OTCEP Forum 2022 kicks off in Singapore
The two-day Operational Technology Cybersecurity Expert Panel (OTCEP) Forum 2022 event began in Singapore on Tuesday (image: Dan Ehrenreich), focusing on the nation’s OT cybersecurity practitioners, operators, industry, researchers, and policymakers engaging with international experts in the field. The conference helps enhance mutual learning while bringing people with different experiences who share unique perspectives and put their minds together to address OT (operational technology) cybersecurity challenges.
The OTCEP conference will discuss key global OT technologies, analyze emerging cyber threats, share insights from their experience in handling global cybersecurity incidents, and recommend practices to address cybersecurity challenges and gaps in the OT sector.
Speaking at the keynote address at the event, Josephine Teo, Minister for Communications and Information, said that OT systems have become vulnerable to cyber-attacks, impacting physical operations in water, energy, and other critical sectors. Cybersecurity professionals must keep abreast of new cybersecurity threats, share knowledge, and collaborate to help each other. Singapore is also investing in people, processes, and technology to be effective in cybersecurity.
To uplift OT cybersecurity posture in Singapore, Teo said that it must improve its people, processes, and technology. “To be effective in OT cybersecurity, our people, processes, and technology are our critical assets. This is why we invest in them. Events such as this OT Cyber Experts Panel Forum are also important, to raise awareness and knowledge levels within Singapore’s OT community. For this reason, I want to thank the members of the OTCEP for making your way to join us again this year,” she added.
OTCEP added two new panelists this year. Daniel Ehrenreich brings to the table over 32 years of engineering experience from across a range of OT sectors, including energy and water. Sarah Fluchs is the CTO at admeritia GmbH and currently leading a government-funded research project on security by design for industrial control systems (ICS), in partnership with academia and industry representatives.
“Both Daniel and Sarah bring so much to the table. I am very excited by the new perspectives that they will be able to share with our participants,” Teo said. “I am certainly very confident that they will both be valuable contributors to the already remarkable expertise of the panel,” she added.
“The OTCEP 2022 is a well-organized and educating event for discussing critical ICS-OT-IIoT risks, defense measures, and challenges,” Ehrenreich told Industrial Cyber. “The organizer’s goal is to hear different opinions and approaches from the 12 participating international experts.”
Addressing what would be his initial proposals to the OTCEP panel to strengthen OT cybersecurity as vulnerabilities and cybersecurity incidents rise, amid a fluid geopolitical scenario, Ehrenreich said that ICS-OT-IIoT cyber security experts know that absolutely protecting industrial facilities is impossible. “However, educating ICS-OT operators, engineers, and service providers about risks and defense measures may help comply with the SRP Triad (Safety-Reliability-Productivity/Business Continuity) goals. Therefore, conducting well-adapted workshops shall be high on their priority list,” he added.
On the first day, Robert M. Lee, CEO and founder at Dragos, dug deep into Pipedream ICS malware, which has been tailored to target specific PLC (programmable logic controller) found across ICS that could be expanded to other similar targets in the OT sectors. Though the threat appears to target the U.S. liquid natural gas and electric power site, and have not employed its capability for its intended disruption, there is still potential for the capabilities to be deployed in Singapore.
Joel Thomas Langill, founder and managing member at Industrial Control System Cyber Security Institute (ICSCSI) and founder at SCADAhacker led a panel discussion on bringing in an incident response framework for embedded systems. Cybersecurity incident responding is commonly unheard of in the OT environment, and the main responders to issues are typically OT engineers/operators or vendors, often resetting the devices or processes to restore operations that may deny discovery of a cyber breach. While some of these may be caused by user interaction with Real-Time Operating System (RTOS) or software is not always simple and is limited in scope, and caused a lack of visibility or centralized data aggregation.
Addressing securing PLC code practices, Fluchs addressed how PLCs have been insecure by design. Several years into customizing and applying best practices from IT have given rise to secure protocols, encrypted communications, network segmentation, etc. So far, there has not been a focus on using the characteristic features in PLCs (or SCADA/DCS) for security, or on how to program PLCs with security in mind. In 2021, the Top 20 Secure PLC Coding Practices were published as the result of a community project.
At the OTCEP event, the Cyber Security Agency of Singapore (CSA) launched a new CSA-iTrust Master of Science in Security by Design Scholarship (CiMS) Programme at the OTCEP conference. The program aims to strengthen the OT cybersecurity workforce and support the sector’s continued growth. It will award scholarships to qualified candidates who are enrolled in the Master of Science in Security by Design (MSSD) program at the Singapore University of Technology and Design (SUTD).
The CSA will fund up to 80 scholarships over three years through the CiMS Programme, and the scholarships will be offered to qualified Singapore citizens and permanent residents who have been accepted into SUTD’s MSSD program on a full-time or part-time basis. Graduates from the CiMS program can look forward to exciting careers in cybersecurity research in iTrust or in a variety of technology domains in the critical infrastructure sectors.
Equipping students with a thorough understanding of cybersecurity fundamentals and the skillsets to apply security by design principles in various organizational domains, the MSSD program will give students access to the latest fundamental and applied research findings and OT testbeds that simulate critical infrastructure, all co-located in SUTD. Last week, the CSA published the Codes of Practice or Standards of Performance issued by the Commissioner of Cybersecurity for the regulation of owners of Critical Information Infrastructure (CII) under the Cybersecurity Act.
Day two of the OTCEP event is set to be as packed. One of the key sessions will be with Sharon Brizinov, director of security research at Claroty, covering the research into stealthy exploits and how researchers have been able to attack PLCs manufactured by ICS vendors, including Rockwell Automation and Siemens. He also looks into the ability to conceal malicious bytecode on a PLC, giving engineers the appearance that operations running as normal are highly sophisticated and pose an extreme risk to process safety and reliability.
Related
