Introduction
The updated national Operational Technology (“OT”) Cybersecurity Masterplan (“OT Masterplan 2024”) was launched by Mrs Josephine Teo, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity, at the fourth edition of the Singapore Operational Technology Cybersecurity Expert Panel Forum on 20 August 2024. It outlines Singapore’s plans to boost the technical cybersecurity capabilities and competencies of the OT sector.
Operational technology is integral to the functioning of critical information infrastructure (“CII”) sectors such as energy, transportation, and manufacturing, enabling the efficiency and reliability of functions that are foundational to modern society. However, the growing sophistication of cyber threats poses significant risks to OT systems, and can lead to disruptions to essential services, economic losses, and safety hazards. Since the OT Masterplan was initially introduced in 2019, the cyber risk environment has become increasingly hazardous. The updated OT Masterplan 2024 thus aims to tackle new cyber threats to OT systems and to further enhance the security and resilience of stakeholders.
The OT Masterplan 2024 outlines main initiatives under the three areas – People, Process and Technology. The key thrusts in the updated OT Masterplan 2024 are as follows:
- Improve OT cybersecurity professional competency and pipeline;
- Enhance information sharing and reporting;
- Uplift OT cybersecurity resilience beyond CII; and
- Establish an OT cybersecurity centre of excellence and promote Secure-by-Development principles throughout the life cycle of the OT system.
This Update provides a summary of the key features of the OT Masterplan 2024.
Background
The OT Masterplan was first launched in 2019. Its aim was to:
- Create awareness on the People, Process and Technology challenges faced by the OT community in relation to cybersecurity;
- Align efforts of OT stakeholders to enhance cyber resilience; and
- Strengthen partnerships with the industry and stakeholders via OT cybersecurity initiatives.
Since then, the OT cyber threat landscape has undergone much change. The key shifts include:
- Evolution and escalation of attacks against OT, with increased targeting and vulnerability of OT systems;
- Evolving tactics and strategies of Advanced Persistent Threats;
- Rise in cyber criminals exploiting OT systems for financial gain;
- Intensified activities and improved capabilities of hacktivist groups;
- Expanded attack surfaces and new risks with the adoption of new technologies such as edge computing and Internet of Things (IoT) integration;
- Growing cyber-physical risks with the prevalence of OT systems becoming more digitally connected in critical sectors; and
- Growing recognition that OT cyber threats impact both CII and non-CII stakeholders.
The updated OT Masterplan 2024 thus seeks to keep up with evolving cyber threats and risks, as well as to expand its scope to uplift the cyber resilience of the non-CII organisations.
Key Thrusts and Areas of Focus
The OT Masterplan 2024 outlines the updates of efforts to uplift cybersecurity posture under the following key thrusts:
- Enhancing the OT cybersecurity talent pipeline
  The OT Masterplan 2024 has identified a lack of OT cybersecurity manpower and the need to ensure a competent OT cybersecurity workforce. The Cybersecurity Agency of Singapore (“CSA”) thus intends to improve the OT cybersecurity professional competency and pipeline through initiatives such as:
  - Including OT cybersecurity in the professionalisation framework that CSA is developing for Singapore;
  - Profiling OT cybersecurity in CSA’s Cybersecurity Education & Learning Guide to aid assessment and planning for a cybersecurity career;
  - Expanding OT cybersecurity training to include foundational and management-level courses; and
  - Encouraging the use of the OT Cybersecurity Competency Framework as a competency and career pathway.
- Enhancing information sharing and reporting
  The OT Masterplan 2024 highlights the importance of strengthening the situational awareness of Singapore’s cyberspace so as to protect Singapore’s CII and other OT infrastructure. CSA intends to pursue efforts including:
  - Accelerating information sharing by streamlining the sharing process and enhancing collaboration with the OT Cybersecurity Information Sharing and Analysis Center (OT-ISAC) and sector regulators to create a comprehensive and effective threat intelligence ecosystem; and
  - Exploring mechanisms to facilitate cybersecurity incident reporting (e.g. confidentiality or protection from liability) to encourage businesses to come forward.
- Uplifting OT cybersecurity resilience beyond CII
  Cyber risks impact not only CII, but other important OT systems as well. The OT Masterplan 2024 will focus on both CII and non-CII sectors in recognition of the widespread and complex nature of cybersecurity dependency. Some of the initiatives CSA intends to pursue include:
  - Developing a data-driven model to increase visibility into the cyber supply chain ecosystem that is applicable to both CII and non-CII sectors;
  - Updating guidelines such as the “Guide to Conducting Cybersecurity Risk Assessment” to highlight consequence-based scenarios to assist organisations in handling adverse events more resiliently;
  - Promoting relevant technical references (e.g. TR 111:2023) to secure cyber-physical systems for building infrastructure; and
  - Encouraging non-CII OT operators to consider relevant sections of the Cybersecurity Code of Practice to manage OT cybersecurity risks.
- Promoting Secure-by-Development principles
  The OT Masterplan 2024 acknowledges the importance of adopting the Secure-by-Deployment principles in safeguarding the lifecycle management of OT systems. In light of this, CSA intends to:
  - Collaborate with Original Equipment Manufacturers (“OEMs”) to establish an OT Cybersecurity Centre of Excellence to support research into OT cybersecurity technologies and develop appropriate solutions; and
  - Collaborate with OEMs, solution partners, system integrators and asset owners to incorporate Secure-by-Development principles from product design, configuration, deployment, and maintenance.
Concluding Words
Amidst the constantly changing landscape of cyber risk and threats to OT systems, the OT Masterplan 2024 provides an insight into Singapore’s progressive efforts at keeping ahead of the curve, as well as an indication of the initiatives and developments that may be expected in this field. It highlights the importance of OT cybersecurity throughout all sectors, and not just for CII. Organisations should thus be aware of the rising cyber threats towards OT systems, the measures that may be taken to address such risks, and the resources available to them.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.