All critical information infrastructures (CII) in Singapore must continuously transform to keep pace with the changing threat landscape, and that means moving beyond “generic” cybersecurity practices. It requires a strong focus on operational technology (OT) security, which includes the right OT-specific cybersecurity skills and practices for CII operators.
Last year, Singapore adjusted its cybersecurity strategy to emphasize OT and provide guidance on the skill sets and technical competencies needed by OT organizations. The country defines OT systems to include industrial control, building management and traffic light control systems that monitor or change the physical state of a system, such as railway systems.
The Cyber Security Agency of Singapore (CSA) has highlighted the need for CII operators to strengthen the cyber security of OT systems, where attacks can pose physical and economic risks.
The need for efficiency and functionality has driven the convergence of IT and OT systems, the latter of which have traditionally been designed as stand-alone infrastructures and not connected to external networks or the Internet.
No longer operating in such air-gap environments, OT systems now operate across a wider attack surface and are open to potential cyberattacks that can have real-world impact.
Asked which CII sectors are most in need of cybersecurity transformation, CSA noted that as the threat landscape continues to evolve, each CII sector needs to continuously “adapt and transform” its processes to combat existing as well as emerging threats.
CII industries vary in size, function and reliance on technology, all of which shape their respective cybersecurity strategies, a CSA spokesperson told ZDNET.
He added that some sectors were using OT and IT alongside IoT (Internet of Things), and this not only introduced additional industry-specific challenges, but also increased the surface area that had to be protected from cyber threats.
According to Keith Lunden, manager of analysis at Google’s Mandiant Intelligence, OT assets have seen very limited threat activity compared to IT assets, primarily because traditional air gaps and internal network segmentation have kept major malware incidents to a minimum.
“However, this has also served to minimize the drivers of OT cybersecurity efforts, [so] rather than threat activity, regulatory requirements have been the primary driver of OT security efforts,” noted Lunden. “Consequently, unregulated industries such as water and wastewater are the most in need of transformation.”
He added that these industries need to develop risk-based cybersecurity countermeasures based on industry standards.
Group-IB Founder and CEO Dmitry Volkov also emphasized the need for all CII sectors to continually improve their cybersecurity posture, as their ability to operate without interruption is critical to national security.
He said sectors including health, transportation and government are frequent targets, noting how a ransomware attack prompted the Costa Rican government to declare a state of emergency for the first time in April. Hackers exfiltrated more than a terabyte of data, breaching 27 ministries in the attack.
The building automation and oil and gas sectors also have a high percentage of ICS (industrial control system) computers on which malicious objects are blocked, said Vitaly Kamluk, Kaspersky’s Asia Pacific director of global research and analysis.
Blocking rates for these industries remain above the global average, Kamluk said, noting that greater use of online resources and email among building automation companies may explain why that sector leads others in blocked malware attacks.
Lunden said cybercriminals have made significant advances in their operations over the past few years, with ransomware emerging as an effective business model and resulting in a large number of security incidents affecting critical infrastructure, often including OT environments.
Pointing to state-sponsored attacks, he said Mandiant continues to see adversaries looking to exploit insecure-by-design features of OT.
“[These] aim to maliciously exploit the native functionality of OT devices, rather than exploit vulnerabilities in these systems,” he noted. “As a result, we expect state-sponsored malware targeting these features of OT to remain a threat for the foreseeable future, because it’s much harder to redesign these devices than to simply patch vulnerabilities in them.”
Supply chains increase the potential OT threat
In addition, supply chains in some OT sectors, such as manufacturing and shipping, tend to be expansive and involve multiple parties.
Securing supply chains can prove a challenge, the CSA said, noting that organizations take on unknown cyber risks from third-party suppliers because they lack full visibility into their supply chain. “Organizations can only be as strong as their weakest link,” the spokesperson said.
He pointed to CSA’s CII Supply Chain Program, which outlines five core initiatives to help these sectors address cyber supply chain challenges at various levels, including organizational, sectoral, national and international. The program includes a toolkit, a manual, a certification scheme and a learning centre.
In particular, all CII and OT sectors need to improve their visibility, because organizations cannot secure and defend assets they do not know exist, said Fabio Fratucello, CTO of CrowdStrike Asia-Pacific Japan.
