Speech by Minister Josephine Teo at the Operational Technology Cybersecurity Expert Panel Forum
KEYNOTE ADDRESS BY MINISTER JOSEPHINE TEO AT THE OPERATIONAL TECHNOLOGY CYBERSECURITY EXPERT PANEL FORUM ON 20 AUG 2024
Distinguished panellists
Colleagues and Friends
Introduction
Thank you for inviting me to join you again at the OTCEP forum.
For several years now, we have met annually to talk about the cybersecurity of Operational Technology, OT. Life as we know it today is supported by OT in multiple ways. OT does not make headlines like Artificial Intelligence or Quantum technology, but it is what keeps the lights on, our water flowing, our trains running and many of the modern conveniences we depend on.
We know that OT systems are increasingly under threat. They have traditionally been safe from cyber-attacks because they were placed in protected environments and had limited connection to other networks. However, this is no longer the case and we will need to do more to protect their safety and resilience.
While the recent CrowdStrike disruption was not a cyber-attack, it demonstrated the criticality of OT systems, and the importance of resilience. Around the world, critical infrastructure such as airports and metro systems were disrupted to varying degrees.
In Singapore, while government and most essential services were unaffected by the outages, some businesses’ operations were affected. These included disruptions to passenger check-in for some airlines at Changi Airport Terminal 4 and gantry operations at some public housing carparks.
My Ministry has set up a Taskforce to draw lessons from this incident to improve our security and resilience. Even before we conclude our findings, one thing is already clear. As is true in an increasing number of cases, an IT issue has spilled over to the OT space.
It is no longer a surprise that malicious actors target OT systems. Following the discovery of PipeDream and other Industrial Control Systems, or ICS, malware, Dragos recently shared information on a new ICS malware called FrostyGoop.
FrostyGoop was apparently used earlier this year to disrupt heating services in Ukraine. As a result, many people had to endure sub-zero temperatures within homes and workplaces. FrostyGoop is the ninth dedicated ICS malware discovered to date, and we expect many more to come.
OT cybersecurity poses a real challenge to all of us. This is why the Cyber Security Agency of Singapore launched the first OT Cybersecurity Masterplan in 2019, to set out the key initiatives that Singapore would take to strengthen OT cybersecurity.
Since then, we have deepened our bench of cybersecurity professionals. CSA developed the OT Cybersecurity Competency Framework and has successfully organised more than 10 OT cybersecurity training courses, benefiting more than 400 OT cybersecurity professionals from across the local ecosystem and in the region.
We have also strengthened intelligence sharing through the joint establishment of the OT Cybersecurity Information Sharing and Analysis Centre (OT-ISAC) with the Global Resilience Federation Asia-Pacific. The Centre currently has more than 40 members from the government, critical system owners and industry providers.
But we must do more to keep pace with the changes in the OT threat landscape.
OT Cybersecurity Masterplan 2024: Charting the next bound of Singapore’s OT Cybersecurity
Today, I am happy to announce the launch of the OT Cybersecurity Masterplan 2024, and to share three key areas in this updated Masterplan. They are:
a. To uplift the cybersecurity posture of all OT operators,
b. To deepen our cybersecurity capabilities, and
c. To reduce risks and vulnerabilities through security by design and deployment.
Let me say more about each of these areas.
Uplift the cybersecurity posture of all OT operators
First, we will uplift the cybersecurity posture of all OT operators, not just CII operators.
As organisations leverage new devices – such as Industrial Internet of Things (IIoT) devices, to support their OT operations – the Government will do its part to provide guidance on addressing OT-related cybersecurity risks. CSA has contributed to the development of international technical references that set out best practices to secure cyber-physical systems for buildings infrastructure.
a. CSA will be updating our existing guidelines and handbooks for organisations to include these best practices to address OT-related risks.
b. I encourage everyone to make use of these resources. We also welcome feedback from the industry on how we can continue to update and refine our best practices.
Deepen cybersecurity capabilities
Second, we will strengthen the capabilities of cyber-defenders. Malicious actors will continue to evolve their tactics, and our best defense is to nurture a critical mass of OT cybersecurity talent with deep skills who can mount effective counter measures.
a. CSA has worked with partners such as cybersecurity training providers and Institutes of Higher Learning to expand the suite of available courses to cater to the needs of existing and aspiring OT cybersecurity practitioners.
b. The target audience includes professionals working in government agencies as well as the private sector, those operating CIIs as well as non-CIIs.
I am pleased to announce today that CSA will be partnering with SANS Institute to provide more training opportunities for Singapore-based cybersecurity practitioners. With this partnership in place, the community will have access to expert knowledge on training, workforce professionalisation and cyber exercises.
Additional initiatives include providing greater clarity on the career pathways in OT cybersecurity. More updates will be provided in due course.
Partnerships are also key to sharpen our technical capabilities and situational awareness of the threat landscape.
a. I am therefore pleased that CSA will be partnering with global cybersecurity solutions provider Fortinet on cyber threat intelligence sharing and capability development.
Systematically reduce risks and vulnerabilities through design and deployment parameters
Third, to improve OT cybersecurity, it is important for security to be incorporated upstream in the design and deployment of OT systems.
a. An OT system typically comprises different products, each produced by different Original Equipment Manufacturers (OEMs). These different products are subsequently assembled and maintained by yet another different entity!
b. It is therefore important that OT systems come with security features and controls. They must also be designed, implemented and subsequently maintained in a systematic and holistic manner which reduces vulnerabilities and risks throughout their lifecycles. In other words, OT systems need to be “Secure by Design” and “Secure by Deployment”.
To be “Secure by Deployment”, the different parts of the supply chain must come together.
a. I am heartened that 14 OEMs and cybersecurity solution providers have committed to adopt “Secure by Deployment” principles.
b. They are international players, so we hope that this initiative will not just benefit Singapore but will have a wider impact subsequently as the best practices become more widely adopted.
c. You will be introduced to these 14 OEMs later, and I look forward to even more industry players stepping forward to join this endeavour.
Conclusion
Let me conclude. We have said often enough that cybersecurity is a team effort. Our updated Masterplan is the product of extensive consultations with over 60 partners and experts in the OT ecosystem.
In fact, many of you in this room have been part of this co-creation journey with us. On behalf of the Government and CSA, I want to express our appreciation to all of you.
There will be risks and opportunities in tackling the OT cybersecurity challenge, but I am confident that we can make progress by pooling our efforts and partnering one another.
I wish all of you an enriching Forum. Thank you.