SINGAPORE - Governments and agencies must proactively upgrade and redesign the control systems that operate key infrastructure to counter the rising threat of malware designed to disrupt such systems and cause harm, said cyber-security expert Robert Lee on Tuesday (July 12).
The authorities also need to develop the capabilities to determine whether incidents are indeed due to a cyber attack or to other factors such as outages or maintenance issues, he added.
Mr Lee, who is chief executive and co-founder of the cyber-security firm Dragos, said Singapore's Cyber Security Agency is doing well in proactively preparing for specific scenarios by ensuring relevant parties are aware of their roles and responsibilities in the event of an attack, instead of merely reacting to attacks.
He noted that many governments suffer from "analysis paralysis", preferring to wait and see how other countries handle such threats.
"There are very few countries like Singapore that have chosen a direction and said this is a national security priority."
Mr Lee was speaking at the Operational Technology Cybersecurity Expert Panel Forum 2022, a two-day event which ends on Wednesday.
While traditional cyber attacks target information systems like databases, malicious attackers are increasingly targeting the operational technology (OT) behind physical systems such as power plants, gas pipelines and manufacturing facilities.
Mr Lee cited the example of the Pipedream suite of malware tools discovered earlier this year, which was found to have the potential to target a range of sectors from power grids and factories to water utilities and oil refineries.
The attackers behind the tools exploited a common software module and aimed to disrupt specific targets in the energy sector, but could potentially have adapted the malware to target other sectors as well.
"A foreign government had developed this capability, and in our assessment, was within a couple of months from deploying it on a number of key electric and energy sites that handle liquid natural gas, especially in the United States," said Mr Lee.
"Its purpose was to be disruptive, with a potential to physically disrupt the infrastructure."
Fortunately, cyber-security experts were able to identify and create defences against the malware before any attacks could be carried out.
Failing to anticipate and respond to an attack on OT could have serious consequences, including civilian deaths, Mr Lee said.
Minister for Communications and Information Josephine Teo, who also spoke at the event, noted that some attacks are intended to cause direct harm to people, such as an April 2020 attack on several water facilities in Israel, which was aimed at raising the chlorine concentration to dangerous levels and causing widespread poisoning.
This incident did not result in lasting harm as the authorities were able to respond appropriately, but it demonstrates the potential harm that can be caused by attacks on OT systems, Mrs Teo said.
"Most of the time, operational technologies work well enough that we have no need to question their reliability or resilience," added Mrs Teo.
"However, in recent years, they have also become vulnerable to cyber attacks. This is because many OT systems are now interconnected with IT systems. Cyber attacks that used to disrupt IT systems only can now impact physical operations."
More sophisticated attackers have also begun selling their services to less sophisticated criminals, making it easier to mount an attack using the latest tools.
"There is no way of avoiding the risks without systematic efforts to find and patch vulnerabilities," said Mrs Teo.
"We must also keep abreast of new cyber-security threats, share our knowledge and collaborate to help each other."
Mrs Teo added that Singapore is investing in developing OT cyber-security professionals while also improving the processes and technology that safeguard OT systems.