By Teck Wee Lim, Regional Director, ASEAN at CyberArk
Following several cyber attacks on critical infrastructure in the last few years that went undetected for months, Singapore has made stringent efforts to reinforce its national cybersecurity plan. It initiated a new program that aims to protect the supply chain of critical information infrastructure (CII) and its operators from any cybersecurity risks through partnerships with a range of relevant stakeholders.
Singapore also rolled out the Operational Technology (OT) Cybersecurity Masterplan in 2019 as part of its continuing efforts to enhance the security and resilience of the CII sectors that deliver essential services. The country recognises nine critical sectors, namely Energy, Water, Banking and Finance, Healthcare, Transport, Infocomm, Media, Security and Emergency Services, and Government.
All these critical sectors heavily rely on computerised OT to function.
OT systems were designed to have a long life span, with a focus on reliability and safety rather than security. These systems run on proprietary control protocols using specialised hardware and software and are often isolated from business networks and the internet. Therefore, OT systems were traditionally “secure through obscurity” as they were typically air-gapped from other systems. Today, however, the extensive linkages among enterprise IT and OT networks, businesses, operators, vendors, and other third-party systems have greatly increased the operational footprint of networks, putting them on the map as attractive targets for cybercriminals. As such, we need to ensure that cybersecurity measures safeguard our OT systems as they become exposed to evolving cyber threats.
The Convergence of Technologies Increases the Attack Surface – Creating A Blind Spot
As OT is fast converging with IT, critical industrial control system (ICS) endpoints and other assets are becoming exposed to aggressive cyber threats, making CIIs vulnerable to attacks.
With the addition of remote access, the Internet of Things (IoT) and the cloud, the attack surface increases significantly, allowing more opportunities for attackers to get into IT and OT systems. A successful attack on critical infrastructure could disable or destroy production lines and industrial processes, leave cities in the dark or shut off critical lifesaving technologies. The repercussions are grave and difficult to bounce back from.
Corporate IT executives are aware of the hazards. In 2020, the Ponemon Institute conducted its Industrial Security Survey of more than 2,500 cybersecurity practitioners responsible for OT systems worldwide. It found that 57% of respondents expected to face one or more attacks, and almost half (48%) considered the risks higher for OT systems than for IT systems. Nearly half also said that the threat to OT systems is increasing. One-third even admitted that their companies had lost OT-related intellectual property as a result of previous attacks. Overall, the practitioners identified phishing, ransomware and denial-of-service attacks as the three biggest threats.
In addition, most critical infrastructure companies operating with legacy security measures are in a position of relative blindness. Since it is near impossible to defend against threats they cannot see, these companies only learn that they have been attacked after the damage is done. It can take weeks, months or even years after the initial intrusion before an attack is detected.
One of the most significant concerns right now is the sharp rise of ransomware attacks targeting the critical infrastructure space. According to a report from The Institute for Critical Infrastructure Technology (ICIT), “If a Supervisory Control and Data Acquisition (SCADA) or ICS system in an energy, utilities or manufacturing organisation becomes infected with ransomware, then lives could be jeopardised in the time it takes to investigate the incident and return the systems to operation.”
A Zero Trust Playbook for Ransomware Protection
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued guidance on protecting critical infrastructure from ransomware. Attacks on ICS often begin with identity compromise at the endpoint, followed by abuse of privileged credentials. As such, the two organisations recommended that CII owners take the necessary precautions to mitigate or prevent risks should they ever be targeted by ransomware attackers. Among their recommendations, CISA and the FBI reminded owners to limit user and process accounts through account use policies, user account control and privileged account management. They also advised organising access rights according to the principles of least privilege and separation of duties. Local businesses can follow the same guidelines for defence-in-depth ransomware protection.
Moreover, unusual user activity or unauthorised credentials used to access an ICS asset can themselves be signs of an attack. Understanding the context of a user’s actions adds another layer of security. Users typically interact with the company system at their usual times, from their usual devices, accessing their usual files. Anything that breaks the pattern can be flagged, logged and blocked. It’s one thing to log on from Singapore at 12 noon on your usual laptop to begin work. It’s another to log on at midnight from a foreign country using a desktop PC. It is crucial to detect and identify every action that falls outside the normal pattern.
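The contextual check described above, as an added illustration that is not part of the original article and not CyberArk's product logic: a per-user baseline of usual login hours, countries and devices is built from past successful logins to an ICS jump host, and each new attempt is compared against it. The sample events, the hour tolerance and the flag/block thresholds are constructed assumptions for this example.

```python
from datetime import datetime

# Constructed sample: past successful logins by one engineer to an ICS jump host.
# Fields: ISO timestamp, source country code, device name. Not real data.
BASELINE = [
    ("2021-05-03T08:55:00", "SG", "laptop-eng01"),
    ("2021-05-04T09:10:00", "SG", "laptop-eng01"),
    ("2021-05-05T12:02:00", "SG", "laptop-eng01"),
    ("2021-05-06T14:30:00", "SG", "laptop-eng01"),
    ("2021-05-07T17:45:00", "SG", "laptop-eng01"),
]


def build_profile(events):
    """Summarise a user's usual login hours, countries and devices."""
    profile = {"hours": set(), "countries": set(), "devices": set()}
    for ts, country, device in events:
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["countries"].add(country)
        profile["devices"].add(device)
    return profile


def assess(profile, event, hour_slack=1):
    """Return (action, reasons) for one login attempt measured against the profile.

    Policy (an assumption for this example): one deviation from the baseline is
    flagged for logging and step-up authentication; two or more are blocked.
    """
    ts, country, device = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if not any(abs(hour - h) <= hour_slack for h in profile["hours"]):
        reasons.append(f"login at {hour:02d}:00 is outside usual hours")
    if country not in profile["countries"]:
        reasons.append(f"login from unusual country {country}")
    if device not in profile["devices"]:
        reasons.append(f"login from unknown device {device}")
    action = "allow" if not reasons else ("flag" if len(reasons) == 1 else "block")
    return action, reasons


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # Noon from Singapore on the usual laptop vs. midnight from abroad ("ZZ" is a
    # placeholder country code) on an unknown desktop PC.
    for ev in [("2021-05-10T12:05:00", "SG", "laptop-eng01"),
               ("2021-05-10T00:12:00", "ZZ", "desktop-pc7")]:
        print(ev, assess(profile, ev))
```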
Following the Zero Trust cybersecurity model of “never trust, always verify” helps organisations to secure individual identities throughout the cycle of accessing critical OT and IT assets. When identities can be authenticated accurately, authorised with the proper permissions and given access to privileged assets in a structured manner, organisations are better equipped to find attackers as they move throughout a network and stop them before they can disrupt critical systems, threaten uptime, compromise sensitive data and jeopardise consumer safety.
While we have been fortunate to escape relatively unscathed so far, we have already seen our fair share of cyber-attacks. Our nation’s resilience against cyber threats will also help it capture the opportunities offered by new digital technologies and appeal to investors as a strategic and secure location for their business.