1. ASEAN CRITICAL INFORMATION
INFRASTRUCTURE PROTECTION
FRAMEWORK
ASEAN CRITICAL INFORMATION
INFRASTRUCTURE PROTECTION
FRAMEWORK

2. Table of Contents
Introduction 1
Methodology 1
Results and Deliverable Outcome 1
I. Identifying CIIs that Have Strategic Imperatives 1
1. Identify National CIIs, Common Regional CIIs, and Cross-border CIIs Dependency
2. Identify Key Decision-making Factors to Help Identifying National CII of the AMS Who Have
Not Yet Defined Their CIIs
3. Identify Cross-border CII Dependency Risk Perception
II. Developing Coordinated Approaches for Cybersecurity Protection 4
4. Identify Common CII Sectors that Are “Sensitive” and “Feasible” for Information Sharing
among ASEAN
5. Identify Supports Needed to Raise the Protection Levels of CII Across All AMS
6. Identify Actions Needed to Enhance Information Sharing and Regional Collaboration to Raise
the CIIP Levels Across All AMS.
7. Identify Status and the Ways to Promote Bilateral or Multilateral Cooperation and
Agreements to Improve the CII Protection Levels in ASEAN
Framework Recommendation 5
ASEAN Critical Information Infrastructure Protection (CIIP) Framework 6
1. Policy Coordination,
2. Identifying CIIs,
3. Protecting CIIs,
4. Information Sharing,
5. Incident Response, and
6. Capacity Building.
Way Forward 9

3. 1
Summary of
ASEAN Critical Information Infrastructure
Protection Framework Project
Introduction
The main purpose of the study and its point of action is to develop regional critical information
infrastructure (CII) resilience practices by identifying CII that have strategic imperatives and
developing coordinated approaches for cybersecurity protection. The scope of this project study
is based on the ASEAN ICT Masterplan 2020 which aims to strengthen information security and
assurance among ASEAN Member States (AMS).
Methodology
The project study approached its objectives in four stages. The first stage is conducting research
on country overviews dealing with AMS CII approaches, concept and definition, cross-border and
CII interdependencies, cybersecurity policy, strategies, and laws for CII protection. The second
stage is conducting the survey among AMS coordinating authorities or national cybersecurity
experts while the third stage included the sharing of best practices by experts with advanced or
long-time experience with CII protection. Last, a roundtable discussion was held where AMS
participants discussed the survey results, provided mutual agreements on different challenges,
and shared their perspectives, experiences, and implications towards a common goal of building
CII resilience to secure and protect information security in the region.
Results and Deliverable Outcome
The project study has reached its objectives and achievements which include (I) identifying CIIs
that have strategic imperatives and (II) developing coordinated approaches for cybersecurity
protection. The project results and deliverable outcome will be described by the 7 key findings
which consists of the following:
I. Identifying CIIs that Have Strategic Imperatives
1. Identify National CIIs, Common Regional CIIs, and Cross-border CIIs Dependency
Beyond national CIIs of the 7 AMS that have been previously defined (Brunei, Indonesia,Malaysia,
Philippines, Singapore, Thailand, and Vietnam), the project study identifies potential national CIIs
of the remaining AMS who have not yet defined their CIIs and participated in the survey
(Cambodia and Laos) and reached a common AMS CII.* These sectors are Government Agency,

