Last year in June, cyberattacks swamped Ukrainian banks, government departments, public utilities and newspapers. Their computers froze and thousands of employees were locked out of the company networks.

Very soon, reports of similar attacks began coming in from Europe, with a few cases reported from the US as well. Everyone feared a redux of WannaCry, which had affected more than 400,000 computers globally in a matter of days just a few months earlier.

However, things seemed to die down after the initial flurry of infections. Once forensic teams began to sift through the details, they noticed something interesting. Almost 80% of targets were in Ukraine, and its critical information infrastructure (CII) seemed to be the target. It appeared that other parts of Europe were affected as collateral damage.

Another intriguing point was the ransom demand that followed, for what was by then being called the notPetya attack. It seemed almost half-hearted and sent as an afterthought.

Some experts began to suspect that notPetya could have been a targeted attack on Ukraine that was disguised as a ransomware demand to fool investigators. This year these suspicions have been confirmed, with the UK foreign office claiming that Russia was behind the cyberattack on Ukraine’s banks, government and power grid. The US has also blamed Russia for the attack.

Attacks are real

Irrespective of who carried out the attack, it is important to keep the Ukrainian incident in mind for a couple of reasons. One is that targeted attacks are real and are happening, and not all of them need government sanction or backing; there are plenty of private entities capable of mounting such attacks.

The other crucial point is that with digitalisation of almost all infrastructures, it is easy to cripple CIIs with a well-targeted cyberattack unless they are well defended. The general definition of CII is any information system that is required for uninterrupted delivery of essential services.

Protecting CII is vital to national security, notes Foo Siang-tse, Managing Director of Quann, a Singapore-based managed security services provider.

“Hitherto, the focus of cybersecurity has been on IT and digital assets,” he says. “While a data breach can result in reputational impact and financial loss, the consequences of a data breach are largely confined to the ‘virtual’ world. On the other hand, a successful attack on CIIs can result in ‘real’ world consequences – loss of property and lives.”

Abdallah Zabian, DXC Technology’s Asia General Manager for Security, adds that CIIs are essential for the viable operation of a nation. Technology is now “pervasively used” to deliver power, water and transportation efficiently, he says.

“These infrastructures are likely more susceptible to cyber-attacks as they are more complex to protect than core information technology assets. Society expects basic services to function normally, so any disruption could have grave economic, welfare and potentially political repercussions,” he adds.

Singapore’s cyber law

Singapore recently passed a cybersecurity law, identifying 11 critical sectors as CII. They are aviation, financial sector, energy, public sector, healthcare, information and communications (infocomm) services, land transport, maritime, security and emergency services, water supply and media.

David Koh, Cyber Security Agency of Singapore (CSA) CEO and Singapore’s Cybersecurity Commissioner, notes that the new Cybersecurity Act defines the roles and responsibilities of CII owners in ensuring the cybersecurity of their respective CIIs, and empowers CSA to take pre-emptive action and investigate cyber incidents.

As Koh says, this “strengthens our [Singapore’s] ability to prevent and respond effectively to national cybersecurity threats.”

The law now also requires cyber security vendors to have a licence to operate. This will provide some level of assurance on the quality of service providers, and the cybersecurity professionals that support these services, Quann’s Foo explains. This will fundamentally address the information asymmetry between buyer and supplier.

“The Act also rightly places the responsibility of cyber security on CII owners by clarifying their responsibility to conduct audits, risk assessments and participate in exercises. These are critical for the effective implementation of good cybersecurity policies and practices,” he notes.

The basics

Telecommunications is a crucial element of a nation’s infrastructure, not only because of communications needs but also because malicious attacks usually come in through a telco network.

Breaking things down to the basics, Lim Woo Lip, Vice President of Data Analytics & Cyber Security at StarHub, notes that CIIs are made up of assets, systems and networks connecting governments, companies, schools and homes. “CIIs if impacted could cripple the economy and jeopardise national security as well as public health and safety,” Dr Lim adds.

“All CII operators must put in place a prevention strategy to measure and enhance their cyber security posture regularly, and implement solutions to monitor, detect and mitigate cyber threats,” he advises. “It is also important for operators to raise their employees’ awareness about cybersecurity issues to promote safer computing.”

Meanwhile, the government “must always anticipate the emergence of cybersecurity risks, and closely monitor the situation as we continue to take proactive measures to mitigate them”, a spokesperson of Singapore’s GovTech notes.

“Hence, the need to maintain a high level of vigilance, including regular prompt updating of system software and Internet Surfing Separation that was fully implemented in government systems since May 2017,” the spokesperson adds.

Adopting AI

Cybersecurity has often been viewed as the responsibility of individual businesses to undertake and not a critical one at that – largely due to the lack of a perceived tangible correlation to a business’ profit and loss – observes Robin Schmitt, General Manager, APAC at Neustar, which provides clearing house and directory services to the global communications and internet industries.

“Nationwide efforts like Singapore’s Cybersecurity Act to centralise defences under a common denominator and vulnerability remediation is a nod in the right direction that it is in everyone’s interest to safeguard critical infrastructure”, he adds.

However, cybersecurity legislation is just one of the ways to stay ahead, he says. Countries must also “introduce initiatives that strengthen incident response plans”, with concerted efforts from industry leads, government bodies such as CSA, and businesses alike.

Sanjay Aurora, Asia Pacific MD of Darktrace, a cybersecurity company, feels that governments and CII-providers are increasingly adopting AI (artificial intelligence) based cyber technology to defend some of the most complex environments in the world. Darktrace uses machine learning to identify and respond to cyber threats.

Singapore has “latched-on early to the power of AI for cybersecurity with local enterprises and industrial organisations already deploying the technology and strengthening their cyber resilience,” he adds.

CII obligations

The obligations imposed on the CII owners in Singapore’s Cybersecurity Act, such as regular and frequent audits and risk assessments, are not to be taken lightly, adds Quann’s Foo. “These assessments are the first steps to develop and calibrate an organisation’s cyber security strategy, which, by nature, is very dynamic”. CIIs must continue to keep pace with increasingly complex threats.

However, there is a need to strike a balance between privacy and security. “Personally, I think it is critical for the CSA to have good visibility of the cyber threat situation of all the CIIs, and with proper data and info management, we would be able to defend Singapore against cyberattacks more effectively,” StarHub’s Dr Lim notes. Due to the impact that a cyber-attack could have, many countries have started to elevate cyber-attacks targeting CII to a national security issue, he says.

DXC’s Abdallah adds: “It is important that we as individuals are also aware that it is also our responsibility to protect the digital assets we interact with on a daily basis. If all citizens remain vigilant, and follow and maintain good security practices when navigating in and out of the digital world, we will all be contributing towards a safer and more digitally-secure Singapore.”

The consensus among professionals is that cybersecurity is a continuous process and protecting CIIs is an important element in building up a robust cyber defence.

Amit Roy Choudhury is a senior technology journalist who writes a weekly piece for GovInsider.

Images:
Singapore Port by Zairon, CC BY-SA 4.0
Exercise Cyber Star by Ministry of Communications and Information, Singapore