#WorkinginCSA: Strengthening the Cybersecurity Resilience of Operational Technology Stakeholders in the Energy Sector

Kelvin Loh is a Senior Consultant with CSA’s Critical Information Infrastructure Division (CIID), where he works closely with Operational Technology stakeholders in the energy sector to strengthen their systems’ cybersecurity resilience against cyber threats and ensure the continuation of the essential services.

1. Can you tell us more about your background, academic and career-wise, and how you came to be interested in cybersecurity?

I am an electrical engineer by training and before joining CSA, I was with the Public Utilities Board (PUB) for nine years, managing both sides of the house – clean and “dirty” water (i.e. reclaimed water). Having done stints in various departments, I have had experience with a wide spectrum of water-related work including policy, operations and maintenance, technology development, and project management.

It was around three years ago when I first developed an interest in cybersecurity. At the time, I had been managing the Supervisory Control and Data Acquisition (SCADA) project for one of PUB’s water reclamation plants. This project was relatively complex and also very large in scale, as it required not only the comprehensive replacement of the SCADA system, but also a multitude of servers and field equipment for the plant.

One of the key challenges was to ensure that the plant was still able to monitor, control and analyse the field devices and processes during the system migration process. Cybersecurity was a big part of the project, but given that my knowledge and know-how was rather limited at the time, I was constantly Googling things, and trying to learn and understand different cybersecurity concepts. I also ploughed through various documents to familiarise myself with the technical jargon, codes, and standards. This was ultimately helpful as it enabled me to have fruitful technical discussions with my vendors and consultants, and also helped to build up my skillset and knowledge over time.

To sharpen my competencies in cybersecurity, I embarked on a journey of courses and certifications, which eventually allowed me to pivot into this role at CSA.

2. What does a typical day at work look like? What are some of the challenges of working in the Critical Information Infrastructure field?

As CSA’s Sector Officer for the energy sector, I oversee the governance, risk management, and compliance aspects, and also work closely with Operational Technology (OT) stakeholders from government and private companies. Through review of risk assessments and audits, as well as other cyber resilience programmes (such as workshops, industry conferences and participating in joint exercises), we ensure that our stakeholders OT systems are cyber resilient in this current threat landscape, and help to increase their odds as defenders against sophisticated threat actors.

Those who work in the OT sector will agree that it is increasingly challenging to keep up with the new developments in the threat landscape, in addition to also staying abreast of the latest tactics and techniques in defending these systems. The existing OT systems have become increasingly vulnerable to cyber threats. For example, Industrial Control System (ICS) devices were purpose-built, stand-alone systems designed for reliability rather than security. Therefore, most ICS-related attacks do not need to exploit software vulnerabilities given the lack of basic security controls like authentication and encryption.

While engineers and vendors are always racing against the clock to keep up with current developments, the challenges we face have also been exacerbated by the convergence of IT and OT systems, emerging technologies such as 5G, Artificial Intelligence (AI) and Machine Learning (ML), supply chain risks, and the ever-evolving threat landscape.

3. What has been your most memorable experience in CSA? Any interesting projects you were involved in?

One memorable experience was my involvement in the Operational Technology Cybersecurity Expert Panel (OTCEP) Forum in 2022. The event was a cross-division collaboration with CSA’s Ecosystem Development Division (EDD), the Cybersecurity Engineering Centre (CSEC), the Cybersecurity Programme Centre (CSPC) and the Communications & Engagement Office (C&EO), alongside other industry partners and government agencies. For those who are unfamiliar with the OTCEP Forum, it was developed with the purpose of providing the Government, the OT community and industry stakeholders with expert knowledge on cybersecurity domains in areas such as operations, engineering and governance, so as to uplift the overall cyber resilience and capabilities of Singapore’s OT ecosystem.

I must admit that the journey leading up to the event was arduous, demanding and nerve-wrecking. It was also challenging as there were many moving parts that the team had to plan, coordinate and execute concurrently. Just to name some of our key tasks, our day-to-day work included coordinating logistics (e.g. flights and accommodation for guests), curating the programme’s contents, and working closely with C&EO to manage media and outreach efforts. In addition, we also had numerous meetings with the Event Organiser and key stakeholders.

We were fortunate that the event was executed as planned, despite the fluid and uncertain situation caused by the COVID-19 pandemic. Overall, I would say that the success of the OTCEP Forum was largely due to the dedication and passion of the team, which allowed us to take the bull by its horns and overcome various obstacles and challenges. This experience was indeed enriching and fulfilling, and I look forward to working with the team in planning next year’s OTCEP Forum in 2023.

4. Any advice for those looking to join the cybersecurity industry?

To break into the cybersecurity sector, the first step is to understand the basics of IT systems and networks. Once you are familiar with the fundamentals, you can then dive into various topics such as Linux/Windows command line prompts, networking and communication principles, and basic coding knowledge.  

The next step would be to consider enrolling for an entry-level security certification (e.g. Comptia Security+, SANS SEC301) to understand the foundational cybersecurity domains and concepts. Cybersecurity is a broad umbrella term that covers a spectrum of specific practice areas, and requires diverse skillsets and experiences. Therefore, after being introduced to the foundational domains, you can gain insight into what to expect and find your interest in a specific field (e.g. Incident Response, Threat Intelligence, Risk Management). Scanning the job market will also help you learn more about the available roles and their pre-requites, and from there, you can work towards attaining the right experience and more advanced certifications.

My last piece of advice would be to “kee chiu” for cyber-related projects/tasks in your organisation when the opportunity arises, as this will get you exposure to the domain, as well as a chance to learn and build up your capabilities. This experience, coupled with your certifications, will value-add to your CV and give you an edge in securing your new job in the cybersecurity sector.

5. How do you unwind from work?

Having a vacation is how I would relax, unwind and recharge. Now with the re-opening of borders, I am one of the many Singaporeans who has booked my travel plans for 2022 and 2023 😊