Indonesia’s state-owned enterprises (BUMN) and critical infrastructure operators sit at the intersection of national economic interest and an expanding digital attack surface. They run the power grid, the fuel supply, the telecommunications backbone, and the national logistics chain. Because they are among the most targeted organisations in the country, establishing BUMN cybersecurity resilience has become a matter of national importance.
At the 2025 Digital Resilience Summit, Deputy Minister of BUMN Kartika Wirjoatmodjo warned that Indonesia’s rapid digital growth is accompanied by increased risk, particularly cyberattacks targeting strategic sectors.
The warning reflects a structural reality: the same hyperconnectivity that makes BUMN operations more efficient makes them more exposed.
Why BUMN and Critical Infrastructure Are High-Value Targets
The logic of targeting Critical National Infrastructure (CNI) security is straightforward. Disrupting a national energy company, a state bank, or a telecommunications provider produces operational, financial, and reputational damage at scale. It also creates pressure. Attackers understand that organisations responsible for essential services face intense pressure to restore operations quickly, which increases the likelihood of compliance with ransom demands.
Based on Eurasia Review, a significant breach impacted Indonesia’s National Data Centre in June 2024, disrupting immigration systems and government services across more than 200 agencies. The LockBit 3.0 ransomware attackers demanded an USD 8 million ransom, exposing serious deficiencies in the nation’s cybersecurity preparedness. State-owned utility PLN also suffered a data exposure affecting more than 17 million citizens, underscoring the urgent need to bolster BUMN cybersecurity resilience.
The breach did not target a private company. It targeted a national public asset. The downstream effects, disrupted immigration processing, suspended government services across more than 200 agencies, demonstrated exactly why critical infrastructure carries a different risk profile from commercial enterprise.
BUMN entities have been breached before. State-owned utility PLN suffered a data exposure affecting more than 17 million citizens, with compromised data including names, IDs, addresses, and energy consumption records appearing for sale on underground forums.
The Threat Landscape Has Changed
The volume and sophistication of attacks targeting Indonesia have increased consistently, with nearly 2,200 anomalous cyberattacks per minute recorded in 2023. Maintaining BUMN cybersecurity resilience requires defending against three primary vectors:
1. Ransomware
CYFIRMA’s threat landscape assessment identifies LockBit3, Alphv, and RansomHub as the most active ransomware operators targeting Indonesia, with finance, manufacturing, and government sectors as primary targets. The rise of Ransomware-as-a-Service has diversified the threat actor pool, increasing the complexity of defence.
2. State-sponsored APTs
State-sponsored groups and advanced persistent threats are exploiting vulnerabilities in critical infrastructure by leveraging artificial intelligence, machine learning, and other advanced tools. For BUMN entities in energy, defence, and telecommunications, this is not a theoretical risk. It is an active one.
3. Supply chain and third-party exposure
Based on Business-Indonesia, the World Economic Forum’s Global Cybersecurity Outlook 2025 highlights the growing complexity driven by the proliferation of interconnected supply chains, with 54% of large organisations identifying supply chain challenges as the biggest barrier to cyber resilience. BUMN entities that connect with hundreds of contractors, vendors, and system integrators inherit the security posture of every party in that chain.
What Hyperconnectivity Has Changed
Critical infrastructure once ran on isolated networks, but that boundary has largely disappeared. Digital transformation has introduced significant IT-OT convergence risks, where a breach in corporate IT can spread directly into operational systems. As IoT and connectivity expand, the attack surface grows, and a single compromised credential can now disrupt power distribution or financial settlement networks.
Where the Security Gaps Are
A 2024 survey found that only 12% of Indonesian organisations have achieved a mature level of cybersecurity readiness. For BUMNs, this gap is a national security exposure. Common structural gaps include:
- Unmonitored OT and ICS: Cyber-physical system protection is often neglected, with legacy industrial systems left unpatched and unmonitored .
- Inadequate Incident Response (IR): Many organisations have documentation but have not tested it under realistic conditions.
- Perimeter Dependency: Relying on firewalls without internal segmentation or identity controls allows attackers to move laterally after an initial compromise.
- Undertrained Workforces: With over 315,000 Indonesian credentials compromised in early 2024, the workforce remains a primary entry vector for social engineering.
What a Mature Security Programme Looks Like
For BUMN and critical infrastructure operators, security maturity is not defined by tool count. It is defined by the organisation’s ability to detect threats early, contain them before they reach operational systems, and recover without sustained disruption.
- Continuous monitoring across IT and OT: A unified view across IT and OT is now a baseline requirement. OT security events must reach the same analysts reviewing IT alerts, with context on what those systems control.
- Structured vulnerability management: Critical infrastructure cannot afford uncoordinated patching. A risk-based approach that prioritizes exploitable vulnerabilities by operational impact is the practical standard.
- Tested incident response: Tabletop exercises and realistic breach simulations reveal gaps that documentation cannot. Regulators under BSSN’s Cyber Crisis Management regulation expect proof of this.
- Identity and access control: Least-privilege access, multi-factor authentication, and privileged access management for OT systems reduce the blast radius of any single compromised credential.
- Third-party risk governance: Every vendor with access to BUMN networks or systems is a potential entry point. Contracts and regular security assessments are operational necessities, not procurement formalities.
Building Resilience Before the Next Incident
Indonesia’s rapid digitalisation increases exposure to data breaches that could potentially affect millions of citizens. Organisations that treat that exposure as an operational variable to be managed, rather than a risk to be deferred, are the ones that maintain continuity. Ultimately, BUMN cybersecurity resilience is the foundation upon which Indonesia’s digital future must be built.
Zentara works with critical infrastructure operators across Indonesia to build and validate security programmes under operational pressure.
Speak with our cybersecurity experts to assess your current posture against the threat environment BUMN and critical infrastructure operators face today.
