Five years after the country introduced its cybersecurity strategy, Singapore unveils a revised national plan that aims to assume a more proactive stance in addressing threats and drive its cybersecurity posture, including a new operational technology competency framework.
Singapore has tweaked its cybersecurity strategy to beef up its focus on operational technology (OT), offering a new competency framework to provide guidance on skillsets and technical competencies required for OT industry sectors. The revised national cybersecurity roadmap also looks to bolster the overall cybersecurity posture and foster international cyber cooperation.
The 2021 cybersecurity strategy also would build on efforts to safeguard Singapore’s critical information infrastructure (CII) and other digital infrastructure, said Cyber Security Agency (CSA). The government organization said it would work with CII operators to beef up the cybersecurity of OT systems where cyber attacks could pose physical and economic risks.
CSA defines OT systems to include industrial control, building management, and traffic light control systems that encompass monitoring or changing “the physical state of a system”, such as controlling railway systems.
“Many OT systems are historically designed to be standalone and not connected to the internet or external networks. However, with the introduction of new digital solutions in OT systems to increase automation and facilitate data collection and analysis, this has introduced new cybersecurity risks to what used to be a relatively ‘safe’ air-gapped operating environment,” it said.
To address such risks, it noted, enterprises needed a framework from which they could get guidance on processes, structures, and skills required to manage their OT cybersecurity.
Called the OT Cybersecurity Competency Framework, it is touted to provide a “more granular breakdown” and reference of cybersecurity skills and technical competencies required for OT industry sectors. It aims to plug existing gaps in OT cybersecurity training, according to CSA. Previously, OT systems owners including those in CII sectors would take guidance from the Skills Framework for ICT, parked under SkillsFuture Singapore, to identify skills gaps and develop training plans.
Jointly developed with Mercer Singapore, the new OT security framework offered roadmaps of various job roles and the corresponding technical skills and core competencies required. Both OT and IT systems owners could refer to the reference guide to provide adequate training and plot employees’ career progression, while training providers could use it to identify technical competencies and certifications needed to support local training needs, CSA said.
In addition, the CSA Academy would host roadshows to help organisations adopt the OT security framework based on their business requirements.
The increased focus on OT cybersecurity was in line with Singapore’s updated cybersecurity strategy, announced earlier this week. It detailed efforts to assume a more proactive stance in addressing digital threats, drive the nation’s cybersecurity posture, and push international norms and standards on cybersecurity.
ADJUSTED FOCUS NEEDED TO ADDRESS GROWING CYBER THREATS
These were essential amidst increased connectivity, digitalisation, and complexity in cyber threats, said Senior Minister and Coordinating Minister for National Security Teo Chee Hean, at the opening of the conference Tuesday night.
Telecommuting, video calls, online shopping, and digital payment had become the “new normal”, as populations worldwide turned to online technologies to cope with physical restrictions around the global pandemic. These provided benefits and opportunities, and impact on businesses, jobs, and lives would be permanent, Teo said.
He added that, each day, more companies and people were engaging in the digital space and such interactions were becoming more pervasive. New apps and services were launched every day, and technologies such as 5G, cloud, Internet of Things (IoT), artificial intelligence (AI), and data analytics were taking digitalisation to a new level.
“But connecting more people, bringing in new services, and rolling them out fast, bring added risks. They open up a wider attack surface, and raise the likelihood, impact and cost of a breach,” Teo said. “Strategies to enhance security, on the other hand, are inherently aimed at stability, conservatism, and reducing risk. Instinctively, the two seem mutually exclusive. These are real dilemmas that all of us face.”
Geopolitical tensions further compounded this growing landscape, threatening to bifurcate the technology world and increase digital risks, the minister said. Pointing to Operation HAECHI-I, a transnational joint operation targeting five types of cyber-enabled financial crimes, including voice phishing and money laundering, he said more than 1,600 bank accounts linked to these crimes were frozen, and $83 million intercepted.
More than 585 individuals were arrested and at least 890 cases solved, he said, noting that the successful operation demonstrated what was possible if the global community worked together to make the cyber space safer and more secure.
According to the Interpol, Operation HAECHI-I involved specialist law enforcement officers across nine Asian economies including Singapore, China, Indonesia, South Korea, and Thailand.
Recent supply chain attacks including the SolarWinds and Kaseya breach also underscored the urgency for Singapore to invest in its capabilities and bolster the “trust, but verify” approach in its digital systems, said Teo. The need to continuously verify and validate all activity on the country’s networks would provide greater confidence to trust its digital technologies and devices, he said.
These considerations drove Singapore’s updated cybersecurity strategy, which outlined its approach to safeguarding its wider cyberspace in an increasingly complex environment, the minister said. Amongst such requirements were the need to develop and roll out cybersecurity standards on a national level, and raise the minimum standard of cybersecurity in ICT products and services the country used.
Teo said: “One key element of the revised strategy is going beyond protecting merely our critical information infrastructure, and working to secure our wider cyberspace given the increasingly widespread and interconnected use of digital technology in all domains. This needs to be underpinned by building organisational capability and talent development.”
Singapore’s 2021 cybersecurity strategy further recognised the need to build consensus and deepen collaboration, in which it would look to advocate for a rules-based multilateral order in cyberspace and an interoperable ICT environment.
Teo said: “Difficult as it may seem, we should work to reach consensus on rules, norms, principles, and standards. Given the borderless nature of the digital domain–some have likened it to a digital global commons–we need to aspire for global consensus. Singapore supports the creation of such a multilateral order in cyberspace. Countries need to work together to develop new governance principles, frameworks, and standards for the digital commons to preserve trust and confidence, and for it to work well, safely and securely for all of us.
“Consensus-building is crucial to maintain an open, secure, and interoperable digital domain,” he added.
Currently the chair of United Nations’ (UN) Open-Ended Working Group on Security, from 2021 to 2026, Singapore said it would contribute and drive discussions on international cyber norms as well as support global efforts to augment nations’ capacities to protect themselves against cyber threats. Here, CSA added, Singapore would call on the development and adoption of cybersecurity standards so a minimum level of cybersecurity was implemented in ICT products and services used by citizens and businesses.
Earlier this week, Singapore inked an agreement with Finland to mutually recognise each country’s cybersecurity labels for IoT devices, and help consumers assess the level of security in such products. Touting it as the first of such bilateral recognition, Singapore said the partnership aims to reduce the need for duplicated testing.
Asean also was the first regional group to subscribe, in principle, to the UN’s 11 voluntary, non-binding norms of responsible state behaviour in cyberspace, Teo noted. Asean member states currently were working to implement these norms and translate principles into tangible outcomes, he said, adding that cooperation at such regional level was an important building block and stepping stone towards global consensus.
“Cyberspace transcends physical boundaries and many systems span different countries and jurisdictions,” he said. “Countries, therefore, need to collaborate closely to align our policy approaches to deal with and police cross-border cyber threats. We also need to collaborate at the operational level to respond to cyber threats rapidly and in a coordinated manner.”
Singapore’s revised 2021 cybersecurity strategy comes five years after its first such plan was introduced in 2016. Moving forward, CSA said it would “explore expanding” regulations under the country’s Cybersecurity Act to include entities and systems beyond CIIs.
Credits: Eileen Yu