Singapore's Master Plan to Protect Critical Infrastructure
Bridging the Gap Between OT and Cybersecurity
The Cyber Security Agency of Singapore has come up with an operational technology and cybersecurity master plan aimed at building a secure and resilient ecosystem to protect critical infrastructure. It emphasizes cyber training, information sharing and building an effective framework for public-private partnership.
Some observers say the key to implementing the plan will be to get commitments from key stakeholders to take critical steps.
One major challenge, they say, is bridging the technical gaps between operational technology and cybersecurity because many components in OT environments were designed and deployed before internet connections for these components were common.
Many OT components have inadequate security built-in, notes Singapore-based Hingyan Lee, executive vice president, Cloud Security Alliance.
Aloysius Cheang, board director and executive vice president for APAC at the Center for Strategic Cyberspace and International Studies, notes that security controls in place for OT, which are mainly physical, are no longer effective.
The Cyber Security Agency's master plan aims at consolidating the OT and cybersecurity initiatives to tackle emerging threat vectors.
"As Singapore pushes itself toward a 'Smart Nation' vision, it is critical to build robust defenses to fend off the advanced attackers and protect critical information infrastructure by improving their posture by building secure and resilient systems to improve operations and processes," David Koh, commissioner of cybersecurity and CEO at the Cyber Security Agency, says in a statement.
The master plan outlines key issues around people, process and technology to bolster the cybersecurity postures of 11 critical sectors and organizations that operate OT systems. The plan focuses on:
- Providing OT cybersecurity training;
- Facilitating the sharing of information through an OT Cybersecurity Information Sharing and Analysis Center;
- Strengthening OT owners' policies and processes through the issuance of an OT Cybersecurity Code of Practice;
- Adopting technologies for cyber resilience through public-private partnerships.
The agency is encouraging OT equipment manufacturers and service providers to implement cybersecurity in the developmental phase, Koh says.
A critical challenge, some observers say, is to secure industrial control systems responsible for data acquisition, visualization and control of industrial processes.
Koh acknowledges these systems have become increasingly attractive targets for cyberattacks, which can have significant consequences in the physical world.
The Need for Training
To effectively manage OT security risks, the Cyber Security Agency's plan recommends an intensive focus on cybersecurity training.
Organizations need to train teams of skilled defenders, both engineers and IT analysts, who can cover the entire system cycle of cyber protection, threat detection and incident response and system recovery.
Singapore-based Andrew Koh, CISO at Habib Bank, argues that there needs to be a systematic training process for all functions.
"Simulation exercises will be the most effective way to train all stakeholders, from the board to end-users, to make decisions for resource reallocation based on cyber threats and attacks," he says.
Optimal industrial control system security can be achieved by strengthening the network as well as implementing appropriate policies and procedures to prevent infiltration, security experts say. Another key step, they say, is preparing and practicing incident response plans.
On Oct. 1, the CSA launched the OT Cybersecurity Information Sharing and Analysis Center in collaboration with the Global Resilience Federation Asia Pacific.
According to CSA's Koh, the OT-ISAC will involve representatives of the government, as well as the critical information infrastructure and OT industries, to head efforts to boost information exchange as well as adopt OT cybersecurity best practices.
The OT-ISAC will use a 12-step process to help strengthen defenses, according to Global Resilience Federation.
The 12-step process in OT-ISAC:
"Cybersecurity incidents continue to grow in volume, complexity, and impact across all industries," says Singapore-based Donnie W. Willburn, IT risk management manager, ExxonMobil Global Services Co., American Oil and Gas Co. "Similar to safety sharing, we believe cybersecurity information sharing is a key component to improving our industry's overall cybersecurity resilience."
The CSA introduced the Co-innovation and Development Proof of Concept scheme in 2018 to support cyber innovation via seed funding for promising security proposals and solutions.
"This is to encourage the trial and adoption of innovative solutions through partnerships between users and cybersecurity companies," says CSA's Koh.
CSA has funded projects that include solutions leveraging artificial intelligence and machine learning to address OT challenges, he adds.
To help protect critical infrastructure, CSA is encouraging all organizations that operate OT systems to develop or have in place sectoral SOCs.
For example, the Maritime and Port Authority of Singapore launched the Maritime Cybersecurity Operations Center this year to conduct round-the-clock detection, monitoring, and correlation and analysis of data activities across all maritime critical information infrastructure.
The Energy Market Authority has collaborated with CSA on systems to strengthen the cybersecurity of the power sector, including a Sectoral Detection & Early Warning System to detect cyberattacks. That system analyzes and monitors security logs sent from the power sector's critical information infrastructure for anomalous behavior in the OT environment.
One way to build a resilient framework, says Habib Bank's Koh, is to adopt a combination of cyber threat analysis, artificial intelligence, and machine learning capabilities to speed incident reporting.
Cheang of the Center for Strategic Cyberspace and International Studies argues that organizations need to address risks involved in industrial IoT and develop an industry- and application-specific baseline for cybersecurity.
Some observers suggest that CSA needs to work on a strategy for helping organizations get buy-in from management for sufficient resources to support the security team.
Lee of the Cloud Security Alliance says the same best practices and policies that are used to secure critical systems need to be adopted to secure OT.