WATER. DIGITAL. RESILIENCE

How do we keep water systems resilient to cyberattacks in Singapore?

Written by Ismail Weiliang and Jefnilham Jamaludin, Systems Engineer at Cyber Security Agency of Singapore

21 FEB 2022

3 MINS READ

ISMAIL WEILIANG

The Climatebender

JEFNILHAM JAMALUDIN

Systems Engineer at Cyber Security Agency of Singapore

Views are entirely ours

and not connected to any company

What is Cybersecurity?

Cybersecurity is the practice of defending assets from cyberattacks. It involves cyber risk management, threat intelligence and hunting, information sharing between entities, software and hardware dependency management and much more. Companies have to follow cybersecurity frameworks to balance business needs while managing cyber risk – risk being the likelihood of occurrence or the realization of a threat while threat being any event impacting the Confidentiality, Integrity or Availability (CIA) of an asset which could lead to its disclosure, modification or destruction.

Assets & CIIs

​Increasingly more companies are adopting cybersecurity frameworks to protect their assets – from private-sector owners to government affiliated operators of critical information infrastructure. Assets are generally items of economic value such as Personally Identifiable Information on secure databases or simply be the actual physical computers storing that information within the company. In strengthening Singapore’s cybersecurity landscape, Singapore has established 11 Critical Information Infrastructure (CII) sectors responsible (1) for the continuous delivery of essential services which Singapore relies on. CIIs are computer systems directly involved in the provision of essential services and any cyber-attacks on CIIs can greatly harm the impact on Singapore’s economy and society (2). One of these 11 sectors is Water.

Operational Technologies of Water Systems

In Singapore, utility operators are still using Industrial Control Systems (ICS) to remotely monitor and control its processes. ICS is a major subset of Operational Technology (OT) and such systems are usually thought to be relatively safe from cyberattacks due to its segregated air-gapped nature – the practice of ensuring a network is physically isolated from unsecured networks, such as the Internet. Singapore also employs its Smart Water Grid that PUB uses for remote monitoring and asset management functions on a separate network from the critical operational systems that provide the delivery of essential services (3). These are necessary measures being taken by Singapore utility operators as OT has its own common set of vulnerabilities such as outdated systems missing security updates and lack of segmentation within OT networks where a compromise of one device might expose the whole OT network.

Learning From Recent Attacks

While Singapore’s own Water CII has not been breached, we can learn from other incidents in this sector. Among many recently, a Florida water treatment plant supply system was being targeted by cybercriminals whereby an attempt to poison the water was made by hacking the OT systems to increase concentrations of sodium hydroxide to toxic levels (4). The hacker achieved this by obtaining the credentials of a former employee’s remote-control account for that OT system but was thwarted by an operator who could reverse the change in time. With that, PUB places a strong importance on digitalisation and continues to make cybersecurity at the cornerstone (5) of its policies – which is important as digitalisation introduces more risk by making a system more Internet-facing (such as use of IoT). PUB also engages research with iTrust, the Singapore University of Technology and Design’s centre for cybersecurity research, to establish the Secure Water Treatment (SWaT) and Water Distribution (WADI) testbed facilities aiming to secure water systems (6).

Cybersecurity: The Never-Ending Pursuit

Ultimately, Singapore must continue its efforts in keeping itself updated and abreast with the latest technologies while also paying close attention to tactics, techniques and procedures of attackers. As cybersecurity is an uphill battle of managing risks where people are the weakest link in the chain (7), Singapore should also continuously invest in educating its professionals and the layman on cyber hygiene.

Authors:

Jefnilham Jamaludin is a Systems Engineer at Cyber Security Agency of Singapore. He holds a ModularMasters in Cybersecurity from the Singapore University of Technology and Design (SUTD) and he is currently a Cisco Certified CyberOps Associate and Ec-Council Certified Ethical Hacker (CEH) Master.


Ismail Weiliang is a climate resilience consultant with over half a decade of experience and specialises in flood risk advisory for Asia. His work involves advising governments and development banks on strategies to transform climate risks into resilience. He also founded “The Climatebender” a non-profit organisation that provides humanitarian relief to communities vulnerable to the climate crisis.

Reference:

1) https://www.csa.gov.sg/news/press-releases/exercise-cyber-star-2019

2) https://www.csa.gov.sg/Legislation/Cybersecurity-Act

3) https://www.csa.gov.sg/singcert/publications/water

4) https://www.forbes.com/sites/jimmagill/2021/07/25/us-water-supply-system-being-targeted-by-cybercriminals/?sh=65acdc328e7c

5) https://www.pub.gov.sg/Documents/Digitalising-Water-Sharing-Singapores-Experience.pdf

6) https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/

7) https://www.infoguardsecurity.com/people-the-weakest-link-in-cybersecurity/

©2021 The Waterbender Sg