4. 2
Energy & Utilities, Banking/Financial Services, and Information/Communications/Telecommunications
(ICT)
Common AMS Critical Information Infrastructure (CII)*
1) Government Agency
2) Energy & Utilities
3) Banking/Financial Services
4) ICT
(* Not represented or related to cross-border CII or CII Interdependency)
Cross-border CII dependency, in other words, CIIs that could have high cross-border
cybersecurity risk impacts in the region is also investigated and identified. On a scale of ‘none’ to
‘high’ (where 0 = none, 1= low, 2 = medium, and 3 = high), the project study indicates most AMS
do not perceive or are aware of a high level of cross-border sectoral dependency in the region at
this moment. However, Information/Communications/Telecommunications (ICT) is the sector
that most AMS consider posing highest cross-border cybersecurity risk impacts in ASEAN. Other
Sector/Service/
Industry
Brunei Indonesia Malaysia Philippines Singapore Thailand Vietnam
Common
Cambodia
and
Lao PDR
# Numbers 8 10 10 12 11 7 11 Potential
1
Government
Agency/Ministry
✓
1. Law
Enforcement
2. E-GOV’T
GOV’T
(including
E-GOV’T)
GOV'T GOV'T GOV'T
1. E-GOV'T
2. Smart-
City
3. Natural
Resources
✓
2
Energy and/or
Utilities ✓
Energy and
Mineral
✓ ✓ ✓
✓ ✓ ✓
3 Water ✓ ✓ ✓ ✓
4
Banking/Financial
Services
✓ ✓
1. Banking
2. Finance
✓ ✓ ✓
1. Banking
2. Finance
✓
5 Healthcare Services ✓ ✓ ✓ ✓ ✓ ✓ ✓ 
6 ICT ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
7 Transportation ✓ ✓ ✓
1. Land
2. Maritime
3. Air
1. Land
2. Maritime
3. Aviation
✓ ✓
8
Defense & Security
Services
Defense
Defense &
Strategic
Industry
(Resilience)
Defence &
Security
 Security &
Emergency
Services
✓ ✓
9 Emergency Services  ✓ ✓ ✓  ✓
10
Media & Public
Communications
   ✓ ✓  
11 E-Government ✓      
12
Food and
Agriculture
 Food Security ✓    
13
Business Process
Outsourcing (BPO)
   ✓   

5. 3
sectors include Energy & Utilities, Government Agency, Transportation, and Banking/Financial
sectors, respectively.
AMS perception of cross-border CII Dependency Ranked
highest to lowest
1st ICT
2nd Energy & Utilities
3rd Government Agency/Ministry
4th Transportation
5th Banking/Financial Services
2. Identify Key Decision-making Factors to Help Identifying National CII of the AMS
Who Have Not Yet Defined Their CIIs
The project study combines and compares key decision-making factors to identify national CIIs
of AMS who have not yet defined their CIIs to those of AMS who already have CIIs. It has been
concluded that Impact on the Economy is the most important key decision-making factor that
was considered in identifying the national CIIs by all AMS.
Rank
Common Decision-Making Factors to Identify National CIIs
By the AMS
which already have CIIs defined
By the (Perception of) AMS
which have not defined their CIIs
1st
Impact on the economy
Impact on the public safety
Impact on the economy
Impact on the national security and defense
2nd
Impact on the national security and defense
Impact on the public health
Reliance on digital technologies
Impact on the gov’t capabilities to function
3rd
Impact on the public order and social well-
being
Impact on the national image
Impact on the gov’t capabilities to function
Impact on the public order and social well-
being
Impact on the public safety
Impact on the public health
4th Reliance on digital technologies Impact on the national image
Other Impact on the personal data violation
3. Identify Cross-border CII Dependency Risk Perception
The project study indicates that significant risks related to cross-border CII dependency are (1)
technological risks, (2) legal and procedural risks, and (3) social or cultural aspects.
Top technological risks include specific threats and risks (geographic risks: disruption of regional
network in one region) and man-made hazards (lack of technical expertise, operating errors, and
failure of systems). In addition, AMS have identified that threats and incidents that are likely to
have the most influence on ASEAN cross-border dependencies include availability (such as a
DDos attack), intrusion attempts, and malicious code.
Legal and procedural risks include the differences in legislation and policy (on an international
level) and the lack of equivalent security standards (on the ASEAN level). Most AMS also pointed

6. 4
out risks in social or cultural aspect to be considered such as lack of information sharing for both
reactive and preventive activities, lack of trust, and difference in threat perception.
II. Developing Coordinated Approaches for Cybersecurity Protection
4. Identify Common CII Sectors that Are “Sensitive” and “Feasible” for Information
Sharing among ASEAN
The project study finds the most “sensitive” sectors for regional information sharing are Defense
and Security, Financial Services, and Government Agency/Ministry and the most “feasible” sectors
for information sharing among AMS are Media & Public Communications, Food and Agriculture,
and Transportation, respectively.
Most Sensitive Sectors
for AMS Information Sharing
Ranked highest to lowest
Most Feasible Sectors
for AMS Information Sharing
Ranked highest to lowest
1st Defense and Security
2nd Financial Services
3rd Government Agency/Ministry
1st Media & Public Communications
2nd Food and Agriculture
3rd Transportation
Transportation, however, is the sector that most AMS consider pose comparatively high cross-
border cybersecurity risk impacts in the region as well as being feasible for information sharing
among AMS. Therefore, the sector that AMS should consider starting and focusing on
information sharing for CII protection at this moment is the Transportation sector.
5. Identify Supports Needed to Raise the Protection Levels of CII Across All AMS
In order to increase the protection level of CII across all AMS, the following supports needed
among AMS are:
5.1 Enhancing information sharing among AMS.
5.2 Identifying their own CII assets and CIIP responsibilities as well as the member’s
dependency among AMS.
5.3 Empowering point of contact of organizations that can respond and coordinate
(aside from legislation, capacity building, and the budget) among ASEAN.
5.4 Adopting a regional CIIP framework which will be the basis and baseline for each
AMS in identifying and protecting CIIs in the region.
5.5 Developing a joint consensus to protect the CII and to ensure security and
resilience in each AMS and ASEAN.
5.6 Having a forum or working group for CIIP initiatives.
5.7 Being committed to support CII operators to achieve regional security standard
level and ensure countermeasuresof each AMS and ASEAN such as building human
resource capacity through training programs, workshops, and others relevant
activities.
The projec study finds the supports most needed by AMS in order to raise the CII protection
levels in the region is Information Sharing.

