Ever heard of the GRF or OT-ISAC? They crowdsource security intelligence that could well save our lives during synchronized cyberattacks!

In December 2016, a substation in Kiev, Ukraine went down, cutting out 20% of Kiev’s power grid. An investigation into the blackout confirmed that it was due to a cyberattack. Despite its limited duration, the attack raised worldwide concern over the potential of cyberattacks that impact the physical world in a way that can put lives at risk, given that the outage occurred during the winter.

Then, in June 2017, a ransomware attack caused outages on Maersk’s computer systems across the world. With Maersk reportedly handling one out of seven containers shipped globally and around 25 percent of all containers shipped on the key Asia-Europe route, the attack resulted in significant disruption of global shipping, and ended up costing the company millions. This is the infamous NotPetya ransomware incident.

These two incidents are prime examples of how such facilities (critical information infrastructures, CII) and vital operations can be compromised when poorly secured against cyber threats, resulting in business paralysis, financial and reputational loss, and even physical danger. 

To find out how such vital operational technologies and CIIs around the world toughen their defences in a united, coherent way that Singapore also taps into, CybersecAsia had a chat with Mark Orsi, the President of Global Resilience Federation (GRF), which runs the Operational Technology Information Sharing and Analysis Centers (OT-ISAC) around the world.

CybersecAsia: How is the GRF implementing the OT-ISAC across Singapore, and what are the processes involved in shoring up cyber defences for Operational Technology infrastructure across Singapore’s critical sectors?

The Operational Technology Information Sharing and Analysis Center (OT-ISAC) was established to boost the resilience of Operational Technology (OT) and Critical Information Infrastructure (CII) organizations in Singapore through the sharing of cyber threat intelligence, proactively reducing cyber risks to members of the OT-ISAC community and the greater Global Resilience Federation network. The OT-ISAC platform is operational, and is being updated daily with relevant threat intelligence.

We are currently engaged in membership talks with dozens of Critical Information Infrastructure (CII) operators from industry verticals such as water, energy, transport, and related manufacturers and security vendors. Our longer-term plans are to continue growing this information sharing network in line with local industry demands, developing the network to more effectively meet the needs of our members.

Malicious actors often work together to develop tools, identify vulnerable organizations, and launch attacks. When a member of the OT-ISAC learns of a threat to themselves or the community, they can initiate the information sharing process summarized with the following steps:  

1. A member of the OT-ISAC receives intelligence about an imminent threat or is targeted by a cyberattack. 

2. The member notifies the OT-ISAC and shares attack methods and threat information.

3. OT-ISAC analysts determine the threat severity, provide additional enrichment of the intelligence, and alert the community for proactive defence.

4. Members continue to collaborate, with support from analysts, to develop and socialize mitigation, detection and preventative measures.

5. If the issue warrants wider distribution, OT-ISAC may share the information, redacted for sensitivity, with a global group of sharing partners through the Global Resilience Federation network. 

6. The greater network is now protected from an attack that may have begun in one organization but with the potential to grow globally. 

7. This information flow is constant both to and from OT-ISAC and its members, as well as its global sharing partners. 

The information shared can include details of attacks or incidents that organizations have experienced, countermeasures that have been determined to be effective, technical indicators, as well as general best practices. Due to potential business sensitivities involved, the information sharing process also has protocols in place to ensure distribution of information can be limited to certain audiences, as intended by the sharer.

Member organizations can “crowdsource” intelligence among a vetted, trusted group of professionals with a common interest, using common technology and with supporting analysis from OT-ISAC staff who enrich alerts and redact sensitive information. Members can also leverage pre-established vendor relationships to obtain Deep and Dark Web reports, non-public vulnerability warnings and other sensitive security details.

CybersecAsia: Why does cybersecurity for Operational Technology infrastructure represent the foundation for long term success in Singapore’s Smart Nation vision, and why will this be a foremost priority for infrastructure owners and operators?

The security of digital assets and infrastructure is the foundation that undergirds every smart city. Recognised by the World Economic Forum as the most competitive economy for long term economic growth and productivity, Singapore is at the forefront of digital transformation in Southeast Asia. Coupled with a highly educated population living and working in a digitally advanced, business-oriented area of geopolitical significance, Singapore represents a natural choice for OT-ISAC.

There is a darker side of digitalization evidenced by cyberattacks in Saudi Arabia, Germany, the U.S., and Norway which resulted in significant disruptions to regular operations and production. This double-edged sword of digitalization creates tremendous efficiencies and progress, but also creates an expanding attack surface of cyberattacks that can impact the physical world. 

Boosting the security of Operational Technology infrastructure is thus a vital step in preventing Singapore’s essential functions, like the electricity grid or transportation network, from being compromised. This reduces economic costs associated with operational disruptions and supports long term stability. While business leaders have a personal responsibility to secure their organizations against cyber threats, a collaborative approach to information sharing is the most effective way to multiply overall security awareness and reduce cyber risk on a large scale. 

CybersecAsia: How do information sharing and collaboration represent a vital weapon for organizations in an age where cyber threat actors are utilizing ever-sophisticated attack methodologies?

Just as malicious actors exchange tools or advice on forums, the aim of information sharing within an Information Sharing and Analysis Center (ISAC) community is for mutual defence, to achieve the following: 

  • Prevention: Identify emerging threats witnessed by or impacting other businesses, sectors, or regions, and work with peers to develop detection patterns and protective measures.
  • Mitigation: When incidents occur, leverage the experience of the community for response processes, mitigation strategies, recovery options, and lessons learned.

Built upon the tenet of strength in numbers, the sharing of threat intelligence enables organizations to be more effective, collectively identifying and responding against malicious actors and their exploits in real time.

This ability to refine security information and procedures and proactively defend against identified threats through threat intelligence sharing is central to the OT-ISAC. For less than the cost of employing a security analyst, a business can join OT-ISAC and become part of a local and international network to obtain threat intelligence and support the resiliency of the sector. 

CybersecAsia: What other latest insights or news trends on operational technology can you share with our readers?

Research by the Cyber Security Agency of Singapore (CSA) found that cybercrime accounted for about 19% of crime in Singapore in 2018. This led to businesses in the city-state suffering losses of nearly S$58 million. 

Strategically positioned at the center of Asia Pacific’s trade flows, Singapore’s status as a regional business and financial hub makes it an extremely attractive target for cyber-criminals. This elevates the cyber risks for businesses operating in Singapore, and also means that the potential fallout from a successful attack can have a devastating impact that will reverberate across business links throughout Asia Pacific. Accelerating digitalization stands to exacerbate this risk, making proactive defense measures such as threat intelligence sharing a key priority.