Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. News & Events
  3. Speeches
  4. Permanent Secretary for Communications and Information Ms Yong Ying-I speaking at CSA’s Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on 29 Sep 2021
Speeches

Permanent Secretary for Communications and Information Ms Yong Ying-I speaking at CSA’s Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on 29 Sep 2021

29 September 2021

Permanent Secretary (Communications and Information) Ms Yong Ying-I’s OTCEP Forum Speech

Building Singapore’s Resilience in Operational Technology

Introduction

  1. Good morning and a warm welcome to our inaugural Operational Technology Cybersecurity Expert Panel Forum. We are glad to be able to convene this Expert Panel Forum amidst challenging times. That we have more than 500 delegates participating in the forum today, physically or virtually, is testament to the importance of Operational Technology cybersecurity.  

  2. Being a Government policymaker and not a tech expert, I would like to focus my remarks on Singapore’s keen interest in OT cybersecurity and share some thoughts on how we might tackle this growing challenge by working together.

    OT is a growing cybersecurity risk of major importance

  3. Operational technology is a mature area where companies have long learnt to manage safety and risks.  Whether power plants or manufacturing operations, aeroplanes or trains, autoclaves or big robots in factories – industry has had long experience in ensuring industrial and workplace safety.  Regulations are in place; likewise sophisticated corporate networks, processes and practices have been worked out for some time.

  4. Digitalisation and connectivity have created a totally new security challenge and risks.   Until recently, most machines in the OT space were not digital in nature and most importantly, they were not connected to the internet or connected digitally to other machines in global networks.  Operations might have been computerised but OT systems were generally designed to be air-gapped.

  5. The Fourth Industrial Resolution has seen the convergence of IT and OT networks, with business models and operational designs, that involve data and instructions being sent digitally.  Cars, aeroplanes and machines send back data to their manufacturers, and receive updates.  With this shift, a vast range of cybersecurity threats has been introduced to previously ‘safe’ operating environments.  As the asset footprint of OT systems tends to be expansive, and the cybersecurity implications unclear, the complexity of tackling OT cybersecurity has been ratcheted up. To use a present-day analogy from healthcare, it is as if heart patients after surgery were put in an infectious disease ward. The cardiac procedure might have gone smoothly, but none of us want to be the physician tasked with helping them recover safely in the ID ward.  And this is the difficult job that OT cybersecurity specialists like you are being tasked to do.  

  6. Digitally connected OT systems have provided means for cyberattacks with significant and destructive spill over effects in the physical realm. Some past examples:

    • In 2015 and 2016, a group of threat actors disrupted Ukraine’s power system, leading to power outages for hundreds of thousands of people. 

    • In 2018 the cyber-attack on the Tasnee petrochemical plant in Saudi Arabia avoided a massive explosion, which experts believe to be the intention, only because a code-glitch triggered the fail-safe to shut down the system.

    • Earlier this year, an attacker compromised controls at a water treatment plant in Oldsmar, Florida, and attempted to modify the chemicals in the water supply. Luckily, the intrusion was detected and the problem fixed before the city’s population was poisoned. So for us, failure is not an option.


    Coordination as a Key Response to Complexity of OT Cybersecurity challenges

  7. What can we do? There are no easy answers for complex challenges.  But I’d like to suggest that coordination can be a key response to tackling complex OT cybersecurity challenges. First, coordination within Government so that sectoral regulators are more aligned in their responses. Second, coordination between Government and industry, because industry is usually the front-line facing the threats. Third, coordination between governments, and with global industry associations.

  8. What could the conversation be about. I suggest 4 areas:
       a. Information Sharing;
       b. Changed approach to Policies & Processes;
       c. Designing security into OT new-builds; and
       d. Talent development

  9. Information-sharing is critical to the defence of the OT sector. The more we learn about the tactics, techniques, and procedures that threat actors might use on OT, the better our chances of defending against their attacks.  Since attackers are continually improving their craft, we too must learn fast to keep pace. And the best way to learn fast is to share information among ourselves.  

  10. That is easier said than done, as information may have to be shared with external parties, including sector regulators and even business rivals!  Enterprises are loathe to do this, so it requires mindset shifts -- that our companies may be business rivals, but in the cyber arena, we are on the same side; the goal is to defeat the bad guys out there.  Sharing information like threat intelligence and best practices for business continuity can enhance our collective resilience. 

    Policies & Processes

  11. Second, reconsidering policies and processes. One problem with cybersecurity is that we often treat it as a technical problem, and we focus our energies on technical solutions. We must of course address these, but we should not neglect policies and processes.  In particular, industrial safety policies and enterprise risk management processes are typically static, designed for stable risk environments.  This incident response approach is no longer adequate when machines are connected. Policies need to be continually reviewed and revised to keep pace with threats. 

  12. It is onerous and painful to continually revise procedures and make policies ‘living’ documents. Unfortunately, we may have to manage cybersecurity policies like we manage software development. Cybersecurity policies need to be iteratively improved, with robust change management processes in place to control the pace of iteration, and non-cybersecurity professionals involved in security policy discussions to get their feedback. Sharing and adopting best practices through bilateral cybersecurity alliances, or multilateral cybersecurity coalitions can reduce the burden for individual organisations. That way, each organisation does not need to go it alone.  Governments and sectoral regulators can be useful as neutral coordinators.

    Design cybersecurity into new OT solutions

  13. Third, do consider designing cybersecurity in from the beginning in your new OT investments. I appreciate that we have to adapt existing equipment on the run, to manage cyber risks.  But when we have an opportunity to upgrade our equipment, do design cybersecurity in from the beginning.  The adoption of cybersecurity measures must not be an afterthought. 

  14. This may require deep cultural and operational change for most organisations.  For example, OT environments tend to be highly customised with support processes specific to a given operation. This might make their inner workings a mystery, even to their owners, who have no visibility into security features or vulnerabilities.  Your engineering teams now need to go into this.  And when maintenance and operations of the system have been outsourced, the vendor-customer dynamic needs to evolve to be more collaborative and less transactional. Organisations have to work closely with their vendors across their IT supply chains to identify vulnerabilities quickly and provide relevant and timely feedback.  I believe that the valuable lesson here is that security built into OT systems design will mitigate risks and costs down the line. Security architects need to be in the room when systems are being designed, to incorporate system security as a first principle. 

    Talent

  15. Last but certainly not least, we need new professional skills to tackle the OT cybersecurity challenge. All of us face shortages finding people with the necessary skills.  Indeed, because this specialisation is nascent, employers are unclear what to look for, neither do training providers, and cybersecurity professionals are unclear how to chart career paths in OT.  Tackling this requires parties to work together.  This is where governments and industry associations should work together because none of us can do this effectively on our own.  For Singapore, the Cyber Security Agency is working on this, and details will be announced in due course.

    Conclusion

  16. To conclude, I believe that we stand a better chance of thwarting cyberattacks on OT systems if we work together.  I suggest that we update our policies and processes, adopt security technologies by design and grow talent. We should share information and learn from each other so that we can benefit from the collective expertise and efforts in all these areas.

  17. Today’s forum is part of our continuing efforts to catalyse important conversations within the Operational Technology cybersecurity sector, both for Singapore and for our friends around the world.  I hope you will find this platform useful. I wish all of you a fruitful learning experience from today’s Forum.

  18. Thank you. 


Back to top