7. 5
6. Identify Actions Needed to Enhance Information Sharing and Regional
Collaboration to Raise the CIIP Levels Across All AMS.
In order to enhance information sharing and regional collaboration to raise the CII protection
levels across the region, the major actions needed and recommended are:
6.1 Establishing an ASEAN Information Sharing and Analysis Center (ASEAN-ISAC).
6.2 Developing information sharing pilot projects for Transportation and ICT sectors.
(since both sectors are considered to pose the greatest cross-border cybersecurity
risk impacts in the region and to be feasible for comparative information sharing
among AMS).
6.3 Developing a trusted platform and building a communication forum among AMS
and ASEAN CII operators on provisions regarding cyber threats information
related to the CIIP.
7. Identify Status and the Ways to Promote Bilateral or Multilateral Cooperation and
Agreements to Improve the CII Protection Levels in ASEAN
Regarding the status of regional collaboration, the project study finds AMS are not aware of any
existing cooperation or agreements on CII protection at this moment. However, there could be
some form of AMS collaborations on CIIP that participating AMS may not recognize.
In order to promote bilateral or multilateral cooperation and agreement on CII protection levels
in the region, AMS has suggested the following:
7.1 Developing a CII sector-based approach by sharing functions and information,
having bilateral agreements on a sector-by-sector basis and then from country to
country, expanding to multilateral agreements before proceeding to an ASEAN
platform, and moving towards essential practical implementations. At the same
time, revising the existing agreements and instruments on ICT and/or
cybersecurity in CIIP specific clauses if possible.
7.2 Developing a regulatory body that can receive AMS information from each
recognized CII sector and having one central organization to collect and distribute
data in the region.
Framework Recommendation
In moving towards ASEAN’s initiative to strengthen information security and assurance among
AMS, the project study addressed a comprehensive ASEAN Critical Information Infrastructure
Protection (CIIP) Framework which provides strategic recommendations and coordinated
approaches to create more resilient cybersecurity across ASEAN’s critical information
infrastructure as follows:
Six pillars of ASEAN Critical Information Infrastructure Protection Framework
(1) Policy Coordination,
(2) Identifying CIIs,
(3) Protecting CIIs,

8. 6
(4) Information Sharing,
(5) Incident Response, and
(6) Capacity Building.
Diagram: 6 Pillars of ASEAN Critical Information Infrastructure Protection Framework

