Industrial networks need better security as attacks gain scale
Nations will need to beef up security of their critical information infrastructures (CII) and operational technology (OT) systems as a move toward common standards gives hackers greater ability to scale up their attacks.
Increased digitalization and connectivity have fuelled automation in OT sectors, such as power, oil and gas, water, and manufacturing. These industries also gain greater efficiency through adopting common protocols and operating systems.
Also: The best VPN services (and tips to choose the right one for you)
However, as these sectors move from heterogeneous environments toward standardized software stacks, the homogeneity allows threat adversaries to achieve better scalability, said Robert M. Lee, CEO of US-based cybersecurity vendor Dragos, which specializes in OT and industrial controls systems.
This will lead to more repeatable and cross-industry OT attack toolkits, he noted. Coupled with a wider attack surface from increased connectivity, OT networks face greater odds of falling victim to an attack, cautioned Lee, who was speaking Tuesday via video link at the OT Cybersecurity Expert Panel Forum held in Singapore.
Even now, OT sectors are increasingly targeted. Just five years ago in 2018, Dragos identified six to seven state-actor groups that were explicitly focused on OT and industrial control systems. This number has since climbed to at least 22 groups and more state-actor networks are realizing the viability of targeting OT sectors, said Lee, who has testified at several US congressional briefings.
Also: Singapore cautions against security risks ahead of presidential election
While the general IT threat landscape has seen higher frequency of attacks than OT, there are more costly consequences if OT systems are compromised, potentially impacting lives and economies, he said.
There were 605 ransomware attacks against industrial organizations last year, up 87% over the previous year, according to Dragos.
Amid the evolving threat landscape, it is imperative that governments work to beef up the resiliency of their CII and OT sectors.
Singapore in 2021 updated its cybersecurity strategy with heightened focus on OT, providing a framework to build up skillsets and technical competencies. The national security roadmap also included efforts to work with CII operators to better safeguard local critical infrastructures.
However, the country still needs to further ramp up such efforts as the threat OT sectors face is "unrelenting and constantly evolving", said David Koh, cybersecurity commissioner and chief executive of Singapore's Cyber Security Agency (CSA), which has hosted the annual forum since 2021.
Also: What is phishing? Everything you need to know
"The growing convergence between IT and OT systems expands the attack surface and introduces new risks that must be mitigated," Koh said.
"We cannot rely on old answers to address new challenges we face. We need to look to innovation and creativity to come up with novel solutions to solve new and emerging cybersecurity challenges."
He pointed to the Stuxnet worm discovered in 2010, the Ukraine power grid attack in 2015, and the discovery of the Pipedream malware toolkit last year.
"Threat actors have demonstrated persistence and improved capabilities to conduct malicious cyber activities against OT systems," Koh said.
"Successful compromise of these systems, of which the delivery of essential services depends on, would jeopardize our national security, public and environmental safety, and the economy. The stakes are too high for us to ignore, and we need to do more."
Also: How to stay safe on public Wi-Fi: 5 important tips
CSA on Tuesday inked a three-year partnership with Dragos to beef up Singapore's capabilities in OT security, encompassing threat intelligence, risk assessment, incident response, and training.
The collaboration will include architecture reviews and risk assessments of the Asian country's OT CII sectors, as well as threat-hunting initiatives. The partnership will also look to strengthen these sectors' and CSA's ability to detect and respond to OT cybersecurity attacks.
Singapore is also working with the US Cybersecurity and Infrastructure Security Agency (CISA) this week to run a four-day training course on OT security, which gathered some 40 participants from Asean, Bangladesh, and Maldives.
The Singapore-Industrial Control Systems Cybersecurity 301 program touches on theories, concepts, and hands-on experience for securing OT networks and CII systems, including energy and manufacturing.
Running through the entire week, the training course will include "red and blue" teams or offensive-defensive security exercises based on a secure water testbed, held at Singapore University of Technology and Design's iTrust laboratory. These exercises aim to enable participants to analyze cybersecurity attacks using real-world scenarios involving OT systems.
The course instructors are cybersecurity experts and educators from CISA, CSA, polytechnic, and CSA's training partner Tegasus.
Also: Best secure browsers to protect your privacy online
CSA in 2016 signed its first memorandum of understanding on cybersecurity cooperation with the US Department of Homeland Security, which was renewed in 2021. The partnership agreement covers various areas, including intelligence sharing, incident response, CII protection, and capacity building.
Koh added that emerging technologies are paving the way for new possibilities in cybersecurity, including AI-powered threat detection and quantum-resistant encryption. "[These] present tremendous potential to drive innovation that can bring significant improvements to our cyberdefence capabilities," he said.
What works in IT may not work in OT
Noting that IT security best practices do not necessarily function as well in OT environments, Lee cautioned OT organizations against blindly "copying and pasting" IT security measures. Doing so is more likely to cause significant disruption and bring down OT systems than safeguard them against threat actors, he said.
Singapore's Minister for Communications and Information Josephine Teo added that OT systems had been traditionally placed in air-gapped environments, managed, and monitored separately from internet-facing IT systems. This approach changed with the acceleration of digitalization in OT industries, with companies tapping IT products and services to streamline and enhance operational efficiencies.
Teo said at the forum: "Unfortunately, the same technologies that enable OT operators to readily control their systems via a web interface can also allow bad actors to hijack OT systems and manipulate them to cause damage and disruption."
Also: The easiest thing you can do to keep your phone secure
Singapore aims to address these issues by focusing on three key areas spanning technology, talent, and collaboration, the minister said. Advances in artificial intelligence and machine learning, for instance, may present new threats as cybercriminals can use tools such as ChatGPT to craft more convincing phishing email messages at scale.
However, AI also offers opportunities to enhance a country's defensive capabilities, she said, adding that quantum computing can provide better ways to encrypt data and secure communications for both IT and OT systems.
"As a community, we should harness these technologies to improve our collective defences," she said.
Teo added that Singapore also will need to beef up its skillsets in OT and IT security, as well as drive collaboration across government, industry, and academia. This focus is necessary to strengthen interdisciplinary expertise and partnership mechanisms to respond effectively to emerging threats, Teo said.
"Cybersecurity is, after all, an international team sport and we can only win if we're playing as one against our common enemy," she said.
This approach should also encompass cooperation in the creation of technical standards, she noted: "Technical standards are important to any industry, [helping] companies to promote public trust in the industry's products and services."