All critical information infrastructures (CIIs) in Singapore must continuously transform to keep up with the changing threat landscape and this means going beyond “generic” cybersecurity practices. It requires a strong focus on operational technology (OT) security, encompassing the right skillsets and OT-specific cybersecurity practices for CII operators.
Singapore last year tweaked its cybersecurity strategy to emphasise OT and provided guidelines on the skillsets and technical competencies OT organisations needed. The country defines OT systems to include industrial control, building management, and traffic light control systems that monitor or change the physical state of a system, such as railway systems.
Cyber Security Agency of Singapore (CSA) has pushed the need for CII operators to beef up the cybersecurity of OT systems, where attacks could pose physical and economic risks.
The need for efficiencies and functionalities had fuelled the convergence of IT and OT systems, the latter of which were traditionally designed as standalone infrastructures and not connected to external networks or the internet.
No longer operating in such air-gapped environments, OT systems now run on a wider attack surface and are open to potential cyber attacks that can have real-world impact.
Asked which CII sectors most needed cybersecurity transformation, CSA noted that as the threat landscape was constantly evolving, every CII sector should continuously “adapt and transform” their processes to combat existing as well as emerging threats.
CII industries vary in size, function, and reliance on technology, all of which shape their respective cybersecurity strategies, the CSA spokesperson told ZDNET.
He added that some sectors tapped OT and IT alongside IoT (Internet of Things), and this not only introduced additional industry-specific challenges, but also further increased the surface area that had to be protected against cyber threats.
According to Keith Lunden, manager of analysis at Google’s Mandiant Intelligence, compared to IT assets, OT assets had experienced very limited amount of threat activities, primarily due to traditional air-gaps and internal network segmentation that minimised mainstream malware incidents.
“However, this also served to minimise drivers of OT cybersecurity efforts, [so] instead of threat activities, regulatory requirements have been the primary driver of OT security efforts,” Lunden noted. “Correspondingly, unregulated industries such as water and wastewater, are most in need of transformation.”
He added that these industries should develop risk-based cybersecurity countermeasures based on industry standards.
Group-IB’s founder and CEO Dmitry Volkov also underscored the need for all CII sectors to constantly improve their cybersecurity posture, as their ability to operate without interruptions was critical to national security.
He said sectors including healthcare, transportation, and government were frequent targets, pointing to how a ransomware attack had prompted the Costa Rica government to declare a state of emergency for the first time in April. Hackers had exfiltrated more than a terabyte of data, breaching 27 ministries in the attack.
Building automation and oil and gas sectors also see high percentages of ICS (industrial control system) computers where malicious objects are blocked, according to Vitaly Kamluk, Kaspersky’s Asia-Pacific director for global research and analysis.
The block rates for these industries continued to be above the global average, Kamluk said, noting that a higher usage of online resources and email amongst companies in building automation might have resulted in the sector leading others in the variety of malware attacks blocked.
Lunden said cybercriminals had made significant advances in operational tradecraft in the last several years, with ransomware emerging as an effective business model and resulting in a large number of security incidents impacting critical infrastructures, often including OT environments.
Pointing to state-sponsored attacks, he said Mandiant continued to see adversaries keen to exploit insecure by-design features of OT.
“[These] aimed to maliciously leverage the native functionality of OT devices, rather than exploit vulnerabilities in these systems,” he noted. “As a result, we expect state-sponsored malware targeting these features of OT to remain a threat for the foreseeable future, as it is much more difficult to redesign these devices, rather than simply patch vulnerabilities in them.”
Supply chains heighten potential OT threat
In addition, supply chains in some OT sectors, such as manufacturing and maritime, typically are expansive and involve multiple parties.
And it can prove challenging to secure supply chains, CSA said, noting that organisations take on unknown cyber risks from third-party vendors since they do not have full visibility of their supply chain. “Organisations can only be as strong as their weakest link,” the spokesperson said.
He pointed to CSA’s CII Supply Chain programme, which outlines five foundational initiatives to help these sectors address cyber supply chain challenges across different layers, including organisation, sectoral, national, and international. The programme includes a toolkit, handbook, certification scheme, and learning hub.
In particular, all CII and OT sectors should improve their visibility since organisations would not be able to secure and defend assets they did not know existed, said Fabio Fratucello, CTO of CrowdStrike Asia-Pacific Japan.
