National cyber-security strategy to protect critical systems gets update as cyber threats rise

Plans are under way to train cyber-security professionals and students here through more courses on how to maintain the systems that run Singapore’s energy grids and water supplies amid heightened cyber-security threats.

Announced at the yearly Operational Technology Cybersecurity Expert Panel Forum by Digital Development and Information Minister Josephine Teo on Aug 20, the renewed focus is part of Singapore’s Operational Technology (OT) Cybersecurity Masterplan.

The plan is being updated for the first time since it was announced in 2019 as critical physical systems are increasingly connected to internet-linked devices for remote control or maintenance.

While OT systems are more convenient and efficient, they can also lead to more cyber-security risks that can cripple important networks – like those supporting manufacturing plants, logistics companies or building management systems – or even harm people.

Mrs Teo said in her opening address to at least 1,000 industry professionals and guests: “(Operational technology) is what keeps the lights on, our water flowing, our trains running and many of the modern conveniences we depend on.”

OT systems are increasingly under threat, said Mrs Teo, pointing to a series of cyber attacks on operational systems globally, including an attack in early 2024 on Ukraine’s heating services using malicious software called FrostyGoop. As a result of the malware, which targets systems common among industrial users, civilians in more than 600 apartment buildings were left out in the cold.

Though not a cyber attack, the recent CrowdStrike disruption, which took out millions of computers globally on July 19 after a faulty software update from the cyber-security firm, showed the importance of securing computers, said Mrs Teo.

Some businesses in Singapore were affected by the CrowdStrike outage, including passenger check-ins for airlines and gantry operations at public housing carparks. 

Refreshed strategy

The refreshed Operational Technology Cybersecurity Masterplan 2024 outlines the broad strokes that the Cyber Security Agency of Singapore (CSA) will take in the next five years by enhancing the talent pool, best practices and technology, said CSA chief executive David Koh. The plan was drafted in consultation with more than 60 organisations in the past 10 months, he added.

Among the measures, CSA will collaborate with more institutes of higher learning, including universities and polytechnics, to incorporate a cyber-security syllabus into computer science and engineering courses to improve the level of expertise here. 

Later in 2024, CSA will also publish a Cybersecurity Education And Learning Guide for those keen on a career in OT cyber security. 

Details of the new training initiatives and schools are still in the works, said Mr Christopher Anthony, director of CSA’s critical information infrastructure division.

A different skill set is required of cyber-security professionals overseeing operational technology, said Mr Robert M. Lee, founder and chief executive of Dragos, which offers cyber-security threat insights to the authorities.

Mr Lee is also a certified trainer under global cyber-security training provider Sans Institute.

Attackers targeting operating technology systems have a physical target, for instance, a valve linked to water pipes or relays to an energy supply, said Mr Lee.

Cyber-security professionals need to learn the different tactics deployed by bad actors and how they can mitigate the damage done to a community in case of an attack, as compared with traditional information technology systems where sensitive information is concerned, he said.

Sans Institute on Aug 20 signed an agreement with CSA to lead a key effort to boost cyber-security education here by making training materials available to public servants and cyber-security professionals.

The institute aims to train at least 5,000 professionals and those new to the industry over the next five years in various cyber-security disciplines, including OT security, its director of strategy Matthias Chia told The Straits Times.

“OT security is a different approach to traditional IT,” said Mr Chia. “For example, in the event of a data incident, you may decide to quarantine an IT system as a whole. But, for example, OT professionals would need to consider how to keep water supply flowing even during an attack.”

The renewed masterplan expands the scope of the 2019 strategy, which pulled together critical information infrastructure providers like telcos, energy suppliers and government agencies to share information, conduct table-top exercises and implement cyber-security measures. 

According to CSA’s latest cyber-security landscape report, the number of cyber threats reported have dipped in 2023 but remain high. A total of 132 ransomware cases were reported, many among the manufacturing and construction sectors, CSA reported. 

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

ADV: Corporate Law 2nd edition - Book launch seminar New generative AI feature to help lawyers summarise court judgments from September