Cyber Security
Dr Vivian Balakrishnan, Minister for Foreign Affairs and Minister-in-charge of the Smart Nation Initiative, speaking at KeyNote at IoT Asia 2017. Photo Credit: IoT Asia 2017
of innovation, competitive pressures and technological complexities, and require lengthy consultation time to be passed. Managing to the timeline of regulations or legislations may not adequately prepare organization for preventing major industrial incidents to occur. People, Policy, Technology – Weakest Link? While a single point of compromise in the network may open up extended access due to legacy access-controls linking the interconnected assets, it is also important to consider the “People” aspect. This was among the points brought up by Mr. Manuel Diez, TÜV Rheinland, speaking at the Asia ICS Cyber Security Conference. Clear roles and responsibilities (“who is doing what”) and training on “what not to do” are critical governance elements in a robust cyber security framework, said Mr Manuel Diez. Whilst technology and policies can be tirelessly reviewed, assessed and updated, human factor remain the weakest links. Establishing a mutual understanding of “IT” and “OT” teams (information technology and operational technology) is critical to combine Cyber Security and Functional Security in the long run. For effective collaboration to take place between the two, a shared ideology in security, anchored by a strong culture in communication will be necessary. Reconnaissance campaigns are getting more sophisticated and well-organised, and malware growing more complex, with obfuscations and anti-spam detection techniques such as embedding code in legitimate-looking displays, other codes or even music lyrics. Once these are embedded in the organization, it is often too late to eradicate. The first line of defense, therefore, is preventing the malware from penetrating and blending into the organization’s assets. Training on social engineering tactics, and phishing attack scenarios – such as not enabling macros in documents, opening attachments from unverified sources, checking the addresses when replying to emails should form part of the formal Cyber awareness policies. And these lessons are equally relevant to the operational technology teams who use tools which are highly susceptible to phishing attacks – such as the HMIs or other diagnostic tools to control the industrial processes. Without training on specific ICS threats and cyber security standards, they cannot be expected to maintain a secure ICS environment. Building a Resilient Infrastructure in Singapore The Ukraine incident highlights the need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures to reduce risks of Cyber-Physical attacks. Singapore has launched the Singapore’s Cyber Security Strategy, in which “Building a Resilient Infrastructure in Singapore” forms a key pillar. As an international financial, shipping and aviation hub, Singapore also houses critical systems that transcend national borders, such as global payment systems, port operations systems, and air-traffic control systems. Successful attacks on these supra-national
20 | Asia Pacific Security Magazine
CIIs can have disproportionate effects on the trade and banking systems beyond Singapore’s shores. Mr Lim Thian Chin, Head of Critical Information Infrastructure (CII) Protection at the Cyber Security Agency of Singapore (CSA) referred to the Cybersecurity Act within the Singapore’s Cyber Security Strategy, to be introduced later this year, which will: • Require CII owners and operators to take responsibility for securing their systems and networks. This includes complying with policies and standards, conducting audits and risk assessments, and reporting cybersecurity incidents. CII owners and operators will also be required to participate in cybersecurity exercises to ensure their readiness in managing cyber incidents; and • Facilitate the sharing of cybersecurity information with and by CSA. Recognising that cybersecurity breaches will happen despite our best efforts, the Act will empower CSA and sector regulators to work closely with affected parties to expeditiously resolve cybersecurity incidents and recover from disruptions. CSA has been and will continue to work closely with sector regulators, CII stakeholders and industry players in formulating detailed proposals for the new Act. A key principle is to adopt a risk-based approach to cybersecurity, and to build in sufficient flexibility to take into account the unique circumstances and regulations in each sector. In his concluding remarks at IoT Asia 2017 at the Singapore Expo, Dr Vivian Balakrishnan, Minister for Foreign Affairs and Minister-in-charge of the Smart Nation Initiative, he noted that, while the nation is embarking on a digital revolution, “we need to be mindful that cybersecurity is still the biggest elephant in the room. We have all heard of the cyber-attack on Dyn last year which brought down Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and many other popular sites and services. In Singapore, StarHub told us that their subscribers experienced a similar attack. Internet-connected devices of StarHub customers, such as video cameras, routers and DVR players, were taken over by hackers and used for an attack on the domain name system. So critical control systems need to be protected even as we make them smarter. We need to ensure that our digital identity framework, our e-transaction platforms are secure and robust.”