructure, with cybersecurity becoming the most important facet in the face of digitisation.
“Meralco is a diverse business,” states Migriño. “We’re in FinTech, telecoms, retail energy, engineering, electric vehicles, logistics and construction and electromechanical. I work closely with my co-executives to ensure the development and implementation of the different cybersecurity programmes across the organisation.”
As a major player in the Philippine energy industry, Meralco also has a specific and distinctive focus on sustainability, with its agenda, Powering the Good Life, firmly rooted in the United Nations’ Sustainable Development Goals. The four key pillars underpinning Meralco’s sustainability agenda – Power, Plant, People, and Prosperity – guide the commitments and actions of the company in support of sustainable and meaningful progress.
While Meralco’s sustainability strategy is palpable in the here and now, it is also intended to stretch out over the long-term. Various initiatives and projects for the next few years have already been set in motion, demonstrating its commitment to reducing the company’s impact on the environment while fostering growth in the country. A number of transformations have already begun – including electrifying the company’s vehicle fleet, promoting gender diversity and inclusivity, ensuring its transformers are 99% biodegradable and recyclable through the use of ester oil, and planting trees whilst nurturing existing ones to preserve Philippine forests – setting the stage for future adaptations.
“Cybersecurity is a business enabler, a key component in realising initiatives and future goals of the company,” Migriño says. “While I continue to serve my country and organisation, I also want to promote women empowerment in the context of cybersecurity and technology, which has been advancing for many years now.”
On the horizon right now, though, is innovative technology and digital transformation, with an eye on the rise of AI and automation in the energy industry – and the potential security pitfalls that these can lead to for customers and employees alike.
EXECUTIVE BIO
MEL MIGRIÑO
TITLE: VP AND GROUP CISO
LOCATION: PHILIPPINES
Mel is the Vice President and Group CISO of Meralco and former Cyber Security Leader of a Big 4 auditing firm and the largest fintech in the Philippines. She is concurrently the Chairman and President of the Women in Security Alliance Philippines (WiSAP), which focuses on empowering women in security. She was named an IFSEC Global Influencer for Security and Fire, Top 5 under the Security Executives category, in August 2021. She ranked #2 in the 2021 CISO ASEAN Awards by IDG and CSO Online and was recognised as the 2021 CISO of the Year by the Women in Governance, Risk and Compliance Awards.
Building a future-facing energy company
A commitment to looking forward and preparing for the future isn’t anything new for the energy titan. In fact, the company’s fascinating roots firmly establish Meralco as a pioneer in the Philippine energy sector. Although the company’s roots can be traced back to the late 1800s, it officially began in 1903 – making Meralco almost 120 years old.
1903 – The company was established as Manila Electric Railroad and Light Company to provide electric light and power – as well as an electric street railway system – to Manila and its suburbs.
1948 – Meralco focused chiefly on providing electricity. The electric service powered much of the post-war rehabilitation and early industrialisation of the young republic, which gained independence in 1946.
1961 – A group of Filipino investors – led by entrepreneur Eugenio Lopez Sr. – bought Meralco from its American owners, rendering it the first major American enterprise to be 'Filipinised'. This new Filipino management built electricity-generating and distributing facilities at an unprecedented pace to meet the growing needs of its franchise area. It is also during this period that Meralco became the first Philippine company to issue mortgage trust indenture bonds successfully in the US financial market on Wall Street.
1969 – Meralco became the very first billion-peso company in the Philippines. This was all the more remarkable because much of it had been achieved without recourse to government guarantees.
1970 – The Philippine Government made it a state policy for the government to own all major generating facilities. Meralco sold its generating plants to the National Power Corporation, and electric distribution became its core business.
1980 – Meralco's franchise area tripled from 2,678 square km to 9,337 square km. Meralco – upon the request of the government – organised, started up and operated the country's first elevated light rail transit (LRT) system in Manila. At the end of the decade, Meralco turned over the efficiently functioning system to the government.
1995 – Meralco drove initiatives around TQM, re-engineering and the Meralco Transformation Program, with certain common emphases: customer satisfaction; world-class efficiency and productivity; performance-driven rewards; good corporate citizenship; transparent good governance; and process, organisational and human resources development.
2009 - 2012 – The López Group reduced its holdings in Meralco by selling most of its shares to the First Pacific Group. The First Pacific Group and Metro Pacific Investment Corporation currently hold majority shares in Meralco, followed by the JG Summit Group.
2022 – Meralco continues to embark on various initiatives to further expand its infrastructure, and now the organisation is excitingly embracing digital transformation in ICT and in its operational technology to provide better customer experience through AI and automation.
“Now, the organisation is excitingly embracing digital transformation in ICT, looking to use operational technology to provide better customer experience through artificial intelligence and automation,” outlines Migriño.
Combining Meralco’s overlapping enterprises
The company’s operations cover such areas as construction and logistics, telco, energy, and FinTech – but how exactly does each of these tie together?
“The capabilities and resources of each company within the group can be leveraged for the benefit of the other, so that’s the beauty of it – recognising that each company is contributing to the overall fulfilment of the direction and profitability of the parent company,” explains Migriño.
“An example would be Bayad, which is actually our Payments and FinTech arm within the group,” says Migriño. “So the integration there is practical, providing a seamless experience where customer payments are processed through digital platforms, which can be processed in real-time.”
When discussing securing the combination of the Internet of Things (IoT) with the industrial side of the business, Migriño goes on to explain the use of a smart grid. “It consists of digital substations, numerous sensors – even on your controller – and an advanced metering infrastructure for real-time demand and response, all of which has been brought about by the IT and OT convergence or driven by Industry 4.0 – hence the prevalence of IT and OT technologies.”
