National agencies defend simulated attack on water and power plants in cyber drill

The inaugural Critical Infrastructure Defence Exercise is the first cyber-defence exercise held by the Singapore Armed Forces since the SAF’s Digital and Intelligence Service was formed in October. PHOTO: LIANHE ZAOBAO

SINGAPORE - Malicious cyber attacks could poison Singapore’s water supply or cause a massive blackout, and over the last two days more than 100 people engaged in an exercise to learn how to defend the Republic against these threats.

On Tuesday and Wednesday, about 55 employees from the cyber-security teams of 16 organisations including Singtel, SMRT, Sembcorp and ST Engineering joined specialists from the newly formed fourth arm of the Singapore Armed Forces (SAF) in the inaugural Critical Infrastructure Defence Exercise (Cidex).

It was the first cyber-defence exercise held by the SAF since the Digital and Intelligence Service (DIS) was formed in October, and was likely the largest drill of its kind in Singapore.

Staff from the DIS and the Cyber Security Agency of Singapore (CSA) took on the roles of state-sponsored hackers or ransomware criminals to attack water treatment and distribution plants and the power grid system of a fictional “Mystira” state, while other exercise participants defended against the attacks.

Not all of the exercise took place in cyberspace, however, as it included physical structures – with real pipes, generators and solar panels equipped with more than 100 sensors – representing water and power plants.

The structures were linked to more than 300 websites and virtual private networks, so that when a wave of attacks against a water plant began, light switches on a real tap would blink – a warning that was fed back live to the 55 defenders in a separate room.

The Ministry of Defence said the structures were built in the last seven years, and preparations for the exercise began nine months ago. More such exercises with other national agencies are planned, simulating attacks on other critical infrastructure.

“We cannot defend Singapore alone, and we will continue to work with partners to make sure our national cyberspace is safe,” said Military Expert 6 William Teo, head of the organising secretariat of Cidex.

Other entities that participated included the Infocomm Media Development Authority, Land Transport Authority, M1, Maritime and Port Authority of Singapore, Pavilion Energy, national water agency PUB, Senoko Energy, Singapore LNG Corp, SP Group, Tuas Power and YTL PowerSeraya.

Each sent between two and five participants, who were then put into groups to identify attacks in real time before recommending mitigation strategies.

In a real-world scenario, these staff would have to work with their system administrators and management, largely independent of the DIS, to defend against any attacks.

Chief of Defence Force Melvyn Ong said threats in the digital space have been increasing in regularity and scale, and Singapore needs to be better at dealing with and mitigating them.

The setting up of the DIS and the inaugural Cidex are positive steps that Singapore has taken, he said.

“Any breach of critical infrastructure could have potentially severe consequences,” Lieutenant-General Ong added.

“The way systems are connected with one another today, any breach of one could potentially also affect other systems. This is the nature of the hyper-connected world that we live in.”

On the sidelines of Cidex, the DIS and CSA signed a joint operations agreement to establish a framework for closer cooperation.

The SAF’s defence cyber chief Edward Chen said platforms like Cidex allow cyber defenders from national agencies to train together, strengthening the country’s ability to protect its critical infrastructure systems.
