Singapore Updates Operational Technology Cybersecurity Masterplan

Published on 20 Aug 2024

Updates aimed at providing a resilient and secure cyber environment for both Critical and non-Critical Information Infrastructure amidst growing threats in the OT cybersecurity landscape

     The updated national Operational Technology Cybersecurity Masterplan (“OT Masterplan 2024”) was launched by Mrs Josephine Teo, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity at the fourth edition of the Singapore Operational Technology Cybersecurity Expert Panel (OTCEP) Forum held on 20 August 2024. It outlines Singapore’s plans to boost the technical cybersecurity capabilities and competencies of Singapore’s OT sector. 

2     Rapid digitalisation has led to the creation of a vast and increasingly connected network of Information Technology (IT) and OT systems. This cyber-physical nexus means that a cyberattack on an OT system could result in severe damage, including mass disruptions, physical harm or even loss of lives. 

3     Since the launch of the OT Masterplan 2019, Singapore’s essential service sectors have taken steps to enhance their OT cybersecurity awareness and resilience.  This is done through the adoption of the Cybersecurity Code for Practice that included a set of mandatory cybersecurity measures applicable to OT systems, development of OT personnel’s cyber capabilities through attending several intermediate and advanced OT cybersecurity training courses, and participating in the national-level cyber exercise (Ex Cyber Star) and Critical Infrastructure Defence Exercise (CIDEX). Other initiatives to enhance Singapore’s OT cyber resiliency include the formation of the OT Cybersecurity Information Sharing and Analysis Center (OT-ISAC) to share information and facilitate timely responses against OT cyber threats, the development of the Operational Technology Cybersecurity Competency Framework (OTCCF) to support skills building and career pathways and the establishment of an OT Cybersecurity Expert Panel (OTCEP) amongst others.

4    Since then, the OT cyber landscape environment has become increasingly perilous due to the evolving tactics and strategies of threat actors. The updated OT Masterplan 2024 seeks to address these new and evolving cyber threats targeting OT systems in the wake of geopolitical and technological shifts e.g. significant increase in hacktivism attacks targeting OT assets of non-aligned countries and integration of new technologies such as Edge Computing and Internet of Things (IoT) which has increased the attack surface for OT systems. It was developed after extensive consultation with multiple stakeholders in the OT ecosystem, including government agencies, industry and academia.

5     The OT Masterplan 2024 outlines key initiatives under the three areas “People”, “Process” and “Technology” with the Government playing a catalytic role by implementing new policies and adopting best practices to enhance cyber resiliency and shape OT organisations’ behaviour.  Some of these new initiatives include:

i. Enhancing the OT Cybersecurity Talent Pipeline

Ensuring a competent OT cybersecurity workforce is key to respond swiftly to the  evolving cyber threats. CSA will include OT cybersecurity in the professionalisation framework that CSA is developing for Singapore’s cybersecurity workforce.  This will be supported by collaborations with Institutes of Higher Learning to incorporate relevant OT cybersecurity syllabus into computer science and engineering degree courses to allow graduates to be equipped with basic OT cybersecurity competencies which will enhance their employability upon graduation. Furthermore, OT cybersecurity will be profiled in CSA’s Cybersecurity Education & Learning Guide to aid assessment and planning for a cybersecurity career. The guide will comprise information such as the OTCCF, cybersecurity workforce data, trends, learning roadmaps, and skills frameworks to aid assessment and planning for a cybersecurity career. It will be published later this year.  

ii. Enhancing Information Sharing and Reporting

It is important to strengthen the situational awareness of Singapore’s cyberspace to better safeguard Singapore’s Critical Information Infrastructure (CII) and other important OT infrastructure. CSA will accelerate information sharing by streamlining the information sharing process and enhancing collaboration with OT-ISAC and the sector regulators to create a comprehensive and effective threat intelligence ecosystem for Singapore. CSA will also explore mechanisms to facilitate cybersecurity incident reporting to encourage businesses to come forward and report.

iii. Uplifting OT cybersecurity resilience beyond CII 

Cyber risks are widespread and impact CII and other important OT systems due to dependency or supply chain risks. CSA is developing a data-driven model to increase visibility into the cyber supply chain ecosystem that is applicable to both CII and non-CII sectors with accurate, up-to-date and analysis of vendor risk data as part of CII Supply Chain Programme launched in 2022 to protect CII and related systems managed by vendors. Doing so will enhance CSA’s visibility of cybersecurity risks that OT sectors face, monitor these risks and issue alerts and advisories to advise the sectors on the required remediation or mitigating controls. CSA will update existing guidelines such as the “Guide to Conducting Cybersecurity Risk Assessment” to place emphasis on consequence-based scenarios to help organisations handle adverse events more resiliently by ensuring that system failures do not result in disruption or complete shutdown of systems. CSA will also promote relevant technical references (e.g. TR 111:2023) to secure cyber-physical systems for buildings infrastructure so that operations of a building are not threatened by either a cyber and/or physical attack.

iv. Promoting Secure-by-Development Principles

Cybersecurity features for systems should not be an afterthought and the adoption of the Secure-by-Deployment principles is crucial in safeguarding the entire lifecycle management of OT systems, from product design, deployment and maintenance involving multiple stakeholders from Original Equipment Manufacturers (OEMs), System Integrators to asset owners across the whole lifecycle management of the OT systems. CSA will also collaborate with the OT ecosystem to establish an OT Cybersecurity Centre of Excellence to support research into emerging OT cybersecurity technologies in a realistic environment and develop solutions to alleviate industry players' concerns about the impact on business operations.

6     The updated Masterplan will serve as a strategic blueprint to guide Singapore’s efforts to foster a resilient and secure cyber environment for organisations in the CII and non-CII sectors, using OT systems to support business operations. The Masterplan is available on CSA’s website at www.csa.gov.sg/otcsmp2024

Commitment by the OEMs and Cybersecurity Solution Providers

7     At the launch of the OT Masterplan 2024, 14 organisations belonging to the group of OEMs and cybersecurity solution providers will commit to adopt the Secure-by-Deployment principles across the whole lifecycle management. Together, OEMs, System Integrators and OT operators all play an important role in contributing to the cyber resiliency of the entire OT ecosystem. The list of OEMs and cybersecurity solution providers can be found in the Annex. 

 


 

About the Cyber Security Agency of Singapore 

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. 

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Digital Development and Information. For more news and information, please visit www.csa.gov.sg.

 


 

Report a Cybersecurity Incident

SingCERT encourages the reporting of cybersecurity incidents as it enables us to better understand the scope and nature of cyber incidents in Singapore. This will enable us to issue alerts or advisories on relevant threats, and assist a broader range of individuals and organisations.
Report Incident