Singapore's emphasis on the security of its critical infrastructures is necessary to safeguard general public safety and compel these systems to keep pace with current security landscape.
The country's proposed cybersecurity bill, unveiled last month, outlined measures to protect local critical information infrastructures (CIIs) and ensure swift response to threats and incidents. It listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.
The bill formalised the duties of CII operators, detailing their responsibilities that included providing information on the technical architecture of the CII, carrying out regular risk assessments of the CII, complying with codes of practice, and reporting of cybersecurity incidents "within the prescribed period" after the event.
The focus on CII was important especially since many such systems such as water and power typically were built to last a long time, said Foo Siang-Tse, managing director of Singapore-based cybersecurity vendor Quann. He pointed to 2016 reports that the US Pentagon still was using computing systems that required eight-inch floppy disks.
Infrastructures in these industries often had not caught up with the technology currently used in other sectors, even though system availability for these networks was especially critical, Foo said in an interview with ZDNet.
He underscored the need of heightened awareness of where vulnerabilities were and for CII owners to perform vulnerability assessments of their systems, so potential leakages could be identified and plugged.
He also pointed to the need to monitor operational technology (OT) systems, so operators were aware of abnormalities. "OT systems are expected to run in a stable and consistent manner, so if something is out of the ordinary, sensors should be able to pick it up, including things like port scanning," he said. A big part of Quann's products and services focused on OT, which Gartner defined as hardware and software that detected or triggered a change through direct monitoring or control of physical devices within an organisation.
In addition, CII systems such as telecommunication infrastructures were critical in ensuring public safety networks, used by first responder and emergency services, remained up and running.
In recent years, such networks had advanced alongside improvement in LTE coverage. Citing ABI Research, Sandeep Girotra, Nokia's Asia-Pacific Japan senior vice president, said LTE-based public safety networks already were in more advanced stages in developed nations expected to be in most markets by 2020.
Public safety networks required special considerations that were not necessarily supported by regular enterprise mobile networks, such as mission critical communications after a natural disaster, Girotra told ZDNet. Instant video connectivity needed for CCTV surveillance, too, had much higher requirements for capacity and speed.
"Public safety communications need to be given priority over any other voice or data traffic in busy 4G LTE networks," he said. "A vital step in the transition towards LTE-based public safety networks is to give priority to first responders and their command centres, allowing them to share mission-critical information in emergency situations."
He added that LTE-based public safety networks would further benefit from running on the same frequency bands as commercial LTE networks, so devices that supported the latter could continue to operate in an emergency situation.
Never assume you won't be breached
Girotra noted that while Singapore had been ramping up its efforts in cybersecurity, recent breaches involving the Ministry of Defense and local universities indicated the country would continue to face continuous threats.
Vulnerabilities could emerge from lack of comprehensive security strategy that encompassed all network layers, applications, and devices. These, he said, should include network design and integration, optimisation, and management. Scalability, in particular, was critical, he said, adding that public safety features should be available as software upgrades, so networks could support future requirements.
More importantly, Foo urged, countries and organisations must adopt a security-by-design mindset and ensure any IT or operating system was developed with cybersecurity topmost in mind.
"You can design an architecture so that it reduces the threat surface and build in sensors to monitor critical systems as well as put in place emergency response plans," he explained, adding that such plans also should be regularly practised and tested.
He also stressed the need for Asia-Pacific markets, in particular, to change and stop assuming they could prevent breaches. He noted how, in matured digital economies such as North America, there was general acceptance that security breaches would occur and the focus then was on how to deal with such incidents.
Asia, though, mostly took on a different mindset and focused instead on prevention, he said. This could have harmful spillover effects where, for instance, organisations that adopted such thinking might not put sufficient effort in ensuring they implemented a well though-out emergency response action plan, Foo warned.
He revealed that he still encountered customers in Singapore that subscribed to the mantra to "make sure we don't get breached".
He further underscored the need to adopt a security-by-design as the country pushed on with its smart nation efforts, especially as testbeds and trials were rolled out.
The challenge here would be that security might end up as an afterthought, Foo said, noting that various government agencies and companies would be involved in such pilots--each with different priorities and considerations for security.
Girotra also stressed the need for Singapore to regard security as a critical factor in driving its smart nation vision, especially since robust networks were needed to support millions of connected devices and user experience across different industries.
Emerging technologies, too, could be integrated to beef up capabilities in public safety. Drones, for instance, could be used in floods and earthquakes to stream video and other sensor data in real-time from the disaster area to control centres as well as assist in rescue operations, said Girotra.
He noted that wearable technology also could help ensure the safety of first responders and emergency services personnel, providing valuable information about their surroundings and improving their situational awareness where visibility might be limited.
In addition, data sensors would facilitate real-time monitoring and predictive maintenance of equipment, while remotely controlled autonomous robots could be deployed to identify problems that would otherwise by challenging or dangerous for humans to perform.