Operational Technology

Managing risks in Operational Technology systems

The focus of the cybersecurity industry has been on developing solutions for enterprise Information Technology (IT) systems. There is now increasing attention on Industrial Control Systems (ICS) or Operational Technology (OT) systems - the integration of hardware and software with network connectivity to control industrial processes. As Singapore moves towards becoming a Smart City, the increasing integration of IT and OT systems means that any disruption of OT systems could have a cascading impact across sectors.

In Singapore, eleven essential services have been identified, and Critical Information Infrastructures (CIIs) within these services have been designated. The Cyber Security Act 2018 mandates that CII Owners conduct annual risk assessments and comply with codes of practice issued by the Cyber Security Agency (CSA) of Singapore. Singapore has recognised the need for robust defences for OT systems and launched the OT Cybersecurity Masterplan to consolidate and guide the development of OT cybersecurity initiatives.
 

Major OT systems attacks

While the objective of cyber attacks on IT systems is the pilferage or alteration of sensitive data, in attacks on OT systems cyber attackers typically aim to destroy the systems or bring down their availability.

2017
Petrochemical facilities
Middle East

Triton, a sophisticated malware, attacked safety instrumented systems, a critical component designed to protect human life.  The initial vector of infection was likely a phishing attack.  After gaining remote access, the attackers moved to disrupt, take down or destroy the industrial process. 

2016
Energy company
Europe

The SFG malware was discovered on the networks of the energy company. It created a backdoor on targeted industrial control systems, delivering a payload that was “used to extract data from or potentially shut down the energy grid”. Designed to bypass traditional antivirus software and firewalls, it bears all the hallmarks of a nation-state attack.

2016
Dam attack
USA

The U.S. Justice Department claimed that U.S. infrastructure had been attacked by infiltration of the industrial controls of a dam in New York. The cyber attackers compromised the dam’s command-and-control system in 2013 using a cellular modem. It represents one of the first major efforts of a foreign government entity to commandeer U.S. infrastructure.

2015
Power company
Ukraine

Investigators discovered that cyber attackers had facilitated a power outage that affected a large area by using BlackEnergy, malware that exploited the macros in Microsoft Excel documents. The malware was planted in the company’s network using spear phishing emails. 30 substations were shut down, leaving more than 230,000 people without electricity for 1 to 6 hours.

2014
Steel mill
Germany

Cyber attackers hacked into the IT networks of the mill, penetrated the production management software and took control of the mill’s industrial control systems.  The cyber attackers destroyed the critical software components and prevented the blast furnace from shutting down, causing serious damage to the entire infrastructure.

2010
Nuclear facilities
Iran

Stuxnet, a malicious computer worm, was believed to be responsible for causing substantial damage to Iran’s nuclear facilities. It specifically targeted Programmable Logic Controllers (PLCs) used to control centrifuges for separating nuclear material. The worm travelled via USB drives, reprogrammed PLCs to operate outside their controlled boundaries, and sent false data to the operators to mask the activities.

Challenges in securing OT Systems

People

OT system operators are usually not trained in cybersecurity and are not able to adequately appreciate the threats and risks. Cyber security professionals are usually more familiar with the IT environment and are not able to appreciate the different considerations and requirements of the OT environment.

Process

In the IT environment, the focus is on protecting the confidentiality and integrity of the data, with maintaining the availability of the systems a lower priority. In the OT environment, maintaining the availability of the systems takes on a higher priority than the data that resides in the system. In addition, OT system operators place safety well above any other factors such as availability, confidentiality and integrity.

Technology

OT systems have a typical life-cycle of more than 10 years. They are designed to execute an industrial process very well. Unless the system breaks down, there are unlikely to be any changes or updates at all. As a result, OT systems contain a great deal of legacy equipment and software with many known vulnerabilities. Even if patches or upgrades are available, OT system operators are unlikely to implement them, as they may have an unintended impact on the entire OT system. The system design and network protocols used in OT systems are very different from those of the typical IT network; consequently, cybersecurity products that work well in the IT environment are less effective in the OT environment.

How we can help

We have a global team of professionals with extensive experience in both cyber security and industrial control systems across multiple sectors such as manufacturing, pharmaceuticals, oil and gas, water, power and transportation. We help clients recognise and understand the threats and risks, and recommend mitigation controls against the security vulnerabilities that can potentially impact their OT systems through:

Risk assessment

Risk assessment and management of OT system

  • Identify the various assets that could be affected by different cyber threats
  • Estimate and prioritise the risk to the operations, and suggest possible mitigation controls
  • Inform decision-makers and support the proper risk responses

Vulnerability assessment

Vulnerability assessment and Penetration testing to identify potential damage from a cyber attack

  • Identify key vulnerabilities and configuration issues in the OT system
  • Identify various routes that an attacker could use to break into the OT system

Audit compliance

Audit Compliance for CIIs mandated under Cyber Security Act

  • Identify compliance gaps and advise on the measures/controls necessary to satisfy the requirement for compliance with the Code of Practice and Performance Standards once every two years

Training and education

  • Training for everyone from operators to senior management on cyber security for OT systems, providing an understanding of the cybersecurity risks pertaining to OT systems and of how to apply cybersecurity controls and best practices

Security consulting

  • Develop the strategy and roadmap for enhancing the cybersecurity posture of the OT systems
  • Identify relevant technology and solutions for implementation

Contact us

Tan Shong Ye

IT Risk Leader, PwC Singapore

Tel: +65 9679 6920

Jimmy Sng

Technology Risk Services Leader, PwC Singapore

Tel: +65 9618 9773
