Protecting Critical Information Infrastructure through an understanding of Safety, Availability and Maintainability
As cyber threats continue to escalate in number and complexity, one of the primary areas of concern is the protection of critical information infrastructure (CII) with complex operational environments. Disruption or damage to CIIs in our increasingly digitised world will have serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of the government or the entire economy.
A recently proposed Cybersecurity Bill in Singapore has a strong focus on protection of CIIs. The Cyber Security Agency of Singapore (CSA) has classified 11 critical sectors as CIIs: (1) Aviation, (2) Banking & Finance, (3) Energy, (4) Government, (5) Healthcare, (6) Infocomm, (7) Land Transport, (8) Maritime, (9) Media, (10) Security and Emergency Services, (11) Water.
On the sidelines of Singapore International Cyber Week (SICW) 2017, OpenGov had the opportunity to speak to Mr. Goh Eng Choon, Senior Vice President and General Manager of ST Electronics (Info-Security) and Mr. Hoo Chuan-Wei, Chief Cyber-Security Technology Officer (CCSTO) of ST Electronics (Info-Security), regarding the protection of CIIs.
Singapore Technologies Electronics Limited (ST Electronics) is the electronics arm of Singapore Technologies Engineering Ltd. ST Electronics is a global engineering company specialising in the design, development and integration of advanced electronics and ICT systems. Its core business areas include rail & intelligent transportation, satellite and broadband communications, info-communications technologies, command & control operations, training & simulation, intelligent building & security systems and cyber security.
Challenges in securing critical information infrastructure
Mr. Goh explained that the primary challenge in securing most of these domains is that they are operations-centric. In enterprise IT systems, the focus is on the confidentiality, integrity and availability (commonly referred to as CIA) of information. But for operational technology (OT), the focus is on availability.
“If any of these systems is shut down, power, financial, healthcare, everybody is going to be affected. So they need to keep the system alive. Then only they think about integrity and confidentiality of information,” Mr. Goh said.
So, how do you change the mindset to where you are really focused on keeping it safe, and available at the same time? To deal with the challenge, ST Electronics came up with a new framework for looking at the security of CIIs. It has three components: Safety, Availability and Maintainability, abbreviated as SAM. Governing all this is extensive domain knowledge, systems assurance and deep engineering expertise.
Mr. Hoo added, “A lot of people try to use a traditional enterprise IT security framework to look at an OT issue. Then there is a mismatch and misunderstanding. At ST Electronics, we adopt an engineering mindset. That’s where SAM came from.”
“ST Electronics wants to provide technical thought leadership in the industry. SAM is a forward-thinking way for addressing certain things. People say just do CIA. But SAM is actually inclusive of CIA.”
The proposed cybersecurity bill in Singapore provides a framework for the regulation of Critical Information Infrastructure (CII) and formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs.
When asked about their thoughts on the potential impact of the bill, Mr. Goh replied that the biggest issue will be to jumpstart from where they are now. The CIIs that use OT tend to become very conservative. They have a large number of highly complex systems, which cannot be upgraded overnight.
Mr. Goh said, “You want to upgrade the system and make it cybersecurity safe but how do you know that it will not affect the operations? How do you know that it will not affect safety? Before you implement the cybersecurity protection or system, you have to check that it doesn’t break the system. You need time to do it and there must be a strategy to implement it. It should not be like when the bill comes, within a short span of time they are trying to transform the protections.”
People, process and technology
This journey is not just about technology. Technology is only part of the solution. The other two essential components are processes and people.
Mr. Goh used an analogy, “If I give you a racing car, you still need to have the processes in place to control the performance of the car and you need a skilled driver to take the car to the next level of performance. You can’t just look at technology, and forget about processes and people. We have always focused on all 3 of these.”
The ST Electronics Cyber Security Centre was set up in 2014 to provide cyber training tailored for new entrants and seasoned professionals to develop and hone their competencies in cyber security. Ever since, ST Electronics has been training government agencies, statutory boards, private enterprises, as well as employees.
Security-by-design is increasingly considered to be a mandatory approach for projects going forward. But what about legacy infrastructure?
Mr. Hoo said that security-by-design can be achieved there through failure analysis of existing solutions and putting in mitigating controls for potential pitfalls. That can make up for shortcomings in the original designs and set-up.
Mr. Goh added that ST Electronics has designed a course specifically for its engineers to deal with this issue.
“We wanted all the engineers, the architects, when they first design any system to design the system with security in mind. When we say design the system with security in mind, it’s not just about future systems. They have to understand what is current, what are the legacy problems. When they design new things, they have to take into consideration all the existing systems and even some very old legacy systems. How will it impact the legacy systems and the ways to combat it. So, we actually run this course for our own employees.”
During SICW 2017, ST Electronics announced a number of new partnerships to develop new cyber security technologies, next-generation products and solutions, and industry-wide capabilities and expertise that will transform the industry and help governments and enterprises secure their critical infrastructures.
One is a collaboration with IBM Security to co-develop next generation cyber security operations equipped with cognitive capabilities driven by threat intelligence and Artificial Intelligence. The collaboration intends to introduce a new concept to ST Electronics’ Security Operations Centres (SOCs), transforming traditional SOCs into a cognitive Command and Control Centre.
In addition, ST Electronics has also partnered with Siemplify to deliver tools that will help security teams effectively triage and respond to cyber threats, while meeting Singapore’s regulatory requirements in cyber security.
Resulting from the two partnerships is the development of ST Electronics’ new Cyber Security Command and Control Centre (CSCCC). It leverages advanced data analytics and visualisation, deep machine learning, and automation capabilities to provide a holistic and comprehensive process for detecting external threats, and for responding to and recovering from cyber threats. With its modular and scalable design, the CSCCC also provides customised solutions for enterprises in securing their day-to-day cyber operations.
Mr. Hoo said, “There’s a lot of talk about artificial intelligence, machine learning etc. But there is always this missing component of machine reasoning. That’s the value that ST Electronics sees in IBM Security.”
“In machine learning, the system learns by using certain datasets. Then you ask simple questions and the machine gives you the answers. When you talk about machine reasoning, the machine must be able to tell you that this is what is happening and over there something else is also affected.”
Another MOU was signed between ST Electronics and Cisco to deliver enhanced security capabilities, and provide Managed Detection and Response Security Services (MDRSS) comprising full-time, proactive, systematic threat monitoring and management to Singapore Government Agencies and enterprises.
Mr. Hoo explained that Cisco is well known for its networking environment. Almost every enterprise out there has some form of Cisco networking technology. As a result, Cisco is able to collect a lot of valuable information, which can be harvested and analysed to provide insights into the network layer.
Cisco’s investigators monitor customer networks 24x7 from a global network of security operations centres, providing proactive vigilance and in-depth analysis. In the event of a breach, the ST Electronics - Cisco MDRSS platform can ensure proper containment and actionable recommendations for remediation.
Mr. Goh explained how ST Electronics chooses whether to enter into a partnership.
“When we choose to enter into a partnership, two things must happen. One is we must value-add to the partnership. It’s not just partnerships to bring the technology in and then try to resell it. The value can come in two forms. One is to value-add to the partner so that they can provide a better offering to their customers. The second part is that our people must have the engineering capability to actually take the knowledge and use it, rather than just having a client relationship.”
“The second one is that we partner to grow certain capabilities to the next level. Otherwise it will be just another business relationship.”
“ST Electronics also conducts very strict due diligence before we go into partnership. We evaluate the technology. It has to be relevant, relevant to the society, to the economy,” Mr. Hoo said.