2026 APAC/SEA Energy OT Cybersecurity CXO Priorities Survey, in collaboration with TXOne
Name
*
First
Last
Email
*
Phone
Business Name
*
Job Title
*
Industry
*
--- Select Choice ---
Aerospace & Defense
Agriculture
Construction
Education
Federal Government
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media & Entertainment
Mining
Nonclassifiable Establishments
Pharma & Lifescience
Professional & Legal Services
Real Estate
Service Provider
State & Local Government
Telecommunications
Transportation & Logistics
Utilities & Energy
Wholesale & Retail
Company Size
*
--- Select Choice ---
1 to 50
51 to 100
101 to 250
251 to 500
501 to 1,000
1,001 to 2,000
2,000+
Physical Address
*
City
*
Given the highly fragmented regulatory landscapes and varying levels of industrial digitalisation across the APAC/SEA region (ranging from strict frameworks like Australia’s SOCI Act and Singapore’s CCoP to emerging guidelines in SEA), how would you describe your current capability to maintain an accurate, centralised OT asset inventory across diverse operational jurisdictions?
*
Fully automated & unified: Real-time visibility across all regional sites, automatically mapped to local compliance/regulatory requirements.
Regionally fragmented: Automated asset inventory exists at primary or modern facilities, but regional/legacy sites rely on manual, localised tracking.
Primarily manual: Centralised visibility is limited; we rely on periodic manual audits and spreadsheets across different business units or countries.
No centralized inventory: Asset tracking is managed strictly at the local plant level with no centralized regional oversight.
As APAC energy operators balance traditional power generation/Oil & Gas with rapid investments in renewable energy and smart grid integration, what percentage of your operational environment consists of unpatchable legacy systems that cannot be updated due to strict 24/7 availability constraints?
*
Less than 10% - Our environment is highly modernized, allowing for regular patch cycles and endpoint updates.
10% to 40% - A complex hybrid mix of newly deployed renewable/digital assets and legacy distribution/generation infrastructure.
41% to 70% - Heavy reliance on aging, unpatchable infrastructure where any modification risks regional grid downtime.
More than 70% - Operations are almost entirely driven by legacy systems, making virtual patching/compensating controls our only viable defence.
Geopolitical tensions and targeted ransomware pose a rising threat to APAC’s energy grid resilience. When a threat is detected at an isolated remote site or the IT-OT boundary, what is your team's current capability to mitigate the risk without disrupting operational continuity?
*
Active inline enforcement: We can segment and block threats at the OT layer in real time without dropping the broader network or stopping production.
Passive visibility only: We can detect the threat, but lack native OT-layer tools to block it dynamically without risking a costly operational shutdown.
Delayed/Scheduled response: Mitigation is manual; we must wait for a scheduled maintenance window or execute emergency physical isolation.
No distinct OT capability: We have blind spots at the OT layer and rely almost entirely on corporate IT security tools.
With industrial digitalisation accelerating cross-border connectivity and cloud-managed utilities across SEA and APAC, how would you describe the depth of your network segmentation strategy?
*
Strict micro-segmentation: Granular, asset-level isolation down to individual workstations and PLCs to prevent lateral threat movement.
Zone-based segmentation: Clear separation between major operational processes, aligned with localized standards or the Purdue Model.
Perimeter separation only: A broad firewall barrier between the corporate IT network and the production/OT environment.
Flat network architecture: High connectivity with minimal segmentation, exposing the OT environment to IT-side vulnerabilities.
APAC’s energy sector heavily relies on a fragmented ecosystem of regional system integrators, OEMs, and third-party engineering contractors. What is your primary mechanism for scanning and governing physical files or transient devices (e.g., USBs, vendor laptops) brought on-site?
*
OT-native workflow security: Mandatory physical scanning kiosks and data-cleansing workflows required for all incoming transient assets.
Policy-driven trust: We rely on contractual vendor compliance and basic endpoint software installed on corporate machines.
Ad-hoc verification: Spot-checking or manual scans are performed primarily before major turnaround or maintenance windows.
No formal mechanism: Third-party vendors connect directly to operational zones without mandatory local file scanning.
While cyber insurance underwriters are tightening global requirements, APAC operators face a compounding layer of strict domestic critical infrastructure laws. How heavily do cyber insurance compliance and local regulations influence your OT cybersecurity investments?
*
Regulatory-led: Domestic critical infrastructure laws (e.g., Australia's SOCI, India's CERT-In guidelines, Singapore's Cybersecurity Act) strictly dictate our roadmap; insurance is a secondary benefit.
Dual-driven: We balance both regional regulatory compliance and insurance underwriting standards equally to optimise our risk and premiums.
Risk-led: Investments are driven purely by internal risk assessments and operational continuity priorities, independent of insurance or compliance.
Reactive: Cybersecurity investments are primarily driven by incident response or urgent budget allocations rather than proactive compliance/insurance alignment.
I consent to Intelligent Global Media and TXOne collecting and processing my personal contact details (provided in this form) for the purpose of sending me information about their products, services, and events. I understand that my data will be handled in accordance with their respective privacy policies. I can withdraw my consent at any time via the individual privacy policies.
*
Yes, I agree to these terms
No, I do not agree to these terms