Increased digitalization and connectivity have fuelled automation in OT sectors, such as power, oil and gas, water, and manufacturing. These industries also gain greater efficiency through adopting common protocols and operating systems.
However, as these sectors move from heterogeneous environments toward standardized software stacks, the homogeneity allows adversaries to achieve better scalability, said Robert M. Lee, CEO of US-based cybersecurity vendor Dragos, which specializes in OT and industrial control systems.
This will lead to more repeatable and cross-industry OT attack toolkits, he noted. Coupled with a wider attack surface from increased connectivity, OT networks face greater odds of falling victim to an attack, cautioned Lee, who was speaking Tuesday via video link at the OT Cybersecurity Expert Panel Forum held in Singapore.
Even now, OT sectors are increasingly targeted. Just five years ago in 2018, Dragos identified six to seven state-actor groups that were explicitly focused on OT and industrial control systems. This number has since climbed to at least 22 groups, and more state-actor networks are realizing the viability of targeting OT sectors, said Lee, who has testified at several US congressional briefings.
While the general IT threat landscape has seen a higher frequency of attacks than OT, the consequences are more costly if OT systems are compromised, potentially impacting lives and economies, he said.
There were 605 ransomware attacks against industrial organizations last year, up 87% over the previous year, according to Dragos.
Amid the evolving threat landscape, it is imperative that governments work to beef up the resiliency of their CII and OT sectors.
However, the country still needs to further ramp up such efforts as the threat OT sectors face is "unrelenting and constantly evolving", said David Koh, cybersecurity commissioner and chief executive of Singapore's Cyber Security Agency (CSA), which has hosted the annual forum since 2021.
"Threat actors have demonstrated persistence and improved capabilities to conduct malicious cyber activities against OT systems," Koh said.
"Successful compromise of these systems, of which the delivery of essential services depends on, would jeopardize our national security, public and environmental safety, and the economy. The stakes are too high for us to ignore, and we need to do more."
The collaboration will include architecture reviews and risk assessments of the Asian country's OT CII sectors, as well as threat-hunting initiatives. The partnership will also look to strengthen these sectors' and CSA's ability to detect and respond to OT cybersecurity attacks.
Singapore is also working with the US Cybersecurity and Infrastructure Security Agency (CISA) this week to run a four-day training course on OT security, which gathered some 40 participants from Asean, Bangladesh, and Maldives.
The Singapore-Industrial Control Systems Cybersecurity 301 program touches on theories, concepts, and hands-on experience for securing OT networks and CII systems, including energy and manufacturing.
Running through the entire week, the training course will include "red and blue" teams or offensive-defensive security exercises based on a secure water testbed, held at Singapore University of Technology and Design's iTrust laboratory. These exercises aim to enable participants to analyze cybersecurity attacks using real-world scenarios involving OT systems.
The course instructors are cybersecurity experts and educators from CISA, CSA, polytechnic, and CSA's training partner Tegasus.
CSA in 2016 signed its first memorandum of understanding on cybersecurity cooperation with the US Department of Homeland Security, which was renewed in 2021. The partnership agreement covers various areas, including intelligence sharing, incident response, CII protection, and capacity building.
Koh added that emerging technologies are paving the way for new possibilities in cybersecurity, including AI-powered threat detection and quantum-resistant encryption. "[These] present tremendous potential to drive innovation that can bring significant improvements to our cyberdefence capabilities," he said.
What works in IT may not work in OT
Noting that IT security best practices do not necessarily function as well in OT environments, Lee cautioned OT organizations against blindly "copying and pasting" IT security measures. Doing so is more likely to cause significant disruption and bring down OT systems than safeguard them against threat actors, he said.
Singapore's Minister for Communications and Information Josephine Teo added that OT systems had traditionally been placed in air-gapped environments, and managed and monitored separately from internet-facing IT systems. This approach changed with the acceleration of digitalization in OT industries, with companies tapping IT products and services to streamline and enhance operational efficiencies.
Teo said at the forum: "Unfortunately, the same technologies that enable OT operators to readily control their systems via a web interface can also allow bad actors to hijack OT systems and manipulate them to cause damage and disruption."
Singapore aims to address these issues by focusing on three key areas spanning technology, talent, and collaboration, the minister said. Advances in artificial intelligence and machine learning, for instance, may present new threats as cybercriminals can use tools such as ChatGPT to craft more convincing phishing email messages at scale.
However, AI also offers opportunities to enhance a country's defensive capabilities, she said, adding that quantum computing can provide better ways to encrypt data and secure communications for both IT and OT systems.
"As a community, we should harness these technologies to improve our collective defences," she said.
Teo added that Singapore also will need to beef up its skillsets in OT and IT security, as well as drive collaboration across government, industry, and academia. This focus is necessary to strengthen interdisciplinary expertise and partnership mechanisms to respond effectively to emerging threats, Teo said.
"Cybersecurity is, after all, an international team sport and we can only win if we're playing as one against our common enemy," she said.
This approach should also encompass cooperation in the creation of technical standards, she noted: "Technical standards are important to any industry, [helping] companies to promote public trust in the industry's products and services."