Without visibility, they also had no threat detection or protection against adversaries who would work to locate blind spots, Fratucello said. To address such challenges, he said CrowdStrike had introduced its Falcon Discovery for IoT to help customers understand interconnected relationships between their IT, OT, and IoT assets, and mitigate potential risks across these environments.
“Once organisations have a deeper understanding of their attack surface, they are better equipped to make more informed, risk-based decisions by bridging the gap between OT environments and IT operations,” he noted. “It’s important for organisations to look externally as well as internally to understand security vulnerabilities. This includes risks via the supply chain, which in some industries can be an incredibly complex and lengthy chain.”
Citing CrowdStrike research, he said 48% of Asia-Pacific organisations had experienced at least one supply chain attack last years, while 60% were unable to claim all their software suppliers had been vetted.
To better manage their third-party ecosystems and safeguard their infrastructures, Volkov suggested OT sectors adopted isolation and segregation of IT, OT, and human processes and ensure the integrity of their infrastructure components.
A threat intelligence platform also would identify potential attackers and how they were attacking OT infrastructures, he said, adding that it would indicate areas of compromise so these could be plugged and security posture improved.
OT sectors should assess their suppliers’ external attack surface and work closely with their third-party suppliers to further ensure they had all the necessary security measures in place, such as an incident response team.
Plugging gaps in OT security
With demand for roles requiring competencies in IT and OT up amidst increased connectivity between both domains, CSA said it developed the OT Cybersecurity Competency Framework to offer guidelines on identifying skillsets and training for their engineers. It also maps out career paths for these engineers, the spokesperson said.
The spokesperson added that CSA established the cybersecurity code of practice to set out mandatory OT-specific cybersecurity practices for CII operators.
“These focus on network segmentation, patch management, detection, and continuous monitoring with the aim to reduce the probability of threat actors exploiting software vulnerabilities and gaining a foothold of OT systems,” he said. “It equips OT system owners with the know-how to mitigate emerging cyber threats more effectively.”
Asked about the role of regulations in OT, he said Singapore’s Cybersecurity Act provided a framework for the designation of 11 CII sectors, while the code of practice stipulated basic standards of cybersecurity and measures these CII owners should implement to ensure their resilience.
He noted that the code of practice recently was enhanced to help CIIs further strengthen their cyber resilience and defences against sophisticated cyber threats and be more agile in responding to emerging cybersecurity risks.
The code review also improved coordination between the Singapore government and private sectors, so cyber threats could be uncovered and response initiated in a timely manner, the CSA spokesperson said.
“Every CII sector faces cybersecurity risks that are specific to their digital terrains, such as migration to the cloud or use of 5G technologies,” he noted, stressing the importance of OT security. “Cyber hygiene practices that are generic across critical sectors would not be able to address such specific risks.”
Kamluk said it was important to set industry standards requiring companies to build security foundations into their systems. While essential, however, regulations are just one component of a holistic approach to OT security.
Collaboration also is key in integrating all elements within security, he said, urging organisations to band together and take a concerted approach to security as a sector. A clear roadmap provides a guiding plan everyone can work towards and this can ease friction within the sector, he added.
With a plan and systems in place, there should be regular sector-specific meetings and routine maintenance. These “health checks” will ensure potential pitfalls and threats are raised early and players in the sector can recalibrate and remain resilient, Kamluk said.
Volkov noted that new laws or amendments to existing ones should be “data-driven” and aim to address weaknesses identified during cybersecurity drills involving various parties.
Lunden said: “Regulations need to be performance-based, rather than prescriptive. This can give OT system owners flexibility when implementing cybersecurity countermeasures. They also need to be tailored to apply to only the most critical OT assets of an organisation, as not all OT should be considered equal.
“Regulators should learn from the experiences of other regulatory bodies that have improved the effectiveness of their regulations over time,” he added.
In July, Singapore expanded its cybersecurity labelling programme to include medical devices, specifically, those that handle sensitive data and can communicate with other systems.
Asked if the labelling scheme could be further expanded to include OT systems and applications, the CSA spokesperson said there currently were no plans to do so.
He noted that the initiative aimed to provide greater transparency for consumer-facing IoT products, which OT devices were not. The latter generally performed more critical functions, such as ensuring the delivery of essential services, he said, adding that CSA offered other certification schemes such as the Common Criteria Scheme to facilitate security evaluation of IT products.