Singapore talks up OT security, looks to add medical devices to labelling scheme

Singapore reiterates the need to safeguard operational technology systems and is looking to expand its cybersecurity labelling scheme to include medical devices that handle sensitive data and connect with other systems.
Written by Eileen Yu, Senior Contributing Editor

Singapore is looking to expand its cybersecurity labelling programme to include medical devices, specifically, those that handle sensitive data and can communicate with other systems. It also reiterates the need to safeguard operational technology (OT) systems and build up the necessary skillsets to do so. 

OT systems traditionally were designed as standalone infrastructures and not connected to external networks or the internet. The need for better efficiencies and functionalities, however, had driven the convergence of IT and OT systems. 

Remote monitoring and data sharing for insights, for instance, brought about more efficiencies, but these also came at a cost as they widened the attack surface, said David Koh, Singapore's cybersecurity commissioner and chief executive of Cyber Security Agency (CSA).  

Once in a safe air-gapped operating environment, OT systems now were open to potential cyber attacks and breaches could have real-world impact, noted Koh, who was speaking at ISC2's Secure Singapore conference held Wednesday. To mitigate such threats, he underscored the need to build up the necessary skilsets to manage the convergence of IT and OT systems. 

With both sides traditionally run and managed separately, these teams now would need to understand how IT systems were deployed to support essential services, such as water and power plants. Such skillsets also should encompass knowledge of business processes and interdependencies that went beyond the technical aspects, he said. 

Zachary Tudor, associate laboratory director of Idaho National Laboratory's National and Homeland Security, concurred, pointing to the need for managers who understood the security risks from the convergence of IT and OT. 

C-suite executives also needed to be educated about the business risks and consequences of the interdependencies between the two realms, said Tudor, who also is ISC2's board chairperson. 

Koh said Singapore tweaked its cybersecurity strategy in recognition of the convergence, embedding an OT security masterplan that focused on bolstering processes, infrastructures, and talent to address potential risks. Its OT Cybersecurity Competency Framework provided guidelines of cybersecurity skills and technical competencies required for OT industry sectors, which included those in critical information infrastructure (CII) markets such as water, healthcare, maritime, and energy.

CSA earlier this week unveiled a scholarship programme for up to 80 qualified candidates enrolled in the Singapore University of Technology and Design's Master of Science in Security by Design. The initiative was part of the government's efforts to drive OT cybersecurity skills development. 

Plans to expand labelling scheme to healthcare

Koh also pointed to the need to help the general public make more informed choices with regards to security, in particular, in purchasing Internet of Things (IoT) devices. 

He noted that consumers would buy such products without much awareness because the device's security posture typically was opaque, with little information provided, and the spotlight placed instead on its features and price. 

CSA launched a Cybersecurity Labelling Scheme (CLS) to address this and adoption had been better than expected, with a range of manufacturers expressing interest in participating in the voluntary programme, he said. First introduced for home routers, the initiative later was expanded to include all consumer IoT devices, such as smart lights and door locks. 

Koh revealed that plans now were underway to further expand the CLS to medical and healthcare devices. Security was critical here as such devices could affect one's health and potentially result in personal injury, he said. 

According to a CSA document detailing the pilot CLS for medical devices, such devices would fall under the scheme if they handled sensitive data such as personal identifiable information and had the ability to "collect, store, process, or transfer data". They also would be connected to other systems and services, with the ability to communicate using wired or wireless networks either autonomously or manually. 

Singapore in May announced plans to set up a SG$19.5 million ($13.99 million) centre to facilitate vulnerability assessment of software and hardware products, physical hardware attacks, and security measures. The centre would work with CSA and Singapore Accreditation Council to develop relevant accreditation programmes, including IT testing programmes that facilitated initiatives such as CLS.

According to CSA, as of end-April, more than 200 products had been submitted for labelling under the programme. 

Koh added that countries such as Germany, Australia, the US, and the UK had approached Singapore to establish mutual recognition of similar labelling and certification schemes in the respective global markets. Such bilateral recognition would reduce the need for duplicated testing, he said.

Singapore and Finland last October inked an agreement to do so for each country's IoT cybersecurity labels.


Editorial standards