Move to protect S'pore's critical infrastructure against cyber strikes

Although the threat of a cyber attack on Singapore's critical infrastructure services remains low, the maritime sector has been in the cross hairs of hackers, members of an international panel appointed by the Cyber Security Agency of Singapore (CSA) said.

In an interview with The Straits Times, Mr Kazuo Yamaoka, senior solution architect at NTT Security Japan, the information security arm of the Japanese telco, said hackers have been using increasingly sophisticated tools to target operational technology systems.

These systems run critical infrastructure services, such as those in the energy, water and transport sectors. They control everything from the electricity grid, traffic lights, train-signalling systems and even sensors detecting the chemical content in drinking water.

In 2017, hackers attacked a petrochemical plant in Saudi Arabia with the intent to cause a fatal blast and cripple the facility. That strike failed because of a glitch.

In February, a hacker tried but failed to poison the water supply in Florida, United States, after accessing a water plant's controls.

"Considering the situation in other countries, we believe operational technology cyber-security threats in Singapore are relatively low at present," Mr Yamaoka said in the interview last week.

"The damage created by (such) cyber attacks... has not surfaced in Singapore. But it's important that businesses do not become complacent and should ensure they have an effective incident response or business continuity plan in place," added Mr Yamaoka, who has expertise in utilities and operational technology and industrial automation systems in factories.

With cyber threats to operational technology, especially industrial control systems, increasing in frequency and sophistication, the CSA announced yesterday that it has established an operational technology cyber-security expert panel to "strengthen local cyber-security capabilities and competencies in the operational technology sector".

The panel will allow Singapore's operational technology cyber-security practitioners, operators, researchers and policymakers from the Government, critical information infrastructure sectors, academia and other operational technology industries to have direct access to experts, said CSA.

The 11 panel members, who come from both public and private sectors, locally and internationally, include American Robert Lee.

The chief executive of industrial cyber security company Dragos said his US firm had tracked a state-linked hacking group which has been targeting the Singapore and Japan maritime sectors and port authorities.

"They're not to the point of causing physical impact and... trying to hurt people. But it's early reconnaissance and you can tell that they are trying to go after industrial systems," said Mr Lee, who also serves on the US Department of Energy's electricity advisory committee.

"But until we get more insight into operational technology systems and networks, we won't know the full picture."

Mr David Koh, commissioner of cyber security and CSA's chief executive, said that while operational technology systems were traditionally separated from the Internet, increasing digitalisation has led to more IT and operational technology integration.

"Hence, it is crucial for operational technology systems to be better protected from cyber threats to prevent outages of critical services that could result in serious real-world consequences," said Mr Koh.

"To this end, we are glad to have notable operational technology experts join us in sharing their expertise to develop and strengthen localised capabilities in operational technology cyber security."

CSA said the experts will discuss issues ranging from governance policies and processes, evolving operational technologies, emerging trends, capability development, supply chain, threat intelligence information sharing as well as incident response.

They will recommend best practices to address cyber-security challenges and gaps in the sector.

The panel complements CSA's operational technology cyber-security masterplan announced in 2019 to protect Singapore from cyber attacks on critical sectors like transport and water supply.

Insights and recommendations from the panel will help shape initiatives under the plan, such as a code of practice and training programmes, said CSA.

A version of this article appeared in the print edition of The Straits Times on May 04, 2021, with the headline 'Move to protect S'pore's critical infrastructure against cyber strikes'. Subscribe