It takes two hands to clap when protecting critical utilities such as the national energy grid and water sanitation system.
Watch enough blockbuster cybercrime movies such as the Die Hard series, and we know that a country’s public utilities are prime targets for terrorist and political offensives. Digital transformation has knitted these critical services – classified as operational technologies (OT) – digitally and thus opened up ever-evolving cyberattack surfaces.
While public OT is run by governments, the latter depend in turn on private sector suppliers for sustainability. While both the private and public sector OT players observe diligence in securing their own IT systems, what coordinates the overall intelligence for preventing, detecting and mitigating OT threats?
In Singapore, its government’s Cyber Security Agency (CSA) is particularly concerned with the little island’s acute OT vulnerabilities due to the pervasive use of technology and dense population. Tasked with tightening cybersecurity within government and national infrastructures, CSA had just launched a Vulnerability Disclosure Programme (VDP) for Singapore with HackerOne – a prominent bug bounty and pentesting platform.
Through the disclosure programme, members of the public who have identified government internet-facing and mobile resources can report their findings through the HackerOne platform for investigation and payout.
Similarly, CSA has also announced its partnership with a non-profit organisation — Global Resilience Federation Asia Pacific (GRF APAC) – in the latter’s launch of the Operational Technology Information Sharing and Analysis Center (OT-ISAC). The center will serve as a threat-information sharing hub for companies in energy, water and other Critical Information Infrastructure (CII) sectors in the country.
OT-ISAC benefits from the institutional experience of Global Resilience Federation, an operator and connector of similar information sharing and analysis centers and member companies around the world.Building on this experience, OT-ISAC is able to facilitate sharing of tactical and strategic security details, providing early insight into emerging threats, detection techniques, and containment measures. Exchanged information includes vulnerabilities and attacks to OT systems and relevant IT applications affiliated with OT systems.
Information sharing through public-private synergies
Singapore offers a strong economy, a highly educated workforce, a central location, and an environment friendly to trade and investment. Because of its status as a commercial hub and geopolitical factors, it is a target for cyberthreats.– Mark Orsi, President of GRF
CSA’s chief executive, David Koh has noted that OT-ISAC is the first cyber intelligence and analysis sharing platform focusing on the OT space in the region.
Information sharing is critical when we are dealing with sophisticated, fast-evolving cyber threats. This initiative will help to fill an important gap – cyber threats targeting OT systems. It will enhance our sectors’ cyber defences, allowing them to monitor, analyse and take prompt action to respond to cyber incidents when they occur.– David Koh, CSA’s chief executive
According to Orsi, malicious actors actively share company, industry and technological weaknesses on forums. They build and sell attack tools and discuss their own criminal best practices.
To defeat these dynamic threats, we must be vigilant and proactive in our approach. We must build trusted communities and facilitate intelligence sharing to multiply our collective security awareness and reduce risk.
The ’trusted communities’ alluded to in the OT-ISAC revolves around protecting privacy and trust via the Traffic Light Protocol (TLP). This protocol helps ensure that circles of trust are established to facilitate selected sharing with other member companies, government partners, sharing communities and vendor partners.
OT-ISAC members can determine whether their information is shared anonymously or with attribution, and with whom their information is shared. The protocol binds readers and disseminators, effectively acting as a private sector security classification system to further community engagement and information exchange, to the advantage of CII resilience.
In similar initiatives, CSA has worked with white hat hackers from the public sector to identify and monitor for security vulnerabilities in both IT and OT. Nearly 300 white hat hackers from around the world participated in the second Government BBP, helping to discover vulnerabilities in nine public government Information and Communication Technology (ICT) systems and digital services with high user touch points from July 8 to July 28, 2019, in exchange for monetary rewards also known as bounties.
Thirty-one vulnerabilities were discovered and US$25,950 were paid out in bounties for successful findings. Of the vulnerabilities reported, four were considered “high severity” and the remaining 27 were “medium/low severity”. In addition to the VDP, GovTech will conduct a third government bug-bounty program in November 2019 to continue strengthen and enhance the cybersecurity of government systems and applications.
Such ongoing and time-bound hacker-powered security initiatives continually stress the effectiveness of cybersecurity programs, and in maximising hacker engagement, reduce risk and increase public-private stakeholdership in cyber defence.