February 26, 2024

We are creating some awesome events for you. Kindly bear with us.

Protecting Critical Information Infrastructure through an understanding of Safety, Availability and Maintainability

Protecting Critical Information Infrastructure through an understanding of Safety

Above photo: ST Electronics’ booth at SICW 2017/ Credit: ST Electronics

As cyber threats continue to escalate in number and complexity, one of the primary areas of concern is the protection of critical information infrastructure (CII) with complex operational environments. Disruption or damage to CIIs in our increasingly digitised world will have serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of the government or the entire economy.

A recently proposed Cybersecurity Bill in Singapore has a strong focus on protection of CIIs. The Cyber Security Agency of Singapore (CSA) has classified 11 critical sectors as CIIs: (1) Aviation, (2) Banking & Finance, (3) Energy, (4) Government, (5) Healthcare, (6) Infocomm, (7) Land Transport, (8) Maritime, (9) Media, (10), Security and Emergency Services, (11) Water.

On the sidelines of Singapore International Cyber Week (SICW) 2017, OpenGov had the opportunity to speak to Mr. Goh Eng Choon, Senior Vice President and General Manager of ST Electronics (Info-Security) and Mr. Hoo Chuan-Wei, Chief Cyber-Security Technology Officer (CCSTO) of ST Electronics (Info-Security), regarding the protection of CIIs.

Singapore Technologies Electronics Limited (ST Electronics), is the electronics arm of Singapore Technologies Engineering Ltd. ST Electronics is a global engineering company specialising in the design, development and integration of advanced electronics and ICT systems. Its core business areas include rail & intelligent transportation, satellite and broadband communications, info-communications technologies, command & control operations, training & simulation, intelligent building & security systems and cyber security.

Challenges in securing critical information infrastructure

Mr. Goh (below) explained that the primary challenge in securing most of these domains is that they are operations-centric. In enterprise IT systems, the focus is on the confidentiality, integrity and availability (commonly referred to as CIA) of information. But for operational technology (OT), the focus is on their availability.  

“If any of these systems is shut down, power, financial, healthcare, everybody is going to be affected. So they need to keep the system alive. Then only they think about integrity and confidentiality of information,” Mr. Goh said.

So, how do you change the mindset to where you are really focused on keeping it safe, and available at the same time? To deal with the challenge, ST Electronics came up with a new framework for looking at the security of CIIs. It has three components: Safety, Availability and Maintainability, abbreviated as SAM. Governing all this is extensive domain knowledge, systems assurance and deep engineering expertise.

Image credit: ST Electronics

Mr. Hoo (below) added, “A lot of people try to use a traditional enterprise IT security framework to look at an OT issue. Then there is a mismatch and misunderstanding. At ST Electronics, we adopt an engineering mindset. That’s where SAM came from.”

“ST Electronics wants to provide technical thought leadership in the industry. SAM is a forward-thinking way for addressing certain things. People say just do CIA. But SAM is actually inclusive of CIA.”

The proposed cybersecurity bill in Singapore provides a framework for the regulation of Critical Information Infrastructure (CII) and formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs.

When asked about their thoughts on the potential impact of the bill, Mr. Goh replied that biggest issue will be to jumpstart from where they are now. The CIIs that use OT tend to become very conservative. They have a large number of highly complex systems, which cannot be upgrade overnight.

Mr. Goh said, “You want to upgrade the system and make it cybersecurity safe but how do you know that it will not affect the operations? How do you know that it will not affect safety? Before you implement the cybersecurity protection or system, you have to check that it doesn’t break the system. You need time to do it and there must a strategy to implement it. It should not be like when the bill comes, within a short span of time they are trying to transform the protections.”

People, process and technology

This journey is not just about technology. Technology is only part of the solution. The other two essential components are processes and people.

Mr. Goh used an analogy, “If I give you a racing car, you still need to have the processes in place to control the performance of the car and you need a skilled driver to take the car to the next level of performance. You can’t just look at technology, and forget about processes and people. We have always focused on all 3 of these.”

The ST Electronics Cyber Security Centre was set up in 2014 to provide cyber training tailored for new entrants and seasoned professionals to develop and hone their competencies in cyber security. Ever since ST Electronics has been training government agencies, statutory boards, private enterprises, as well as employees.

Security-by-design

Security-by-design is increasingly considered to be a mandatory approach for projects going forward. But what about legacy infrastructure?