With rapidly advancing technology being integrated into such systems, maintaining and heightening security protocols can be much more difficult to track and so requires a comprehensive cybersecurity policy.
“To maintain a level of resilience through the implementation of a zero-trust security model, and whilst embarking on digital transformation programmes, it’s most important – first and foremost – to create an architecture where security is included right from the start,” Migriño says.
This architecture should consist of three layers, where the first is a physical layer, the second is a communication layer, and the third is the actual application layer – where the head end systems would actually reside.
“We need to identify the risk in each layer and implement appropriate security measures,” Migriño asserts. “Looking at the physical layer as an example, we can see the data as a potential risk as it can lead to fraud or theft in case of tampering with cyber physical systems. Other possible risks here would be the denial of service or attacks.”
“This is where we need to look at strong encryption in smart meters, as well as the possibility of deploying an IoT secure gateway and proper segmentation within the smart meter network.”
Such infrastructure will prevent the interception of vital personal and confidential data, helping to prevent attacks that result from vulnerabilities exposed by shared software and hardware systems on a single platform, and ensure secure communication protocols – and this should be established across each of the aforementioned layers.
“Visibility is important. If you can start collecting logs and then integrating these logs into the security operation centre, then that is great,” Migriño says. “You need to think about the capabilities, so you need to have the right blend of people and skills that will actually support this. Look at the things around establishing IIoT security operations that will support the IT and OT transformation within the enterprise.”
“We look at the different data from various security logs, then have it correlated to create an intelligent behavioural-based risk to detect and respond to an attack,” she says. “With the infusion of analytics coming from the intelligent sensors and automations in the smart grid, operations can be improved, maintenance costs reduced, and real-time communication and support enabled.”
Migriño believes that achieving the correct balance between security and performance can be a challenge, particularly when there are “organisational silos”, as they can have a ripple effect on all other aspects, which requires thorough risk-assessment planning, coordination and monitoring by both the cyber and technology teams for “remediation”.
Meralco Undertakes Cybersecurity Transformation, Leverages Innovative Cloud Technologies to Gain Simplicity and Agility
Insights from an industry-leading Vice President and Group Chief Information Security Officer (CISO), Ms Mel Migriño
Digitisation With Comprehensive Cybersecurity at Its Core
Manila Electric Railroad and Light Company (Meralco) is responsible for electric power generation and distribution in the Philippines. With Mel Migriño, Vice President and Group CISO at its helm, Meralco underwent rapid expansion and modernisation to help protect the company’s technology stock alongside its operational technology infrastructure. For this digitisation initiative, cybersecurity became an important consideration.
Understanding the Criticality of Cybersecurity
As a diverse business dealing in various sectors – fintech, telecom, retail energy, engineering, electric vehicles, logistics, construction and electromechanical – Meralco needed to develop and implement different cybersecurity programmes. Mel, a leading expert in the cybersecurity space, realised that the rise of AI and automation in the energy industry, which has so far lagged behind, could throw up potential security pitfalls for customers and employees alike. Knowing cybersecurity was paramount, Mel spearheaded the implementation of an all-inclusive cybersecurity policy that could cascade across Meralco and its subsidiaries.
“Palo Alto Networks ensured compliance to all of our requirements and continued to demonstrate excellence and leadership from the beginning to the end. Palo Alto Networks set the bar high in terms of response time, providing zero trust through visibility, real-time threat detection and run-time protection.” Ms Mel Migriño, Vice President, Group Chief Information Security Officer (CISO), Meralco
Industry: Utilities
Focus Area: Further strengthen the implementation of zero trust framework in a high-risk segment
Outcomes:
• Diverse businesses with unique cybersecurity needs
• The rise of AI and automation meant increased risks
• Comprehensive cloud technologies would offer simplicity and agility
Reimagining Cybersecurity as a Business Enabler
Palo Alto Networks’ Zero Trust Enterprise Framework is rooted in the principle of ‘never trust, always verify’. Given that the next five years are expected to witness the evolution of more secure networks, increased cloud storage dependence and innovation, Meralco looked to Palo Alto Networks, the industry leader in cybersecurity, to address their security concerns and establish a safe cyber ecosystem.
Looking at the future of cyber security
“We could have gone through having an unsecure network wherein it got compromised then evolved to a secure network but with the aggressive stance on risk, certain risk conscious organisations will move to a very secure network. So things could swing on premise but the use of cloud will remain because businesses will still look for less expensive and faster ways to innovate. But digital trust and all of its components will be even greater than what we are experiencing now.”
“Also, the use of AI will play a significant role as we progress through the years, but there should be a focus on tightly securing components within the AI infrastructure otherwise we will be in big trouble.” “Vendors and end-users are collaborating more extensively to share their experiences and knowledge to help one another – especially in addressing security concerns and incidents,” she explains. “I also envision that renewable power sources will be the centre of transformation, as well as enhancing the security of processing personal data in light of evolving privacy and data protection laws. Digital trust is paramount.”
Alongside these overall aims for the future, continuing the promotion of gender equality in the energy and cybersecurity sector and building sustainability are core to the company’s growth plan. As for the future of cybersecurity? Well, it seems that the next 5 years are set to witness the evolution of more secure networks, increased cloud storage dependence, and innovation to both drive down costs and “increase digital trust”.
Lopez Building Meralco Avenue Ortigas Center Pasig City Philippines 1600 www.meralco.com.ph