A CISO’s perspective in Transforming Operational Technology

Meralco – an acronym of the Manila Electric Railroad and Light Company –  in the Philippines, is responsible for the power distribution within its franchise area.

Meralco’s Vice President and Chief Information Security Officer, Mel Migriño, is responsible for the protection of the company’s technology stock alongside its operational technology infrastructure, with cybersecurity becoming the most important facet in the face of digitisation.

“Meralco is a diverse business,” states Migriño. “We’re in FinTech, telecoms, retail energy, engineering, electric vehicles, logistics and construction and electromechanical. I work closely with my co- executives to ensure the development and implementation of the different cybersecurity programmes across the organisation.”

As a major player in the Philippine energy industry, Meralco also has a specific and distinctive focus on sustainability, with its agenda, Powering the Good Life,  firmly rooted in the United Nations’ Sustainable Development Goals. The four key pillars underpinning Meralco’s sustainability agenda - Power, Plant, People, and Prosperity - guide the commitments and actions of the company in support of sustainable and meaningful progress.

While Meralco’s sustainability strategy is palpable in the here and now, it is also intended to stretch out over the long-term. Various initiatives and projects for the next few years have already been set in motion, demonstrating its commitment to reducing the company’s impact on the environment while fostering growth in the country.

A number of transformations have already begun – including electrifying the company’s vehicle fleet, promoting gender diversity and inclusivity, ensuring its transformers are 99%  biodegradable and recyclable through the use of ester oil, and planting trees whilst nurturing existing ones to preserve Philippine forests – setting the stage for future adaptations.

“Cybersecurity is a business enabler, a key component in realising initiatives and future goals of the company,” Migriño says. “While I continue to serve my country and organisation, I also want to promote women empowerment in the context of cybersecurity and technology, which has been advancing for many years now.” 

On the horizon right now, though, is innovative technology and digital transformation, with an eye on the rise of AI and automation in the energy industry – and the potential security pitfalls that these can lead to for customers and employees alike.

Building a future-facing energy company

A commitment to looking forward and preparing for the future isn’t anything new for the energy titan. In fact, the company’s fascinating roots firmly establish Meralco as a pioneer in the Philippine energy sector.

Although the company’s roots can be traced back to the late 1800s, it officially began in 1903 – making Meralco almost 120 years old. 

1903

The company was established as Manila Electric Railroad and Light Company to provide electric light and power - as well as an electric street railway system - to Manila and its suburbs.

1948

Meralco focused chiefly on providing electricity. The electric service powered much of the post-war rehabilitation and early industrialisation of the young republic, which gained independence in 1946.

1961

A group of Filipino investors - led by entrepreneur Eugenio Lopez Sr. - bought Meralco from its American owners, rendering it the first major American enterprise to be 'Filipinised'. This new Filipino management built electricity-generating and distributing facilities at an unprecedented pace to meet the growing needs of its franchise area.

It is also during this period that Meralco became the first Philippine company to issue mortgage trust indenture bonds successfully in the US financial market on Wall Street.

1969

Meralco became the very first billion-peso company in the Philippines. This was all the more remarkable because much of it had been achieved without recourse to government guarantees.

1970

The Philippine Government made it a state policy for the government to own all major generating facilities. Meralco sold its generating plants to the National Power Corporation, and electric distribution became its core business. 

1980

Meralco's franchise area tripled from 2,678 square km to 9,337 square km.

Meralco - upon the request of the government - organised, started up and operated the country's first elevated light rail transit (LRT) system in Manila.

At the end of the decade, Meralco turned over the efficiently functioning system to the government.
1995

Meralco drove the following initiatives around TQM, re-engineering, Meralco Transformation Program, with certain common emphases: customer satisfaction; world-class efficiency and productivity; performance-driven rewards; good corporate citizenship; transparent good governance; and process, organisational and human resources development.

2009 - 2012

The López Group reduced its holdings in Meralco by selling most of its shares to the First Pacific Group

The First Pacific Group and Metro Pacific Investment Corporation currently hold majority shares in Meralco, followed by the JG Summit Group.

2022

Meralco continues to embark on various initiatives to further expand its infrastructure, and now the organisation is excitingly embracing digital transformation in ICT and in its operational technology to provide better customer experience through AI and automation.

