Singapore’s Permanent Secretary for Communications and Information, Yong Ying-I, wants to see updated policies and processes, and the adoption of security technologies by design to help the country fend off emerging operational technology (OT) cyber threats.
“I believe that we stand a better chance of thwarting cyberattacks on OT systems if we work together,” Yong said in a speech during the Cyber Security Agency of Singapore’s (CSA) inaugural Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on 29 September. “I suggest that we update our policies and processes, adopt security technologies by design and grow talent.
“We should share information and learn from each other so that we can benefit from the collective expertise and efforts in all these areas,” she added.
Indeed, collaboration and cooperation between industry and government also played a big role in Yong’s opening presentation at the event, as did the continuing issues around sourcing cybersecurity skills in the local market.
“Information-sharing is critical to the defence of the OT sector,” Yong said. “The more we learn about the tactics, techniques, and procedures that threat actors might use on OT, the better our chances of defending against their attacks.
“Since attackers are continually improving their craft, we too must learn fast to keep pace. And the best way to learn fast is to share information among ourselves.
“That is easier said than done, as information may have to be shared with external parties, including sector regulators and even business rivals. Enterprises are loath to do this, so it requires mindset shifts – that our companies may be business rivals, but in the cyber arena, we are on the same side; the goal is to defeat the bad guys out there.
“Sharing information like threat intelligence and best practices for business continuity can enhance our collective resilience,” she added.
Although cyber security is often treated as a technical problem, policies and processes should not be ignored, Yong said, suggesting that industrial safety policies and enterprise risk management processes in particular are typically static, designed for stable risk environments.
However, the traditional incident response approach is no longer adequate when machines are connected, she stressed, noting that policies needed to be continually reviewed and revised to keep pace with threats.
“It is onerous and painful to continually revise procedures and make policies ‘living’ documents,” Yong said. “Unfortunately, we may have to manage cybersecurity policies like we manage software development.
“Cybersecurity policies need to be iteratively improved, with robust change management processes in place to control the pace of iteration, and non-cybersecurity professionals involved in security policy discussions to get their feedback.
“Sharing and adopting best practices through bilateral cybersecurity alliances, or multilateral cybersecurity coalitions can reduce the burden for individual organisations. That way, each organisation does not need to go it alone. Governments and sectoral regulators can be useful as neutral coordinators,” she added.
At the same time, Yong recommended that companies design cybersecurity into their OT investments from the very beginning of the process.
“I appreciate that we have to adapt existing equipment on the run, to manage cyber risks. But when we have an opportunity to upgrade our equipment, do design cybersecurity in from the beginning. The adoption of cybersecurity measures must not be an afterthought,” she said.
Deep cultural and operational change may be needed to bring such considerations into the early stages of the design process, Yong conceded, adding that the vendor-customer dynamic also needed to evolve to be more collaborative and less transactional.
“Organisations have to work closely with their vendors across their IT supply chains to identify vulnerabilities quickly and provide relevant and timely feedback,” she said. “I believe that the valuable lesson here is that security built into OT systems design will mitigate risks and costs down the line.
“Security architects need to be in the room when systems are being designed, to incorporate system security as a first principle,” Yong added.
Yong also flagged the problem of skills in the area of OT security and, indeed, cybersecurity more generally, noting that the market needed new professional skills to tackle the OT cybersecurity challenge.
“All of us face shortages finding people with the necessary skills,” Yong said. “Indeed, because this specialisation is nascent, employers are unclear what to look for, neither do training providers, and cybersecurity professionals are unclear how to chart career paths in OT. Tackling this requires parties to work together.
“This is where governments and industry associations should work together because none of us can do this effectively on our own. For Singapore, the Cyber Security Agency is working on this, and details will be announced in due course,” she added.
David Koh, CSA chief executive and Singapore Commissioner of Cybersecurity, echoed Yong’s sentiments, stressing that collaboration is essential in the country’s efforts to address OT security risks.
“At the national and global level, we need industry, researchers, and policy makers to regularly exchange views on governance best practices and technological developments, while recognising operational constraints and the realities on the ground,” Koh said.
“It is never easy to work across domains, especially when the other party’s priorities, skillsets, mental models, and languages are so different from yours. At times, it may feel like a chicken talking to a duck. This is a Chinese saying so I think some of it is lost in translation. Some of you here might have experienced this first-hand. But we need to be deliberate in fostering and facilitating such discussions,” he added.
Indeed, Koh pointed out that the inaugural OTCEP forum was created to help drive such collaboration and knowledge sharing.
In August, Singapore and the United States moved to jointly expand their cooperation on cybersecurity after signing a new memorandum of understanding (MoU) aimed at strengthening information sharing and fostering cyber security exchanges between the two countries.
The MoU was signed by Koh and Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), which leads the country’s national effort to protect and enhance the resilience of its physical and cyber infrastructure.
“Singapore and the United States share deep mutual interests in enhancing cyber security cooperation, particularly as cyber security has become a key enabler for both countries to leverage the benefits of digitalisation to grow our economies and improve the lives of our people,” Koh said at the time.
“This expanded MoU is a testament of our shared vision to work together towards a stable, secure, resilient and interoperable cyberspace. We look forward to continuing our work with the US to strengthen cybersecurity cooperation between our countries,” he added.