On January 25, around 30 representatives from various ministries and
agencies of the Government of Singapore gathered for OpenGov’s Breakfast
Insights session on Tackling Cybersecurity for Critical Infrastructure Ecosystems. This was the second cybersecurity gamification event organised by OpenGov in collaboration with Kaspersky.
Mr. Mohit Sagar, Editor-in-Chief of OpenGov Asia, kicked off the
discussion using examples of public wifi at airports to highlight our common
vulnerability to cybersecurity threats. He highlighted that the government
cannot outsource cybersecurity risks and emphasised that the government will
continue to bear the responsibility to safeguard cybersecurity of critical
infrastructure.
Mr. Stephan Neumeier (above), Managing Director at Kaspersky Lab, spoke
about the significance of industrial cybersecurity. Using the example of
software engineering in connected cars, he illustrated the high potential cost
to human lives and properties if these connected vehicles are hacked while on
the highway. Cybersecurity incidents are estimated to cost enterprises a damage
of $1.4 million on average.
Citing reports by Kaspersky, 55% of the surveyed firms have been
recently attacked and only 29% of them considered the firm well-prepared for
future cyberattacks. Using a few real-life examples, Mr Neumeier pointed out
the complex nature of cybersecurity incidents, as they could be state-sponsored
attacks, ransomware that aims at monetary returns, or cyberterrorists whose objective
is to cause maximum damage to the society.
Gamification through Kaspersky
Interactive Protection Simulations (KIPS)
To foster interactive learning and active participation, the
Breakfast Insight session introduced an element of gamification through the
KIPS.
KIPS is an effective way of building cybersecurity awareness. It is
an exercise that creates a simulated environment in which teams of participants
play the role of IT specialists and face a series of unexpected cyber threat
scenarios, while trying to protect the critical infrastructure and maximise
revenue.
The idea is to build a holistic cyber defence strategy by making
choices from amongst the best proactive and reactive controls available. The
best choice of actions balances strategic, managerial and technical security
priorities.
Each turn begins with an unfolding event which poses cybersecurity
threats to the infrastructure. Like in real-life, the team is only given
limited information and time to make strategic decisions and actions.
Each action impacts the way the scenario plays out, the systems’ subsequent
vulnerability to cybersecurity threats, and ultimately the revenue made. To
help participants better understand the consequences of their choice of action,
feedback is provided to each team after their turn. This allows the teams to
learn from the experience and modify their strategy.
At the end of the exercise, teams get to see the final results which
is measured in both the total revenue generated by the facility and the ability
to protect the computerised assets.
Process
Delegates from various ministries and agencies of the Singapore
Government were divided into teams of 6 or 7 for this simulation exercise.
During the exercise, one of the scenarios presented was an emergency
shutdown of the facility due to industrial sabotage. In the discussion of what
is the best action to be taken, delegates discussed on the need to balance
prevention and response. While it is important to react to immediate
cybersecurity emergencies, delegates also recognise the need to strengthen the
cybersecurity defence of critical infrastructure to prevent future attacks.
These preventive actions include the installation of antivirus programs and
regular audits of hardware and software.
In another scenario, teams are faced with warnings on malicious
cyberattacks, delegates were able to identify that it is an evolving situation
that requires immediate action to detect breaches into the system, strengthen
vulnerable segments of the system, and control the damage.
Polling
In the polling exercise, delegates from the Singapore Government
shared their priorities and concerns in their everyday work.
When asked about what cybersecurity measure is considered most
important for their organization, a majority of 60% considered conducting
awareness training for all staff as the most important cybersecurity measure.
In identifying the major factor that affects an organisation most in
securing their assets, 35% of the participants considered adopting a mix of
reactive and proactive approach as the major factor. Around 25% of them voted
for an appropriate amount of budget and ensuring its effective utilisation,
while another quarter of delegates chose risk prioritisation.
For priority focus areas in 2018, the top identified priority was
managed security services, with nearly half (47%) of the delegates choosing it
as their top priority. It was followed by endpoint detection and response (32%)
and network security solution (21%).
In terms of appropriate annual budget for security solutions to
combat APT (advanced persistent threat) or sophisticated attack dark energy malware,
47% of the delegates would dedicate up to 3% of the revenue or budget to deal
with the cybersecurity threat.
Key takeaways
After the exercise, some key observations and takeaways were shared.
It was noted that cybersecurity resources, including budget, is
usually limited. Given limited resources, it is important that IT managers use
available resources wisely to prevent a potential loss in revenue or harm to
public good in case of a cybersecurity incident.
To ensure long-term security in a fast-changing and uncertain cyber
environment, delegates shared the importance of preventive actions and risk
management. Some of the risk management and preventive measures include regular
audits of system to identify vulnerable points, segmentation of systems within
the critical infrastructure and regular training of IT personnel to increase
their competency in cybersecurity defence.
To address more complex threats in the increasingly uncertain cyberworld,
more complex solutions are needed. This suggests that an ideal cybersecurity
defence takes a holistic approach, by combining both proactive and reactive
actions. In building an adaptive cybersecurity framework, the system should
encompass the 4 elements of Predict, Prevent, Detect and Respond.