9. 7
1. Policy Coordination
Policy coordination among AMS through mutually agreed coordinating mechanisms which
support and promote collaborative activities across AMS borders, sectors and organizations is
essential to the security of the CIIs within the ASEAN region.
AMS are encouraged to:
➢ Develop bilateral and/or multilateral cooperative agreements to enhance security of inter-
dependent CIIs within ASEAN.
➢ Implement and enhance Public-Private Partnerships, Business Continuity Management,
Crisis Management, and sets of cyber incident exercises and tests.
➢ Establish national and regional Points of Contact (POC) for the ASEAN network of
cybersecurity experts and organizations.
➢ Participate in cyber norm development activities at the regional and global levels such as
the 2015 UNGGE recommendations that were endorsed by the ASEAN Ministerial
Conference on Cybersecurity (AMCC) and the Global Forum on Cyber Expertise (GCFE)
Meridian Good Practice Guide on Critical Information Infrastructure Protection.
2. Identifying CIIs
Identifying ASEAN CIIs and their potential cross-border interdependency is the first step toward
making ASEAN CIIs more resilient and ensuring continuity of essential CII service delivery across
the region.
AMS are encouraged to:
➢ Identify national CIIs (if not yet defined) and their cross-border CII interdependency in the
region.
➢ Identify cross-border CII dependency measures (including legal, regulatory, policy, and
strategy), cross-border CII dependency risks, and how to assess and mitigate those risks.
➢ Coordinate the development of national regulation and legislation which governs cross-
border interdependent CIIs.
3. Protecting CIIs
Effective CII protection practices in each AMS including implementationof a minimumprotection
requirement, procedural mechanisms and guidelines (especially among the CIIs that are cross-
border interdependent), determine holistic ASEAN CII resilience.
AMS are encouraged to:
➢ Implement industry-recognized CIIP procedural mechanisms and guidelines such as the
NIST Framework for Improving Critical Infrastructure Cybersecurity.
➢ Develop national and regional backup and recovery strategies to safeguard critical
information and increase resilience across the ASEAN region.

10. 8
➢ Prioritize protectionof CIIs with high cross-border cybersecurityrisk impactsincluding (1)
energy and utilities, (2) transportation and (3) ICT sectors.
4. Information Sharing
Information sharing is a collaborative effort and a shared responsibility to enrich and improve
CII resilience practices through standardization at operational, regulatory, institutional and
policy levels across the ASEAN region.
AMS are encouraged to:
➢ Support the development of regional information sharing and collaboration platforms on
CIIP such as ASEAN Information Sharing and Analysis Center (ASEAN-ISAC).
➢ Formalize the format of information exchanges and the general terms/provisions of the
sharing agreement.
➢ Implement timely information sharing about the occurrence of cybersecurity incidents.
5. Incident Response
The ability to respond to CII security incidents in a timely and effective manner is critically
important to maintaining CII resilience. A coordinated approach should be employed when
dealing with incidents related to cross-border interdependent CIIs.
AMS are encouraged to:
➢ Enhance incident response effectiveness through cooperation, communication and
coordination among national CERTs.
➢ Support the establishment of a regional cybersecurity incident response capability, such as
the ASEAN Computer Emergency Response Team (ASEAN CERT), to support AMS national
CERTs and cybersecurity incident response agencies.
➢ Promote regional incident response readiness through the ASEAN Computer Emergency
Response Team Incident Drill (ACID) throughout the ASEAN region.
6. Capacity Building
Coordinated efforts to develop cybersecurity capacity to protect CIIs is a high priority for ASEAN
as the demand for cybersecurity experts continues to grow and remains a significant challenge.
AMS are encouraged to:
➢ Coordinate cybersecurity skills refresh and upgrade programs, including regular
provisional cybersecurity exercises.
➢ Define regional requirements and assess the effectivenessof capacity building efforts in the
region.

11. 9
➢ Strengthen ASEAN-wide cybersecurity capacity building programs including the courses
offered by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC), the ASEAN
Singapore Cybersecurity Centre of Excellence (ASCCE) and other ASEAN dialogue partners.
The ASEAN Critical Information Infrastructure Protection Framework should consist of current
and continually updated actions put into practice and improved as AMS provides feedback on
implementation progress which can then be integrated into future versions. The Framework can
be used to align cybersecurity decisions to mission objectives; organize cybersecurity
requirements originating from legislation, regulation, policy, and industry best practices;
communicate cybersecurity requirements with stakeholders, including partners and suppliers;
integrate privacy and civil liberties risk management into cybersecurity activities; measure and
express its current and desired state; prioritize cybersecurity resources and activities; and
analyze trade-offs between expenditure and risk.
Way Forward
As ASEAN prepares to deploy its Digital Masterplan 2025, the ASEAN Critical Information
Infrastructure Protection Framework will play a crucial role in building and ensuring CII
resilience, trust and security. This Framework will strengthen regional CII resilience and prevent
any potential escalation of cyber threats that could lead to national harm, disruption of services
and even loss of life. The adoption of this unified, flexible and practical protection framework will
encourage further cooperation, communication and collaboration among AMS across the region
to advance the vision of a secure ASEAN community.
Furthermore, bearing in mind that the scope of what one country considers CIIs may vary over
time and be influenced by a multitude of factors, it is recommended that ASEAN review, update
and re-assess the Framework and recommendations on a regular interval, such as every 2-3
years.