THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
SINGAPORE

NAVIGATING THE DIGITAL AGE | SecurityRoundtable.org

CONTRIBUTORS

• Khoo Boon Hui – Former Interpol President; retired Singapore Police Commissioner

• Professor Yu Chien Siang – Chief Innovation Officer, Quann

• Huang Shao Fei – Director, IT Security, Governance & Risk Management, Land Transport Authority

• Baey Chin Cheng – Chief Information Security Officer, Singtel

• Seah Kian Peng – Chief Executive Officer, NTUC FairPrice

• Professor Lam Kwok Yan – Professor of Computer Science, School of Computer Science & Engineering, College of Engineering, Nanyang Technological University

• Dr. Yaacob Ibrahim – Minister for Communications & Information and the Minister-in-charge of Cyber Security

• Bruce H. Rogers – Chief Insights Officer, Forbes

• Sean Duca – Vice President, Regional Chief Security Officer, Palo Alto Networks

• David Koh – Chief Executive, Cyber Security Agency of Singapore

• Richard A. Clarke – Chairman, Good Harbor Security Risk Management; former White House Advisor on Cybersecurity & Counterterrorism

• Bill Chang – Chief Executive Officer, Group Enterprise, Singtel

SUPPORTED BY


NAVIGATING THE DIGITAL AGE

THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

SINGAPORE

Published by


Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – Singapore

Printing and Binding: Timesprinters

Published by: Forbes Media, 499 Washington Blvd., Jersey City, NJ 07310 USA
First published: 2016

© 2016 Palo Alto Networks Inc. All rights reserved.

Cover illustration by Tim Heraldo

DISCLAIMER

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (October 2016). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide.

This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.

Foreword
Dr Yaacob Ibrahim, Minister for Communications & Information and the Minister-in-charge of Cyber Security

Cybersecurity is an important enabler, allowing us to connect, interact, and transact confidently and securely. Cybersecurity professionals work tirelessly behind the scenes to ensure that our critical infrastructure is resilient and services remain safe from cyber-attacks.

Notwithstanding our efforts, cyber threats are growing exponentially in scale and complexity. Cyber-attackers are getting smarter, and they continue to target the weakest link. They can be anywhere, coordinating attacks with fellow perpetrators across the globe. Governments and businesses find themselves fighting to stay one step ahead of these attackers. It is a serious situation, and there is no quick solution. That is why everyone must play his or her part to build a resilient, sustainable, and secure cyberspace so as to uphold Singapore’s reputation as a reliable and trusted partner.

Together with its partners, the Cyber Security Agency of Singapore (CSA) has developed a national cybersecurity strategy for Singapore. Singapore’s Cybersecurity Strategy—launched by our Prime Minister at the inaugural Singapore International Cyber Week in October 2016—is a statement of Singapore’s vision, goals, and priorities in cybersecurity. It underscores the Government’s commitment to build a trusted and resilient cyber environment for Singapore.

Cybersecurity deserves attention at the highest level at every organisation. Consequences of a breach can be dire, ranging from the high costs of resolution to damaged reputations and loss of customer trust. For these reasons, cybersecurity issues can no longer be regarded as the province of experts and technicians. Boards and management should devote adequate attention and invest sufficient resources to ensure cybersecurity measures are deployed to protect their systems and networks. I believe that mindsets are gradually shifting, and companies are beginning to take cybersecurity more seriously. The Singapore Government is also taking steps and investing 8% of the budgets set aside for IT on cybersecurity.

Our vision of a dynamic cybersecurity ecosystem is one that comprises strong local cybersecurity firms co-existing with established global companies, fed by a talented workforce and strong research and development. Across the economy, businesses must also be sensitive to cyber threats and adopt the right level of cybersecurity measures, regardless of size. Similarly, employees need to remain vigilant by staying informed of cyber risks and taking preventive measures to secure their computer systems and digital devices.

With the right knowledge, expertise, and attitude, we can reap the full benefits and possibilities of the vast cyberspace. Yet we recognise that the landscape remains uneven across cyber defenders, be it at the national, sectoral, or company level. We need more people to come forward to share their expertise and experience. This practical guide to cybersecurity—the first of its kind in Singapore—is a good step in this direction, with invaluable lessons and insights from real-world experience. I trust this initiative by Palo Alto Networks will inspire others to follow in their footsteps.

I look forward to continuing to work with all our partners and stakeholders to strengthen Singapore’s cybersecurity posture and realise Singapore’s Smart Nation vision together.

Preface
Forbes Media – Bruce H. Rogers, Chief Insights Officer

We have never been so connected. The Fourth Industrial Revolution is transforming industry with its billions of connected endpoints and blurring the lines between the cyber and physical worlds. Smart city initiatives around the globe, such as Singapore’s Smart Nation Platform, revolve around pervasive connectivity and the efficient sharing of sensor data. But when everything is connected, everything is hackable—in theory and, as it turns out, in practice. Many of the devices, sensors and machinery that are now integrated into enterprise systems were designed to perform a specific function; they were not designed for security.

This hyper-connectivity is not lost on cybercriminals. Bad actors can now find a way into a system through an industrial control system, an MRI machine—even a printer that is operating offline or a device that is properly air gapped. Cybercriminals are themselves a well-connected bunch. They rely on social media and a thriving underground network to ply their trade, buy malware, and sell stolen data. Yet most of the organisations they attack tend to see security as an internal matter to be sorted out behind closed doors—sometimes by designated security personnel alone. It is easy to see how a go-it-alone policy could put any organisation at a clear disadvantage against a well-connected criminal network in a hyper-connected world.

One thing is clear: cybersecurity is not merely a competitive advantage. A successful attack against one organisation can ripple through the entire network of that organisation and affect confidence across related industries. The theft of data is easy enough to understand. But as the number of connected endpoints proliferates, so do the possibilities to do damage. A competitor could gain access to vital equipment and quietly rewrite the quality controls to sabotage production or destroy machinery. A hacker network could ransom the data of a healthcare company. A state actor could threaten power plants or transportation systems to make a point. The effects of such attacks are felt far beyond the walls of any one organisation.

Bad actors may seem to have the advantage, but it is possible to shape an organisation’s culture around cyber awareness and to build security into every product, service, and investment by design. This takes a good plan, the right expertise and leadership from the top. Today there are sophisticated means to protect, identify, and defend against cyber threats, even in a hyper-connected enterprise. That is why cybersecurity decisions are best made with a plan and a purpose about what to protect, how much to invest in security, and what to do in case of a cyber event. For boards and C-suites, it is a question of finding the right balance between accessibility and protection, and of setting standards that ensure good practice from all partners and extend beyond the walls of their organisation—just as their enterprise now extends far beyond their on-premise systems.

Introduction: The Importance of Cybersecurity for Executives in Singapore
Palo Alto Networks Inc. – Sean Duca, Vice President, Regional Chief Security Officer

For years, every time a new security challenge impacted an organisation, this forced it to spend valuable capital on cybersecurity products that focus on narrow cyber risks or the specific ‘threat-du-jour’. Its IT staff cobble together products and services from one legacy vendor to the next with little strategic planning or thought about what the business’s core risks are. And they hope that their mountain of legacy technology is updated often enough to provide some defence against the fear, uncertainty, and doubt being spread about cyberthreats in the daily headlines.

However, with the number and severity of breaches on the rise around the world, this approach to cybersecurity clearly isn’t working today. What may seem like fear-mongering is in fact a new reality: the falling price of computing power has allowed cybercriminals to launch low-cost, low-risk attacks yielding high returns. Hacker toolkits—easy-to-use, highly effective malware that’s growing in popularity—enable novices with minimal technical knowledge to understand your digital environment better than you do, and breach your increasingly expensive and complex legacy cyber defences.

The traditional answer to these challenges has us adding more legacy technologies one on top of another. Yet the point products were never designed to interoperate or share information, as they worked in their own respective silos. Ultimately, this becomes a gap that only human operators can fill by manually getting the relevant information from each source. Rather than protecting us, these additional layers force organisations to feed threat information into individual products, analyse what is happening, and then take action—slowing down the ability to keep up with attackers as they go deeper into our networks.

With the rise in successful cyberattacks, cybersecurity is becoming an increasingly strategic concern that threatens the foundations of enterprise value for business leaders in Singapore and the Asia-Pacific region. Although Singapore is one of the leading countries to build a robust digital infrastructure, it also means that Singapore is at a high risk of facing cyberattacks to its infrastructure.1 Most public-sector services are available online, and people rely on online banking services for their day-to-day banking needs. Singapore is also home to major global and local banks in the region. It is no surprise that cybercriminals have been targeting banking customers in Singapore by infecting the devices they use for banking transactions.2 Indeed, Singapore has seen an increase in the number of cyberattacks in the past couple of years, and the Singapore Government and the public sector have both been the victim of such attacks.3

No leader wants his or her organisation to be splashed on the front page of a newspaper due to a cybersecurity breach that hurts its reputation and profitability and undermines its business model, but this is the reality we face today.

In light of how our businesses are evolving, our approach to solving security challenges needs to evolve as well. We need to look at how these manual processes can be automated and move beyond technical point product solutions, towards deploying defences to protect what is of most value to companies (and attackers). By increasing the speed and automation of our defences, we can slow down and potentially deter the adversaries by reducing their success rate.

How then can you forestall and thwart an attack?

Lessons from abroad

Many companies—particularly those in Singapore—believe that their current strategies around the technologies they have deployed, the teams of people they have to manage and operate them, and the processes they use aren’t perfect, but seem as if they are good enough; and many companies are confident that any problem will right itself eventually. Some may even believe that a major breach could never happen to them, impacting only large enterprises, the government, or companies in the United States and Europe. However, history—and the range of stolen data—has shown that any company, irrespective of size and location, is vulnerable.

Breaches tend to hit the news only when someone outside the organisation discovers and exposes them. What may be contributing to this perception is the lack of mandatory data breach disclosure laws in Asia-Pacific. Because no regulation in Singapore forces public disclosure of data breaches—and the public discussion that usually follows disclosure—companies, consumers, and regulators may underestimate the full scope of the threat and damage. Though no regulation is a panacea, organisations in Singapore, and elsewhere in Asia-Pacific, do not need to reinvent the wheel: rather, they can look to neighbouring continents that have dealt with these pressing issues before and answered them in the context of regulation. These countries, such as the United States and those in the European Union, have multiple data breach notification laws and have explored mandatory data breach reporting and notification when personal data is compromised.

So how should companies in Asia-Pacific approach instituting a security approach that is up to par with global standards? Not all lessons from abroad are mandates. For this reason the National Institute of Standards and Technology (NIST) Cybersecurity Framework was developed in an open, collaborative partnership in the United States between NIST, a US Government agency, and the private sector. This framework helps guide executive management and boards of directors; points to globally accepted, industry-driven standards for risk management; and provides a common language and benchmarks for cyber resilience across an organisation (from boardroom to IT analyst), when dealing with stakeholders and third parties, or when operating across borders.

Regardless of how executives and boards structure their strategies for managing cybersecurity risk, they should not be merely lists of technology check boxes, but rather should be solution agnostic and interoperable among different systems.

Three investments to mitigating risk

There is no doubt cybersecurity provides longevity to a business and can help differentiate it from its competitors—for both good and not so good reasons. Strong cybersecurity is fundamental to the growth and prosperity of all organisations in the public and private sector; to make Singapore’s online systems and networks more resilient; and to provide trust and confidence to its citizens, businesses, and customers alike.

Towards that end, we need to look at how we become efficient with our security efforts. Instead of chasing after a silver-bullet security product, organisations in Singapore should target investment in three areas to reduce cybersecurity risk:

THREE INVESTMENTS TO MITIGATING RISKS

• Strong cyber defences. Companies should practice good cyber hygiene to protect and maintain their systems and devices appropriately, ensuring they are up to date. By taking an inventory of your environment and applications, you can ferret out gaps or deficiencies and note where you lack visibility in your network. Organisations should conduct regular health checks around where and how their data is secured, what applications are in use in their network, who the users are, what they have access to, as well as the risks and exposures that exist in their organisation.

• A well-trained workforce. According to the 2014 IBM Chief Information Security Officer Assessment,4 human-related errors lead to nearly 95% of all security issues. Companies should therefore educate employees on how to identify and protect their organisations from threats such as phishing, when hackers pretend to be a legitimate entity in an email. Cybercriminals may search online for an employee’s interests and hobbies to craft an attack, in the hopes of luring the worker into opening an infected attachment. Organisations should look to move beyond a compliance check for this training and see how they can invoke change to better defend themselves. Businesses should encourage users to protect their data and their systems at home, as this will naturally flow into the workplace.

• Automated platform. With adversaries using automated tools, organisations should seek out automated defence technology that has been built to act seamlessly behind the scenes—part of a platform smart enough to take actions on your behalf, with a minimum of manual effort by your security professionals.

Prevent and respond

In Singapore and beyond, the prevailing perception is that cyberthreats are becoming so advanced that companies can’t keep up. The logic goes that if getting compromised is inevitable, efforts should be focused on clean-up after a data breach. Yet isn’t an ounce of prevention worth a pound of the best cure? If we continue to focus on reacting to each security challenge, how have we evolved, and how will that impact our businesses in the future? We need to protect our digital way of life by believing that prevention is possible. This doesn’t mean that you must expect to be 100% perfect all the time, but we need to make it fundamentally harder for attackers each time, so they are not successful. With this approach to defence, attackers will need to design and develop unique tools every single time they want to attack an organisation.

The defeatist thinking is due in part to our over-reliance on siloed legacy security products. Companies are forced to chase after each problem coming in, treating everyone at the same level of risk, and potentially allowing the gravest ones to slip through the net. In this stacked security model, products such as legacy firewalls, intrusion prevention systems, antivirus software, and the like are purchased in isolation, from different vendors. Piled on top of one another, the pieces fail to tie together and it’s easy to lose visibility on potential threats.

While more products may seem to be getting you closer to solving the problem, in fact they are creating unnecessary complexity. Ironically, the more technologies deployed in an organisation, the more complex they become to manage, and the less secure you become. The more complex a system, the more room there is to overlook gaps or miss critical alerts, making it more likely an adversary will discover a way to bypass it. Complexity is the enemy of any security program.

For years we believed that simply blocking attacks at ‘the front door’ to your organisation was enough, but in fact, that’s when the clock starts ticking. From that point on, how can you limit your attackers’ ability to move around your network and reach their objective—stealing your information, disrupting your services, or undermining the integrity of the data held by your organisation? After gaining entry on one computer, an adversary will look to move around an organisation’s network like most users would, ultimately mapping out a route to the servers that store your organisation’s crown jewels. Tools will be installed to allow the attackers to remotely control systems from afar. Cybercriminals then hide or encrypt your data before sending the data out of the organisation. So if all of our efforts are focussed on protecting the entry to our organisation, we lose the ability to block the attackers at any stage of the attack lifecycle, allowing the attackers to reach their objective. Organisations can, in fact, develop prevention controls to disrupt the entire attack lifecycle and prevent a negative material impact from a cyber incident.

In order to accomplish the disruption of the attack lifecycle, these are the elements of prevention your organisation needs: threat prevention, threat detection, and threat eradication.

• Threat prevention uses known methods to thwart campaigns at each phase of the attack lifecycle. Because of the adversaries’ propensity to reuse the playbooks against multiple targets, many organisations are aware of these clues. However, if organisations prevent only known behaviour, they will likely miss an adversary’s attacks employing the newest hacking techniques.

• Threat detection automatically hunts for clues throughout the enterprise at each phase of the attack lifecycle—it investigates unknown anomalous behaviour wherever it is found and takes the appropriate actions. Detection uncovers attacks that security controls did not initially block, and also brings to light previously unknown malicious activity that organisations must eradicate or minimise.

• Threat eradication blocks future attacks by analysing the new methods and installing additional means to thwart the adversary. In this two-pronged strategy, organisations must first use newly discovered signs of an attack to protect their networks. Second, they must understand the adversary’s objectives to determine what else they can do to prevent the adversary from succeeding.

While similar, all three of these essential tasks are important in their own right, but individually are not sufficient to prevent material damage. With a strong security architecture in place, businesses will be positioned to prevent every threat that is known, discover new and unknown threats as they emerge, and quickly deploy countermeasures to prevent adversaries from reaching their objective.

Each of these tasks should be automated as much as possible. However, this is incredibly difficult to pull off with multiple security solutions that were never designed to work together or share threat intelligence. One way to address this is by having security professionals make strategic investments across an integrated platform that automatically correlates intelligence collection and the deployment of prevention controls for their organisation.

Conclusion

Like any business risk, cyberthreats are evolving—and so should your organisation’s response. Security risk should be a top concern of executive management and the board of directors in order to protect your business and your customers. Too often, business leaders view security as a matter of compliance and control, which can set up a clash between the needs to protect assets and to foster productivity.

However, cybersecurity can support the goals of senior executives to keep the company running and profitable. Executive leadership must set organisational strategy that builds cybersecurity considerations into the business planning process. Adopting a framework of standards and accountability will help organisations develop a plan that spells out who is responsible for responding to cyber incidents from a technical, legal, and executive standpoint. Toward that goal, technical and non-technical personnel should enter into a common lexicon to discuss cyber risk.

The chief information officer (CIO) and chief technology officer (CTO) are always looking for new ways to innovate and differentiate the company in the marketplace. By working closely with the chief security officer (CSO) or chief information security officer (CISO), they can achieve that innovation in a secure manner that mitigates cyber risks. Leaders can also learn from one another. By joining communities such as the Security Roundtable,5 they can stay up to date with best practices from peers and experts in the cyber arena. The criminal underground shares the latest techniques to launch their attacks, so it only makes sense that we as defenders should share our lessons learned as well. The more we share, the better we can defend ourselves by driving up the cost of a successful cyberattack exponentially.

Armed with the expert insights in this practical guide, organisations can meet this global cybersecurity challenge. Security is a sport best played as a team, and the steps we take now will have a significant and long-lasting impact on the Singapore economy now and in the future.

The insights in this guide include advice and best practices from Singaporean and international thought leaders who are chief executive officers (CEOs), chief innovation officers, CISOs, lawyers, consultants, and former and current government officials. At the heart of every business should be effective risk management, a thorough understanding of the risks, as well as pragmatic solutions, which include better training and awareness. In cybersecurity knowledge is the key to prevention. And knowledge starts right here.

Works Cited

1. https://securityintelligence.com/news/singapore-an-emerging-target-for-cyberthreats-and-banking-trojans/
2. http://www.cio-asia.com/resource/security/cybercrime/singapore-banks-under-malware-threat/
3. http://www.sgcybersecurity.com/list-of-cyber-hackings-in-singapore/
4. ‘Fortifying for the Future’ – Insights from the 2014 IBM Chief Information Security Officer Assessment
5. https://www.securityroundtable.org


TABLE OF CONTENTS

iii. FOREWORD – Dr Yaacob Ibrahim, Minister for Communications & Information and the Minister-in-charge of Cyber Security

v. PREFACE – Forbes Media – Bruce H. Rogers, Chief Insights Officer

vii. INTRODUCTION: THE IMPORTANCE OF CYBERSECURITY FOR EXECUTIVES IN SINGAPORE – Palo Alto Networks Inc. – Sean Duca, Vice President, Regional Chief Security Officer

Navigating the Digital Age

3. 1. CYBERSECURITY STRATEGY: COLLECTIVE DEFENCE IS THE KEY – Cyber Security Agency of Singapore – David Koh, Chief Executive

7. 2. WHAT CORPORATE LEADERS NEED TO KNOW AND DO ABOUT CYBERSECURITY – Good Harbor Security Risk Management – Richard A. Clarke, Chairman; former White House Advisor on Cybersecurity & Counterterrorism

9. 3. CLEAR AND PRESENT DANGER – Singtel – Bill Chang, Chief Executive Officer, Group Enterprise

13. 4. BUILDING AN INTEGRATED, WORLDWIDE RESPONSE TO GLOBAL CYBERSECURITY THREATS – Khoo Boon Hui, former INTERPOL President; retired Singapore Police Commissioner

21. 5. THE FOURTH INDUSTRIAL REVOLUTION – WHY SECURITY CANNOT WAIT! – Quann – Professor Yu Chien Siang, Chief Innovation Officer

25. 6. SAFE TRAVELS: CYBERSECURITY FOR PUBLIC TRANSPORT, FROM OPERATING TECHNOLOGY TO INFORMATION TECHNOLOGY – Land Transport Authority – Huang Shao Fei, Director, IT Security, Governance & Risk Management

29. 7. WHAT 30 YEARS OF CYBERSECURITY HAS TAUGHT SECURITY PROFESSIONALS – Singtel – Baey Chin Cheng, Chief Information Security Officer

32. 8. BUILDING CYBER RESILIENCE – NTUC FairPrice – Seah Kian Peng, Chief Executive Officer

35. 9. SECURING THE INTERNET OF THINGS: CYBERSECURITY FROM IT TO OT – Nanyang Technological University – Professor Lam Kwok Yan, Professor of Computer Science, School of Computer Science and Engineering, College of Engineering

45. CONTRIBUTOR PROFILES – Dr. Yaacob Ibrahim; Bruce H. Rogers; Sean Duca; David Koh; Richard A. Clarke; Bill Chang; Khoo Boon Hui; Professor Yu Chien Siang; Huang Shao Fei; Baey Chin Cheng; Seah Kian Peng; Professor Lam Kwok Yan


Navigating the Digital Age


Cybersecurity Strategy: Collective Defence Is the Key

Cyber Security Agency of Singapore – David Koh, Chief Executive

The world has become increasingly interconnected. The advancement of digital technologies and the pervasive use of the Internet have brought about major changes to people’s work and lives and opened up new opportunities for businesses. Information is readily available with the click of a mouse, and organisations can now reach out to their customers with ease. Productivity has increased, and possibilities are limitless.

Here in Singapore, we have begun our journey towards the vision of a Smart Nation with the aim of improving the lives of citizens, creating more opportunities, and building stronger communities. Connectivity is the crucial piece of this vision. While a connected nation brings countless new possibilities and conveniences, being open is not without its challenges. People are now more vulnerable to cyber threats, as connectivity has created a new frontier for cybercrimes and malicious activities. These threats are multifaceted and extremely challenging, in particular with the emergence of sophisticated Advanced Persistent Threats, Distributed Denial of Service attacks and the myriad of cybercrime tools. The stakes got higher with the recent news about the online auction of US$500 million of cyber weapons, fanning talks of a Cyber Cold War between two superpowers.1

According to the findings by Cybersecurity Ventures,2 an average of one new zero-day vulnerability was discovered every day in 2015. New malware samples are produced by cybercriminals at an alarming rate of 230,000 per day, and targeted social engineering tactics, such as spear-phishing campaigns, have increased drastically, by 55 percentage points from 2014 to 2015.3 These techniques have been consistently used by criminals to deploy malware, and the impact has been felt in government organisations as well as private companies, from small businesses to large enterprises. Over the course of the year, more than half a billion personal records, as well as identities, were stolen or lost from cyber breaches. Financial losses arising from data breaches averaged US$4 million per breach in 2016,4 with most data breaches arising from malicious or criminal attacks. The total cost of data breaches has increased by 29 percentage points since 2013 globally, and this figure is expected to rise rapidly.

Just recently, the Singapore Police Force released its mid-year crime statistics, which showed that online scams and e-commerce crimes are on the rise.5 There is, thus, a compelling need to be more vigilant and for us to take steps to create a safer cyberspace.

The Singapore Government established the Cyber Security Agency of Singapore (CSA) in April 2015, to provide dedicated and centralised oversight of Singapore’s national cybersecurity functions. CSA consolidates and builds upon the government’s cybersecurity capabilities, including those that used to reside separately in the Ministry of Home Affairs and the Infocomm Development Authority of Singapore (IDA). The idea is to bring together previously disparate areas of policy and operations under a single roof, so as to enhance collaboration and synergy to achieve greater effectiveness in strengthening Singapore’s cyber defence. We are driven by two strategic priorities: 1) strengthening the cybersecurity of the core of information infrastructures and 2) building cyberspace resilience through nurturing a cybersecurity ecosystem, promoting awareness, and international collaboration. Together with partner agencies, CSA has developed Singapore’s Cybersecurity Strategy, which outlines the government’s plans to build a resilient infrastructure, create a safer cyberspace, develop a vibrant cybersecurity ecosystem, and strengthen international partnerships. However, the success of the strategy depends not only on the government but also on individuals and enterprises taking a collective responsibility to tackle cybersecurity challenges.

Making cybersecurity a business priority

Cyber-attackers are becoming increasingly sophisticated, and enterprises are discovering that traditional methods of defence no longer provide sufficient protection. To be able to better deal with cyber threats, enterprises must recognise and treat cyber risks as important business risks. The responsibility of defending against cyber-attacks does not rest only on the IT personnel or the chief information officer (CIO). When there is a serious breach in an organisation, senior management is often expected to shoulder the responsibility. The security chief of JP Morgan Chase & Co., Jim Cummings, was replaced a year after a massive breach that involved data theft of 83 million customers.6 In another incident, Target’s CIO, Beth Jacob, resigned after 40 million credit and debit card details were stolen in 2013.7 Shortly after Jacob’s resignation, Gregg Steinhafel, president and CEO of Target and chairman of the Target board of directors, stepped down, ending his 35-year career with the company.

Cybersecurity deserves attention at the highest level at every organisation. Breaches can lead to dire consequences, such as damaged reputation and loss of competitive advantage. Boards and management should devote adequate support and invest sufficient resources to ensure relevant cybersecurity measures are deployed to protect their systems and networks. Organisations should recognise the importance of cybersecurity and the impact of cyber-attacks on businesses, and invest wisely in cybersecurity tools and resources.

Developing a dynamic cybersecurity industry

The dynamic and fast-growing cybersecurity industry presents new economic opportunities to be seized. Many innovative companies are ready to ride this wave, and they recognise that there is tremendous potential to further cybersecurity research and development (R&D) to overcome the issues that may impede industry growth. Imperative to the development of the industry is the participation of industry partners with strong solutions and research capabilities. The Singapore Government welcomes more of these innovative companies to anchor advanced capabilities in Singapore to testbed their solutions, while at the same time, helping to build up deep technical expertise within Singapore’s talent pool and create better jobs for the workforce.


Many global cybersecurity companies have chosen Singapore as the regional base for Asia Pacific because Singapore has a highly skilled workforce. Based on a report by the World Bank,8 Singapore is also one of the easiest places to run a business. Today, the cybersecurity market in Singapore is worth about S$570 million, and it has the potential to double in value by 2020. Singapore will continue to pursue collaborations with strategic domestic and international partners. This is critical in aiding the development and growth of the cybersecurity industry and ensuring it keeps pace with the rapidly changing cybersecurity threat landscape.

Innovation through research and development

To deal with the rapidly evolving cyber threat landscape, there is a need for close collaboration and cross-pollination of ideas among academia and industry, both local and foreign. Cybersecurity R&D does not involve just developing engineering solutions to difficult technical problems; emphasis must also be placed on research into policy, governance, and legislation, which are equally essential.

As a global hub for multiple economic sectors, such as banking and finance, logistics, and telecommunications, Singapore is well-positioned for piloting cybersecurity solutions across the region. With a strong governance framework and a supportive government in place, Singapore is the ideal location to testbed cybersecurity solutions, especially at the national level.

The National Cybersecurity R&D Programme, which was launched in 2013, provides S$130 million worth of funding over five years and plays an important role in developing Singapore’s cybersecurity R&D expertise and capabilities. The programme is coordinated by the National Research Foundation of Singapore (NRF) and CSA to promote collaboration among academia, research institutes, and the public and private sectors. In 2016, the government further strengthened its commitment to the programme by extending it from 2018 to 2020 with an additional funding of S$60 million. As part of the programme, NRF introduced the Corporate Laboratory@University scheme to encourage public-private R&D collaboration between universities and companies. NRF is also in the process of setting up the National Cyber Security R&D Laboratory, which is a shared infrastructure that provides computing resources and data sets for researchers to collaborate. The initiative will better align academic research with industry needs, which will eventually raise the overall standard of cybersecurity in Singapore.

Building a vibrant ecosystem

A vibrant cybersecurity ecosystem is key to the building of strong and sustainable cybersecurity capabilities and readiness. A trusted and resilient cyber environment needs to be built upon the strong foundation of a capable and competent workforce.

Over the years, Singapore has developed a pool of talented and dedicated cybersecurity professionals. However, there is a shortage of skilled manpower in the industry. According to the Annual Survey on Infocomm Manpower9 by IDA, there is a total demand for 4,700 cybersecurity professionals, with about 1,000 cybersecurity positions left unfilled in 2015. Good security requires highly skilled practitioners with deep expertise. With the demand for cybersecurity professionals projected to increase further within the next three years, there is a need to support new entrants as well as to train and upgrade the skills of current professionals. In order to meet the high cybersecurity manpower demand, CSA is collaborating with Institutes of Higher Learning to craft an industry-oriented curriculum and provide on-the-job training for new entrants to cybersecurity. The government will build on existing scholarship and sponsorship programmes to strengthen the branding of cybersecurity. This initiative will help to attract more entrants into the cybersecurity industry.

To further ramp up the cybersecurity manpower supply, CSA will facilitate the conversion of experienced professionals from related fields to cybersecurity with the introduction of the Cyber Security Associates and Technologists (CSAT) programme. Professionals will be able to train and up-skill themselves for cybersecurity roles under the CSAT programme. CSAT training partners, such as Singtel and ST Electronics, are already working with the government to grow the pool of cybersecurity experts in Singapore. Besides the CSAT programme, CSA is also working on other initiatives, such as the Cybersecurity Professional Conversion Programme with the Workforce Development Agency, to further augment Singapore’s cybersecurity manpower pipeline by converting jobseekers and reskilling them to take on cybersecurity jobs.

The talent development programmes will not be successful without the support of industry. The Partnership for the Advancement of the Cybersecurity Ecosystem (PACE) programme, initiated by CSA, is an example of a meaningful public-private partnership that co-develops customised solutions with industry partners to raise Singapore’s cybersecurity posture while supporting efforts to develop cybersecurity skills in the workforce. CSA also works closely with industry associations, such as the Association of Information Security Professionals (AISP), to introduce and build strong communities of practice for cybersecurity professionals in Singapore. This also serves as a platform to facilitate information and ideas exchange among like-minded cybersecurity professionals.

The growth of a capable, adept, and competent workforce is sustained by strong career prospects. There is a need to continually examine ways to promote cybersecurity as a rewarding career to enable companies to attract and retain cybersecurity talent. The government will work with the industry to define a competency framework for cybersecurity. Companies are also strongly encouraged to work with CSA to help cybersecurity professionals develop complementary skills, such as risk management and risk communication, to facilitate the translation of cybersecurity issues into enterprise risk management at a corporate level. Larger companies ought to define apex cybersecurity positions at the C-suite level in recognition of the fact that cybersecurity is no longer a domain solely for CIOs. To do so, CSA will work with industry partners to conduct C-suite education as well as reach out to small and medium-sized enterprises.

Conclusion

CSA is committed to developing Singapore’s cybersecurity ecosystem. However, no one agency, organisation, or individual can deal with cyber threats by itself. The government can lay the foundation by building the necessary infrastructure; developing strategies, policies, and legislation; as well as providing platforms to facilitate meaningful collaborations to contribute to the cybersecurity ecosystem. However, it needs the support of all stakeholders, from government agencies to industry players, to businesses, and to the man-in-the-street. After all, we are only as strong as the weakest link. Collective defence is the key to creating a safer cyberspace.

Works Cited

1. Source: http://www.straitstimes.com/opinion/cyber-cold-war-heats-up

2. Source: A 2016 Report from Cybersecurity Ventures sponsored by Herjavec Group

3. Source: Symantec 2016 Internet Security Threat Report

4. Source: Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis

5. Source: http://www.channelnewsasia.com/news/singapore/crime-rate-down-in-first/3081968.html

6. Source: http://www.bloomberg.com/news/articles/2015-11-04/jpmorgan-chief-security-officer-jim-cummings-reassigned-to-texas

7. Source: http://www.nytimes.com/2014/03/06/business/targets-chief-information-officer-resigns.html

8. Source: Doing Business 2016 by World Bank Group

9. Source: IDA Annual Survey on Infocomm Manpower for 2015


What Corporate Leaders Need to Know and Do About Cybersecurity

Good Harbor Security Risk Management – Richard A. Clarke, Chairman; former White House Advisor on Cybersecurity & Counterterrorism

Every company has or will be subject to cyber attack. That can be disastrous for a company, or it could be a minor nuisance. The difference may be determined by whether the leadership of the company understands cybersecurity sufficiently and can act on their understanding.

Because no corporation can function without its IT network, and because of the risks inherent in running such networks, every corporate leader must have a basic understanding of cybersecurity, just as they must understand the basics of accounting or corporate laws and regulations. But what do leaders need to know and do? They do not need to be able personally to write computer code or to understand the alarms being sent to their company’s Security Event and Incident Management (SEIM) system. Rather, they need to understand where cybersecurity fits into their overall Enterprise Risk Management (ERM) system and strategy. To do that, corporate leaders must review four key elements of the relationship between cybersecurity and their corporation.

First, they must understand the full range of risk—what could go wrong because of malicious activity on or directed against their data network and their Internet of Things (IoT). The company could be attacked by corporate espionage actors, cyber criminals, or disgruntled employees. Various types of data could be stolen, or altered, or erased. Production or delivery of services could be slowed or stopped. Products could be damaged. Money could be stolen. Embarrassing information could be publicly revealed. The reputation of the company could be harmed. Customers could turn away. Stockholders could sell off the stock or move for a change in leadership. Government regulators could punish the company. Competitors could steal market share, or even use the company’s own research.


The risk register and the prioritisation of the risk is unique to each company. No two companies are alike. Thus, corporate leaders must ‘discover’ their risks and then determine their importance. This process is called determining the company’s Risk Profile and then its Risk Tolerance.

Cyber risk planning is different from compliance with government regulations and audit standards. Many companies that have been fully compliant or had recently passed ‘penetration tests’ have still been hacked and severely damaged.

The risk approach focuses on what is specific to an individual company’s needs and is built on the realisation that no standards or best practices will eliminate all risk.

Second, leaders must ensure that their governance system is designed appropriately for handling cybersecurity. It is not an issue for the chief information officer (CIO) alone to worry about. Nor is it only the concern of a security officer. It is a ‘whole of company’ issue because it can put the entire company at risk. It is not the job of the CIO to determine what risks the company should or should not run, or what level of risk is appropriate. Implementing a responsible corporate approach to cyber risk requires the informed participation and regular review of a council of senior company officers. Boards of directors must also be well informed and agree to the cyber risk approach.

Third, company leaders must ensure that they have a two- or three-year plan to improve their cybersecurity, a plan that is based on their risks, reducing the most important risks first. Leaders should not buy cybersecurity products and services without knowing that what they are buying is directly tied to what they think are their priority risks.

Fourth, leaders must expect and be ready for cyber incidents or breaches. They must understand that risks cannot be eliminated, only mitigated. No plan and no technology can get a company to zero cyber risks, but an appropriate plan tailored to the needs of a company may reduce the chances of the most damaging risks occurring. A plan may also make it more possible for a company to rebound quickly when a cyber incident does occur. Resilience is as important a goal as prevention. Thus, leaders must know what they and all of the members of their team would do in a cyber crisis. Leaders must ensure the readiness of their company for such an incident, with an adequate and detailed plan that they exercise and on which there is appropriate training.

Using information technology smartly can differentiate a company and make it a leader; it can make a company highly profitable. Not understanding or being prepared for the cyber risks that come with being a 21st-century company could, however, mean failure for a company and for its leaders.


Clear and Present Danger

Singtel – Bill Chang, Chief Executive Officer, Group Enterprise

The global digital economy is growing rapidly and is bringing about productivity improvements, increasing business efficiency, and creating tremendous value. Singapore is also aiming to be the world's first Smart Nation. As the digital footprint grows with the economy and our country becomes more wired up with high-speed digital highways, while also connecting to a plethora of smart devices with IoT (Internet of Things), it will open up a much larger surface area of vulnerabilities for cyber-attacks to occur. The rapidly increasing trend of cyber-attacks has been cited as among the top risks facing economies, according to the World Economic Forum’s Global Risks Report in 2016.

While the cyber criminals’ modus operandi has evolved rapidly in sophistication, scale, and frequency of attacks, companies, on the other hand, are struggling to understand the nature of the threats and keep up with these fast-evolving cybersecurity challenges. Company boards and top management are increasingly recognising that cyber threats are one of the top three enterprise risks that their organisations can face.

From boardroom to ops room

This is no longer a technology issue left to be handled by the CIOs or CISOs (chief information security officers) alone; it also needs to actively involve the C-suite management and boards. Board directors need to be more educated in the fast-rising risks of cyber threats so as to provide oversight and governance with management in cyber risk assessment. In the financial industry, regulators now require board members to undertake cybersecurity awareness training and also involve a number of them in cyber drills. This helps boards provide better oversight for the financial industry. It also helps companies to be more prepared for cyber-attacks and to be in a better position to manage the situation in the event of a cyber breach.


More can be done to help train our companies' boards and C-suite management. A comprehensive program should cover areas like greater awareness of cyber risks, risk assessments, and the decisions and investments made to mitigate those risks. Boards have to ensure an ongoing review with management (given the very fast pace of cyber threat evolution) on cyber defence strategy, and must ensure adequate funding and resources are allocated while reviewing the associated level of risk tolerance.

Board members should also assess the skills and experience of their bench to ensure they have adequate digital and cyber talent. In a number of companies, boards are starting to bring in digital- and cyber-savvy talent to augment their board's bench. This will not only help the company leverage digital technologies to accelerate growth and transform its business, but will also help to advise management and provide key oversight and governance in the area of cybersecurity.

‘Within and beyond’ company walls

The training should also help boards and management build a framework to instil a culture of cybersecurity readiness, as well as advise them on what to request for periodic updates with management, and how to assess the effectiveness of ongoing programs to constantly help evolve their cybersecurity maturity curve over time.

It is also key to note that six out of ten cyber breaches are the result of internal lapses, whether due to weak enforcement of policies, employee negligence, or malicious intent. A recent survey in Singapore, with a sample size of 194 respondents, highlighted many ways these internal lapses can occur. There is a need for progressive internal user education to be more aware of the ‘Dos and Don’ts’ in cybersecurity, as these can lead to serious compromise of sensitive systems. CISOs also have to play a key role in advising their boards and reviewing with them the prioritised areas to enhance their cyber defences, as it would be too costly to defend everything that the enterprise covers.

Figure: Top Risky Insider Threats (share of respondents; 2015 figure in brackets)
• Unauthorized file transfers, such as via email or the cloud: 31% (28% in 2015)
• Installation of unauthorized software or malware: 24% (25% in 2015)
• Access and privilege modification/escalation: 18% (18% in 2015)
• Weak passwords: 11% (9% in 2015)
• Failing to install security updates and patches: 9% (10% in 2015)
• General lack of security training: 7% (10% in 2015)

Beyond their company walls, they also have to look across their supply-chain cyber risks, as all companies have connected customers and suppliers. This is to ensure the cyber risk assessment is reviewed as part of their overall supply-chain program. As a matter of fact, many of the very high profile cyber breaches in the world are due to supply-chain risks—like the Target retailer breach in the US, which was caused by one of their subcontractors, losing 40 million of their customers’ records eventually.

Many SMEs (Small & Medium Enterprises) have little or no cybersecurity awareness, let alone appropriate security measures in place to protect themselves and their supply chains. They also lack the security expertise to advise, implement, and defend their business. More needs to be done in educating SMEs on this serious security challenge to their business and also to their supply chain, involving their customers, partners, and suppliers. Cloud-based security solutions and managed security services, which are cost effective, are best suited for SMEs' adoption due to the lack of expertise in-house.

Not ‘IF’ but ‘WHEN’ mind-set

Beyond awareness, risk assessment, and risk tolerance, boards should also be trained to cover the post-breach crisis management and communications process. We have seen that in many high-profile breach cases, the poor handling of post-breach crisis management and engagement with stakeholders actually resulted in the destruction of the company's value and loss of trust with customers, even incurring serious probes and penalties from regulators and class-action suits from shareholders. The big challenge with cyber breaches for many companies: usually they do not have enough information on what was lost, how or when it happened, who caused it, or how to prevent it. Meanwhile, the press, stakeholders, or regulators may be all over the company if their customer or critical data breach has already been made public. Very frequently, the company under breach may not know the answers until months later—all while it faces the barrage of the stakeholders' and media's queries, as well as regulatory investigations. Succumbing to this pressure is where most companies make the mistake of giving partial or even incorrect information, resulting in loss of confidence and causing the impacts earlier described. Boards and management should be trained in post-cyber-breach management to develop their protocols, and even regularly update and conduct drills involving boards and management—not with the mind-set ‘IF’ a cyber breach will happen but ‘WHEN’ it will happen.

Beyond training boards and management, it is also key to train their CIOs, CISOs, and cybersecurity operations staff. This is to continually sharpen their cyber defence skills in the midst of a very fast-changing cyber threat landscape. Globally, there is already a shortage of 1 million cybersecurity-trained professionals in 2016, according to Forbes. In Singapore, our total cybersecurity professionals are only about 1% of our overall ICT workforce. This will not be sufficient for Singapore’s needs as we strive towards our vision to be a Smart Nation, which will require much higher numbers of cybersecurity professionals in a number of fronts. Compounding that challenge, more businesses are also accelerating their digital transformation, which means they will also require greater numbers of cyber defenders as their digital footprint grows.

So, in a very tight cyber talent market globally, it is key that companies invest in the ongoing training and development of their cybersecurity professionals to better defend themselves and also retain their rare talent. As for companies without the core talent of cyber professionals, which also have to defend themselves against ongoing cyber threats, they should consider partnering with a managed security service provider (MSSP).


In this aspect, they have to consider MSSPs with deep and global capabilities, considering the nature of this global threat phenomenon that we will face for a long time to come.

This article was adapted from an earlier article ‘Trekking in a clear and present danger cyber world’, which was published in the fourth-quarter issue of Directors’ Bulletin, a publication of the Singapore Institute of Directors.


Building an Integrated, Worldwide Response to Global Cybersecurity Threats

Khoo Boon Hui, former INTERPOL President; retired Singapore Police Commissioner

Cybercrime is a borderless enterprise. Most cybercrime takes place across national borders, creating a challenge for law enforcement as well as corporate directors and senior executives. While cybercriminals gain strength through sophisticated international networks and a thriving market in malware, most private organisations lack the kind of coordination that could enhance the detection and containment of cyber threats.

From a law enforcement perspective, cybercrime has much in common with terrorism and organised crime. Just as terrorism changed the face of law enforcement in recent decades, so cybercrime is pushing public and private security professionals to find new ways to protect the connected world—both digital and physical. Combating the threat of organised crime and terrorism requires coordination across national borders and between the public and private sectors. Combating cybercrime is no different.

Cybersecurity is not a competitive advantage. When one organisation is attacked, reputations suffer across industries and confidence is undermined. A cyber breach can ripple through the entire supply chain, user base and digital ecosystem of an organisation—spreading the effects well beyond the point of the breach. Add to this the question of safety at power plants, factories, transportation systems and the growing network of connected sensors and devices known as the Internet of Things, and it is easy to see why cybersecurity is an imperative that is bigger than any one organisation.

The problem

Hackers can now craft attacks with unprecedented sophistication and correlate information not just from public networks but also from different private sources, such as cars, smartphones, and wearables. This affects not just individuals but also businesses and nations. As a result, these advances have made countering such attacks an increasingly daunting task.


These cyber threats are further complicated by the evolving modus operandi of cybercriminals. They are engaging in rapid information sharing and the streamlining of operations and processes as they perfect the means to remain undetected while gathering intelligence on their target organisations. Cybercriminals search for what works best and continually adapt for success. Malware is recognised as the tool of choice in most cybercrime. Criminals and state actors alike reuse and adapt malware and rely on local services to help them. For example, Shifu malware, an advanced banking trojan discovered by IBM Security X-Force and named after the Japanese word for thief, was made up of different elements of existing malware stitched together by a modern-day Dr Frankenstein to create a new monster.

Cybercriminals will attempt to understand the local situation. The criminals know that the authorities are looking for them and researching them. Hence, they make their intrusions hard to detect by adopting cutting-edge technology to mask their identity.

They have been benefitting from the lower costs of acquiring tools, informal partnerships, access to cheaper and more powerful automated computing power, and even outsourcing hacking or DDoS attacks through services offered on the Darknet. They also collaborate constantly. The latest trend is for cybercriminals to incorporate social media as an attack vector and as a platform to form learning communities and a marketplace for training. They are no longer hiding underground.

Facebook, for example, has become the open platform of choice for cybercriminals. Twitter is being exploited for hacktivism in financial fraud, and we are increasingly exposed to the use of WhatsApp as the new Darknet. Using social media as a platform to generate learning communities, cybercriminals have harnessed the potential of technologies available today, extending their reach beyond the Darknet to the Internet world at large.

If international organisations and companies want to leverage the Fourth Industrial Revolution to their benefit and create a long-run competitive advantage, they must not only invest in upgrading their production facilities but also rethink and refresh their existing IT security standards. Traditional security tools against traditional threats remain indispensable, but it is necessary to continuously adapt to emerging digitisation, supplementing them with new, innovative methods of defence.

Even once fail-safe defences can be undone with the right technology. For example, the Singapore Government plans to separate Internet access from the workstations of government officials by June 2017. However, even this air gapping may not be good enough. Israeli researchers have discovered a way to extract limited amounts of data from air-gapped computers using the sound emitted by their cooling fans. The same group has previously demonstrated how to hack air-gapped machines using radio waves and other techniques.

The PricewaterhouseCoopers Global Economic Crime Survey 2016 revealed that cybercrime has been on a steady increase everywhere since it first appeared in the survey in 2011.[1] Cybercrime has now jumped to second place, while asset misappropriation, bribery and corruption, procurement fraud, and accounting fraud—the traditional leaders in this category—all show a slight decrease.

Between 2013 and 2015, the costs of cybercrime quadrupled, and Juniper Research predicts that the costs of data breaches will quadruple again between 2015 and 2019, to a collective $2.1 trillion globally.[2] Ransomware is currently the biggest cybersecurity threat. It has replaced advanced persistent threat (APT) network attacks as the most problematic cyber threat. In a recent study by the Cyber Threat Alliance (CTA) on Cryptowall 3.0, ransomware was found to have extorted a staggering $325 million from tens of thousands of victims worldwide.[3]

There is much to be learnt from the evolution of the ransomware scheme. A lot of the damage caused by ransomware could be undone by regularly backing up data and by monitoring systems for such threats. Ransomware started by attacking home users, and expanded quickly to target law enforcement

agencies, business corporations, and even hospitals. This is simply due to the fact that the data held to ransom did not have the necessary backup. In other words, there would be nothing to ransom if enterprise and personal data were regularly backed up, properly serialised, and secured in an offline environment. Instead, cybercrime groups often incorporate ransomware as a serendipitous add-on to their malware attacks, preying on individuals and organisations that fail to take simple precautions.

Working toward a better defence

The old adage “prevention is better than cure” is still relevant. Where cybersecurity is concerned, we should not take the easy way out by letting the bad guys have free rein and hoping that our more expensive system is better than our competitor’s, thus making them the alternative target. Cybersecurity must deter criminals by increasing the cost of launching successful attacks, through the deployment of fit-for-purpose technology. The key is to invest prudently in systems that are prevention-oriented rather than detection-oriented, and which are well integrated and automated rather than a complex aggregation of various legacy systems requiring human intervention.

Just as in countering terrorism, cyber defenders have to be vigilant 24/7, while adversaries need to be successful only once. Again as with terrorism, there is a critical need for multi-layer, multi-modal defence. Such defence in depth is required to secure the perimeter, see the threat that is coming, and detect anomalies within the system.

The focus of cybersecurity should not be just internal. Senior leadership can influence the security practices of suppliers and partners—whether directly, through a set of minimum requirements asked of them in contractual negotiations, or indirectly, through efforts to advocate for their own uplift in security capability via the sharing of knowledge, threat intelligence, or other resources.

In many successful attacks, the bad guys are deploying machines while the defenders are heavily dependent on human expertise, which is in short supply. This is why we need machine (smart use of technology) and method (process excellence, design, and innovation) to support the human (expertise). It is also why directors and senior executives—as well as security professionals—need to recognise that their challenge is not just a technical issue but also a human one.

Minimise damage with a proactive response

The stakes are clearly high when it comes to data breaches. Companies should be proactively protecting themselves against cyber threats, yet the recruitment and retention of skilled cybercrime specialists continues to be a challenge. Consider the cyberattacks on the giant discount retailer Target Corp. and on the banking giant JP Morgan Chase and Co., which caused the companies to spend an additional $100 million and $500 million, respectively, on security post-breach. Many believe that this cost can be significantly reduced if a breach is responded to quickly and properly with the right mix of methods, machines and experienced manpower.

Businesses need to recognise that perfect cybersecurity does not exist. They should instead focus on adopting a defence-in-depth approach to protect their key assets and be adequately prepared to react to incidents when they occur. From cybersecurity testing, compliance, and risk assessment, to protecting businesses with round-the-clock security monitoring, to establishing security incident response plans, organisations require an all-round approach to cybersecurity protection.

An organisation needs an effective remediation and incident response plan that can manage cyber events to minimise damage, boost the confidence of external stakeholders, and reduce recovery time and costs. This includes a crisis management plan, full media training for any spokespeople, and a war games exercise to test resilience.

Senior management and the board must understand and act upon the fact that cybersecurity is not just an IT problem. And because successfully protecting confidential data is a must, sufficient resources have to be

made available so that a customised incident-response plan can be devised and executed. Legal, corporate communications, finance, HR, and various other departments need to work in lockstep to enable mandatory breach notification, thorough incident investigation, and timely and coherent initial and follow-up communication with other relevant stakeholders, including employees, customers and suppliers. Such communication must give stakeholders the opportunity to ask questions and provide feedback.[4]

Educate and educate

With recent breaches reported in the press, organisations tend to focus on technology, but these events mostly happen because of employee negligence. It could be as simple as a well-meaning employee sending business documents home to work on over the weekend, losing an unprotected laptop, or forwarding an email to the wrong person. According to the PricewaterhouseCoopers 2016 Information Security Survey, employees remain the most cited source of compromise at 34%, with ex-employees accounting for another 29%. Worryingly, incidents attributed to business partners climbed to 22%.

The most sophisticated and advanced security technology in the world cannot guard you securely unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. This involves establishing and implementing practices and policies that promote security, and training employees to identify and avoid risks. You need to foster a security-conscious culture within the company and among key stakeholders.

Continuous training in security awareness can raise employee alertness to the reality of threats, vulnerabilities, and their consequences, and help them take active roles in securing your enterprise information. Employees should be educated on current key security issues, including information protection, social networking, virus protection, password security, web browser security, email security, mobile security, and more.

Information sharing is key

As cybersecurity information and knowledge progresses, with new technologies emerging every day, organisations must leverage new means to harness this knowledge. This can be done through information sharing. Many security incidents could be avoided if information were transmitted across organisations and industries in time. Information sharing is also a useful tool for making it prohibitively costly for cybercriminals to launch successful attacks.

Some examples of successful information-sharing platforms include the following:

• The FS-ISAC, which is a U.S. information-sharing facility and an industry forum for collaboration on critical security threats facing the global financial services sector, using STIX™ and TAXII™. Structured Threat Information Expression (STIX™) is a structured language for describing cyber threat information so that it can be shared, stored, and analysed in a consistent manner, while Trusted Automated eXchange of Indicator Information (TAXII™) is a free and open transport mechanism that standardises the automated exchange of cyber threat information.

Such information sharing within the private sector, when acted upon, can increase the cost to the cybercriminal of launching successful attacks. Bianco’s “Pyramid of Pain” is a useful guideline for security protection (see diagram). This concept is based on the understanding that not all indicators of compromise are the same—they have varying degrees of impact on cybercriminals.[5]

The pyramid ranks indicators by the pain or difficulty inflicted on the adversary when the authorities or potential victims deny those indicators to them. For example, adversaries can adapt with relative ease to the disclosure of their hash values or Internet Protocol (IP) addresses, but disclosure of their characteristic tactics, techniques, and procedures (TTPs) is much more difficult—and expensive—to overcome.
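The pyramid can be applied directly to a STIX feed of the kind TAXII delivers. As an added example (not taken from this guide or from FS-ISAC), the Python below parses a constructed STIX 2.1 bundle, ranks each indicator by the pyramid layer of the observable its pattern names, matches the indicators against constructed host and network events, and reports hits with the most durable detections first; the mapping of STIX object paths to pyramid layers is an assumption of the example, and every identifier and value in it is a placeholder.

```python
"""Rank STIX 2.1 indicators on Bianco's Pyramid of Pain and match them against
events.  Added example: bundle, events and path-to-layer mapping are constructed."""
import re

# Pyramid layers from the base (cheap for the adversary to replace) to the
# apex (expensive to replace), as labelled in the figure on this page.
LEVELS = ["Trivial", "Easy", "Simple", "Annoying", "Challenging", "Tough!"]

# Pyramid layer of each STIX object path (an assumption of this example).  TTPs
# are STIX attack-pattern objects, not indicator patterns, so none appears here.
LAYER_OF_PATH = {
    "file:hashes": ("Hash Values", "Trivial"),
    "ipv4-addr:value": ("IP Addresses", "Easy"),
    "domain-name:value": ("Domain Names", "Simple"),
    "file:name": ("Network/Host Artifacts", "Annoying"),
    "process:command_line": ("Tools", "Challenging"),
}

# One equality comparison inside a STIX pattern: <object path> = '<literal>'.
# Only AND-joined equality comparisons are handled (an assumption that keeps the
# parser short; real patterns also allow OR, MATCHES, LIKE and timing clauses).
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

def normalise_path(path):
    """file:hashes.'SHA-256' -> file:hashes.SHA-256 (drop STIX key quoting)."""
    return path.replace("'", "")

def pain_rank(level):
    """Position on the pyramid; unknown layers rank below Trivial."""
    return LEVELS.index(level) if level in LEVELS else -1

def layer_for(path):
    """Return (category, level) for a STIX object path."""
    path = normalise_path(path)
    for prefix, layer in LAYER_OF_PATH.items():
        if path == prefix or path.startswith(prefix + "."):
            return layer
    return ("Unclassified", "Unknown")

def parse_indicators(bundle):
    """Extract each indicator's comparisons and rank it by its most painful one."""
    parsed = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        comps = [(normalise_path(p), v) for p, v in COMPARISON.findall(obj["pattern"])]
        if not comps:
            continue
        category, level = max((layer_for(p) for p, _ in comps),
                              key=lambda layer: pain_rank(layer[1]))
        parsed.append({"id": obj["id"], "name": obj.get("name", obj["id"]),
                       "comparisons": comps, "category": category, "level": level})
    return parsed

def pain_profile(indicators):
    """Indicators per layer: a feed of only hashes and addresses costs the adversary little."""
    profile = {level: 0 for level in LEVELS}
    for ind in indicators:
        profile[ind["level"]] = profile.get(ind["level"], 0) + 1
    return profile

def match_events(indicators, events):
    """Hits, most durable detections (highest layer) first.  An event is a flat
    dict keyed by normalised STIX object path; every comparison must hold."""
    hits = []
    for event in events:
        for ind in indicators:
            if all(event.get(p) == v for p, v in ind["comparisons"]):
                hits.append({"event": event["id"], "indicator": ind["name"],
                             "category": ind["category"], "level": ind["level"]})
    hits.sort(key=lambda h: pain_rank(h["level"]), reverse=True)
    return hits

def indicator(num, name, pattern):
    """Minimal constructed STIX 2.1 indicator (placeholder id, fields trimmed)."""
    return {"type": "indicator", "spec_version": "2.1", "name": name,
            "id": "indicator--00000000-0000-4000-8000-%012d" % num,
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2016-11-01T00:00:00Z"}

# Constructed bundle, as a TAXII feed might deliver it (sample values only).
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
          "objects": [
              indicator(1, "dropper hash", "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
              indicator(2, "c2 address", "[ipv4-addr:value = '203.0.113.45']"),
              indicator(3, "c2 domain", "[domain-name:value = 'update.example.invalid']"),
              indicator(4, "dropped file name", "[file:name = 'updater.exe']"),
              indicator(5, "tool launch", "[process:command_line = 'tool.exe --poll 60']")]}

# Constructed events flattened to STIX paths; ev-4 is benign and must not hit.
EVENTS = [
    {"id": "ev-1", "ipv4-addr:value": "203.0.113.45", "domain-name:value": "update.example.invalid"},
    {"id": "ev-2", "file:name": "updater.exe", "file:hashes.SHA-256": "ab" * 32},
    {"id": "ev-3", "process:command_line": "tool.exe --poll 60"},
    {"id": "ev-4", "ipv4-addr:value": "198.51.100.7"},
]

# The constructed feed run against the constructed events, ranked by pain.
HITS = match_events(parse_indicators(BUNDLE), EVENTS)
```

A feed whose pain_profile sits almost entirely in the Trivial and Easy rows is cheap for the adversary to evade, which is the point the pyramid makes about what is worth sharing.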


Role of governments: The need for public-private partnerships

Moving beyond the organisation, cybersecurity efforts must expand across sectors and even national boundaries because of the speed and pervasiveness of cyber threats and their serious repercussions. Today’s cybercrime demands strong public-private collaboration to defend against this formidable challenge and tackle ever-evolving cyber threats.

Establishing the capacity to combat cybercrime requires coordinated and committed multi-stakeholder efforts—a collective response. This response requires understanding the threat environment, sharing information, and implementing best practices across the public and private sectors. Corporate differences and conflicts of interest should be put aside to create expert analysis and intelligence, and to develop coordinated and proactive responses.

Combating cybercrime is a shared responsibility. The private sector is a rich source of expertise and innovative capacity. As one of the main victims of cybercrime, businesses have a firsthand understanding of the threat landscape. Evidence required by law enforcement officers to prosecute cybercriminals is often held by the private sector. Public-private partnerships enable cybersecurity experts to combine their respective strengths, overcome individual limitations, and reduce any blind spots in combating cybercrime.

There have been several remarkably successful operations executed by public and private entities. For instance, the takedown of the Simda and Dorkbot botnets, undertaken by INTERPOL, various law enforcement agencies, and private-sector IT-security firms, exemplifies the successes of public-private collaboration.[6] Equipped with data and intelligence provided by the private sector, INTERPOL was able to support these operations through active and live coordination with law enforcement officials in participating member countries and other regional law-enforcement organisations to take down malicious servers and identify cybercriminals with the aim of prosecuting them. This extends the private-sector pyramid of pain to exposing the cybercriminals’ real identities, disrupting their botnets and criminal networks, and even arresting and prosecuting the individuals responsible.

[Figure: BIANCO’S PYRAMID OF PAIN. From the base of the pyramid to its apex: Hash Values (Trivial), IP Addresses (Easy), Domain Names (Simple), Network/Host Artifacts (Annoying), Tools (Challenging), TTPs (Tough!).]

Cultivating trust in a borderless world

Information gives the good guys the knowledge we need to defeat cybercrime. But trust gives us the will and courage to use this knowledge to protect ourselves and others who may be vulnerable. In a borderless world where attacks may come from anywhere, trust becomes increasingly important for us to collaborate and foster relationships among stakeholders.

Already, organisations such as the European Cybercrime Centre (EC3) in The Hague, the INTERPOL Global Complex for Innovation in Singapore, the Japan Cybercrime Control Center (JC3), and the National Cyber Forensics and Training Alliance (NCFTA) in Pittsburgh have been set up to develop trusted networks among authorities and corporate sectors to cooperate and enhance global competencies against cybercrime.

Global megatrends have radically altered the contemporary situation in national and global security. The increased mobility of money, people, goods, and information, the intensity of these flows, and the rise of global interconnectivity have all led to a high volume of crime and security issues originating far beyond the jurisdictions they affect. Ten years ago the Singapore Police began closer coordination with the global network of law enforcement to better appreciate threats and to collaborate on enforcement. But international law enforcement has not adjusted fast enough to this new global reality and remains highly decentralised. International cooperation, meanwhile, is still characterised by self-interested interactions at the bilateral or multilateral level.

While the bad guys have established their own networks, the new connectivity policing paradigm requires a wider perspective that incorporates global policing elements at all levels and maintains communication and intelligence sharing among them. The new paradigm acknowledges that there is a global common interest in combating crime that might hit any country. The focus needs to shift from purely national or local security concerns to global security considerations.

This was one of the reasons that Singapore built the INTERPOL Global Complex for Innovation: to allow experts in the future of policing to work together with the private sector. Already some success has been achieved through this approach where, acting upon private-sector information, large-scale botnets hosted in countries that may not normally collaborate bilaterally have been taken down. The culprits may never be brought to justice, but their identities have been exposed, their attack infrastructure has been disrupted, or their malware has been revealed—all of which help to drive up the cost of cybercrime.

Unlike in terrorism and organised crime, the private sector—especially cybersecurity providers—has greater access to expertise and information than the public sector. The private sector should not wait for the authorities to lead the way but should instead initiate its own alliances to share best practices and—more importantly—threat information. Some see the intelligence they own as a competitive advantage not to be freely shared, but it would help put the defenders of cybersecurity on a stronger footing if incentives were devised whereby access to the products of such sharing depended on the quality and quantity of the inputs shared.

From the server room to the boardroom

Businesses are increasingly concerned with cyber threats, but there is a tendency to treat cybersecurity as just another risk to be mitigated. Many boards rely on management to handle cyber risks, which are often further delegated to the CTO or CISO. Some companies have never had a meaningful boardroom discussion on cybersecurity, nor do they have a crisis management plan in place specifically to handle a breach. Boards fail to appreciate the differences in risk velocity between the physical world and the cyber world in terms of the speed, scale, and potential impact of a cyber incident.


Furthermore, there is a growing convergence of physical and cyber threat vectors, from data exfiltration to financial ransomware, to attacks that are now targeting critical infrastructure. Indeed, some boards in the United States have even formed security committees to oversee both physical threats and cyber threats. Vulnerability, and the potential consequences for the confidentiality of intellectual property, the integrity of data, and the availability of services, are board-level concerns.

Conclusion: The challenging road ahead

The discipline of cybersecurity is often characterised by attempts to conjure up something definitive in an environment plagued with uncertainty. Traditionally, securing the perimeter through signature-based detection to keep the bad guys out provided a good enough approach. Today, a threat-based and anomaly-based approach requiring intelligence and sensors is required. This is similar to how authorities deal with homegrown and self-radicalised terrorism, except that much of the information is in the hands of the private sector.

Security operations today endeavour to be intelligence-driven. This prioritises efforts and controls against recently encountered threats, as well as over-the-horizon threats that the cyber intelligence function has to anticipate. This requires the building of alliances. The risk of being under attack is much higher given the industrialisation of cybercrime. Today’s hackers either work for complex operations that are akin to businesses or offer their services or stolen data on the dark web for organised crime to exploit. That’s why public- and private-sector cybersecurity professionals need to match the capabilities of the bad guys, recognising that there is no silver bullet for addressing security issues, whether physical or cyber.

Today, a systems-and-networked approach should be mandatory, using the right platforms in both physical security and cyber protection. At the same time, cybersecurity is as much a human issue as it is a technology issue. Attitude matters. The board and senior executives can lead by fostering a security-conscious culture both within the company and with key partners. Because cybersecurity is a complex issue, it demands a complex solution. The key elements are:

• Proactive security measures
• Education and information-sharing platforms
• Public-private partnerships
• Cultivating trust

The global community needs to ensure that government leaders, boards and chief executives alike recognise the threat of cybercrime. Leadership is required to enable societies not just to respond but to be prepared for the future. We have to take the lead in organising ourselves to be prepared for even more sophisticated cybercriminals. Leaders need to develop legal and technological structures in which stakeholders share real-time information and best practices, and identify risks and challenges, to enhance our efforts against cybercrime. Regular dialogues on cyber strategies to enhance capacity building, as far as legal frameworks permit, are required to raise the game against cybercriminals. These committed efforts need to be based on trust and collaboration across countries, in the public and private sectors, in order to keep our citizens and customers, our businesses, and our information and infrastructure systems safe. A collaborative and cohesive system is where we can harness our greatest potential in this fight against the cybercriminals.

Works Cited

1. PricewaterhouseCoopers Global Economic Crime Survey 2016, http://www.pwc.com/gx/en/services/advisory/consulting/forensics/economic-crime-survey.html

2. http://www.juniperresearch.com/researchstore/strategy-competition/cybercrime-security/financial-corporate-threats-mitigation

3. http://www.darkreading.com/endpoint/with-$325-million-in-extorted-payments-cryptowall-3-highlights-ransomware-threat/d/d-id/1322899

4. http://www.disaster-resource.com/index.php?option=com_content&view=article&id=2685:data-breaches-how-to-protect-corporate-reputation-and-the-bottom-line&catid=6:information-technology

5. http://rvasec.com/slides/2014/Bianco_Pyramid%20of%20Pain.pdf

6. http://www.interpol.int/Media/Files/News-Media-releases/2015/2015-038-Simda-botnet-operation-%E2%80%93-Questions-and-Answers, http://www.interpol.int/News-and-media/News/2015/N2015-215


The Fourth Industrial Revolution – Why Security Cannot Wait!

Professor Yu Chien Siang, Chief Innovation Officer, Quann

Revolutions, such as the American and French revolutions, are periods of radical change that leave wide-ranging impacts on our world. Industrial revolutions are no different. Apart from the economy, they also impact our society, politics, and culture. To Klaus Schwab, best known as the founder of the World Economic Forum, we are already in the early stages of the Fourth Industrial Revolution.

In each of the three prior Industrial Revolutions, the economics, the society, and the politics of the time and the succeeding decades saw great upheaval. These revolutions brought with them the promise of socioeconomic mobility, facilitated the rise of the middle class, created new products and services, and enabled a higher quality of life. This Fourth Industrial Revolution is like no other. The speed at which it is unfolding, its scale, and its impact on the global economy are unprecedented. Its drivers include the expansion and pervasiveness of mobile Internet access, the prevalence of cloud computing, the Internet of Things, quantum computing, and the adoption of artificial intelligence (AI) with deep-learning capabilities. Never before has the world been connected so quickly and so tightly. Already, in Singapore, we are creating a Smart Nation, where connectivity between everything and everyone offers us limitless possibilities in doing things and solving problems. Tomorrow’s economy, the Cognitive Enterprise, will see the integration of AI into every facet of government, corporates, and individuals. This is the Internet of Everything (IoE).

Tomorrow’s dangers here today

Every Industrial Revolution has had its own fair share of problems and negative externalities. These include environmental damage, social/economic marginalisation and alienation, and the entrenchment of privilege and wealth. The characteristic hyper-connectivity brought about by

this Fourth Industrial Revolution too brings with it unintended consequences, such as the security vulnerabilities arising from the fact that new business models and technologies are evolving far more rapidly than security solutions.

For a start, many IoE devices are inher-ently insecure. Any device that connects to the Internet, corporate networks, and data-bases is a potential security risk. In fact, any device that is connected to a power line is inherently vulnerable, as data can be trans-mitted over power. For example, printers and copiers may appear innocuous, but they have the potential to store a tremendous amount of sensitive information. In short, hyper-convergence is making mobile secu-rity riskier as more functions, such as busi-ness cards, credit cards, and access cards, are being consolidated on the ubiquitous mobile phone. A report by Kaspersky revealed that the incidences of Android ransomware have increased by four times in one year. Ransom-ware can lock screens and even SIM cards, and malware can intercept any incoming SMS by replacing them with false ones.

Cognitive Enterprise models also create new security risks. The “Crown Jewel” of the new economy is data. Corporations and Smart Nations that are able to collect, anal-yse, and make sense of large data sets will be able to differentiate themselves from their competitors. The art then lies in translating these insights into meaningful services for citizens or products and services for con-sumers, corporations, and governments.

One of the vulnerabilities of the new economy lies in its dependency on Global Positioning Systems (GPS). Many govern-ments and critical infrastructure companies are over-reliant on GPS tracking systems as the single data source to provide positional, navigational, and timing data. Imagine the impact if such systems were affected through error or unavailability.

In brief, the threat is real, and the fallout is deadly. In the face of an ever more danger-ous future, it is crucial that one starts prepar-ing now. Preparation, to paraphrase the old adage, is better than scrambling for a cure.

Robert Mueller, a former director of the FBI, said that there would be only two types of firms in the near future: those that know they have been hacked, and those that have not yet realised it. This sentiment, that every organisation will be targeted and eventu-ally compromised, has been echoed by many other cybersecurity experts. With all this in mind, it becomes ever clearer that every or-ganisation must prepare, and that they must do so now.

J A holistic view of enterprise security is needed. Now.

What is certain is that it cannot be busi-ness as usual. Breaches will occur. Many cybersecurity plans, however, remain one-dimensional. Organisations might use Open Authorisation Authentication methods and have multiple firewalls, but these measures are less useful at dealing with intruders who have managed to overcome these perimeter defences. Similarly, in our experience, many organisations have deployed the latest and most sophisticated hardware and software to defend their systems, but do not engage security monitoring services or have contin-gency plans. When the Singapore Govern-ment announced that it was cutting Internet access on public servants’ computers, many corporate entities asked if they should do the same. Even if a system is air-gapped, has all its data encrypted, and is part of a Cyber Iron Dome, breaches will occur, and organisations need to respond quickly and appropriately.

The reality is that no silver bullets exist. Organisations need to have a comprehensive cyber-defence policy that adopts best practices such as security-by-design and multi-layered defences-in-depth. Organisations also need to be proactive: they need to begin preparing even before they are threatened. A holistic approach is necessary, as cybercriminals themselves are extremely sophisticated, dynamic, and creative, and will circumvent any single and static measure that is put in place. Cybercriminals should not be underestimated, especially when they have time, money, and the initiative on their side.


The first step is to examine your organisation’s business model and identify its key assets: does your organisation rely on online transactions, or does it hold private and sensitive data of multiple individuals? How important is social media in promoting your business? This will help you plan and prioritise the key assets that your firm will have to secure and check first in the event of a cyberattack.

The next step is to set aside a budget for your cybersecurity needs. Already, the Singapore Government has put aside 8% of its IT budget for cybersecurity, and non-government organisations should follow suit. This is important not just because your organisation needs to invest in cybersecurity, but also because responding to breaches can be expensive. Investing in a comprehensive cybersecurity framework ex ante will likely cost less than responding to a breach ex post. In Singapore, the case law, whether civil or criminal, on such breaches is still at a very nascent stage, but the ex post recovery costs can soar, especially in jurisdictions that are litigious.

And finally, your organisation should engage in Vulnerability Assessment and Penetration Testing, or VAPT. These are tests and exams that probe your organisation’s cybersecurity stance, readiness, and ability to react. These tests are critical because they can reveal valuable information about your organisation’s weaknesses, thereby enabling your organisation to patch them up before these vulnerabilities are exploited. To paraphrase Sun Tzu, it is of utmost importance to at least understand your own capabilities.

With the above, you will then be ready to put together the various pieces of your cybersecurity framework. First, from a technical perspective, the VAPT should have revealed the key vulnerabilities in your system. A typical first step is to secure the perimeter with firewalls and intrusion prevention systems. These security devices should be actively managed and monitored by a 24/7 Security Operations Centre to ensure that any breaches are detected promptly so that remedial action can be undertaken. Second, the risk of an insider threat is real. According to the IT Security Risks Survey, in 2015, nearly three out of four organisations were victims of insider threats. These may arise from malicious insiders or purely from poor security practices by employees. This is where education is important. It entails educating and training employees to internalise and implement cybersecurity best practices and protocols, and raising the level of cyber wellness in the organisation. Finally, it is imperative to raise the cybersecurity skill sets within your organisation’s technical department, as they will be your first line of defence. Just as organisations have physical security Business Contingency Plans (BCPs), organisations need to develop cyber incident response plans proactively and pre-emptively. An incident response plan should cover an entire range of processes, from incident response planning to threat analysis, to containment, eradication, recovery, and then post-incident recovery. These human elements are particularly important, because cybersecurity is as much of an art as it is a science, and therefore requires the very human elements of judgment, discretion, and discipline.

The art and science of being cyber secure

Undergirding these tangible policies and action plans, however, are more immediate mind-set shifts. The first and most immediate thing for any leader to recognise is that the Fourth Industrial Revolution is indeed upon us, and that every organisation needs to plan for this Industrial Revolution. As with any other force of change, this Industrial Revolution brings with it the potential to both benefit and harm. Security must keep pace with the developments of this Industrial Revolution, lest an equivalent Cyber 9/11 occur.

At the end of the day, there are but two major takeaways for leaders. Does your firm already have a relevant and effective cybersecurity strategy in place? Do not just assume that it exists or that it is relevant and effective: have it presented to you and examine it closely. The other takeaway is that you should ensure that your organisation possesses the right capabilities to protect itself in the cybersecurity domain. Not all IT professionals are cybersecurity equipped. There is a chronic shortage of cybersecurity talent the world over, and Singapore is no exception. Consider partnering with an established Managed Security Service Provider to de-risk and meet the growing complexity of your business. They would typically have the economies of scale and necessary products, services, and manpower to support your business.

As we forge ahead into the brave new world brought about by the Fourth Industrial Revolution, this is what we need to do. And we need to do it now.


Safe Travels: Cybersecurity for Public Transport, From Operating Technology to Information Technology

Land Transport Authority – Huang Shao Fei, Director, IT Security, Governance & Risk Management

For more than a century, railway systems have been engineered for safety. The operating technology that runs the railways of the world has evolved with reliability in mind, and is meant to last for many years of continuous operation. But modern railways have entered the digital age with information technology now integrated into many control systems. Many of the industrial control systems used are from the pre-Internet era and do not have adequate cybersecurity built into them. Nor are these systems scheduled to be patched regularly, given their long lifecycles.

Cybersecurity is just as critical to ensuring safety and reliability in public transit today as the physical security on which rail transportation was built. This is a very different cybersecurity challenge than that faced by financial and consumer organisations. Online fraud, web defacements, and information theft can result in reputation loss and financial damage at worst. In transportation, lives may be at stake.

This is particularly worrying for public transportation systems, as it is for power plants, oil rigs and other industrial and infrastructure facilities. Cyber-threat actors targeting major critical infrastructure such as transport-control systems are unlikely to be script-kiddies or hacktivists, since the usual cybercrime motives would not apply. There is nothing to steal and little leverage in laying claim to a defaced website or an embarrassing exposé. Instead, threat actors targeting transport systems could have far more sinister intentions.

The cyber challenge

While many control systems remain stuck in the pre-Internet era, cybercriminals are very much on the cutting edge. Cybersecurity threats are increasingly targeted, complex, and stealthy. In the past, air-gapped networks were enough of a barrier to protect against viruses, bots, and hackers. But now even systems that are not connected to the public Internet are no longer immune. Advanced Persistent Threats, such as those orchestrated by state actors with long time horizons and complex motives, show that perimeter security controls no longer guarantee security. The reality today is that the level of attack sophistication is usually one step ahead of state-of-the-art vulnerability exploitation techniques—the tools that organisations use to test their own system for possible vulnerabilities.

Singapore’s policy response to cyber threats has evolved along with the threats themselves, as described in the timeline of Singapore’s National Cyber Security Approach shown below. In reaction to the BlackEnergy malware aimed at Ukraine news media and electric power infrastructure, for example, Singapore’s parliament is working now on a new cybersecurity bill to be tabled next year.

Singapore’s National Cybersecurity Approach

The reality is that while cybersecurity experts continue to monitor known threats and related vulnerabilities, the key challenge is to distinguish the signals from the noise, to distinguish emerging threats and hidden vulnerabilities. As Donald Rumsfeld, the former U.S. Secretary of Defense, once stated:

‘…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones’.1

It is the same for transportation systems. First, it is necessary to identify known-unknowns such as ‘indicators of compromise’ that are not picked up by signature-based solutions such as antivirus software. But more critical—and more difficult to detect—are the unknown-unknowns or ‘black swans’.

Sophisticated attacks have a far longer gestation period and cannot be detected with traditional security solutions. Ponemon Institute discovered that it takes more than seven months on average to identify a malicious or criminal attack.2 So far, the known cyberattacks on transportation systems don’t seem to be designed for disruption or sabotage. They appear to be surveillance operations. But they are a wakeup call to address vulnerabilities in industrial control systems so important to the operation of industry and infrastructure. These efforts are instrumental to ensure our transport systems are safe and reliable.

Figure: Singapore’s National Cyber Security Approach (timeline)

• 1988: Morris Virus, the first computer worm, discovered

• 1993: Singapore enacts Computer Misuse Act

• 2005–2007: National Infocomm Security Masterplan

• 2007: Estonia comes under massive denial-of-service attack; Singapore updates Computer Misuse and Cybersecurity Act to address cyber threats to Singapore's Critical Information Infrastructure (CII)

• 2008–2012: National Infocomm Security Masterplan 2

• 2010: Stuxnet cyber weapon discovered in Iran

• 2011: “Operation Malaysia”: Anonymous attacks 91 Malaysian Government websites

• 2013–2018: National Cyber Security Masterplan 2018

• 2016: BlackEnergy malware aimed at Ukraine news media & electrical power organisations

• 2017 and beyond: New Cybersecurity Bill to be tabled in Singapore Parliament

Source: Land Transport Authority, Innovation & InfoComm Technology Group, April 2016


The engineering challenge

Cybersecurity is a challenge for every industry. For industrial, infrastructure, mining, and certain healthcare equipment, there are the additional challenges of integrating infocomm security with operating technology (OT). Adapting IT security controls to OT systems requires in-depth domain knowledge of engineering systems—something that cannot be learned overnight—in order to ensure operational safety and reliability are not compromised. This poses a significant challenge as the whole industry requires IT security personnel with not only IT security capabilities but also knowledge of engineering systems. There is no off-the-shelf solution.

To deal with the cybersecurity challenges facing land transport systems, the traditional, domain-centric view of engineering proficiency and capability development needs to be revisited. In most engineering organisations, engineers are assigned to work in domains for which they are trained, and they typically remain in their own fields for their entire technical careers. In today’s context, the convergence of OT and IT requires cross-domain skills and knowledge. Only then will there be harmonisation of IT security and standard operating procedures on the ground.

Another challenge is the lack of industry-specific cybersecurity standards for rail systems. While there are internationally accepted IT security standards for IT systems, such as ISO27001, there are no similar cybersecurity standards for operating technology and industrial control systems, not to mention for rail systems. Because of this, most IT security consultants, including auditors, use IT security standards to design and benchmark the cybersecurity of non-IT systems, which do not adequately address operating environment and business constraints. To be clear, standards provide product manufacturers, vendors, system integrators, and customers with a common point of reference for architecting and designing secure systems. This remains a pivotal challenge for not only transport regulators and operators, but for the entire IT security industry as well; there is no model to follow, and the operating environment is not IT-based.

An approach to cyber safety for public transportation

To deal with the evolving landscape of cyber threats—and the expanding vulnerability of cyber-physical systems—requires a multipronged approach: governance, ongoing vigilance, incident response, and capability development. The steps that follow will help to ensure an effective security program for transportation systems:

• Institute holistic, practical treatment of cybersecurity risks that cover people, processes, and technology across the whole of land transport.

• Reduce the likelihood of attack through a good multi-layered design and strong operational and maintenance procedures.

• Improve monitoring of the effectiveness of systems and procedures to ensure early warning of attack.

• Enhance alignment between public transport operators and regulators for managing cybersecurity for critical systems, particularly in terms of security-by-design for new systems, information exchange of threats and advisories, cyber-incident management and escalation.

• Mitigate disruption if systems come under attack by developing, testing, and maintaining incident response plans.

• Perform regular cybersecurity exercises to validate public transport operators’ readiness to handle cyber incidents and coordination with law enforcement.

• Set industry security standards. For example, the Cyber Security Workgroup under The International Association of Public Transport, a non-profit advocacy organization for public transport authorities and operators, is exploring this together with policy decision makers, scientific institutes, and the public transport supply and service industry.

Conclusion

Cybersecurity is no longer contained within the IT realm. Security needs to extend to operating technology and control systems, not only to mitigate organisational risk but also to ensure public safety. As such, cybersecurity should be on the agenda of any board as part of managing the organisation’s risk and should be viewed with the same level of urgency as corporate financial performance and business strategy. The fact is, cybersecurity undergirds the existence of many organisations and should be part of strategic conversations by senior levels of management. For industrial, infrastructure, and engineering organisations, cybersecurity is more than an existential matter. It is a question of public safety that requires collective knowledge from the realms of infocomm and engineering as well as the concerted effort of boards, management, and regulators.

Works Cited

1. http://archive.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2636

2. Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN


What 30 Years of Cybersecurity Has Taught Security Professionals

Singtel – Baey Chin Cheng, Chief Information Security Officer

As the C-suite works to understand its cyber risk, we must also work to provide an understanding of what its security professionals have been facing as these risks have grown up around them. Thirty years ago, a strong door with a lock gave information security professionals assurance of a good night’s sleep. But the world is changing so quickly. What was once regarded as ‘master security professional’ know-how is considered basic today. At the same time, the world is so much more connected that vulnerabilities can be found in places that were never thought to be part of an enterprise system, while the biggest source of IT disruption still comes down to human error.

The tools and techniques of security have evolved since the worldwide web emerged three decades ago. But security professionals hear some of the same questions and excuses today that they did when the desktop PC was a new invention. Some of the rationalizations that follow are short-sighted, while others are destined for failure.

A. We have always been doing it this way!

Sound familiar? When asking about what can be fine-tuned, it is usual to hear this. ‘Things are just fine. The way we do things is tried and tested, and there have not been any incidents. You don't want to change a working formula’.

How does one overcome such well-intended advice? Humans are generally concerned about being told that they are doing the wrong thing or making a wrong decision. Sometimes a decision is right when it is made. But circumstances change, and it is worth taking another look to take advantage of newer ways of doing things. History has shown us that if we don't try, we will never know. What worked previously may no longer be relevant.

Before concluding that it is the user that is wrong, IT professionals also need to look at themselves. In the banking industry, for example, the cloud was traditionally a taboo topic. Comments such as ‘you don't know where your data is’ or ‘you are not in control’ were common reasons that the cloud was not viewed as a viable option. Well, the cloud is here to stay. Technology has improved, and the world has moved on. If we don't embrace the cloud—and secure what we put on the cloud—what will be left to secure? At many organisations, there is a great deal of attention paid to securing on-premise systems, even as most of the enterprise is run over the cloud.

B. I will adopt security if it gives me a 100% guarantee that I have nothing to worry about.

There are only two things that are certain in life: death and taxes! Other than that, the world is evolving and changing constantly. What is a hero today can quickly turn to a zero tomorrow.

Security is possible, but there will always be trade-offs. If being hacked is the primary concern, then don’t connect to the Internet. But then there are internal risks. So, you can make your system a stand-alone. That is an improvement. What about the person who has to clean the room where the computer resides? You could switch it off, bury it underground and make sure that no one can access it except with a crane, bulldozer and excavator. Now that's 100% secure.

On a more practical note, it is important to remember that security is like many other risks that need to be managed in business. You need to understand the environment, know where the taboo areas are, know the potential impact of a breach or outage and make a calculated call. Nothing in life is risk-free. It is how much risk one wants to take. And whose job is it to make that call?

Our job as security professionals is to try to mitigate the risks and explain the residual risks and potential impact to senior executives. If we feel that it is a big issue, explain why. If we believe that it is reasonable, tell them so. At the end of the day, someone has to make a call. But we must give our professional opinions, and we all know opinions are always right.

C. If someone else can do it, I don't see why we can’t do the same.

What the statement above does not tell you is:

a) What the compensating controls that the other party has implemented are

b) Why it was allowed and

c) What the risks involved for the organisation that allowed it are

Security sometimes comes at the expense of openness or ease of use, but that does not mean it is not necessary. For example, in one organisation, a single signatory is required for transactions up to $2,000,000. Does this mean that all organisations can adopt this freely? Obviously, the answer is no. There could be multiple checks and balances before reaching the one signatory. And it is for payments to pre-authorized recipients, and the bank is aware of this. Security has to be looked at holistically. Security is about layering of controls. One needs to know all the different layers of controls to determine the risks involved.

D. But we have a security team to handle that!

What is the role of the security team? Is it to be responsible and accountable for all things related to information security? Yes and no.

Security professionals are actually technology risk managers. If the organisation is to be considered truly secure, everyone from the CEO down to the office attendant has a role to play in making sure that the information assets of a company are protected. How many times have we seen press reports about organisations losing data because of a genuine mistake made by someone with legitimate access to a system? What about the staffer who plugged in a thumb drive he picked up and caused a massive malware outbreak? Information security professionals can do only so much. If security is left only to the professionals, then we will never have truly secure organisations. The risks involved cannot be effectively managed by one individual or department alone. It is everyone’s responsibility.


E. Our security is assured because we use the best encryption algorithm.

Encryption is one of the best tools for a variety of tasks. It could be to ensure the confidentiality of information, ensure integrity of information, or to authenticate an individual or process. To have strong security, we all know that we need to implement an industrial-strength encryption algorithm. There are many vendors out there who will tell you that they have the most current and industry-best algorithm, and it is being used by all the bigger organisations, both government and financial institutions.

Is it correct that the encryption algorithm plays a vital part in security? Yes. Data Encryption Standard (DES) was once the de facto standard and said to be unbreakable. It has been broken. A key reason is that encryption is about computation power. With the power available today, DES can be broken easily.

Assuming that we were to go back 30 years, does it mean that something protected by DES could not be broken? No. An easy way would be to hit the guy who knows the encryption key on the head with a hammer to get it. Once we know the encryption key, we can get at whatever DES was used to protect. A sound management process for both the encryption keys and the regulation of access to systems and data plays an equally important role in ensuring security.

Security must be maintained in many layers and on many fronts. Failure to maintain any aspect can undermine the security intended. Look at things holistically, and don’t rely on only one element to give you assurance. We are only as strong as the weakest link.

F. Should we not trust our own staff to do the correct thing?

Why are we so suspicious of our staff? We have a rigorous staff selection process, perform background checks and put them through intense training. Should we not trust that they can do what they are paid to do and that they will not fail us?

It’s a sad fact, but we humans are the weakest link for most cyber breaches and outages. Someone clicks on an attachment and causes a major virus outbreak, even after he was told not to do it. And there have been many people who called up to say that they have provided their personal credentials and password, even after being educated on the hallmarks of phishing. Why did they do it? Some of them are just curious and some of them are clueless.

The most basic of controls in the financial industry is ‘segregation of duties’. No one should have control of a process from cradle to grave. This person becomes far too powerful, and if he or she fails or their access is compromised, then your controls fail too.
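The following is an added illustration, not code from this guide or from Singtel, of the two controls discussed in sections C and F: it models a payment-approval policy in which the single-signatory threshold is only valid together with its compensating control (a pre-authorised payee list) and in which segregation of duties forbids the initiator from approving their own payment. The limit, the names, the payee list and the payments are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed limit for the example: one signatory may release up to this amount.
SINGLE_SIGNATORY_LIMIT = 2_000_000


@dataclass(frozen=True)
class Payment:
    payment_id: str
    initiator: str          # person who raised the payment
    payee: str
    amount: int
    approvers: tuple = ()   # people who signed off on it


@dataclass(frozen=True)
class Policy:
    # Compensating control: payees vetted in advance and known to the bank.
    pre_authorised_payees: frozenset
    single_signatory_limit: int = SINGLE_SIGNATORY_LIMIT
    # When True, a lone signatory only suffices for a pre-authorised payee.
    # Switching it off models copying the "$2,000,000 single signatory" rule
    # without the checks and balances that made it acceptable elsewhere.
    require_pre_authorised_payee: bool = True


def evaluate(payment: Payment, policy: Policy):
    """Return (approved, reasons). An empty reasons list means approved."""
    reasons = []

    # Segregation of duties: nobody controls a payment "from cradle to grave".
    if payment.initiator in payment.approvers:
        reasons.append("initiator may not approve own payment")
    independent = {a for a in payment.approvers if a != payment.initiator}
    if not independent:
        reasons.append("at least one independent approver required")

    if payment.amount > policy.single_signatory_limit:
        # Above the threshold the control is dual approval, whatever the payee.
        if len(independent) < 2:
            reasons.append("amount above single-signatory limit needs two independent approvers")
    elif (policy.require_pre_authorised_payee
          and payment.payee not in policy.pre_authorised_payees
          and len(independent) < 2):
        # Below the threshold a lone signatory is only trusted for vetted payees.
        reasons.append("single signatory only permitted for pre-authorised payees")

    return (not reasons, reasons)


# Constructed scenario: the same payments judged by the full, layered policy
# and by a copy of the threshold stripped of its compensating control.
LAYERED = Policy(pre_authorised_payees=frozenset({"Vetted Utilities Pte Ltd"}))
COPIED_BLINDLY = Policy(pre_authorised_payees=frozenset(),
                        require_pre_authorised_payee=False)

PAYMENTS = [
    Payment("P1", "alice", "Vetted Utilities Pte Ltd", 1_500_000, ("bob",)),
    Payment("P2", "alice", "New Vendor Ltd", 1_500_000, ("bob",)),
    Payment("P3", "bob", "Vetted Utilities Pte Ltd", 500_000, ("bob",)),
    Payment("P4", "alice", "Vetted Utilities Pte Ltd", 2_500_000, ("bob",)),
    Payment("P5", "alice", "Vetted Utilities Pte Ltd", 2_500_000, ("bob", "carol")),
]


def decisions(policy: Policy):
    """Map payment id -> approved flag for every constructed payment."""
    return {p.payment_id: evaluate(p, policy)[0] for p in PAYMENTS}


if __name__ == "__main__":
    for name, policy in (("layered", LAYERED), ("copied blindly", COPIED_BLINDLY)):
        print(name)
        for p in PAYMENTS:
            ok, why = evaluate(p, policy)
            print(f"  {p.payment_id}: {'approved' if ok else 'rejected'} {why}")
```

Payment P2 is the one to watch: the layered policy sends the unvetted payee for a second approver, while the blindly copied threshold releases it on one signature.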

Security professionals have many interests to balance, but there is one overarching goal: protect the information assets and interest of the organisation. Sieve through the noise and the answer will be clear. Understand the environment, and remain relevant. Some things that worked previously may no longer be relevant or acceptable. Accept change, but build security into every innovation.


Building Cyber Resilience

NTUC FairPrice – Seah Kian Peng, Chief Executive Officer

The pace of change in today’s technology landscape is unprecedented, and its impact on the business world as we know it will continue to be a disruptive force.

The low cost of digital platforms is enabling digital start-ups to challenge, and in some cases, overtake market incumbents. An often cited example is the disruption Uber, Airbnb, and Alibaba have created in the taxi, hotel, and retail industries respectively. The effect of this phenomenon is felt across all industries, including the supermarket and consumer goods sector.

At the confluence of this technology push and consumer pull, companies are driven to rethink their business model, customer proposition, and operating systems in a bid to transform themselves into digital businesses—businesses that capture the new opportunities and economic benefits associated with seamless hyper-connectivity, massive data analytics, and innovative technologies. But while pervasive digitisation creates tremendous value, the operational, reputational and economic risks escalate correspondingly. The stakes become higher in the event of a breach or disruption.

Organisations become increasingly dependent not only on information systems that they operate but also on those managed by their supply-chain partners, technology providers, as well as their customers. In this era of cloud, mobile, social media, and the Internet of Things, the digital landscape becomes an expansive ecosystem to secure and manage. The traditional paradigm where organisations focus on securing the perimeter between them and the external world is no longer adequate nor relevant in the context of today’s digital landscape. In the context of a retailer such as FairPrice, our customers interact with us through their mobile devices and over social media, while much of our supply chain is interconnected and automated. We also interact with our products and infrastructure digitally through a network of sensors and RFID technology. Securing all these connections extends far beyond the walls of our enterprise. As such, digital security is no longer simply an IT issue; it has become an enterprise issue and a management issue. It is an issue for every employee and every business partner in the digital ecosystem.

From cyber insecurity to digital security

In 2015, the estimated worldwide information security spending amounted to a staggering US$75.4 billion. According to the World Economic Forum, most cybercrime incidents go unreported, and most companies conceal their losses to avoid risk to their reputations. Lloyd’s estimates that cyber-attacks cost businesses US$400 billion a year in direct damage and post-attack disruption.

Closer to home, high-profile cybersecurity incidents in recent years include the breach affecting over 3 million SingPass accounts, loss of customers’ personal data by a popular karaoke chain, and the breach of a prominent government agency’s IT systems, to name a few.

The tension between an organisation’s drive to embrace digital innovations and its need to control cyber risks will continue to escalate. Every organisation needs to evaluate the way cybersecurity is strategically managed and embedded into the business to enable the continued pursuit of its digitisation agenda. It is, thus, important to ensure security is built into every digital innovation.

Pursuit of cyber resilience

The threat of a cyber-attack is ever present, and the question is not if but when an organisation will be subject to some form of attack. While a strong immune and defence capability is essential for survival, the key is how or whether an organisation will respond and emerge from such an experience.

While it is vital to protect systems, infrastructure, and data in the digital environment, organisations need to move beyond protection. In an interconnected, always-on world, organisations need to develop cyber resilience: the capability to prepare for, withstand, adapt to, and rapidly recover from negative impacts of cybercrime.

At FairPrice, we adopt four paths to managing cyber resilience:

1. Managing digital risk as a component of enterprise risk management
2. Creating a culture of cybersecurity awareness
3. Building effective cyber defences
4. Developing cyber-recovery plans and a regime to test them

Digital risk as a component of enterprise risk management

Until recently, most organisations treated cybersecurity as something for the IT team to sort out. While cybersecurity is largely a technical domain, the mitigation of cyber risk often sits outside the IT function.

We view cybersecurity as a priority risk and an integral part of overall corporate risk management and governance. In so doing, senior leadership and board directors are engaged in cybersecurity decisions that have strategic and business impact. Deciding what to protect, how much to invest in protection, and how to ensure that security is built into every new product, application, or service requires a framework that extends beyond the IT function.

Such a framework entails developing an enterprise view of business risks across the entire value chain, the priority of the underlying information assets, and agreed trade-offs. This process involves assessing how much risk the business can afford and developing a means to quantify the financial impact of different types of risk, including the costs of business downtime, recovery, and remediation; potential damage to reputation; and mitigation efforts.

This is not a one-time activity, because we recognise that over time business models change, new technology capabilities are introduced, and cyber risks evolve. For this reason we have put in place a structured, repeatable process for the cybersecurity team, while the management team continually reviews information assets, prioritises business risks, and aligns on differentiated protection.


Creating a culture of cybersecurity awareness

Employees are generally identified as an organisation's biggest vulnerability. Common lapses range from choosing weak passwords to downloading files from untrusted links. One of the ways we address this is by segmenting users based on the data they need to access and helping each group understand the business risks associated with their everyday actions. In the quest for cyber resilience, it is imperative to bring employees on board as allies in the defence against cyber threats.

We also impress upon the senior management team that IT security, risk management processes, and principles must be incorporated into the company's corporate processes by design rather than as an afterthought. Through this, we aim to create a culture of risk management and resilience throughout the organisation, so that IT security becomes an integral part of the organisation's culture and compliance with IT-security policies is part of every project process from the start.

Building effective cyber defences

To ensure that a security campaign is sufficiently robust, we assess the effort from multiple dimensions. Three of the most important are technology, cost, and the potential negative impact. Getting the technology right entails understanding and quantifying the value of the risks that the company is trying to mitigate. We then identify the technologies available for dealing with the risks of greatest concern.

Given that a totally secure environment is impossible to create, the senior management team evaluates the best achievable level of security. In other words, it decides the maximum risk (reputational, operational, or financial, including the cost of remediation) that the company is willing to live with, and then gauges the marginal value of any additional security to be gained through further spending. Through this process, we can decide what level of spending is optimal given the business strategy, tolerance for brand and operational risk, and other considerations. In this sense, cyber risk is similar to other risk management decisions that corporate directors and senior leaders have been making for decades.

In deploying cyber defences, we recognise the need to develop the capability to aggregate and analyse the most relevant information, proactively engage with attackers, and tune defences accordingly. The robustness of our technology architecture is also constantly reviewed to enhance our ability to protect ourselves while continuing to drive digital innovation.

Developing a cyber-recovery plan

Despite our best efforts, we recognise that a security breach of some type is likely inevitable, since it is not possible to be 100% secure. As such, we prepare ourselves accordingly by testing systems and our ability to recover, regularly identifying vulnerabilities, and designing emergency operating procedures and response plans. The questions we ask ourselves include: can we take the company offline in a controlled manner if necessary? Is our communications department prepared to manage the necessary internal and external communication in the event of a breach?

Conclusion

No defence system is invulnerable. While there are ways to stack the odds in one's favour, we will all face a cyber incident at some point, no matter how cautious or prepared we are. Whether this causes only minor disruption or has more severe consequences depends on how prepared we are, the speed of our reaction, and the depth of our defences. When the elements described above are adopted effectively as a coherent whole, they build the organisation's cyber resilience and enable it to realise the value of digitisation in this brave, new, and uncertain world.


Securing the Internet of Things: Cybersecurity From IT to OT

Nanyang Technological University – Professor Lam Kwok Yan, Professor of Computer Science, School of Computer Science and Engineering, College of Engineering

Cyberspace and cybersecurity

Cybersecurity is gaining ever-increasing importance on the board's agenda and is an area of phenomenal growth internationally. The pervasive adoption of Internet technology has led to its evolution from an internetworking technology into the notion of a cyberspace in which individuals and organisations conduct many daily activities. Due to the ever-increasing demand for improved productivity and business agility, the world has witnessed a pervasive adoption of infocomm technology in every sector, from government to telecommunications, energy, education, and finance. Furthermore, within each sector, the underlying information systems and industrial control systems are increasingly interconnected, and each in turn becomes part of cyberspace. Figure 1 (following page) illustrates a scenario in which a financial IT system and an industrial control system are both connected to the Internet.

Cyberspace is a global interconnection of infocomm infrastructure woven into the fabric of our daily lives: a virtual space created by technological components interconnecting various stakeholders, including state organs, government agencies, business enterprises, and individuals. The activities carried out in cyberspace include government operations, business transactions, supervisory control and data acquisition for critical utility infrastructures, remote access to information assets, and the social interactions of ordinary citizens. (See Figure 2.)

Cybersecurity has also evolved from a purely technical issue of network and systems security to a vastly different and highly complicated issue of national security significance and economic impact. It is obvious from experience that cybersecurity incidents could lead to serious disruption of daily activities and even social unrest. Cyber terrorists and state-funded cyber warfare activities tend to take a long-term, low-profile approach, gradually infiltrating critical information infrastructure (CII) systems. But cybersecurity is not limited to CII, as sophisticated cyber attackers tend to make use of non-CII systems as stepping-stones towards more critical targets.

Figure 1: IT system and ICS system interconnected in cyberspace

Figure 2: Cyberspace as a virtual space for interconnecting various economic activities

The scope of cybersecurity is much bigger than that of traditional enterprise security. While the latter typically aims to address the protection needs of IT (information technology) systems, the former also puts a great deal of emphasis on the protection needs of OT (operational technology), such as industrial control systems (ICS), SCADA (supervisory control and data acquisition) systems, and other cyber-physical systems found in hospitals, factories, refineries, construction sites, and buildings.

The objectives and the underlying technological requirements of OT security are very different from those of the traditional enterprise security with which most practitioners in the ICT space are familiar. Traditional enterprise security is characterised by a technology framework that covers the protection needs of the various layers of a typical IT system.

In order to address the new challenges of cybersecurity in the OT space, there is a pressing need for cybersecurity professionals to develop a deeper understanding of OT systems (particularly system and application architecture and software, and communication and control protocols) in the various security-critical sectors.

Evolution of security from IT to OT

In most enterprise IT systems, security mechanisms are designed in layers that correspond to the enterprise architecture. For example, a typical security architecture will include the following components:

• Hardware security to provide protection at the processor level and, in the case of tamper-resistant hardware, a physically secured environment for program execution and data processing
• Operating system security to provide protection at the process level, i.e., memory, address space, devices, and file systems
• Cryptographic modules and security protocols for meeting the protection needs of inter-process communications (IPC) and for supporting distributed authentication in network-based client-server application systems
• Access control and authorisation, built on robust authentication mechanisms, to enforce security policies in network-based distributed application systems
• Application-level security for protecting application transactions that are executed remotely, within the untrusted environment of the open Internet

Such layering of security mechanisms helps simplify the design and analysis of traditional centralised and distributed IT application systems such as e-commerce, e-banking, and e-government systems. In order to facilitate the design and implementation of such security mechanisms, a well-structured enterprise security architecture typically begins with security infrastructure services such as:

• A perimeter network architecture created by multiple tiers of firewalls and, possibly, virtual private networks for remote user access
• Key management services such as public key infrastructure, as well as identity and privilege management services
• Other system-wide security services such as intrusion detection and audit logging

A widely adopted enterprise security architecture incorporates these security components and infrastructure services in a manner that complies with the relevant security standards and guidelines. When deciding the balance among security protection, deployment cost, and user convenience, enterprises almost invariably adopt a risk-based approach to enterprise-security architecture design that aims to achieve security in a cost-effective and user-friendly manner. (See Figure 3.)


Now, however, cyberspace has evolved into a kind of distributed computing system consisting of computers, networks, and devices designed to support industrial control and operations as well as enterprise systems. In a typical OT deployment, the networking components play the crucial role of interconnecting devices (such as sensors and actuators) and computer systems in order to facilitate the distributed monitoring and control of industrial operations such as power generators, oil refineries, and production lines in advanced manufacturing. Sensors are typically needed to monitor physical characteristics of industrial operations, which the control systems need in order to make timely and effective decisions through supervisory and control interfaces such as SCADA. The process control decisions made by the control systems affect the physical process by sending commands to actuator devices, which therefore also play a critical role in OT. Figure 4 (following page) illustrates the typical components of a SCADA system, in which remote terminal units (RTUs):

• Collect sensing data from the field environment
• Send sensing data to the SCADA server via a communication server
• Receive control commands from the SCADA server via the communication server
• Issue commands to the physical devices to which the RTUs are connected

In the past, most SCADA or ICS systems were not viewed as distributed computing systems. Instead, they were viewed as an integral part of some industrial process or operation such as a power generator, petrochemical plant, or oil refinery. The sensors and actuators were likewise viewed as basic components and devices of the industrial systems, and were considered part of proprietary industrial systems operating within a closed environment. Security was mainly a matter of physical security and controlling access.

Figure 3: Structured approach to security design of enterprise information systems (figure not reproduced). Blocks shown: Security Management; Security Technology; Security Standards; Security Implementation; Security Design and Planning; Risk Management and Control; Risk Analysis and Assessment; Security Requirements; Security Objectives; Transaction Security; Authentication, Access Control, Audit; Crypto, PKI, Smart Cards; Anti-Virus, OS, Audit; Firewalls, VPN, Scanner, IDS; Security Accreditation; Security Certification; Security Audit; Security Operations; Security Review.

Due to the ever-increasing demand for improved productivity and business agility, there has been a trend of interconnecting SCADA and ICS systems with other IT systems, bringing OT into the realm of IT professionals. Picture a scenario in which a SCADA system is connected to the office automation IT system, possibly to streamline the billing and inventory control workflow. (See Figure 5.) The IT system is in turn connected to the Internet to support e-commerce applications.

The cybersecurity situation is further complicated by the aggressive plans to launch ambitious smart city and smart nation programmes embraced by most governments worldwide. Advanced cyber and data technologies are being exploited and adopted to re-invent and enhance every aspect of social and economic activity, from manufacturing capabilities to government operations, citizen mobility, healthcare, and quality of life for the aged. Broadly, smart city and smart nation technology aims to achieve the following objectives:

• Automation
• Data-centric decision making
• Borderless markets
• Disruptive business models and enhanced efficiency

Figure 4: Components and connectivity of a typical SCADA system

In order to achieve the goals of improving the business agility and operational efficiency of public-sector services and municipal functions, there has been an increasing number of OT-like cyber applications that aim to collect and analyse sensing data in close to real time so as to allow timely reactions to dynamic, real-world situations. With the pervasive adoption of connected devices as integral parts of cyber applications, the notion of the Internet of Things (IoT) is now a key consideration for cyber application designers and business solution planners. The scope of cybersecurity has evolved as well, to include not only traditional IT systems but also OT systems and, more recently, IoT systems. Nevertheless, as a fast-developing and promising area in the future landscape of smart-nation applications, but one with limited prior experience in adoption and security protection strategies, IoT security remains a challenge to cybersecurity practitioners. Specifically, the issues include:

• The adoption strategy of IoT in cyber applications
• The business process integration of IoT
• The development of security policies that are relevant to IoT adoption
• Security architecture that caters to the needs of IoT security

Figure 5: Interconnectivity among OT, IT, and the Internet


The security of the IoT is a concern not only for the wearable devices that most people associate with connected devices, but also for the critical information infrastructure on which we all depend. The IoT will soon become the biggest attack vector for most organisations, as the number of connected devices is set to grow explosively. Organisations now recognise the value of the IoT, but most find it difficult to integrate into their current business processes and struggle to process the massive amount of heterogeneous data being collected. They have not adequately addressed the risks associated with collecting that data, and have not updated their security architecture and cybersecurity incident-response processes to address the needs of IoT security.

In the area of cybersecurity design, it is widely recognised that there is no one-size-fits-all solution. In order to meet and balance the concurrent needs of security protection, cost of protection, and user convenience, security design tends to take a risk-based approach, which starts from a risk analysis based on the nature of the applications. Security control mechanisms are devised with the dual objectives of being cost-effective and not being prohibitively complicated for users. Given the current trend of fast IoT adoption, but with limited prior experience of the associated security issues and approaches, IoT security could reach a situation in which IoT systems are inadequately protected for some applications and over-protected for others. This is reminiscent of the plight of public key infrastructure (PKI), which was in a similar situation in delivering its promise of securing e-commerce in the late 1990s.

Cybersecurity challenges of IoT

Cybersecurity is a problem created by real-world applications in cyberspace, and its solutions must likewise be grounded in those applications. Specifically, cybersecurity researchers and practitioners must have a deep understanding of the following factors:

• The nature of the underlying data and systems to be protected
• The threat models of the open network infrastructure at global scale
• The risk and trust models of application systems in different industry domains
• Applicable policy and regulations governing the behaviour and conduct, as well as the rights and liabilities, of all stakeholders
• The implementation of cybersecurity regimes for policing and surveillance in order to safeguard cyberspace as a safe and robust environment for conducting business and social interactions
• The design and establishment of lightweight protocols and mechanisms for meeting the security needs of low-cost, resource-constrained IoT devices
• The risk associated with IoT devices and with the data collected from them, given the heterogeneous nature of that data
• The design and establishment of protocols and mechanisms for cross-border cybercrime investigation and the tracking of cyber criminals
• The design and development of forensic methodologies and tools for gathering court-admissible evidence in cyberspace in order to support law enforcement

Cybersecurity study is a natural extension of traditional information security studies, but there are important differences. Information security tends to define the underlying operating and threat models of information processing systems, focusing on the design and analysis of security algorithms and protocols, resource access control mechanisms, and the high-assurance development of security hardware and software components. The aim is to protect information assets and detect possible compromises.

Cybersecurity, on the other hand, aims to address the design and analysis of models and mechanisms for safeguarding large-scale cyber systems, covering traditional IT systems as well as mission-critical OT systems. R&D on cybersecurity mainly focuses on cyber protection, threat detection, and mechanisms for responding to cybersecurity incidents. Current cybersecurity efforts put a lot of emphasis on protection, detection, and reactive measures such as information protection mechanisms, identification and trust management, authorisation and accountability enforcement of principals, user behaviour analytics for anomaly detection, malware analysis, digital forensics of computer and network nodes, privacy protection, and anonymity of individuals. (See Figure 6.)

When it comes to cyber protection, concepts such as defence perimeters and defence-in-depth still play a major role in the security design of cyber systems. OT systems are assumed to operate within a relatively well-protected environment, with connectivity to external networks tightly controlled through tiers of firewalls. In essence, an optimised combination of network-access control mechanisms establishing tiers of network perimeters forms the basis for modelling a closed system in the open environment of cyberspace. Other IT security components such as IT security management and best practices, as well as standards compliance and certification, remain applicable for security governance and assurance.

However, the introduction of the IoT into cyber applications has led security designers to revisit the existing approach to cybersecurity architecture. As mentioned, the unique features of IoT devices include:

• Low-cost, resource-constrained endpoint devices, which by nature have difficulty running traditional cryptography-based security mechanisms and managing cryptographic keys securely
• Operation in open environments, where physical security is difficult to assume
• Highly diversified security requirements for IoT data. For example, some IoT data, such as that from wearable medical sensors, requires strong privacy protection, while other data, such as that from ICS sensors, requires strong integrity assurance, as unauthorised modification of the data could lead to disastrous consequences
• Connectivity and message-passing services between IoT devices and backend infrastructure that require some form of authentication between the communicating entities in order to minimise the risk of unauthorised access to the backend systems

Figure 6: Multi-pronged approach to cybersecurity (cyber protection measures; threat and anomaly detection; response and contingency)


The IoT network is driven by interoperability and efficiency rather than security. It is built on digital infrastructure for interconnecting IoT devices to wireless networks and the Internet, with some cloud computing to support the analytics and intelligent-control needs of IoT systems. As a result, authentication of sensors in the IoT network is a significant challenge for the following reasons:

• The limited and constrained resources of sensors, in terms of computation and communication
• The massive number of sensors involved in an IoT network
• Cost-versus-benefit considerations

These make the applicability of many traditional strong cryptography-based identity-and-authentication mechanisms questionable in the IoT scenario, and hence make the concept of 'identity' within the Internet of Things difficult to implement.

Identity, or identification, is fundamental to most security-control mechanisms, such as access control, authorisation, and accountability. Thus, there is an urgent need to better understand the notion of identity of IoT objects for authentication purposes. At the same time, an increasing number of mission-critical applications are being deployed using IoT networks and big data analytics for intelligent decision making. This has given rise to the recent R&D trend in lightweight authentication mechanisms for establishing sensors' identities inside an IoT network.

The research community not only investigates lightweight cryptographic techniques for supporting the security operations of IoT devices, but also investigates the feasibility of establishing a sensor's identity at the network infrastructure layer by analysing the sensor device's behaviour (for example, what kind of data a sensor device pushes to the IoT network backend). Such an approach is based on the paradigm of 'cybersecurity at the edge', in which some cyber-protection functions are moved to the network gateways that provide connectivity to remote IoT devices.

This approach of cyber defence at the edge provides behaviour analytics and anomaly detection capabilities so that some form of authentication can be established between IoT devices and the remote cloud computing backend. The key idea is to use selected data from some window of the data stream that the IoT devices have recently captured and communicated back to the backend or cloud data server as an important factor in authentication. The algorithmic complexity of such authentication is a concern. However, the advantage of this approach is that, since authentication is performed on a sliding basis, it leaves an attacker a smaller window in which to exploit a breach, and thus offers potentially stronger resistance. Although this approach may be limited to authenticating IoT sensors used mainly for monitoring and tracing, it is still a useful direction to explore, since that would cover most IoT systems.
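What a gateway doing 'cyber defence at the edge' might actually run, as an added example written for this edition (it is not code from the chapter or from NTU). The first two functions show the lightweight keyed authentication that a device able to hold a symmetric key can afford: one HMAC per message plus a sequence number against replay, which addresses the device-to-backend authentication need listed among the IoT features above. The BehaviourProfile class shows the sliding-window behavioural identity described in this paragraph for keyless sensors: the gateway accepts a reading only if it fits the value band and reporting rate of the readings it has recently accepted from that sensor. The device names, key, thresholds, and sample readings are assumptions constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import statistics
from collections import deque

# ---- 1. Lightweight keyed authentication for devices that can hold a key ----
# One HMAC-SHA256 per message is a symmetric primitive a constrained node can
# afford, unlike public-key signatures. Key provisioning (e.g. at
# manufacture) is assumed and not shown.

def make_tag(key: bytes, device_id: str, seq: int, value: float) -> str:
    """Tag = HMAC(key, device_id | sequence number | reading), truncated to
    64 bits (16 hex chars) to save airtime on a constrained link."""
    msg = f"{device_id}|{seq}|{value:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def keyed_check(key: bytes, device_id: str, seq: int, value: float,
                tag: str, last_seq: int) -> bool:
    """Accept only a fresh message (strictly increasing seq) with a valid tag."""
    if seq <= last_seq:          # replayed or reordered message
        return False
    return hmac.compare_digest(make_tag(key, device_id, seq, value), tag)


# ---- 2. Behavioural identity for keyless sensors, built at the gateway ------

class BehaviourProfile:
    """Sliding-window profile of one sensor as seen by its gateway.

    The last `window` accepted readings define what 'this sensor' looks like:
    a value band (mean +/- z_limit standard deviations) and a typical
    reporting interval. Rejected readings are never added to the window, so
    an attacker cannot drag the profile towards chosen values by flooding it.
    """

    def __init__(self, window: int = 20, warmup: int = 5,
                 z_limit: float = 4.0, rate_ratio: float = 5.0) -> None:
        self.values = deque(maxlen=window)
        self.times = deque(maxlen=window)
        self.warmup = max(warmup, 2)      # need two timestamps for a rate
        self.z_limit, self.rate_ratio = z_limit, rate_ratio

    def accept(self, t: float, value: float) -> tuple[bool, str]:
        """Return (accepted, reason) for a reading with timestamp t (seconds)."""
        if self.times and t <= self.times[-1]:
            return False, "timestamp-regression"      # replayed or stale reading
        if len(self.values) < self.warmup:            # no profile yet: learn
            self._record(t, value)
            return True, "warmup"
        mean = statistics.fmean(self.values)
        sd = statistics.pstdev(self.values) or 1e-9   # guard a constant sensor
        if abs(value - mean) / sd > self.z_limit:
            return False, "value-anomaly"             # injected reading
        times = list(self.times)
        typical_gap = statistics.median(b - a for a, b in zip(times, times[1:]))
        if t - times[-1] < typical_gap / self.rate_ratio:
            return False, "rate-anomaly"              # flood: far faster than usual
        self._record(t, value)
        return True, "ok"

    def _record(self, t: float, value: float) -> None:
        self.times.append(t)
        self.values.append(value)


def run_demo() -> dict:
    """Constructed sample traffic (not captured data): a keyed actuator link,
    then a keyless temperature sensor reporting every 10 s, then hostile
    readings, then a genuine one."""
    out = {}
    key = b"per-device key provisioned out of band"   # assumption
    tag = make_tag(key, "actuator-7", 42, 12.5)
    out["keyed_ok"] = keyed_check(key, "actuator-7", 42, 12.5, tag, last_seq=41)
    out["keyed_tampered"] = keyed_check(key, "actuator-7", 42, 99.0, tag, last_seq=41)
    out["keyed_replay"] = keyed_check(key, "actuator-7", 42, 12.5, tag, last_seq=42)

    profile = BehaviourProfile()
    benign = [21.0, 21.2, 20.9, 21.1, 21.0, 21.3, 20.8, 21.1, 21.0, 21.2, 20.9, 21.1]
    out["benign_accepted"] = sum(profile.accept(i * 10.0, v)[0]
                                 for i, v in enumerate(benign))
    t_last = (len(benign) - 1) * 10.0                          # 110.0 s
    out["spoof_value"] = profile.accept(t_last + 10.0, 95.0)   # out-of-band value
    out["flood"] = profile.accept(t_last + 0.5, 21.0)          # 20x the usual rate
    out["genuine"] = profile.accept(t_last + 10.0, 21.1)
    out["stale"] = profile.accept(t_last + 9.0, 21.0)          # older than last accepted
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} {verdict}")
```

Run the file directly to print the verdicts. Two caveats follow from the chapter's own remarks: the behavioural check only detects deviation, so an attacker who injects values inside the learned band at the usual rate is not caught, which is why the chapter restricts the technique to monitoring sensors and why anything that drives an actuator should take the keyed path; and although rejected readings never enter the window, in-band readings do, so the window size and z-limit bound how quickly a patient attacker can walk the profile.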

IoT security has attracted much interest among industry practitioners and researchers in recent years. Alongside the explosive growth of IoT adoption come new IoT technologies and innovative ideas for deploying them in disruptive business models. With the rapid development of IoT and IoT security ideas and technologies, one should not underestimate the multitude of risks associated with IoT systems. The corresponding security objectives of IoT applications will also evolve rapidly, hence IoT security needs to be developed with a pragmatic and far-reaching vision that can meet the operational and business needs of early adopters of IoT and remain relevant to the rapid development of the IoT industry, as well as to the associated regulatory, policy, and standards compliance issues that have yet to emerge.

Summary

Though IoT security is an emerging field that is still evolving fast, it is useful to identify areas where IoT and IoT security differ from traditional IT and OT systems. Some of the key issues relevant to security designers of IoT systems for supporting future cyber applications include the following:


• IoT devices typically operate in open environments, where physical security is difficult to assume
• IoT devices operating in an open environment tend to face serious key management problems, such as the tamper-resistant storage of the cryptographic keying material needed by security protocols
• IoT devices tend to be low-cost components with limited computing capability to perform traditional security protocols such as strong authentication or key distribution
• Higher-end IoT devices, such as surveillance cameras for video sensing, tend to be implemented as appliances running off-the-shelf operating systems, which makes them easy targets
• Due to the heterogeneity of IoT sensors, the security requirements of IoT sensing data vary significantly depending on the nature of the underlying IoT applications.

For example:

  • Some sensor data, such as that from environmental sensors and traffic surveillance cameras, needs little confidentiality protection but requires strong integrity protection, as its quality will affect the control decisions made at the analytics servers
  • Some sensor data, such as that from sensors installed in autonomous vehicles, requires strong integrity protection and may also require a certain level of privacy protection
  • Some sensor data, such as that from healthcare sensing devices, requires strong privacy protection, but most users tend to have very low security awareness. This may create a number of weak links in the network and hamper the adoption of proper IoT security functions
  • IoT devices that implement control functions on mechanical equipment (actuators) require strong authentication and integrity protection of the data received from the command and control centre

• Identification and authentication are the key issues in IoT security, but, at the same time, they are difficult to achieve in typical IoT systems
• There is a lack of IoT security standards and reference architectures for guiding the use of IoT technologies in cyber applications. Hence, the industry may end up with many diverse approaches to implementing IoT systems, making it difficult to perform security and risk analysis and hard to compare and interoperate different IoT systems in future
• IoT technologies are evolving, and so are the associated legislative and regulatory concerns regarding the handling and use of IoT data. It is expected that the necessary legislation and regulation will be developed in future to protect the interests of consumer users of IoT systems. Hence, a clear understanding of the IoT system architecture and cybersecurity approach from the earliest design phase of system development will help organisations to manage regulatory risk and to comply with future regulations

To conclude, it is important to develop a suite of IoT security standards and reference architecture (application architecture and se-curity architecture) to help address the afore-mentioned concerns of the IoT community. To facilitate this development, some coordinated efforts by major IoT stakeholders, including regulatory agencies, industry organisations, and researchers, will be desirable to drive the development of IoT and IoT security in order to meet the anticipated challenges of the IT and OT industries.
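The integrity-without-confidentiality case in the list above (environment sensors, traffic cameras) is the one most easily shown in code, so the following is an added example written for this guide rather than code from the guide or from any of the contributors. A sensor sends its reading in the clear but appends an HMAC-SHA256 tag under a per-device key, and the analytic server rejects any reading whose tag does not verify or whose sequence number has already been seen. HMAC is a symmetric construction that is cheap enough for the low-cost components described above; the per-device key is exactly the keying material the chapter says must be stored tamper-resistantly. The device name `cam-07`, the key and the readings are all constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed 256-bit per-device key for this example. In a deployment this is
# the keying material the chapter says needs tamper-resistant storage on the
# device; if it leaks, readings for that one device can be forged.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _canonical(device_id: str, seq: int, payload: dict) -> bytes:
    """Deterministic encoding so sensor and server MAC identical bytes."""
    body = {"device_id": device_id, "seq": seq, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_reading(key: bytes, device_id: str, seq: int, payload: dict) -> dict:
    """Sensor side: send the reading in the clear plus an HMAC-SHA256 tag.

    No encryption is applied: a traffic count is not confidential, but the
    tag lets the server detect any modification in transit.
    """
    tag = hmac.new(key, _canonical(device_id, seq, payload), hashlib.sha256)
    return {"device_id": device_id, "seq": seq, "payload": payload,
            "tag": tag.hexdigest()}


class Verifier:
    """Analytic-server side: accept only authentic, fresh readings."""

    def __init__(self, keys: Dict[str, bytes]):
        self._keys = keys                       # device_id -> shared key
        self._last_seq: Dict[str, int] = {}     # highest accepted seq per device

    def verify(self, msg: dict) -> Tuple[bool, str]:
        try:
            device_id, seq, payload, tag = (
                msg["device_id"], msg["seq"], msg["payload"], msg["tag"])
        except (KeyError, TypeError):
            return False, "malformed"
        key = self._keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, _canonical(device_id, seq, payload),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing.
        if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        # Strictly increasing sequence number: a captured reading cannot be
        # replayed to the server later.
        if not isinstance(seq, int) or seq <= self._last_seq.get(device_id, -1):
            return False, "replay"
        self._last_seq[device_id] = seq
        return True, "ok"


def demo() -> List[str]:
    """Constructed walk-through: genuine, tampered, and replayed readings."""
    server = Verifier({"cam-07": DEVICE_KEY})
    genuine = make_reading(DEVICE_KEY, "cam-07", 1, {"vehicles_per_min": 42})
    # A modified count without the key: the old tag no longer matches.
    tampered = dict(genuine, payload={"vehicles_per_min": 420})
    outcomes = [server.verify(genuine)[1],    # "ok"
                server.verify(tampered)[1],   # "bad tag"
                server.verify(genuine)[1]]    # "replay"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting for a board-level reader is what the tag does not do: it proves the reading came from a holder of the device key and was not altered, but it hides nothing, which is precisely the trade-off the first bullet above describes. Data that also needs privacy protection would be encrypted as well, and the sequence counter only defeats replay if the server persists the last accepted value per device.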


Contributor Profiles


DR YAACOB IBRAHIM
Minister for Communications & Information and the Minister-in-charge of Cyber Security

Dr Yaacob Ibrahim is the Minister for Communications & Information, the Minister-in-charge of Muslim Affairs and the Minister-in-charge of Cyber Security.

He was a structural engineer at Bylander Meinhardt Partnership before receiving a scholarship to pursue a PhD at Stanford University (US). He worked as a post-doctoral fellow at Cornell University (US) before joining the National University of Singapore. He is currently on leave of absence from the university as an associate professor.

Dr Yaacob has been active in community service since his school days, and has been involved in the Association of Muslim Professionals, Jamiyah, Majlis Ugama Islam Singapura and the Nature Society (Singapore). Dr Yaacob also served as a board member of the Civil Service College, the National Heritage Board, STV12 Pte Ltd, Temasek Polytechnic, and as a trustee of NTUC Income, a union-linked cooperative. He has been associated with Yayasan Mendaki since its formation and has been its Chairman since March 2002.

Since 1997, Dr Yaacob has served as a Member of Parliament. He served as Parliamentary Secretary and Senior Parliamentary Secretary at the Ministry of Communications and Information Technology before he was appointed as the Minister of State for Community Development and Sports in November 2001. In March 2002, he was appointed the Ministry’s Acting Minister and the Minister-in-charge of Muslim Affairs. The following year in May, he was promoted to Minister for Community Development and Sports.

In August 2004, Dr Yaacob was appointed Minister for the Environment and Water Resources. He was re-appointed in the same capacity following the May 2006 General Election. After the May 2011 elections, Dr Yaacob was appointed Minister for Information, Communications and the Arts. In November 2012, with the restructuring of the ministries, he became the Minister for Communications and Information. He has been re-appointed to serve in this capacity following the September 2015 General Election. He continues to be in charge of Muslim Affairs.

In April 2015, Dr Yaacob was appointed the Minister-in-charge of Cyber Security and oversees the Cyber Security Agency, an agency formed under the Prime Minister’s Office. He has been re-appointed to serve in this capacity following the September 2015 General Election.


Forbes Media

BRUCE H. ROGERS
Chief Insights Officer

Bruce Rogers is the Chief Insights Officer for Forbes Media, responsible for managing the Insights division, which creates and distributes thought-leadership, research-based content for blue-chip customers such as IBM, Google, KPMG, SAP, CIT, and Deloitte. Bruce also oversees the Forbes Insights content channel on Forbes.com, and writes a column for Forbes where he profiles thought leaders changing the business landscape.

Bruce is also the Head of Forbes’ CMO Practice, overseeing the group’s creation of content through the Forbes CMO Network section of Forbes.com, and events such as the annual Forbes CMO Summit. Under his guidance, the CMO Practice recently released an in-depth report entitled, “Publish or Perish: A CMO Roadmap to Managing, Systematizing and Optimizing the Marketing Content Supply Chain”.

Prior to this role, Bruce was the Chief Brand Officer, responsible for all integrated marketing, brand communication, research, and sales support activities for Forbes Media.

From March 2000 to October 2008, Bruce was the Vice President of Marketing for Forbes.com. In this position, he was responsible for developing and implementing marketing strategies and programs to build the Forbes.com brand, drive consumer traffic, create customer acquisition and retention programs, as well as initiate research and promotions in support of advertising sales. During his tenure, Forbes.com grew from under 500,000 to 20 million unique monthly visitors.

From 1992 until March 2000, Bruce served as Vice President, Worldwide Marketing Communications for Forbes Inc. In this capacity, he oversaw brand building for the company. He directed marketing efforts for Forbes' growing publishing assets and was directly responsible for Forbes.com's and Forbes magazine's advertising campaigns. In this role, he inaugurated Forbes' signature "CEO Profiles” ad series, which in 1995 won a Gold EFFIE award from the American Marketing Association.

Bruce serves as the President of the Business Marketing Association of New York and is a board member of the Media Ratings Council and the advisory boards for SBV Capital, Adtech, and BPA (Business Publishers Association).

He is the co-author of "Profitable Brilliance: How Professional Services Firms Become Thought Leaders" as well as the previously published, "In the Line of Money: Branding Yourself Strategically to the Financial Elite".

He has a BA in Human Communication from Rutgers University and resides in Waldwick, New Jersey, with his wife and their two children.


Palo Alto Networks Inc.

SEAN DUCA
Vice President, Regional Chief Security Officer

Sean is the Regional Chief Security Officer for Asia Pacific at Palo Alto Networks, where he works on the development of thought leadership, threat intelligence, and security best practices for the cybersecurity community and business executives.

With more than 18 years of experience in the IT security industry, he acts as a trusted advisor to organisations across the region, helping them improve their security postures and align security strategically with business initiatives.

Prior to joining Palo Alto Networks, he spent 15 years in a variety of roles at Intel Security, with his last position as the Chief Technology Officer for Asia Pacific. Before this, Sean was involved in software development, technical support, and consulting services for a range of Internet security solutions.

Sean actively discusses security issues in mainstream media, including television, radio, print, and security-related broadcasts. He regularly participates in forums, conferences, and panels, and provides intelligence on cybersecurity matters to the public and private sector.


Cyber Security Agency of Singapore

DAVID KOH
Chief Executive

Mr David Koh is concurrently the Deputy Secretary (Technology) and Deputy Secretary (Special Projects) of the Ministry of Defence (MINDEF) and the Chief Executive of the Cyber Security Agency (CSA) of Singapore. Prior to his current appointments, Mr Koh served in the Singapore Armed Forces and has held varied command and staff appointments in MINDEF and the SAF. As the Chief Executive of CSA, he leads CSA’s efforts to provide dedicated and centralised oversight of national cyber security functions.

These include strategy and policy development, cyber security operations, industry development and outreach. Mr Koh and his team will also work closely with the private sector to develop Singapore’s cyber security ecosystem.

He sits on the boards of the Media Development Authority (MDA), Defence Science and Technology Agency (DSTA), DSO National Laboratories (DSO), and Temasek Defence Systems Institute (TDSI). Mr Koh graduated from King’s College, University of London, UK, with a Bachelor’s degree in Electrical and Electronics Engineering. He also has a Master’s in Public Administration from Harvard University, USA.


Good Harbor Security Risk Management

RICHARD A. CLARKE
Chairman; former White House Advisor on Cybersecurity & Counterterrorism

Richard Clarke is Chairman and CEO of Good Harbor and an internationally recognised expert on cybersecurity, homeland security, national security, and counterterrorism. He served for 30 years in the United States Government, including an unprecedented ten continuous years as a White House official, serving three consecutive Presidents. In the White House he was Special Assistant to the President for Global Affairs, Special Advisor to the President for Cyberspace, and National Coordinator for Security and Counter-terrorism. Prior to his White House years, he served as Assistant Secretary of State and held other positions in the State Department and the Pentagon for 20 years.

Mr. Clarke serves as an on-air consultant for ABC News, taught at Harvard’s Kennedy School of Government for five years, and has published seven books, including the national number one bestseller Against All Enemies and Cyber War: The Next Threat to National Security and What to Do About It. He served or currently serves in several advisory or board capacities: Member, President Obama’s Review Group on Intelligence and Communications Technology; Co-Chairman, Virginia Governor’s Cyber Security Commission; Member, New York Governor’s Cyber Security Advisory Board; Senior Advisor to CSRA, Inc.; Chairman of the Board of Governors, Middle East Institute; Member, Board of Directors of Veracode; Member, Board of Directors of Bit9; and Member, Board of Directors of Nok Nok Labs.


Singtel

BILL CHANG
Chief Executive Officer, Group Enterprise

Mr Bill Chang was appointed Country Chief Officer, Singtel Singapore on 12 September 2014. He is concurrently the Chief Executive Officer of Group Enterprise, which provides innovative and comprehensive Information and Communications Technology solutions to the Group’s enterprise customers across multiple geographies. Prior to assuming this position on 16 July 2012, he was the Managing Director, Business Group, Singtel. He joined Singtel in 2005 as Executive Vice President of Corporate Business.

Mr Chang serves on the boards of several wholly-owned and associate companies of Singtel. He is the Chairman of US-based Trustwave Holdings, Inc., one of the largest independent managed security services providers, which Singtel has acquired. He is also a board member of SingPost.

Mr Chang is the Chairman of the Singapore Polytechnic Board of Governors. He was on the Board of the Workforce Development Agency for six years, until 2011. For his contributions to Singapore’s workforce development, Mr Chang received the National Day Public Service Medal in 2007.

In 2014, Mr Chang was conferred the honorary Fellow of the Singapore Computer Society in recognition of his pivotal role in advancing the infocomm industry in Singapore.

Mr Chang has served on the boards of Singtel’s associate companies. He was a board member of Bharti Airtel from March 2006 to April 2007 and Co-Vice Chairman of Globe Telecom from November 2007 to October 2009.

Before joining Singtel, Mr Chang was the Managing Director of CISCO Systems’ Advanced Services Group, where he was responsible for the company’s operations in Asia Pacific.

Mr Chang holds a Bachelor of Engineering (Honours) degree in Electrical and Computer Systems Engineering from Monash University.


KHOO BOON HUI
Former INTERPOL President; retired Singapore Police Commissioner

Mr KHOO Boon Hui began his career in the Singapore Police Force (SPF) in 1977, after a short stint in the Singapore Armed Forces. In July 1997, he was appointed Commissioner of the Singapore Police Force, a post he held till January 2010. He also served as President of INTERPOL from 2008 to 2012. After his stint in the police force, Mr Khoo was appointed as the Senior Deputy Secretary of the Ministry of Home Affairs from 2010 to 2014. He concurrently assumed the appointment as Director of the Institute of Leadership and Organisation Development, Civil Service College, on 21 January 2013. Upon his retirement from the Government, Mr Khoo was appointed the Senior Advisor of the Ministry of Home Affairs on 21 January 2015, and a year later was re-designated a Senior Fellow. He is also a Senior Fellow of the Home Team Academy and the Civil Service College.

He is concurrently the Deputy Chairman of the Singapore Quality Award Governing Council and serves on the boards of Singapore Technologies Engineering Ltd, Singapore Health Services Pte Ltd, Singapore’s Ministry of Health Holdings, Casino Regulatory Authority of Singapore, Certis CISCO, and Temasek Foundation. He is an Advisor to INTERPOL, Standard Chartered Bank (UK)’s Board Financial Crime Risk Committee, Singapore’s National Cybersecurity R&D Programme and is a member of the Global Initiative Against Transnational Organized Crime. He co-chairs the annual US-Singapore Law Enforcement Homeland Security and Safety Co-operation Dialogue with his counterparts from the US Department of Justice and Homeland Security. He also chaired the first two ASEAN Senior Officials’ Roundtable on Cybercrime held in conjunction with the RSA Asia Pacific and Japan Conference.

He had previously served as Chairman of Technology Against Crime, the organiser of the International Forum on Technologies for a Safer World, based in France; a member of World Economic Forum Meta-Council on the Illicit Economy; and as an advisor to the Cambridge University Police Executive Program, Oxford University’s Journal of Policing, the International Centre for Sports Security based in Qatar, and the Independent Commission on the Future of Policing in the UK.

He is also the Chairman of the Singapore Golf Association Governing Council and the Singapore Island Country Club; and serves on the Singapore Symphony Orchestra Council and YMCA Singapore’s Advisory Council.

Mr Khoo obtained his Bachelor of Arts (Engineering Science & Economics) from Oxford University in 1976 and his Master in Public Administration from the Kennedy School of Government, Harvard in 1982. He attended the Advanced Management Program at Wharton in 2002 and has received numerous international honours and local awards.


Quann

PROFESSOR YU CHIEN SIANG
Chief Innovation Officer

As Chief Innovation Officer of Quann Singapore Pte Ltd, Professor Yu is responsible for cultural transformation, strategic problem solving, and innovations in areas such as Big Data, video and cognitive processing, Smart Nation, Internet of Things (IoT), robotics, drones, and high-security solutioning. He also leads Quann Labs, focusing on cybersecurity innovation and anti-malware research.

Previously, Professor Yu held a similar role with the Ministry of Home Affairs. He has worked in the Civil Service since 1981 and was awarded National Day Honours, The Public Administration Medal (Silver) in 1993 and The Public Administration Medal (Silver) Bar in 2004.

Prior to being part of the Civil Service, he was awarded the Carl Duisberg Gesellschaft Scholarship, a Public Service Commission Scholarship, to pursue his studies at Fachhochschule München, where he graduated as a Data Systems Engineer. During his studies, he received training at the Siemens Research Laboratory and IBM R&D Laboratory in Böblingen.

Professor Yu has been active in the fields of IT management and IT security for more than 20 years. He has led numerous national-level projects in IT security and homeland security and has been instrumental in evolving their architecture and fundamental mechanisms.

Professor Yu, a pioneer in the exploitation of microcomputers, is a former President of the Singapore Microcomputer Society. He is the inventor of cost-efficient and unique smart card readers, cryptography systems, more efficient protocols, and fault tolerant systems. He is also an Adjunct Associate Professor at the Department of Mathematics at the National University of Singapore, where he teaches an introductory course on cybersecurity.


Land Transport Authority

HUANG SHAO FEI
Director, IT Security, Governance & Risk Management

As Director, IT Security, Governance & Risk Management, Shao Fei leads the cybersecurity programme at Singapore’s Land Transport Authority and in the land transport sector.

His work involves all aspects of IT and cybersecurity governance, ranging from risk management, standards development, reviews, and compliance, to his role as cyber security advisor to land transport stakeholders. Prior to joining LTA, Shao Fei worked in various IT security roles at the Ministry of Home Affairs, DSO National Laboratories, Ministry of Defence, and IDA Singapore.

Shao Fei received his Bachelor’s degree in Mechanical Engineering from the University of Tokyo under the support of the Singapore Public Service Commission (PSC) and Japan Monbusho scholarships. He also holds an MBA from the University of Leicester, in addition to multiple IT security certifications including CISSP-ISSMP, CISSP, CISM, CRISC, and CISA.


Singtel

BAEY CHIN CHENG
Chief Information Security Officer

Baey has more than 30 years of experience, of which the past 25 years were in the banking industry. Currently, he is the Chief Information Security Officer at Singtel, a leading Singapore telco. Prior to this, he was the CISO of two of the largest local banks in Singapore. In addition to banking, he has worked in other industries, including manufacturing, and in the government.

Baey started his career at Price Waterhouse as an auditor after graduating with an accounting degree from the National University of Singapore. Subsequently, he went on to obtain a postgraduate diploma in Systems Analysis from the Institute of Systems Science and an MA in Systems Management from the University of Lancaster (UK).


NTUC FairPrice

SEAH KIAN PENG
Chief Executive Officer

Mr Seah Kian Peng is the Chief Executive Officer of NTUC FairPrice Co-operative Limited.

Mr Seah first joined NTUC FairPrice in January 2001 as the Chief Operating Officer. Since then, he has worked with the team to transform FairPrice into a multi-format retailer, and has significantly increased its market share, social impact and brand equity. Currently, the FairPrice group has a chain of about 300 stores, employs over 10,000 staff, and has an annual turnover of over S$3.4 billion. FairPrice was also rated by Interbrand, a global brand agency, as the most valuable retail brand in Southeast Asia and the sixth top retail brand in Asia Pacific in 2014.

Mr Seah is also a Member of Parliament. First elected in May 2006, he was re-elected in May 2011, and again in September 2015.

Mr Seah did his undergraduate studies in Australia under the Colombo Plan Scholarship. He is a Fellow of the Chartered Institute of Marketing and a Fellow of the Singapore Institute of Directors. He is the Chairman of the Harvard Business School Club of Singapore. Prior to joining NTUC FairPrice, he worked in both the public and private sectors.

Mr Seah sits on various boards, including The Consumer Goods Forum, a global industry network that brings together the CEOs and senior management of some 400 retailers, manufacturers, and service providers across 70 countries.


Nanyang Technological University

PROFESSOR LAM KWOK YAN
Professor of Computer Science, School of Computer Science and Engineering, College of Engineering

Professor Lam is a professor at Nanyang Technological University (NTU), Singapore. He has been a professor at Tsinghua University, PR China (2002-2010), and a faculty member of the National University of Singapore and the University of London since 1990. He was a visiting scientist at the Isaac Newton Institute of Cambridge University and a visiting professor at the European Institute for Systems Security. In 1997, he founded PrivyLink International Ltd, a spin-off company of the National University of Singapore, specialising in e-security technologies for homeland security and financial systems. In 2012, he co-founded Soda Pte Ltd, which won the Most Innovative Start Up Award at the RSA 2015 Conference. In 1998, he received the Singapore Foundation Award from the Japanese Chamber of Commerce and Industry in recognition of his R&D achievement in information security in Singapore. Professor Lam received his B.Sc. (First Class Honours) from the University of London in 1987 and his Ph.D. from the University of Cambridge in 1990. His research interests include distributed systems, IoT security infrastructure, distributed authentication, biometric cryptography, homeland security, and cybersecurity.
