Singapore doubles down on OT security

Singapore is shoring up its defences against a growing number of cyber security threats aimed at operational technology (OT) systems used in critical sectors such as healthcare and utilities.

Speaking at the OT Cybersecurity Expert Panel (OTCEP) Forum 2022 on 12 July, Singapore’s minister for communications and information, Josephine Teo, outlined the government’s approach in countering OT threats, starting with building a talent pool of OT security professionals.

To that end, she said the Cyber Security Agency of Singapore (CSA) will be funding 80 scholarships over three years for science, technology, engineering and maths (STEM) professionals to pursue the Master of Science in Security by Design at the Singapore University of Technology and Design (SUTD).

SUTD operates a cyber security research centre that hosts industrial testbeds to simulate critical infrastructure, providing scholars with access to some of the world’s best research, design, and training facilities for cyber-physical systems, she added.

The scholarship programme follows the launch of the OT Cybersecurity Competency Framework last year that details OT security roles with the corresponding technical skills and core competencies. Teo said through the framework, “we can better design programmes to support the training of cyber security professionals in OT, and the training of OT professionals in cyber security”.

Amid the rapidly evolving threat landscape, processes to mitigate threats against OT systems must be updated regularly. In that regard, the CSA recently revised the Cybersecurity Code-of-Practice, which specifies the minimum security requirements that operators of critical infrastructure should implement under Singapore’s Cybersecurity Act.

“Applicable to both IT and OT systems that are designated as critical information infrastructure, the Code-of-Practice has been updated to keep pace with developments in the cyber threat landscape, taking into account learning from its first iteration,” Teo said.

One of the challenges with OT security is that OT systems cannot be patched easily and readily because of the applications that come with them, especially those that still use outdated operating systems. Security evaluation is thus important to ensure that OT systems are not rife with vulnerabilities.

Noting that researchers and product evaluators need to work together to figure out how they can improve security evaluation technology, Teo said CSA and Nanyang Technological University launched Singapore’s National Integrated Centre for Evaluation in May 2022 to provide a one-stop facility for cyber security evaluation and certification.

Besides providing advanced equipment and conducting professional training courses, Teo added that the facility brings together different players in the security evaluation ecosystem to form a community of practice that will learn together and advance the field.

John Lee, managing director of Singapore-based Operational Technology Information Sharing and Analysis Center (OT-ISAC), which facilitates sharing of information related to OT security threats, noted that even as countries like Singapore have mandated minimum baseline security for critical sectors, there are still ways for attackers to compromise OT systems under the guise of third-party suppliers or by compromising other parts of the supply chain.

“Cyber security is a continuous process. OT operators should always be prepared to assume that a breach has occurred – which means that they are in response mode and will have to put in the controls that they may not have considered before,” he said.