Move to protect S'pore's critical infrastructure against cyber strikes
This comes as hackers have been using increasingly sophisticated tools to target operational technology systems, such as those in the energy, water and transport sectors.
Although the threat of a cyber attack on Singapore's critical infrastructure services remains low, the maritime sector has been in the cross hairs of hackers, members of an international panel appointed by the Cyber Security Agency of Singapore (CSA) said.
In an interview with The Straits Times, Mr Kazuo Yamaoka, senior solution architect at NTT Security Japan, the information security arm of the Japanese telco, said hackers have been using increasingly sophisticated tools to target operational technology systems.
These systems run critical infrastructure services, such as those in the energy, water and transport sectors. They control everything from the electricity grid, traffic lights, train-signalling systems and even sensors detecting the chemical content in drinking water.
In 2017, hackers attacked a petrochemical plant in Saudi Arabia with the intent to cause a fatal blast and cripple the facility. That strike failed because of a glitch.
In February, a hacker tried but failed to poison the water supply in Florida, United States, after accessing a water plant's controls.
"Considering the situation in other countries, we believe operational technology cyber-security threats in Singapore are relatively low at present," Mr Yamaoka said in the interview last week.
"The damage created by (such) cyber attacks... has not surfaced in Singapore. But it's important that businesses do not become complacent and should ensure they have an effective incident response or business continuity plan in place," added Mr Yamaoka, who has expertise in utilities and operational technology and industrial automation systems in factories.
With cyber threats to operational technology, especially industrial control systems, increasing in frequency and sophistication, the CSA announced yesterday that it has established an operational technology cyber-security expert panel to "strengthen local cyber-security capabilities and competencies in the operational technology sector".
The panel will allow Singapore's operational technology cyber-security practitioners, operators, researchers and policymakers from the Government, critical information infrastructure sectors, academia and other operational technology industries to have direct access to experts, said CSA.
The 11 panel members, who come from both public and private sectors, locally and internationally, include American Robert Lee.
The chief executive of industrial cyber security company Dragos said his US firm had tracked a state-linked hacking group which has been targeting the Singapore and Japan maritime sectors and port authorities.
"They're not to the point of causing physical impact and... trying to hurt people. But it's early reconnaissance and you can tell that they are trying to go after industrial systems," said Mr Lee, who also serves on the US Department of Energy's electricity advisory committee.
"But until we get more insight into operational technology systems and networks, we won't know the full picture."
Mr David Koh, commissioner of cyber security and CSA's chief executive, said that while operational technology systems were traditionally separated from the Internet, increasing digitalisation has led to more IT and operational technology integration.
"Hence, it is crucial for operational technology systems to be better protected from cyber threats to prevent outages of critical services that could result in serious real-world consequences," said Mr Koh.
"To this end, we are glad to have notable operational technology experts join us in sharing their expertise to develop and strengthen localised capabilities in operational technology cyber security."
CSA said the experts will discuss issues ranging from governance policies and processes, evolving operational technologies, emerging trends, capability development, supply chain, threat intelligence information sharing as well as incident response.
They will recommend best practices to address cyber-security challenges and gaps in the sector.
The panel complements CSA's operational technology cyber-security masterplan announced in 2019 to protect Singapore from cyber attacks on critical sectors like transport and water supply.
Insights and recommendations from the panel will help shape initiatives under the plan, such as a code of practice and training programmes, said CSA.
Data breach alerts in S'pore up on new reporting rules, more cyber threats: Experts
The number of data breach alerts received by Singapore's data protection watchdog tripled in the February-March period compared with the previous two months.
This comes amid a string of potential personal data leaks reported in recent months.
Legal and IT security experts said the increase could have been due to a new data breach notification requirement that companies must follow from Feb 1, as well as rising cyber-security threats.
The Personal Data Protection Commission (PDPC) told The Straits Times late last month that the February-March breach alerts it received involved firms such as those from the finance, retail and manufacturing sectors.
The data compromised in those cases included names, e-mail addresses, personal identity numbers, financial details, phone numbers and postal addresses.
Experts said the data could be used for attempts to, for instance, take over victims' online accounts to spread malware or transfer money to hackers.
PDPC said "data breaches are often caused by human error as well as malicious activities such as phishing or cyber attacks".
While PDPC could not give more details, technology, media and telecoms lawyer Bryan Tan said the rising notifications are in line with the number of data breach cases his firm has seen.
Mr Tan, the cyber-response lead for law firm Pinsent Masons Singapore, said his firm typically sees 10 Singapore data breach cases a year.
But from March to April, it has already received four cases, and this is also double the figure in the same year-ago period.
Hackers have exploited hastily implemented IT infrastructure and the poor cyber habits of workers with the rapid move to work from home due to Covid-19, said Mr Yeo Siang Tiong, general manager for South-east Asia at cyber-security firm Kaspersky. His company's products detected and blocked nearly 2.3 million Web threats here in the first quarter, a nearly 263 per cent jump from a year ago, which Mr Yeo said means data breaches will continue to happen.
United States-based cyber risk analytics firm Risk Based Security said that while it does not have comprehensive data for Singapore, it still recorded at least three data breaches in the first quarter. This is already a third of at least nine cases it logged for Singapore for the whole of last year.
The biggest case that Risk Based Security recorded in Singapore for January to March involved furniture retailer Vhive. In that breach, which happened in March, a hacker group claimed to have stolen the data of more than 300,000 customers.
Other cases reported in the past three months include those that affected third-party vendors of Singtel, Singapore Airlines and the National Trades Union Congress' Employment and Employability Institute, as well as a breach that hit local security firm Certis.
The Cyber Security Agency of Singapore said that, for now, the Certis and Singtel incidents, as well as one affecting Microsoft Exchange e-mail servers reported in March, have not affected Singapore's critical information infrastructure, like those in the transport and telecoms sectors.
Mr Tan said that the Feb 1 mandatory requirement for companies to report data breaches to PDPC within three days likely helped to push up notifications.
This is similar to the situation in Europe 12 months after the European Union's General Data Protection Regulation, which has breach reporting requirements, came into force in 2018, he noted.
Before Feb 1, it was voluntary for Singapore firms to report data breaches. Now, they must report breaches that pose a significant risk of harm, such as financial or physical harm, or if it affects the data of 500 people or more.
"Covid-19 complicates matters as there are now additional risks because people are working from home. So that factor alone means that more breaches will likely happen," added Mr Tan.
Hackers have exploited hastily implemented IT infrastructure and the poor cyber habits of workers with the rapid move to work from home due to Covid-19, said Mr Yeo Siang Tiong, general manager for South-east Asia at cyber-security firm Kaspersky.
His company's products detected and blocked nearly 2.3 million Web threats here in the first quarter, a nearly 263 per cent jump from a year ago, which Mr Yeo said means data breaches will continue to happen.
Mr Kevin Reed, chief information security officer of cyber-security firm Acronis, also noted an increase in cases of ransomware, which locks up digital files until firms pay hackers.
For Singapore, the ransomware detection number rose by 45 per cent in the second half of last year compared with the first half.
Firms can soon be fined more for data breaches - up to 10 per cent of their annual turnover in Singapore or $1 million, whichever is higher. The maximum fine is $1 million now.
The higher fine is slated to take effect at least a year from Feb 1.
Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.