Singapore announces Operational Technology Cybersecurity Masterplan 2019

Image courtesy of CSA.

According to a media release, the Cyber Security Agency of Singapore (CSA) has developed the Operational Technology (OT) Cybersecurity Masterplan, which serves to improve cross-sector response to mitigate cyber threats in the OT environment and to strengthen partnerships with industry and stakeholders. The focus of this Masterplan is on Industrial Control Systems (ICS), as ICS make up a majority of OT systems.

The OT Cybersecurity Masterplan outlines key initiatives covering the areas of People, Processes and Technology to uplift the cybersecurity postures of our CII owners and organisations that operate OT systems.

The plan defines OT as “technologies involving interconnected devices and computers for the monitoring and control of physical processes.” Today, OT is deployed in industrial sectors such as manufacturing, transportation, energy and water, among others.

“As a community we have moved beyond the land of theoretical cyber-attacks on industrial operations to a world where these attacks are a reality for denying power, disrupting operations, and even specifically targeting human life as was the case in the TRISIS cyberattack in 2017. The threat is worse than we realise but not as bad as we want to imagine, ” said Robert M. Lee, CEO and Founder, Dragos, commenting on the plan.

The focus on OT is because a “…worrying threat has developed with the increased connectivity between IT and OT systems. Adversaries are now able to compromise IT systems connected to the Internet, secure their footholds, and move to the OT systems to disrupt industrial processes,” says the press release.

Focus Areas

Key thrusts in the OT Cybersecurity Masterplan include:

  1. Providing OT cybersecurity training to develop human capabilities
  2. Facilitating the sharing of information through an OT Cybersecurity Information Sharing and Analysis Centre (OT-ISAC)
  3. Strengthening OT owners’ policies and processes through the issuance of an OT Cybersecurity Code of Practice (CCoP)
  4. Adopting technologies for cyber resilience through Public-Private Partnerships

In addition, the Masterplan encourages OT equipment manufacturers and service providers to implement cybersecurity in the developmental phase, so that products and systems are in-built with strong cybersecurity measures.

The OT Cybersecurity Masterplan will serve as a strategic blueprint to guide Singapore’s efforts to foster a resilient and secure cyber environment while taking a balanced approach between security requirements, rapid digitalisation and ease of conducting business-as-usual activities, according to the press release.

Scope and Reach

The Masterplan is primarily relevant to the Critical Information Infrastructure (CII) owners who operate OT systems. The Masterplan underscores the need for a cohesive cybersecurity effort within and across sectors, as well as lays out key initiatives that will help CII stakeholders augment the cybersecurity of their OT systems.

Notwithstanding, the Masterplan also applies to other enterprises running OT systems, which face the same OT threats and possess the same vulnerabilities. These include manufacturing plants in the oil and gas sector, semiconductor factories, and pharmaceutical companies, among others. Enterprises can leverage the capacity building mechanisms in the Masterplan to strengthen overall cyber resilience in their businesses.

In addition, the Masterplan will be useful for members of the OT cybersecurity industry, including equipment manufacturers, system integrators and penetration testers, to better understand OT cybersecurity challenges, and where feasible, develop products and technologies that can be used by owners or operators to strengthen the security of their OT systems.

“Building a Smart Port will require us to progressively integrate and unify IT and OT systems in order to exploit the benefits of digitalisation. Inadvertently, this provides new opportunities for cyber-attackers given that OT systems tend to be more vulnerable as they have traditionally been designed to be separated from IT systems. Any successful attack on individual OT or integrated IT-OT systems can cause major disruptions to port operations. Therefore, the integration of IT and OT cybersecurity strategies is critical to address such risks. As the maritime sector regulator for cybersecurity, MPA will partner CSA closely in
implementing the OT Cybersecurity Masterplan to ensure that Singapore remains a safe, efficient and sustainable global hub port,” said David Foo, Senior Director, Operations Technology, Maritime and Port Authority of Singapore.

According to Nilesh Jain, Vice President, Southeast Asia and India, Trend Micro, “The convergence of operational technology (OT) and information technology (IT) can make critical infrastructure susceptible to cyberattacks. Such exposed and vulnerable systems could have far-reaching effects, from endangering economic health by stopping production lines to threatening people by tampering with water purification plants.”

Operational Technology Information Sharing and Analysis Center (OT-ISAC)

Global Resilience Federation Asia Pacific (GRF APAC), in partnership with the Cyber Security Agency of Singapore (CSA), also announced the launch of the Operational Technology Information Sharing and Analysis Center (OT-ISAC) to reduce cybersecurity risks to Operational Technology Critical Information Infrastructure (CII) in the city-state.

OT-ISAC will serve as a threat information sharing hub for companies in energy, water and other CII sectors in Singapore. Using proven tools and technologies, member companies can securely exchange details of OT and IT threats and attacks on their organisations, to prevent and quickly mitigate and contain damage caused by malicious actors.

OT-ISAC is managed by GRF APAC, a regional business unit of Global Resilience Federation, leveraging existing cross-sector exchange, integrated intelligence sources, and extensive analysis experience. GRF APAC has hired and continues to train local staff to educate and assist member companies with how to share, monitor, analyze, and use relevant threat intelligence including that from members, government, partner sharing communities, and vendors.

CSA has provided guidance and the initial financial backing for the member-based community to enhance threat information sharing, allow timely responses to cyber threats and help achieve greater resilience among OT-using organisations.

The full document can be found here.