Singapore’s Teo highlights AI, quantum computing challenges, calls for embracing new perspectives in OT cybersecurity

Technologies like Artificial Intelligence (AI) and quantum computing, while exciting, also make the cyber threat landscape more challenging to navigate, Josephine Teo, Singapore’s minister for communications and information, said in a Tuesday speech at the Operational Cybersecurity Expert Panel (OTCEP) Forum 2023. She added that the OT cybersecurity sector has seen more than its fair share of disruption, as these systems were traditionally placed in protected environments, managed and monitored separately from Internet-facing IT systems.

“However, in recent years, digitalisation has accelerated in the OT industry, with more companies tapping on IT solutions to streamline and enhance the efficiency of their work processes,” Teo observed. “Unfortunately, the same technologies that enable OT operators to readily control their systems via a web interface can also allow bad actors to hijack OT systems and manipulate them to cause damage and destruction.”

Teo also highlighted that we live in uncertain times. “The geopolitical situation remains highly charged with an ongoing war in Europe. Inevitably, tensions in the physical world spill over into the cyber arena.” 

She also pointed to hacktivist groups attacking OT systems to gain public attention. “In April, water irrigation and wastewater treatment systems in Israel were hit by a cyber-attack as part of an annual hacktivist campaign ‘OpIsrael.’ The attack disrupted the treatment processes of some water processors and disabled the automated irrigation systems of some farms, forcing them to switch to manual irrigation.”

The OT cybersecurity sector faces challenges on many fronts, Teo pointed out. “Here in Singapore, we believe three lines of effort are critical. They are the 3Ts – technology, talent, and teamwork.”

Beginning with technology, Teo said that advances in AI and machine learning (ML) are threatening to disrupt the cybersecurity industry, as they can be weaponized by threat actors. “For example, cybercriminals could use AI chatbots like ChatGPT to craft convincing phishing emails at scale. It is already happening. Without human intervention, advanced malware could also tap on AI to alter the behaviour to evade detection. One example is Emotet, an advanced malware targeting banks. But AI also represents tremendous opportunities in enhancing our defensive capabilities.”

She also pointed out that companies have developed products that utilized AI and ML to detect abnormal behavioral patterns in control systems, thwarting malicious cyber activities before they create greater disruption. “AI-powered systems have been used to enhance available tools, such as firewalls, to bolster our defence capabilities.”

Teo also said that quantum computing is another area that carries both peril and potential. “The lightning computing speed of quantum computers means that good actors – like us – could also use it for public good – to create new, stronger cryptographic algorithms that are resistant to attacks from traditional computers. This could provide better, more secure ways for us to encrypt our data and communicate securely, for both IT and OT systems. “As a community, we should harness these technologies to improve our collective defences,” she added.

She also addressed the need to invest in building up talent for the OT cybersecurity industry.

“The best AI tools and quantum computers cannot fully replace the need for humans to be in the loop. The OT cybersecurity sector, specifically, requires a niche pool of talent with both IT and OT capabilities,” Teo said. “With this consideration in mind, Singapore launched the OT Cybersecurity Competency Framework two years ago. It provides guidance on the competencies that OT cybersecurity professionals need, and supports OT cyber talent attraction and development in Singapore.”

At the last OTCEP Forum, Teo announced the launch of the CSA-iTrust Master of Science in Security by Design Scholarship Programme, which seeks to encourage STEM professionals to enter the field of OT cybersecurity. “I am glad to announce the launch this week of the inaugural Singapore-Industrial Control Systems Cybersecurity 301 (or SG-ICS301) course,” she added.

“Singapore’s own CSA Academy has worked in partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), to design this programme,” Teo announced. “It equips participants with the concepts, theories, and practical hands-on experience for protecting OT networks and securing our CII systems from cyber-attacks. The inaugural run of the course will involve around 40 participants from Singapore, ASEAN, Bangladesh, and Maldives. It is a good beginning, and I am certain that the course – held alongside this Forum – will benefit many more batches of participants, thus enhancing OT security within this region.”

She also addressed the need to work as a team to tackle emerging challenges in OT cybersecurity.

“When attackers come at us on multiple fronts, it is even more important that we work together across government, industry, and academia, to build up the interdisciplinary expertise and partnership mechanisms to respond effectively,” according to Teo. “Cybersecurity is, after all, an international team sport, and we can only win if we’re playing as one against our common enemy.”

Teo also said that another area “where we should cooperate is in the creation of technical standards. Technical standards are important to any industry – they help companies to promote public trust in the industry’s products and services.”

“For rapidly developing sectors such as OT cybersecurity, there is an added challenge of needing to keep abreast of new developments,” according to Teo. “The Government, therefore, needs to work closely with industry experts and other stakeholders to develop standards that are relevant, accurate, and up to date. Most recently, CSA contributed to the development of the cybersecurity Technical Reference (TR) on ‘Securing Cyber-Physical Systems for Buildings.’”

She added that the development of the standards was industry-led, and involved a range of experts from the public and private sectors who contributed in their capacity. “The Technical Reference was published in May and is the first in Singapore which provides guidance on securing cyber-physical systems of buildings and facilities. These initiatives show CSA’s commitment in working with partners on all fronts.” 

Teo also announced two MOUs that will be signed at the ongoing Forum. 

The CSA will be signing an MOU (memorandum of understanding) with OT cybersecurity firm Dragos to fortify Singapore’s OT cybersecurity capabilities through collaborations in threat intelligence, consultancy, risk assessment, incident response, and training. The MOU will facilitate more information sharing and cross-fertilization of ideas, foster alignment with industry best practices and provide CII sectors access to expert knowledge. Local cybersecurity companies will also have opportunities to work collaboratively with Dragos through this MOU.

The other MOU will be signed between ST Engineering and Siemens Energy, Teo said. “Where Siemens Energy provides the experience and innovation as a global OEM, ST Engineering empowers regional integration and execution. The collaboration between these companies on OT cybersecurity will enhance the resilience of our national critical infrastructure in Singapore. The MOU will facilitate knowledge sharing, information exchange, and joint exploration or entry into new markets and use cases for both companies,” she added. 

In conclusion, Teo said that “we cannot be sure what new challenges we might face in the digital domain, and specifically in the field of OT cybersecurity. But by making better use of advances in technologies, nurturing the capabilities of our talent pool, and fostering stronger teamwork across the ecosystem, I am sure we can make the OT cyber arena – and by extension, the physical world – a safer one,” she added.

In June, the CSA announced that ever since the computer worm Stuxnet disabled Iran’s Internet-disconnected Natanz nuclear facility in 2010, threat actors have been researching and refining similar methods to strike targets. Given the high potential for disruption and destruction, they are widely regarded as national security concerns, the agency outlines that such threats have come a long way in the 13 years since Stuxnet first crossed the theoretical barrier that divided the cyber and physical worlds.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.