Ministry of Digital Development and Information
By Jane Lo
Singapore is doubling down on its commitment to safeguarding Operational Technology (OT) systems with the launch of the “Operational Technology Cybersecurity Masterplan 2024.”
David Koh, Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency (CSA), captured the essence of the Masterplan’s collaborative approach with a powerful message: “If you want to go fast, go alone; if you want to go far, go together.”
This spirit of teamwork shaped the Masterplan, developed through consultations with over 602 organizations across the OT landscape – including Critical Information Infrastructure (CII) owners, government bodies, educational institutions, OEMs, solution providers, and cybersecurity professionals.
The result? A robust plan that builds on the successes of the 2019 initiative, launched by Josephine Teo, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity, during the OT Cybersecurity Expert Panel (OTCEP) forum on August 20-21, 2024.
Teo reflected on Singapore’s strides since 2019, noting significant progress. “We have deepened our bench of cybersecurity professionals,” and “strengthened intelligence sharing through the joint establishment of the OT Cybersecurity Information Sharing and Analysis Centre (OT-ISAC).” But the evolving threat landscape demands even stronger measures, with Mrs Teo emphasising that “we must do more to keep pace with the changes in the OT threat landscape.
Facing the cyber threat head on
In recent years, the OT cybersecurity landscape has been rocked by the emergence of advanced threats like Industroyer2 (which cut power to a fifth of Kyiv for an hour in 2016), Pipedream (2022) in 2022 and recent discoveries of Fuxnet9 (May 2024) and FrostyGoop10 (July 2024).
These ICS-specific malwares, though rare, have the potential for catastrophic consequences. The stakes are higher than ever, with threat actors increasingly motivated by financial gain, as seen in the EKANs ransomware family which disrupted Honda’s factory plants.
More recently, the CrowdStrike event, which impacted nearly 8.5 million Microsoft devices, underscores how IT issues can spill over to OT systems, grounding flights14 and disrupting train operations.
These developments and the rapid digital transformation and adoption of IIoT systems further expand the attack surface, emphasize the need for a revised cybersecurity Masterplan to enhance cyber defences.
Revisiting Masterplan 2019 – a foundation for success
Launched in 2019, the original OT Cybersecurity Masterplan laid the groundwork for securing Singapore’s essential services.
Focused on enhancing people, process, and technology, the plan delivered key initiatives like OT cybersecurity training, threat intelligence sharing via OTISAC, strengthened policies, and adoption of cutting-edge technologies through public-private partnerships.
Masterplan 2024 – building on success
Recognising the shifts in the threat landscape, the Masterplan 2024 builds on the achievements of the 4 key thrusts from the inaugural plan. These are some highlights:
-
Thrust 1: OT cybersecurity training – Expanded programs to cover management and foundational courses, ensuring a sustainable pipeline of OT cybersecurity professionals through specialized education and accreditation.
-
Thrust 2: OT-ISAC enhancement – Improved threat intelligence exchange and streamlined incident reporting to boost greater participation and collaboration.
-
Thrust 3: Strengthening policies and processes – Encouraging non-critical information infrastructure (non-CII) organizations to adopt relevant sections of the Cybersecurity Code of Practice (CCoP) to enhance their defences.
-
Thrust 4: Adopting technologies for cyber resilience – Establishing an OT Cybersecurity Centre of Excellence (OT CoE) for real-world cybersecurity testing and promoting secure-by-deployment principles throughout the OT system lifecycle.
Looking ahead – securing the future together
The 2024 Masterplan introduces forward-looking strategies, such as the co-created secure-by-deployment approach, engaging 1418 OEMs and system integrators to ensure cybersecurity from design to deployment.
It also places a renewed focus on consequence management, adapting guidelines to prepare for the worst-case scenarios, ensuring that OT systems can withstand and recover from potential breaches.
The plan’s expanded scope now includes operators of OT technologies supporting physical control functions, like IoT and IIoT devices, reflecting the complex nature of supply chain risks.
Strategic partnerships, like those with the SANS Institute20 and Fortinet21, further deepen capabilities, ensuring that Singapore remains at the forefront of OT cybersecurity.
The evolving cyber threat landscape poses global challenges that demand a unified response. According to Dragos, Inc.’s 2023 Cybersecurity Year in Review, the number of threat groups has nearly doubled since 201923, highlighting the urgent need for coordinated action.
As cyber threats continue to evolve, Singapore’s Masterplan 2024 stands as a global example of what’s possible through collective action. It’s not just about responding to current threats; it’s about proactively shaping a resilient future. Success will require everyone, government, industry, and individuals alike, to step up and lead the charge.
