Singapore Operational Technology (OT) Cybersecurity Competency Framework

08 Oct 2021

The Cyber Security Agency of Singapore (CSA) has launched the Operational Technology Cybersecurity Competency Framework (OTCCF) which will provide the foundation to attract and develop talent for the emerging OT1 cybersecurity sector in Singapore. 

2 OT cybersecurity talent development is one of the key thrusts under Singapore’s OT Cybersecurity Masterplan, first announced in 2019. Since 2017, the CSA Academy has been providing customised intermediate to advanced training courses in cybersecurity areas – including OT - that are not readily available in the market to the Government and Critical Information Infrastructure (CII) sectors. OT system owners, including those from CII sectors and OT training providers currently take reference from the Skills Framework for ICT under SkillsFuture Singapore (SSG) to identify skills gaps and develop training plans.

3 However, with the increased connectivity between IT and OT systems, the demand for job roles requiring competencies in both IT and OT domains has correspondingly increased. While the existing Skills Framework for ICT provides an overview of job roles, possible career tracks and technical competencies for cybersecurity professionals, it caters primarily for the ICT workforce. More granular breakdown of the OT cybersecurity capabilities and technical competencies is required to cater to the training needs of the OT engineers in terms of coverage and applicability, as training providers in the market find it difficult to roll out best-in-class certifications and courses that encompass different OT industry sectors without a reference to the common skillsets. CSA aims to address this growing need through the development of the OTCCF and provide guidance on the competencies required for the OT industry sectors.  

Framework to address and bridge existing gaps in OT cybersecurity training

4 The OTCCF - jointly developed by CSA and Mercer Singapore, and supported by SSG and Infocomm Media Development Authority (IMDA) -  maps out the various OT cybersecurity job roles and the corresponding technical skills and core competencies required.  It also captures the possible career pathways showing the options for vertical and lateral progression. The OTCCF aims to guide key stakeholders in the following ways:

a. OT and IT system owners can refer to the OT cybersecurity capabilities required to attract the right people, train them adequately, and map out their career pathways;

b. Training providers can refer to the technical competencies required by different job roles and be guided to develop best-in-class courses and certifications that cater to local training needs; and

c. OT professionals or potential jobseekers can identify skillsets for cross- and up-skilling for a meaningful career in the OT cybersecurity domain. The career pathways could apply to job roles inclusive of vertical and lateral advancement opportunities.

5 Additionally, CSA Academy has begun engaging stakeholders from the Institutions of Higher Learning and selected CII owners to garner their feedback for an upcoming OT Train-The-Trainer (OT TTT) programme. This programme, slated to commence in end 2021, aims to build a pool of OT trainers who will be able to conduct fundamental OT cybersecurity courses aligned to the OTCCF. The CSA Academy will also be rolling out a series of roadshows to engage organisations on how they can adopt the OTCCF based on their business needs.

6 For the latest update on the OTCCF, please refer to

1 OT systems include industrial control systems, building management systems and traffic light control systems et al which focus on monitoring or changing the physical state of a system, such as controlling railway systems, traffic lights etc. Many OT systems are historically designed to be standalone and not connected to the Internet or external networks. However, with the introduction of new digital solutions in OT systems to increase automation and facilitate data collection and analysis, this has introduced new cybersecurity risks to what used to be a relatively ‘safe’ air-gapped operating environment.

About the Cyber Security Agency of Singapore 

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. 

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit