OT Cybersecurity and Interconnectivity
As Singapore embraces interconnectivity, the volume of malicious cyber activities is growing. Gartner, the world’s leading research advisory company predicts worldwide spending on OT cybersecurity management to reach $133.7billion by 2022. Singapore remains one of the most targeted countries in the world therefore have an increased risk to Operational Technology (OT).
The government of Singapore has taken steps to address the inadequate measures that most organisations have in place to mitigate these risks setting new stringent standards. These requirements can be best be met with an integrated solution, like Asset Guardian, that would allow organisations to leverage the benefits of a cybersecurity management system (CSMS) around key areas such as configuration change, compliance management, obsolescence management, version control and disaster recovery.
The Increasing Threat to Smart Cities
A smart city is a municipality that uses both information and interconnected technologies to improve operational efficiency across all industry sectors.
Operational Technology interfaces with the physical world through Industrial Control Systems (ICS) therefore it’s hard to imagine what life would be like without it. Smart robotics would no longer guarantee the accuracy of movements across pharmaceutical industries. Smart energy technology would no longer provide improved connectivity across the power network. Without precision farming, there would be lower crop yields.
Therefore OT systems have a significant impact on our everyday lives.
In 2019, over 11 million cyber-attacks launched against Singapore from servers operating inside the country and some of these attacks compromised its infrastructure. In 2019, personal data belonging to over 2400 Ministry of Defence and Singapore Armed forces (SAF) personnel was compromised. This was due to a series of email phishing scams. The threat facing the country, and the global OT environment is real.
OT systems are an attractive target as they are essential to the running of critical infrastructure. According to McAfee findings there is an average cost of $1.7 million per cyber-breach for organisations in Singapore. Consequently, they remain constantly on “high” alert.
Singapore’s OT Cybersecurity Masterplan
The global trend of malicious cyber-attacks is showing no sign of lessening yet Gartner reported that only 53% of businesses have an effective cybersecurity management strategy in place.
The Singapore Cybersecurity Agency (CSA) launched its OT Cybersecurity Masterplan in 2019. It provides guidance to professionals working in OT environments. The aim is to develop greater understanding of the cybersecurity landscape in Singapore.
The three objectives of the masterplan are to:
- Create awareness of the OT challenges faced across Industries within Singapore.
- Allign the efforts of OT cybersecurity initiatives and to address cyber-threats.
- Guide the development of effective cybersecurity initiatives, solutions, and to encourage partnerships with industry leaders and stakeholders.
The Masterplan highlights that people processes and technology are crucial to any organisation who are fighting the battle against cyber-threats. The government has set out four key thrusts in order to uplift the countries’ cybersecurity posture:
- OT Cybersecurity Training – Singapore’s Cybersecurity Academy (CSA) was set up in 2017 to train and prepare the Government and Critical Information Infrastructure (CII) sectors.
- OT Cybersecurity Information Sharing and Analysis Centre (ISAC)- The Singapore Cybersecurity Academy formed the Information Sharing and Analysis centre (ISAC) comprising members of the Singapore Government, CII, and OT industriesto drive knowledge and exchange.
- Strengthening Policies and Processes – Singapore’s Cybersecurity Act came into force in 2018. This sets out to CII owners their obligation to protect data and networks from cyber threats against OT systems. Adopting Technologies for Cyber Resilience
- Adopting Technologies for Cyber Resilience – The Masterplan encourages the development of innovative solutions and partnerships around the world.
The power of a Cybersecurity Management Systems (CSMS)
Singapore’s Masterplan highlights the need for improved cyber preparedness and serves as a blueprint providing strategic direction. Yet it fails to address the importance of a cybersecurity management system (CSMS).
A CSMS, defined by IEC 62443, the global standard for the security of Industrial Control Systems, directly addresses OT security issues for Industrial Automation and Control Systems (IACS). A CSMS regards ‘operation suspension’ as the most important event to avoid. It emphasises ‘Operational Availability, Integrity, and Confidentiality’ (AIC) whilst simultaneously putting ‘Health, Safety, and Environment’ (HSE) as a priority.
The Singapore Cybersecurity Act 2018 places emphasis on having a risk-management framework that complies with the legislation, regulations and guidelines defined by different Industries, and asset management and protection requirements.
An Asset Guardian CSMS would improve operations and reduce risk significantly, whilst allowing the Singapore government to meet the requirements set out by the Singaporean Masterplan.
OT systems are becoming more sophisticated therefore they are more prone to threats. The worrying realisation is that many organisations still don’t have an effective CSMS in place or are understand their importance.
Asset Guardian is a unique integrated software solution. Its core features include software repository, compliance management, configuration change and disaster recovery. With advanced functionality around obsolescence management and cyber security, it meets the needs of the control and automation industry.
As such, it is the leading partner of choice for industry leaders across industries. This includes oil and gas, chemical processing, power generation, renewable energy, pharmaceuticals, and food and beverage.
Asset Guardian’s core features allow it to act as a CSMS, designed to help organisations meet both national and international global standards, relevant to their own country. These include IEC 624430, NIST Cyber Security Framework, NIS Directive, OG86 and CIS CSC.
Recently, a number of Asset Guardian customers have chosen Asset Guardian to act as their cybersecurity risk management framework and additionally they have chosen to utilise the benefits the core features bring, giving them a fully integrated solution.
Furthermore, many customers have rolled Asset Guardian out as a global CSMS solution especially those managing a large number of OT assets around the world. The benefit they have is assessing and mitigating risk globally. Having the same global strategy allows Asset Guardian customers to reduce their costs while ensuring robust protection of their OT assets.
IEC 62443 Compliance
An effective cybersecurity management system (CSMS) will protect the entire IACS and it should contain all cyber inventory. This includes devices, network zones, connections, operating systems, firmware versions, and installed applications.
The core features of Asset Guardian allow it to act as a CSMS for organisations. It retains all information and cross-links to installed software versions. Asset Guardian then cross references the cyber inventory against known vulnerabilities. Users will receive automatic notifications and reports highlighting risks.
Asset Guardian employs a phased approach towards compliance. Audit and Assess, Stabilise and Secure, Manage and Maintain, Review and, Revise. Findings and resolutions from one phase are then employed into the next.
Asset Guardian also works with front line network monitoring tools such as Claroty and Radiflow. These can scan and protect OT networks and the data then allows users to achieve asset inventory management and vulnerability tracking. It also includes software version control and change management, functional safety, disaster recovery, and obsolescence management.
Cybersecurity management is an opportunity for OT leaders to protect their entire IACS assets. It shouldn’t be looked at as an exercise that is going to bring great costs to organisations, but as a proactive measure to change all aspects of control system management , that are crucial to protecting OT systems.
For further information on Asset Guardian, please contact firstname.lastname@example.org