Singapore: Adding medical devices to labelling scheme in OT systems
- ARQon

- Sep 30, 2022
Updated: Jan 4, 2023
Singapore wants to broaden the scope of its cybersecurity labeling program to cover medical devices, particularly those that handle sensitive data and might interact with other systems. Additionally, it emphasizes the importance of OT system security and the necessity to develop the relevant skill sets.
OT systems were previously built as independent infrastructures that weren't connected to the internet or other networks. However, the convergence of IT and OT systems had been prompted by the demand for higher efficiency and functionality.
For example, remote monitoring and data sharing for insights increased efficiency, but at a price, since they increased the attack surface, according to David Koh, Singapore's cybersecurity commissioner and CEO of the Cyber Security Agency (CSA).
OT systems were once in a secure air-gapped working environment, but Koh pointed out that they were now vulnerable to potential cyberattacks, and that breaches might have real-world consequences. Koh was presenting at the ISC2 conference Secure Singapore on Wednesday. He emphasized the necessity to develop the requisite skill sets to manage the convergence of IT and OT systems in order to mitigate such hazards.
These teams would now need to comprehend how IT systems were deployed to support key services, such as water and power plants, as both sides had previously been run and controlled separately. Beyond the technical components, he noted, such skill sets should also include knowledge of business processes and interdependencies.
Zachary Tudor, associate laboratory director for national and homeland security at Idaho National Laboratory, agreed and emphasized the necessity for managers who were aware of the security concerns posed by the fusion of IT and OT.
According to Tudor, who is also the chairperson of ISC2's board, C-suite executives also needed to be educated about the commercial risks and repercussions of the interdependencies between the two domains.
In response to the convergence, Singapore, according to Koh, modified its cybersecurity approach, incorporating an OT security masterplan that emphasized boosting processes, infrastructures, and skills to handle possible risks. Its OT Cybersecurity Competency Framework offered criteria for the technical and cybersecurity skills necessary for OT industry sectors, including those in CII markets like water, healthcare, maritime, and energy.
This week, CSA introduced a scholarship program for up to 80 deserving students enrolling in the Master of Science in Security by Design program at the Singapore University of Technology and Design. The program was a component of the government's initiatives to promote the development of OT cybersecurity capabilities.
Plans to expand labelling scheme to healthcare
Koh also emphasized the necessity of assisting the general public in making better security-related decisions, particularly when buying Internet of Things (IoT) equipment.
He highlighted that because the security posture of the gadget was often opaque, with little information offered and the focus instead being on its features and affordability, users would buy such goods without giving them much thought.
In order to solve this, the CSA established the Cybersecurity Labelling Scheme (CLS), and adoption of the voluntary program has been better than anticipated, according to a number of firms, he said. The effort was initially launched for home routers but eventually expanded to encompass all consumer IoT products, including smart lights and door locks.
Koh disclosed that efforts were now being made to extend the CLS to include medical and healthcare equipment. According to him, security was crucial because these devices might have an impact on someone's health or even cause them harm.
Medical devices would be covered by the program if they handled sensitive data, such as personally identifiable information, and had the ability to "collect, store, process, or transfer data," according to a CSA paper outlining the pilot CLS for those devices. Additionally, they would have access to other systems and services and the capacity to manually or automatically communicate through wired or wireless networks.
In May, Singapore revealed intentions to establish a $13.9 million ($19.5 million) center to facilitate security measures, physical hardware attacks, and vulnerability assessments of software and hardware goods. In order to create pertinent accreditation programs, particularly IT testing programs that allowed initiatives like CLS, the center would collaborate with CSA and the Singapore Accreditation Council.
By the end of April, more than 200 goods had been submitted for labeling under the initiative, according to CSA.
Koh continued by saying that nations including Germany, Australia, the United States, and the United Kingdom had contacted Singapore to develop reciprocal recognition of similar labeling and certification methods in the corresponding worldwide markets. According to him, such bilateral recognition would eliminate the need for repeated testing.
In October of last year, Singapore and Finland signed a contract to do this for their respective nations' IoT cybersecurity labels.