#WorkinginCSA: Securing Singapore's 5G Networks

Published on 27 Feb 2023

In this edition of #WorkinginCSA, Paul Ng – an Assistant Director with CSA’s Telecom Cybersecurity Programme Office (TCPO) – speaks about securing Singapore’s 5G networks and working with different stakeholders to defend Singapore’s telecommunications systems against cyber-attacks.

1. What sparked your interest in cybersecurity?

I was fortunate to have access to the Internet at home during my secondary school days, and I spent a lot of time on chatrooms interacting with strangers from around the world on Internet Relay Chat (IRC). I chanced upon a channel where users freely shared information and tools to disrupt other users by disconnecting them from the servers or restarting their computers. Some of those tools actually contained viruses, and trying them out resulted in me having to format my PC and losing all my files. Curious to know how these tools could affect computers remotely, I began reading up about the vulnerabilities of computers and how I could better protect my PC. My interest eventually led me to take up an engineering degree at NTU, where I also took modules related to IT networking and communications.

2. Can you share more about the work that the Telecom Cybersecurity Programme Office does? What does a typical day at work look like and what challenges do you face?

I lead a team of officers to work with our stakeholders, such as the Infocomm Media Development Authority (IMDA), as well as the industry players who develop equipment, software and services used by our telecommunications sector. We also engage end users, such as Critical Information Infrastructure Owners who provide essential services to Singapore, in order to understand how their operations are supported by telecommunications services, and to provide recommendations on how their systems can be better secured against cyber-attacks over mobile networks.

3. What has been your most memorable experience in CSA? Any interesting projects you were involved in?

My team was involved in securing Singapore’s 5G mobile networks, which are vastly different from previous generations’ mobile systems, from a technical standpoint. For example, technologies such as virtualisation and software-defined networks form the backbone of 5G systems – these technologies are common in IT, but they are new to the telecommunications industry. At the time, the industry was grappling with these new changes – my team had the chance to be at the forefront of this technological leap, allowing us to engage leaders of the industry and learn more about the new 5G system.

The challenge was technical as the new 5G systems had to interface with networks deployed by mobile network operators from other countries for roaming to function seamlessly and securely. One such challenge was that mobile network operators from other countries used different equipment and products from different vendors than what was used in Singapore, meaning that our local mobile network operators had to work to source for compatible equipment. My team worked with IMDA to craft the necessary security requirements for local operators to adhere to.

Another challenge was that Singapore’s 5G networks were also one of the first in the world to be based primarily on the Standalone (5G SA) deployment model. This meant that our 5G networks were built without leveraging on our existing 4G/LTE infrastructure and that we could not rely on existing measures to secure our 4G/LTE networks. Globally, there were also very few references we could rely on, which actually gave us the opportunity to guide our operators in securing the 5G networks from the ground up.

In addition to securing the 5G mobile networks owned by the operators, our team has also published a set of guidelines for users of 5G services, where we recommend implementing measures that can reduce the risks of cybersecurity threats to their systems when they are connected to 5G services.

4. Any advice to those looking to work in the cybersecurity industry?

Be curious and stay curious about technology. Just as attackers are always finding new ways to compromise a system, the cybersecurity industry can also benefit from new ideas or concepts from other fields. But this will require a good understanding of the underlying technology, to be able to recognise and appreciate the similarities, and to apply the relevant ideas to cybersecurity.

5. How do you unwind from work?

I try to pick up hobbies unrelated to computers, such as learning to play the guitar (YouTube has been a valuable resource to help beginners like me). Being able to play the guitar along to my favourite songs in the background or nailing the challenging sections of the music always puts me in a better mood, regardless of how I was feeling before.