Without visibility, they also lack the threat detection and adversary protection needed to locate blind spots, Fratucello said. To address such challenges, he said CrowdStrike introduced Falcon Discover for IoT to help customers understand the interconnected relationships between their IT, OT and IoT assets and mitigate potential risks in these environments.
“Once organizations have a deeper understanding of their attack surface, they are better equipped to make informed, risk-based decisions by bridging the gap between the OT environment and IT operations,” he noted. “It is important for organizations to look both externally and internally to understand security vulnerabilities. This includes risks across the supply chain, which in some industries can be an incredibly complex and long chain.”
Citing CrowdStrike research, he said 48% of Asia Pacific organizations had experienced at least one supply chain attack in recent years, while 60% could not claim that all of their software suppliers had been vetted.
To better manage their third-party ecosystems and protect their infrastructure, Volkov suggested that OT sectors adopt isolation and segregation of IT, OT, and human processes and ensure the integrity of their infrastructure components.
A threat intelligence platform would also help identify potential attackers and how they target OT infrastructure, he said, adding that it would point out areas of compromise so they could be addressed, improving the overall security posture.
OT sectors should assess their vendors’ external attack surface and work closely with their third-party vendors to further ensure they have all the necessary security measures in place, such as an incident response team.
Filling the gaps in OT security
With demand for roles requiring both IT and OT competencies rising amid increased connectivity between the two domains, the CSA said it has developed the OT Cyber Security Competency Framework to offer guidance on identifying the skill sets and training needed by OT engineers. It also outlines career paths for these engineers, the spokesperson said.
The spokesperson added that the CSA has established a cyber security code of practice to set out mandatory OT-specific cyber security practices for CII operators.
“They focus on network segmentation, patch management, detection and continuous monitoring with the goal of reducing the likelihood that threat actors will exploit software vulnerabilities and gain a foothold in OT systems,” he said. “It equips OT system owners with the knowledge to more effectively mitigate emerging cyber threats.”
Asked about the role of regulation in OT, he said Singapore’s Cyber Security Act provides a framework for the designation of 11 CII sectors, while the code of practice sets out basic cyber security standards and measures that these CII owners should implement to ensure their resilience.
He noted that the code of practice has recently been enhanced to help CIIs further strengthen their cyber resilience and defenses against sophisticated cyber threats and be more agile in responding to emerging cyber security risks.
The code revision also improved coordination between the Singapore government and the private sector so that cyber threats could be detected and responses launched in a timely manner, said a CSA spokesperson.
“Each CII sector faces cybersecurity risks specific to its digital terrain, such as migrating to the cloud or using 5G technologies,” he noted, emphasizing the importance of OT security. “Cyber hygiene practices that are generic in critical sectors would not be able to address such specific risks.”
Kamluk said it’s important to set industry standards that require companies to build a security foundation into their systems. However, while essential, regulations are only one component of a holistic approach to OT security.
Collaboration is also key to integrating all elements within security, he said, urging organizations to come together and take a concerted approach to security as a sector. A clear road map provides a guiding plan that everyone can work towards and that can ease friction within the sector, he added.
With a plan and systems in place, there should be regular sector-specific meetings and routine maintenance. These “health checks” will ensure that potential pitfalls and threats are identified early and that players in the sector can recalibrate and remain resilient, Kamluk said.
Volkov noted that new laws or amendments to existing ones should be “data-driven” and aim to address weaknesses identified during cybersecurity exercises involving various parties.
Lunden said, “Regulations should be performance-based, not prescriptive. This can give OT system owners flexibility when implementing cybersecurity countermeasures. They should also be tailored to apply only to the organization’s most critical OT assets, as not all OT should be considered equal.
“Regulators should learn from the experiences of other regulatory bodies that have improved the effectiveness of their regulations over time,” he added.
In July, Singapore expanded its cybersecurity labeling program to include medical devices, especially those that handle sensitive data and can communicate with other systems.
Asked if the labeling scheme could be extended further to include OT systems and applications, a CSA spokesperson said there were no current plans to do so.
He noted that the initiative aims to provide greater transparency for consumer-facing IoT products, which OT devices are not. The latter generally perform more critical functions, such as ensuring the provision of essential services, he said, adding that the CSA offers other certification schemes, such as the Common Criteria Scheme, to facilitate the security evaluation of IT products.