Singapore Launches Updated National Operational Technology Cybersecurity Masterplan

Introduction

 

The updated national Operational Technology (“OT”) Cybersecurity Masterplan (“OT Masterplan 2024”) was launched by Mrs Josephine Teo, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity, at the fourth edition of the Singapore Operational Technology Cybersecurity Expert Panel Forum on 20 August 2024. It outlines Singapore’s plans to boost the technical cybersecurity capabilities and competencies of the OT sector.

 

Operational technology is integral to the functioning of critical information infrastructure (“CII”) sectors such as energy, transportation, and manufacturing, enabling the efficiency and reliability of functions that are foundational to modern society. However, the growing sophistication of cyber threats poses significant risks to OT systems, and can lead to disruptions to essential services, economic losses, and safety hazards. Since the OT Masterplan was initially introduced in 2019, the cyber risk environment has become increasingly hazardous. The updated OT Masterplan 2024 thus aims to tackle new cyber threats to OT systems and to further enhance the security and resilience of stakeholders.

 

The OT Masterplan 2024 outlines the main initiatives under three areas – People, Process and Technology. The key thrusts in the updated OT Masterplan 2024 are as follows:

 

  1. Improve OT cybersecurity professional competency and pipeline;
  2. Enhance information sharing and reporting;
  3. Uplift OT cybersecurity resilience beyond CII; and
  4. Establish an OT cybersecurity centre of excellence and promote Secure-by-Development principles throughout the life cycle of the OT system.

 

This Update provides a summary of the key features of the OT Masterplan 2024.

 

Background

 

The OT Masterplan was first launched in 2019. Its aim was to:

  1. Create awareness on the People, Process and Technology challenges faced by the OT community in relation to cybersecurity;
  2. Align efforts of OT stakeholders to enhance cyber resilience; and
  3. Strengthen partnerships with the industry and stakeholders via OT cybersecurity initiatives.

 

Since then, the OT cyber threat landscape has undergone much change. The key shifts include:

 

  1. Evolution and escalation of attacks against OT, with increased targeting and vulnerability of OT systems;
  2. Evolving tactics and strategies of Advanced Persistent Threats;
  3. Rise in cyber criminals exploiting OT systems for financial gain;
  4. Intensified activities and improved capabilities of hacktivist groups;
  5. Expanded attack surfaces and new risks with the adoption of new technologies such as edge computing and Internet of Things (IoT) integration;
  6. Growing cyber-physical risks with the prevalence of OT systems becoming more digitally connected in critical sectors; and
  7. Growing recognition that OT cyber threats impact both CII and non-CII stakeholders.

 

The updated OT Masterplan 2024 thus seeks to keep up with evolving cyber threats and risks, as well as to expand its scope to uplift the cyber resilience of the non-CII organisations.

 

Key Thrusts and Areas of Focus

 

The OT Masterplan 2024 outlines updated efforts to uplift cybersecurity posture under the following key thrusts:

 

  1. Enhancing the OT cybersecurity talent pipeline

 

The OT Masterplan 2024 has identified a lack of OT cybersecurity manpower and the need to ensure a competent OT cybersecurity workforce. The Cyber Security Agency of Singapore (“CSA”) thus intends to improve the OT cybersecurity professional competency and pipeline through initiatives such as:

 

  • Including OT cybersecurity in the professionalisation framework that CSA is developing for Singapore;
  • Profiling OT cybersecurity in CSA’s Cybersecurity Education & Learning Guide to aid assessment and planning for a cybersecurity career;
  • Expanding OT cybersecurity training to include foundational and management-level courses; and
  • Encouraging the use of the OT Cybersecurity Competency Framework as a competency and career pathway.

 

  2. Enhancing information sharing and reporting

 

The OT Masterplan 2024 highlights the importance of strengthening the situational awareness of Singapore’s cyberspace so as to protect Singapore’s CII and other OT infrastructure. CSA intends to pursue efforts including:

 

  • Accelerating information sharing by streamlining the sharing process and enhancing collaboration with the OT Cybersecurity Information Sharing and Analysis Center (OT-ISAC) and sector regulators to create a comprehensive and effective threat intelligence ecosystem; and
  • Exploring mechanisms to facilitate cybersecurity incident reporting (e.g. confidentiality or protection from liability) to encourage businesses to come forward.

 

  3. Uplifting OT cybersecurity resilience beyond CII

 

Cyber risks impact not only CII, but other important OT systems as well. The OT Masterplan 2024 will focus on both CII and non-CII sectors in recognition of the widespread and complex nature of cybersecurity dependency. Some of the initiatives CSA intends to pursue include:

 

  • Developing a data-driven model to increase visibility into the cyber supply chain ecosystem that is applicable to both CII and non-CII sectors;
  • Updating guidelines such as the “Guide to Conducting Cybersecurity Risk Assessment” to highlight consequence-based scenarios to assist organisations in handling adverse events more resiliently;
  • Promoting relevant technical references (e.g. TR 111:2023) to secure cyber-physical systems for building infrastructure; and
  • Encouraging non-CII OT operators to consider relevant sections of the Cybersecurity Code of Practice to manage OT cybersecurity risks.

 

  4. Promoting Secure-by-Development principles

 

The OT Masterplan 2024 acknowledges the importance of adopting the Secure-by-Deployment principles in safeguarding the lifecycle management of OT systems. In light of this, CSA intends to:

 

  • Collaborate with Original Equipment Manufacturers (“OEMs”) to establish an OT Cybersecurity Centre of Excellence to support research into OT cybersecurity technologies and develop appropriate solutions; and
  • Collaborate with OEMs, solution partners, system integrators and asset owners to incorporate Secure-by-Development principles from product design, configuration, deployment, and maintenance.

 

Concluding Words

 

Amidst the constantly changing landscape of cyber risk and threats to OT systems, the OT Masterplan 2024 provides an insight into Singapore’s progressive efforts at keeping ahead of the curve, as well as an indication of the initiatives and developments that may be expected in this field. It highlights the importance of OT cybersecurity throughout all sectors, and not just for CII. Organisations should thus be aware of the rising cyber threats towards OT systems, the measures that may be taken to address such risks, and the resources available to them.