#WorkinginCSA: Strengthening the Cybersecurity Resilience of Operational Technology (OT) Systems

25 Feb 2022

Raymond Ung is an officer with CSA’s Critical Information Infrastructure Division. He leads the Utilities clusters (i.e. Energy and Water Sectors) and works with his team to strengthen the Operational Technology (OT) cybersecurity resilience of critical sectors against cyber threats, ensuring the continuity of essential services in our day-to-day lives.

1. What sparked your interest in cybersecurity?

I started as an engineer working on industrial control systems. Early in my career, I witnessed first-hand how the lack of cybersecurity measures could affect OT operations and systems. While I understood the risks, I found that I lacked the knowledge and skills to mitigate them. This sparked my interest in the cybersecurity sector and I enrolled myself in a cybersecurity training course on supervisory control and data acquisition (SCADA) security.  

Training and certification enabled me to pivot into the cybersecurity sector. Attending hands-on technical courses also allowed me to learn more about OT security and pick up the requisite skills. Even after entering the sector, I have continued to build up my skillset in the OT domain by attending more courses on cyber risk management, ethical hacking, and forensics.

2. What is a typical day at work like for you, and what are some challenges you faced?

I lead a team of officers in overseeing governance, risk management and compliance relating to OT stakeholders from the Energy and Water sectors, and work hand in glove with them to uplift the cyber resilience of CII organisations. We communicate a lot to understand their businesses and processes, so that our policy intent remains relevant when the stakeholders are implementing the measures. 

One of the key challenges in OT is that legacy OT systems are usually running on obsolete software and hardware that lack the basic cybersecurity controls, such as encryption and authentication. With such legacy OT infrastructure in place, protecting OT systems against cyberattacks remains a challenge and is made worse by the increasing demand for such systems to be built at a faster pace, which often causes cybersecurity by design to be neglected. 

With more and more OT systems and devices being connected, there is also an increased attack surface, thus creating an impetus to explore innovative cybersecurity solutions in the OT domains, in order to better protect our systems and users. What this means is that we need to stay abreast of the latest developments, even as we race against time to update our security posture or enact mitigation against the latest threats.

3. What is operational technology and why is it critical to look into OT cybersecurity?

Operational technology refers to an arrangement of interconnected systems that are used in the monitoring and/or control of physical processes.

When OT systems fail, it is not just the essential services that are disrupted – there could also be safety issues that could lead to the loss of lives. For example, if an open electrical circuit has malfunctioned, the process of closing the circuit and enabling the electrical supply could electrocute workers performing electrical maintenance works or even cause unexpected explosions.

We have also seen cyber incidents where OT systems globally were compromised, which led to the disruption of electricity, as well as the alteration of water quality. This caused people to suffer inconveniences, when they fell sick or were poisoned due to contaminated water, or worse (e.g. death caused by unexpected circumstances, such as an explosion due to malfunction). In this context, it is crucial that OT cybersecurity be taken seriously in the OT environment/system.

4. What is your advice to those looking to work in the cybersecurity industry?

Continuing Education and Training (CET) or another phrase in short – “lifelong Learning”. It is never too late to pick up a new skill on this long, continuous learning journey. The technology landscape is fast moving, and novel technologies, tactics and techniques emerge every day. Training and upskilling are not only useful for entry into the cybersecurity sector, but also help you to keep abreast of new developments in field.

5. How do you unwind from work?

I am a “ball person” and am good with most games that involves a ball. My preference is to play games of basketball so that I can sweat it out and forget about work. However, since COVID-19 set in, such physical games are no longer possible, and my favourite activity now for “unwinding” is to be on Netflix at the summons of my wife. 😊