“Now, the organisation is excitingly embracing digital transformation in ICT, looking to use operational technology to provide better customer experience through artificial intelligence and automation,” outlines Migriño.

Combining Meralco’s overlapping enterprises

The company’s operations cover such areas as construction and logistics, telco, energy, and FinTech – but how exactly do each of these tie together?

“The capabilities and resources of each company within the group can be leveraged for the benefit of the other, so that’s the beauty of it – recognising that each company is contributing to the overall fulfilment of the direction and profitability of the parent company,” explains Migriño.

“An example would be Bayad, which is actually our Payments and FinTech arm within the group,” says Migriño. “So the integration there is practical, providing a seamless experience where customer payments are processed through digital platforms, which can be processed in real-time.”

When discussing securing the combination of the Internet of Things (IoT) with the industrial side of the business, Migriño goes on to explain the use of a smart grid.

“It consists of digital substations, numerous sensors – even on your controller – and an advanced metering infrastructure for real-time demand and response, all of which has been brought about by the IT and OT convergence or driven by Industry 4.0 – hence the prevalence of IT and OT technologies.”

With rapidly advancing technology being integrated into such systems, maintaining and heightening security protocols can be much more difficult to track and so requires a comprehensive cybersecurity policy.

“To maintain a level of resilience through the implementation of a zero-trust security model, and whilst embarking on digital transformation programmes, it’s most important – first and foremost – to create an architecture where security is included right from the start,” Migriño says.

This architecture should consist of three layers, where the first is a physical layer, the second is a communication layer, and the third is the actual application layer – where the head end systems would actually reside.

“We need to identify the risk in each layer and implement appropriate security measures,” Migriño asserts. “Looking at the physical layer as an example, we can see the data as a potential risk as it can lead to fraud or theft in case of tampering with cyber physical systems. Other possible risks here would be the denial of service or attacks.”

“This is where we need to look at strong encryption in smart metres, as well as the possibility of deploying an IoT secure gateway and proper segmentation within the smart metre network.”

Such infrastructure will prevent the interception of vital personal and confidential data, helping to prevent attacks that result from vulnerabilities exposed by shared software and hardware systems on one singular platform, and ensure secure communication protocols – and this should be established across each of the aforementioned layers.

“Visibility is important. If you can start collecting logs and then integrating these logs into the security operation centre, then that is great,” Migriño says. “You need to think about

the capabilities, so you need to have the right blend of people and skills that will actually support this. Look at the things around establishing IIoT security operations that will support the IT and OT transformation within the enterprise.”

“We look at the different data from various security logs, then have it correlated to create an intelligent behavioural-based risk to detect and respond to an attack,” she says. “With the infusion of analytics coming from the intelligent sensors and automations in the smart grid, operations can be improved, maintenance costs reduced, and real-time communication and support enabled.”

Migriño believes that achieving the correct balance between security and performance can be a challenge, particularly when there are “organisational silos”, as they can have a ripple effect on all other aspects, which requires thorough risk-assessment planning, coordination and monitoring by both the cyber and technology teams for “remediation”.

Looking at the future of cybersecurity

“We could have gone through having unsecure network wherein it got compromised then evolved to a secure network but with the aggressive stance on risk, certain risk conscious organisations will move to a very secure network. So things could swing on premise but the use of cloud will remain because businesses will still look for less expensive and faster ways to innovate. But digital trust and all of its components will be even greater than what we are experiencing now.”

“Also, the use of AI will play a significant role as we progress through the years, but there should be a focus on tightly securing components within the AI infrastructure otherwise we will be in big trouble.”

“Vendors and end-users are collaborating more extensively to share their experiences and knowledge to help one another – especially in addressing security concerns and incidents,” she explains. “I also envision that renewable power sources will be the centre of transformation, as well as enhancing the security of processing personal data in light of evolving privacy and data protection laws. Digital trust is paramount.”

Alongside these overall aims for the future, continuing the promotion of gender equality in the energy and cybersecurity sector and building sustainability are core to the company’s growth plan.

As for the future of cybersecurity? Well, it seems that the next 5 years are set to witness the evolution of more secure networks,  increased cloud storage dependence, and innovation to both drive down costs and “increase digital trust”.