The Singapore OT Cybersecurity Masterplan

In this article we focus on this fourth area of focus, Secure-by-Deployment, which is integral to materially strengthening OT cybersecurity standards. What does Secure-by-Deployment look like in a practice? According to the Masterplan, it involves:

1. Secure-by-Design,
2. Secured default configurations,
3. Deployment by qualified personnel, and
4. Monitor deployment for security assurance.

As a technology vendor and partner with the Singaporean government, Waterfall Security has committed to support the first two pillars of OT cyber resilience – the ones most relevant to us. The first two pillars are product-focused, the last two are personnel-focused. Secure-by-design and secured default configurations are a set of principles that ensure products are designed and developed to withstand malicious cyber attacks, manage cyber risk, and remain resilient throughout the product lifecycle. These principles are core to Waterfall’s technology and solutions.

More specifically, the secure-by-design concept reflects a commitment to cybersecurity in every aspect of product design. This is a very natural fit with how Waterfall has operated throughout the life of the company – we produce security products and so of course we are thinking about security, pretty much constantly, in every aspect of our design and development processes.

The second core concept of the Secure-by-Deployment standards is secured by default configurations. This is a newer and more cutting-edge security practice that reduces human error in product deployment and normal use. The principle is simple: secure by deployment says “make the most secure configuration of the product the default configuration.”

For example, consider encryption of everyday email. You may not be aware, but you can encrypt your outgoing emails in MS Outlook so that only the recipient of the email can read them. To do this however, you must know which extra configuration steps you must take to load the encryption keys into your application and enable the function. If you do not perform these steps, the email you send can be read by systems administrators or others at many points in the communication path from sender to receiver. Furthermore, the recipient of your encrypted email must also have taken configuration to be able to decode and read your messages. The Secure by default principal stipulates that when you install an email client for the first time, the program automatically guides you through the configuration steps needed to enable message encryption, and every email you send thereafter is encrypted. Said another way, you and other end users must have special knowledge and take special steps to disable the most secure settings, such as if you don’t want your emails sent encrypted.

The secure by default configuration principle applies to Waterfall products and to other industrial automation products as well. For instance, DNP3 standards support several kinds of encryption, even though most deployments are  not encrypted. In a secure-by-default product, when you enable a new DNP3 connection, the product would turn on encryption by default, and you have to go through additional effort to disable encryption in the deployment. Instead of taking additional steps to make sure industrial product are deployed in as secure a state as possible, with secured by default products, additional steps must be taken to change the configuration of the product to a less secure state, leading more often to more secure deployments.

The updated Singaporean Masterplan demonstrates the Singapore CSA’s commitment to lead the world in defending against evolving cyber threats to OT networks and infrastructures. Safe, reliable and efficient industrial operations require an approach that extends beyond traditional practices, one that involves secure design and deployment principles to meaningfully address the risks of compromise to OT networks.  Waterfall Security is happy to be a major contributor to helping Singaporean companies effectively align with the Masterplan and reach their goals of OT cyber resilience. To explore how Waterfall products can contribute to material improvements in your own OT security posture, please reach out to us for a free consultation.