EXCLUSIVE - OpenGov Breakfast Insights session on tackling cybersecurity for critical infrastructure ecosystems
On January 25, around 30 representatives from various ministries and agencies of the Government of Singapore gathered for OpenGov’s Breakfast Insights session on Tackling Cybersecurity for Critical Infrastructure Ecosystems. This was the second cybersecurity gamification event organised by OpenGov in collaboration with Kaspersky.
Mr. Mohit Sagar, Editor-in-Chief of OpenGov Asia, kicked off the discussion using examples of public Wi-Fi at airports to highlight our common vulnerability to cybersecurity threats. He highlighted that the government cannot outsource cybersecurity risks and emphasised that the government will continue to bear the responsibility of safeguarding the cybersecurity of critical infrastructure.
Mr. Stephan Neumeier, Managing Director at Kaspersky Lab, spoke about the significance of industrial cybersecurity. Using the example of software engineering in connected cars, he illustrated the high potential cost to human lives and property if these connected vehicles are hacked while on the highway. Cybersecurity incidents are estimated to cost enterprises $1.4 million in damage on average.
According to reports by Kaspersky, 55% of the surveyed firms have recently been attacked, and only 29% of them considered the firm well-prepared for future cyberattacks. Using a few real-life examples, Mr Neumeier pointed out the complex nature of cybersecurity incidents, as they could be state-sponsored attacks, ransomware that aims at monetary returns, or the work of cyberterrorists whose objective is to cause maximum damage to society.
Gamification through Kaspersky Interactive Protection Simulations (KIPS)
To foster interactive learning and active participation, the Breakfast Insights session introduced an element of gamification through KIPS.
KIPS is an effective way of building cybersecurity awareness. It is an exercise that creates a simulated environment in which teams of participants play the role of IT specialists and face a series of unexpected cyber threat scenarios, while trying to protect the critical infrastructure and maximise revenue.
The idea is to build a holistic cyber defence strategy by making choices from amongst the best proactive and reactive controls available. The best choice of actions balances strategic, managerial and technical security priorities.
Each turn begins with an unfolding event which poses cybersecurity threats to the infrastructure. As in real life, the team is given only limited information and time to make strategic decisions and take action.
Each action impacts the way the scenario plays out, the systems’ subsequent vulnerability to cybersecurity threats, and ultimately the revenue made. To help participants better understand the consequences of their choice of action, feedback is provided to each team after their turn. This allows the teams to learn from the experience and modify their strategy.
At the end of the exercise, teams get to see the final results, which are measured in both the total revenue generated by the facility and the ability to protect the computerised assets.
Delegates from various ministries and agencies of the Singapore Government were divided into teams of 6 or 7 for this simulation exercise.
During the exercise, one of the scenarios presented was an emergency shutdown of the facility due to industrial sabotage. In discussing the best action to take, delegates raised the need to balance prevention and response. While it is important to react to immediate cybersecurity emergencies, delegates also recognised the need to strengthen the cybersecurity defence of critical infrastructure to prevent future attacks. These preventive actions include the installation of antivirus programs and regular audits of hardware and software.
In another scenario, teams were faced with warnings of malicious cyberattacks. Delegates were able to identify that it was an evolving situation requiring immediate action to detect breaches into the system, strengthen vulnerable segments of the system, and control the damage.
In the polling exercise, delegates from the Singapore Government shared their priorities and concerns in their everyday work.
When asked which cybersecurity measure they considered most important for their organisation, a majority of 60% chose conducting awareness training for all staff.
In identifying the major factor that most affects an organisation in securing its assets, 35% of the participants considered adopting a mix of reactive and proactive approaches as the major factor. Around 25% of them voted for an appropriate amount of budget and ensuring its effective utilisation, while another quarter of delegates chose risk prioritisation.
For priority focus areas in 2018, the top identified priority was managed security services, with nearly half (47%) of the delegates choosing it as their top priority. It was followed by endpoint detection and response (32%) and network security solutions (21%).
In terms of the appropriate annual budget for security solutions to combat APTs (advanced persistent threats) or sophisticated attacks such as dark energy malware, 47% of the delegates would dedicate up to 3% of the revenue or budget to deal with the cybersecurity threat.
After the exercise, some key observations and takeaways were shared.
It was noted that cybersecurity resources, including budget, are usually limited. Given limited resources, it is important that IT managers use available resources wisely to prevent a potential loss in revenue or harm to the public good in case of a cybersecurity incident.
To ensure long-term security in a fast-changing and uncertain cyber environment, delegates shared the importance of preventive actions and risk management. Risk management and preventive measures include regular audits of systems to identify vulnerable points, segmentation of systems within the critical infrastructure, and regular training of IT personnel to increase their competency in cybersecurity defence.
To address more complex threats in the increasingly uncertain cyberworld, more complex solutions are needed. This suggests that an ideal cybersecurity defence takes a holistic approach, combining both proactive and reactive actions. An adaptive cybersecurity framework should encompass the 4 elements of Predict, Prevent, Detect and Respond.