Mr. Hoo said that security-by-design can be achieved there through failure analysis of existing solutions and putting in mitigating controls for potential pitfalls. That can make up for shortcomings in the original designs and set-up.

Mr. Goh added that ST Electronics has specifically designed a course to deal with this issue, for its engineers.

“We wanted all the engineers, the architects, when they first design any system to design the system with security in mind. When we say design the system with security in mind, it’s not just about future systems. They have to understand what is current, what are the legacy problems. When they design new things, they have to take into consideration all the existing systems and even some very old legacy systems.  How will it impact the legacy systems and the ways to combat it. So, we actually run this course for our own employees.”

Partnerships

During SICW 2017, ST Electronics announced a number of new partnerships to develop new cyber security technologies, next-generation products and solutions, and industry-wide capabilities and expertise that will transform the industry and help governments and enterprises secure their critical infrastructures. 

One is a collaboration with IBM Security to co-develop next generation cyber security operations equipped with cognitive capabilities driven by threat intelligence and Artificial Intelligence. The collaboration intends to introduce a new concept to ST Electronics’ Security Operations Centres (SOCs), transforming traditional SOCs into a cognitive Command and Control Centre.

In addition, ST Electronics has also partnered with Siemplify to deliver tools that will help security teams effectively triage and respond to cyber threats, while meeting Singapore’s regulatory requirements in cyber security.

Resulting from the two partnerships is the development of ST Electronics’ new Cyber Security Command and Control Centre (CSCCC). It leverages advanced data analytics and visualisation, deep machine learning, and automation capabilities to provide a holistic and comprehensive process of detecting external threats, responding to, and recovering from cyber threats. With its modular and scalable design, the CSCCC also provides customised solutions for enterprises in securing their day-to-day cyber operations.

Mr. Hoo said, “There’s a lot of talk about artificial intelligence, machine learning etc. But there is always this missing component of machine reasoning. That’s the value that ST Electronics sees in IBM Security.”

“In machine learning, the system learns by using certain datasets. Then you ask simple questions and the machine gives you the answers. When you talk about machine reasoning, the machine must be able to tell you that this is what is happening and over there something else is also affected.”

Another MOU was signed between ST Electronics and Cisco to deliver enhanced security capabilities, and provide Managed Detection and Response Security Services (MDRSS) comprising full-time, proactive, systematic threat monitoring and management to Singapore Government Agencies and enterprises.

Mr. Hoo explained that Cisco is well known for its networking environment. Almost every enterprise out there has some form of Cisco networking technology. Because of which Cisco is able to collect a lot of valuable information, which can be harvested and analysed to provide insights into the network layer.

Cisco’s investigators monitor customer networks 24×7 from a global network of security operations centres, providing proactive vigilance and in-depth analysis. In the event of a breach, the ST Electronics – Cisco MDRSS platform can ensure proper containment and actionable recommendations for remediation.

Mr. Goh explained how ST Electronics chooses whether to enter into a partnership.

“When we choose to enter into a partnership, two things must happen. One is we must value-add to the partnership. It’s not just partnerships to bring the technology in and then try to resell it. The value can come in two forms. One is to value-add to the partner so that they can provide a better offering to their customers. The second part is that our people must have the engineering capability to actually take the knowledge and use it, rather than just having a client relationship.”

“The second one is that we partner to grow certain capabilities to the next level. Otherwise it will be just another business relationship.”

“ST Electronics also conducts very strict due diligence before we go into partnership. We evaluate the technology. It has to be relevant, relevant to the society, to the economy,” Mr. Hoo said. 

PARTNER

Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.

PARTNER

CTC Global Singapore, a premier end-to-end IT solutions provider, is a fully owned subsidiary of ITOCHU Techno-Solutions Corporation (CTC) and ITOCHU Corporation.

Since 1972, CTC has established itself as one of the country’s top IT solutions providers. With 50 years of experience, headed by an experienced management team and staffed by over 200 qualified IT professionals, we support organizations with integrated IT solutions expertise in Autonomous IT, Cyber Security, Digital Transformation, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Well-known for our strengths in system integration and consultation, CTC Global proves to be the preferred IT outsourcing destination for organizations all over Singapore today.

PARTNER

Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit www.planview.com.

SUPPORTING ORGANISATION

SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.

PARTNER

HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 

PARTNER

IBM is a leading global hybrid cloud and AI, and business services provider. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity and service.

Send this to a friend