Singapore Lays Out Plans for Operational Technology Cybersecurity

Singapore’s Cyber Security Agency (CSA) on Tuesday unveiled the country’s Operational Technology (OT) Cybersecurity Masterplan, whose goal is to help enhance the security and resilience of organizations that house OT systems.

The Masterplan focuses on industrial control systems (ICS), which account for a majority of OT systems. While it’s mainly addressed to critical information infrastructure owners, it also applies to other types of enterprises that rely on OT systems, such as pharmaceutical firms, oil and gas companies, and semiconductor manufacturers.

The plan revolves around three factors — people, technology and processes — and it has four main objectives.

One of them is to enhance OT cybersecurity training to help organizations be better prepared to defend themselves against cyberattacks. Training courses are being offered by the CSA and its partners, including NSHC Singapore and the Singapore University of Technology and Design’s iTrust center.

Another objective is to set up a dedicated information sharing and analysis center whose role is to facilitate the sharing of threat data between public and private stakeholders.

Singapore also plans on strengthening policies and processes. This includes expanding the recently introduced Cybersecurity Code of Practice (CCoP) to cover OT systems as well — the CCoP currently focuses on IT systems.

The final goal of the Operational Technology Cybersecurity Masterplan is to promote the development of innovative solutions for defending OT systems.

In addition, manufacturers of OT equipment and service providers will be encouraged to implement cybersecurity mechanisms into their products and services from the development phase.

“The OT Cybersecurity Masterplan will serve as a strategic blueprint to guide Singapore’s efforts to foster a resilient and secure cyber environment for our OT CII, while taking a balanced approach between security requirements, rapid digitalisation and ease of conducting business-as-usual activities,” the CSA said.

Singapore also announced on Tuesday the launch of a Vulnerability Disclosure Programme (VDP) via the HackerOne platform. Singapore’s government has organized several bug bounty programs over the past two years, but it also wants to make it easier for white hat hackers to report vulnerabilities found in government systems outside of these projects.

The latest bug bounty program was announced recently by Singapore’s Ministry of Defence. The program will run until October 21 and 400 hackers have been invited to find vulnerabilities across 11 defense-related websites and online services.

The previous bug bounty program, for which results were announced this week, resulted in nearly $26,000 being paid out to participants for 31 vulnerabilities.

Singapore is host to the APAC edition of SecurityWeek’s ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial Internet stakeholders in the APAC region.

Related: Singapore Signs Cybersecurity Agreements With US, Canada