Cyber Security Challenge
2021 Challenge Statements
CS01: Cybersecurity Risk Assessment and Audit Data Analytics
Challenge
Build an application to take in data files, perform query and data extraction, and have analytics, dashboarding and reporting capabilities.
Background
Our organisation receives approximately 70 cybersecurity risk assessment reports annually and at least 80 audit reports every two years. Over time, these reports accumulate into a repository that would be useful to reference for insights. The submitted reports can be in the form of Microsoft Word, Excel, PDF and hardcopy.
Currently, it is a time-consuming and resource-intensive exercise to manually review and validate that the submitted reports are complete and comprehensive. These reports will then be reviewed and analysed for insights.
Requirements
We are seeking a data analytics solution that, minimally, is able to query and analyse the data sources and pull together the information to address specific questions that we have from a data-source completeness standpoint and, separately, from a data-insight standpoint. The use of Artificial Intelligence and Natural Language Processing in the solution will be an added advantage.
Some of the questions on data completeness and insights that the data analytics application would need to address include the following:
- Completeness and comprehensiveness of data sources, i.e. whether they include the relevant sections/information, risk assessment methodology used, definition of risk, risk treatment options put in place, outliers, etc.
- Existing/trending cybersecurity risk profile of each cluster, sector and system, in consideration of the risk scenarios, risk category, appropriateness of risk treatment/control measures, risk treatment status/timeliness, etc.
- Risk and controls universe for each sector and cluster, including the mapping of risk scenarios to risk category and risk treatment/control measures
Note that a fuller list of questions will be shared separately during the in-depth discussion on the detailed requirements.
Limitations
- The solution provider is free to propose additional insights on risk assessment, audit report and format for dashboard and reports.
- Proposals with solution development within 12 months will have an added advantage.
CS02: 360 Cyber Fusion Analytics for IT/OT/IoT Convergence
Challenge
Develop a cyber fusion analytics engine that correlates, converges and contextualises information, reports and threats from IT, OT and IoT devices and sectors to allow for automated response and operations.
Background
Traditional approaches to cybersecurity fall short in keeping up with today’s rapidly evolving threat landscape. In the haste to get products out the door, little consideration has been placed on developing security capabilities that work holistically with one another. This has resulted in security silos that prevent an understanding of the full landscape and prevent effective protection against today’s advanced and sophisticated threat actors.
A decentralised approach to cybersecurity results in organisational silos and overly complex products and solutions just to integrate and make sense of the data collected. Analysts are often swamped by an overwhelming amount of data that provides neither clear insight nor an action plan, and there can be duplicated effort when a threat hits multiple systems, causing everyone to conduct a similar investigative process and wasting valuable time that could have been used to respond to the threat more actively.
A collaborative and combined effort like a cyber fusion centre would allow both SOC and Ops to share intelligence and data in order to facilitate the effective response to threats. Bringing together staff from various departments working and collaborating under one roof would drive an integrated response to threats and crisis, resulting in faster response time, reduced costs, increased productivity and better intelligence.
Requirements
The proposed Cyber Fusion Analytics engine should:
- Power a single dashboard for all assets, vulnerabilities, intelligence, intrusions, security events and incidents for tiered SOC investigation, compliance monitoring and reporting.
- Ingest and process information from threat intelligence sources (e.g. OSINT, insider threat, fraud, brand reputation, physical, geopolitical, supply chain) to better detect known or unknown cyber threats at an early stage and drive incident prioritisation or remediation. Intelligence feeds must adhere to STIX/TAXII structures; where unstructured data is required, it will be discussed separately during the clarification session.
- Collect security telemetry or intel from various sources via API interfaces, including but not limited to Asset Management, Vulnerability Assessment and Penetration Testing, Endpoint Protection, Identity-Email-Collaboration, Network Security, Application Security, Data Security, Cloud Security, IoT/OT Security, Threat Hunting, Threat Intelligence, Attack Surface Monitoring, Managed Detection & Response, SIEM/SOAR and SOC services.
- Be cloud-first in deployment and natively support cloud orchestration to provide automated build enhancements and configuration updates in real time.
- Create a new cost-effective data lake, or the relevant data model for an existing data lake, for data ingestion, security analytics and retention.
- Be able to integrate with (or replace) the existing SIEM/SOAR and/or MDR/NDR platform to improve automation and cost-effective security operations. Telemetry, events and intelligence feeds must be vendor agnostic, and the reuse of existing security solutions is preferred.
- Detect security incidents via known security patterns or via anomalies identified through behavioural analysis, and confirm the validity of detected events with ML/AI data analytic capabilities to support incident response efforts.
- Have security playbooks for various business domains – Digital Workplace, Digital Cloud Application (e.g. eCommerce, CRM), Manufacturing & Supply Chain, Connected IoT Platform, Data Analytics Platform – to define end-to-end security monitoring, incident response and crisis management capabilities.
- Complement the existing Security Operation Centre (as a managed service) to drive cost efficiency via the new innovative technology and automated processes.
- The cyber security operations must adhere to the NIST Cybersecurity Framework and MITRE ATT&CK framework.
- Proposed solutions should consume minimal production network bandwidth and should not impact existing IT/OT/IoT system and network performance and operations.
Limitations
- If it is not possible to deliver the above requirements with a single vendor, a partnership with an XDR provider can be considered to deliver integrated and cost-effective operations.
- At minimum, 50% of the requirements must be delivered within 6 to 12 months, where the remaining 50% must be completed within 24 months.
CS03: Integrated Cybersecurity Risk Assessment and Remediation Management System
Challenge
Develop a solution to conduct cybersecurity risk and compliance assessments – from identification to remediation – and leverage the same data set to calculate the return on security investment.
Background
Cyber risk is one of the most important considerations for companies undergoing digital transformation, and we need to build a more risk-aware culture for dealing with cybersecurity risk.
While current commercial-off-the-shelf (COTS) solutions provide severity ratings for vulnerabilities based on CVSS and proprietary threat intelligence, asset criticality/value is not considered. In addition, the potential impact of breaching compliance standards is not considered.
The current process of providing advisory services and risk assessments remains highly manual. Hence, a scalable and self-service cybersecurity risk assessment and remediation management system could address this need. A feature to track the return on security investment would also help with reporting to management.
Requirements
The ideal vulnerability management solution should contain, but not be limited to, the following:
- Track return on security investment.
- Conduct comprehensive risk assessment through:
  - Vulnerability scanning of assets as they are added or changed
  - Use of Artificial Intelligence / Machine Learning to detect zero-day vulnerabilities
  - Use of threat intelligence to verify the vulnerability in real time
  - Identifying gaps between current controls and standards / best practice
  - Calculating severity with consideration of user-specified criticality levels of assets and the agreed risk appetite
  - Recommending security controls based on industry best practices
  - Providing the option to implement the remediation automatically
- Adopt AI / ML to improve risk assessment (e.g. classification, feature selection of various attributes) to allow real-time alerting and pro-active intervention.
- Conduct compliance assessment in addition to risk assessment.
- Integrate with asset management / CMDB system to retrieve and incorporate asset value and asset ownership information into the report.
- Distribute the report automatically to the respective asset owners and allow asset owners and security managers to include action plans/target timelines in the vulnerability instance.
- Allow customisation of the required remediation timeline based on severity and include the remediation timeline in the report for each vulnerability.
- Monitor the remediation timelines, and highlight deviations in the management dashboard. Notify the asset owners if necessary.
- Allow asset owners to raise risk deviation / acceptance directly in the dashboard.
- Develop an opt-in feature for organisations to leverage on collective knowledge collected via this solution, to provide a semi-automated method of risk advisory.
CS04: Purple Team Email Filter and Phishing Platform
Challenge
Develop a comprehensive anti-phishing solution to identify and filter phishing emails with a high degree of accuracy based on machine learning, and leverage the same data set to implement an intelligent phishing simulation platform capable of generating realistic phishing drills that adapt to the phishing attacks targeting the organisation.
Background
Phishing continues to be one of the most common causes of cybersecurity breaches today, and the attacks are on an escalating trend. While user education and awareness are important in mitigating this threat, technology can also play a part to assist in the identification of phishing threats.
Today, most email security solutions are able to filter out basic phishing emails, but it is not difficult for attackers to craft the content in a way to evade detection. One reason for this is the lack of advanced filtering algorithms, such as one that is able to use machine learning to identify phishing emails specific to an organisation.
Currently, most phishing simulation platforms utilise a standard library of phishing drill content that is too generic in nature, and its effectiveness diminishes over time. With this new method, phishing drills can continuously learn and evolve automatically.
Also, current phishing drill platforms only track if users have clicked on a link, and use that to determine the fall-prey rate. Though this is a good measure, it could be further enhanced if users were brought to a functional but fake login page where their actual credentials could be captured and verified. This would provide another dimension of analysis and reporting to allow the prescription of appropriate follow-up actions for those who fall prey.
Requirements
The proposed solution should have the following capabilities and features:
- Allow users to submit phishing emails via a plugin, with the primary objective of using the data to train the machine learning model. The plugin should be integrated with popular email clients (e.g. Microsoft Outlook).
- Leverage advanced machine learning, sophisticated feature engineering, threat intelligence, and potentially other new web security techniques to achieve high identification accuracy of phishing emails in the potential presence of wrongly submitted samples in the training data. Essentially, the algorithm should tolerate wrongly submitted samples as much as possible.
- Identify phishing emails, and integrate with common email providers (e.g. Office 365). Assign visual tags to emails based on confidence level, instead of blocking emails suspected to be phishing emails.
- Develop a phishing drill emails content generator which leverages machine learning, threat intelligence and other similar inputs as with (2) using the submitted samples as training data. Generated emails should replicate the style and content of training data, but should not be restricted to only the reported threats.
- Create campaigns to send out phishing drill email to users.
- Customise campaigns for different groups of users, with varying parameters (e.g. frequency of sending, different email content). This includes designing spear-phishing campaigns tailored to the most vulnerable roles and departments.
- Utilise the results of phishing campaigns to tailor future campaigns (e.g. users who have fallen prey will receive more phishing campaigns).
- Generate comprehensive reports that uniquely identify users who fell prey to phishing emails.
- Integrate with enterprise logins (e.g. Microsoft ADFS) to create fake but functional login pages to capture (but not collect) the credentials of users who have fallen prey.
Limitations
The solution must run on-premise in the end-user’s environment as it involves the potential capture of the users’ credentials.
CS05: Integrated Solution using Automation, Analytics and AI in a Defence Model for Cloud
Challenge
Design and build an integrated solution using automation, analytics and AI to enhance threat detection capability, improve asset protection using automated response and increase visibility of cloud environment for a holistic defence of the Cloud.
Background
There is a growing trend towards utilising the Cloud platform for a host of services, from the common Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) to the more niche Security-as-a-Service (SecaaS). Even malicious entities are using these established avenues to run ransomware-as-a-service.
Commercial Off-The-Shelf (COTS) solutions offering detection and protection capabilities are often tailored to commercial entities with deep financial resources or cater only to specific IaaS/PaaS setups. Most of these solutions offer restricted dashboard views and limited analytical functionality (e.g. rule-based) to cover security gaps. This often requires intricate knowledge in integrating different COTS solutions and understanding the expected prerequisites. This breaks down the holistic defence model into disparate parts covered by different solutions, resulting in misconfigurations, potential software conflicts and inconsistent/duplicative protection coverage.
To further compound these issues, many of the solutions also require manual/human intervention to check and validate high volumes of alerts, slowing down incident response times and allowing the perpetrator to exfiltrate data or spread malware to other connected workloads, databases and domains across the organisation.
Requirements
We are seeking to work with the industry to design and build an innovative solution that is both cost-effective and comprehensive to address the challenges of utilising Cloud services. This new solution should be Cloud Service Provider (CSP) agnostic and offer detection and response capabilities for all cloud models (e.g. IaaS, PaaS and SaaS), through the following features with the use of Artificial Intelligence:
- Perform User Entity Behaviour Analytics on asset information to determine a baseline and detect anomalies (e.g. activities that deviate from the baseline).
- Constantly self-adjust/balance to reduce false positives and generate alerts with high fidelity.
- Propose responses/actions to suspected incidents. Consider allowing an option to enable automated responses, to reduce manual validation times and protect against breaches. Interoperability with other existing security solutions in the environment for automated incident response is required, to enable ease of configuration for such automated responses.
- Use machine learning to analyse responses to threats/intrusions and provide feedback to improve the defence model. (This is suitable for national implementation, where the analytical sample size is large.)
The listed features above should work both within a single CSP and across various CSPs.
CS06: Forensic Acquisition in the Cloud
Challenge
Design and develop a web-based platform that conducts triage to search, preserve and analyse forensic artifacts from various cloud service providers (CSP).
Background
Criminals are increasingly leveraging web technology to advance and expand their vice operations, facilitate communications, and conduct digital transactions. Oftentimes, their modus operandi relies on CSPs such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud. These companies account for more than half of the worldwide market share of cloud infrastructure service providers.
A key concern for digital forensic examiners is the ability to ensure that digital evidence triaged from the cloud can be proven to be tamper-proof, so that it is admissible in a court of law. A proper chain of custody should also be maintainable as proof of accountability when the proceedings necessitate the transfer of ownership of said evidence.
While CSPs may offer native logging and monitoring services (e.g. AWS CloudTrail, Azure Log Analytics, GCP Audit Logs), these services target user actions and server logs primarily while leaving the hosted content (e.g. VM instances, storage, database) untouched.
Requirements
The proposed solution should offer the following capabilities or characteristics, with the use of Artificial Intelligence and Machine Learning:
- Acquire the front-end of a website, including but not limited to:
  - Screen capture of the web façade
  - Scraping of hosted content
  - Parsing of text and metadata
- Access the back-end of a website and traverse all accessible endpoints or running services on a CSP to search for potential sources of forensic artifacts (e.g. storage, VM images, databases, identity access management portal)
- Remotely triage and export selected data (potentially terabytes or petabytes of information), in whole or in part, seamlessly onto local or remote storage
- Log each step in the forensic acquisition process to ensure the integrity of digital evidence, and produce a court-admissible audit trail
- Generate a hash value for each exported forensic artifact
- Process collected data to perform evidence discovery (e.g. indexing for keyword search, link analysis, sentiment analysis, image/video classification)
- Provide a basic case management system with user access control
- Deployed in the cloud, ideally on a serverless or containerised architecture
  - Or otherwise be proven to be scalable, flexible in choice of deployment environment and self-provisioned
- Designed modularly with an appropriate level of abstraction for potential inclusion of new native features as required by the end-user
- Designed with relevant API endpoints exposed for potential integration of external tools or services as required by the end-user
The solution provider is to state clearly in the proposal if the solution will only be able to fulfil the requirements for a certain cloud model (i.e. SaaS, PaaS, IaaS) or a specific CSP (i.e. AWS, Microsoft Azure or Google Cloud). Prerequisites that are necessary for the solution to meet the requirements above are to be documented in the proposal.
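The two integrity requirements above (a hash for every exported artifact and a tamper-evident audit trail of each acquisition step) are illustrated by the following added example. It is not part of the challenge statement or any submitted solution; the artifact contents, the "cloud-account:EXAMPLE" source label and the examiner identifier are constructed placeholders, and the bucket/VM/database names are hypothetical. Each log entry commits to the SHA-256 of the previous entry, so a later edit to either an artifact or an earlier log entry is detectable on verification.

```python
"""Hash-chained audit trail for a cloud forensic acquisition (illustrative example,
not the challenge's or any vendor's code). Every exported artifact is hashed with
SHA-256, and every acquisition step is appended to a log in which each entry stores
the hash of the previous entry, so tampering with artifacts or history is detectable."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample artifacts standing in for exported cloud objects (hypothetical names).
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "s3://example-bucket/invoices/2021-03.csv": b"id,amount\n1,40.00\n2,19.99\n",
    "vm-image/web-01.raw": bytes(range(256)) * 4,
    "db-dump/users.sql": b"INSERT INTO users VALUES (1, 'alice');\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Stable serialisation so the same entry always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only log; entry i stores the hash of entry i-1 (the first entry uses zeros)."""

    GENESIS = "0" * 64

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries: List[dict] = []

    def _prev_hash(self) -> str:
        return sha256_hex(canonical(self.entries[-1])) if self.entries else self.GENESIS

    def record(self, action: str, source: str, artifact_sha256: Optional[str] = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "source": source,
            "artifact_sha256": artifact_sha256,
            "prev_entry_sha256": self._prev_hash(),
        }
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if every entry's prev pointer equals the hash of its predecessor."""
        expected = self.GENESIS
        for entry in self.entries:
            if entry["prev_entry_sha256"] != expected:
                return False
            expected = sha256_hex(canonical(entry))
        return True


def acquire(artifacts: Dict[str, bytes], examiner: str = "examiner-01") -> Tuple[AuditTrail, Dict[str, str]]:
    """Hash each artifact and log its export; returns the trail and a manifest {source: sha256}."""
    trail = AuditTrail(examiner)
    manifest: Dict[str, str] = {}
    trail.record("session_start", "cloud-account:EXAMPLE")  # placeholder account label
    for source, data in artifacts.items():
        digest = sha256_hex(data)
        manifest[source] = digest
        trail.record("export", source, digest)
    trail.record("session_end", "cloud-account:EXAMPLE")
    return trail, manifest


def verify_artifacts(manifest: Dict[str, str], artifacts: Dict[str, bytes]) -> List[str]:
    """Return the sources whose current content no longer matches the recorded hash."""
    return [src for src, digest in manifest.items() if sha256_hex(artifacts.get(src, b"")) != digest]


if __name__ == "__main__":
    trail, manifest = acquire(SAMPLE_ARTIFACTS)
    print("chain intact:", trail.verify_chain())
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["db-dump/users.sql"] = b"INSERT INTO users VALUES (1, 'mallory');\n"
    print("modified artifacts:", verify_artifacts(manifest, tampered))
    trail.entries[1]["source"] = "s3://another-bucket"  # simulate an after-the-fact log edit
    print("chain intact after log edit:", trail.verify_chain())
```

The chain only proves that entries were not altered relative to their successors; the most recent entry has no successor, so in practice the final entry's hash (or the whole log) should be sealed by an external signature or timestamp service at each custody transfer, which is what makes the trail useful as chain-of-custody evidence.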
Limitations
The end-user is not able to provide operational data. Applicants are advised to source or generate their own test cases / dataset.
CS07: Unified IoT Security for Connected Products Utilising Edge Computing
Challenge
Develop a centralised IoT Hub and its corresponding security architecture that integrates connected products and their ecosystem together for efficient security operations.
Background
Digital security must be designed into IoT devices from the ground up and at all points in the ecosystem to prevent vulnerabilities from one part jeopardising the security of the whole. As smart products become increasingly interconnected, they rely on a centralised hub connected to other services to provide a feature-rich, sophisticated, and personalised experience.
The processing and transfer of large volumes of personal data makes it an attractive target for attackers. The protection of consumer privacy data must be strictly adhered to according to the relevant laws at the point of collection, in transit, and at rest, to prevent misuse or exfiltration at the device or network level.
Traditional perimeter security defence models are no longer sufficient or practical for the exponentially increasing number of connected devices. Intelligent systems with sentient capabilities that can actively detect, monitor, predict and respond are needed to defend against the growing landscape of threats.
The tipping point for security has always been cost, and while certain industries are willing to spend large amounts, the consumer segment is extremely competitive and cost sensitive. The right balance must be found for it to be commercially viable in a large-scale global deployment.
Requirements
A secure IoT system (consisting of backend hub, gateway, IoT devices, etc.) must have the following capabilities:
- An integrated approach to detecting security configurations, detecting and assessing vulnerabilities, and centralised reporting.
- Monitoring of end-to-end connections between connected devices and the entire hub.
- Have edge computing/federated learning abilities at the connected device to secure data before it is transmitted out.
- Automatically detect and alert a central controller upon detection of intrusion or tampering of firmware, algorithms or data within the connected devices.
- Provide telemetry in industry standard formats for integration into a Fusion Centre’s platform for end-to-end monitoring of the entire ecosystem.
- The centralised hub should be able to identify compromised devices and anomalous network activities based on an AI/ML engine’s analysis of a reference model derived from historical (empirical) data and the normal operating characteristics of connected devices. Such devices should be isolated to protect core services and other uncompromised devices, while still remaining functionally operational for the end-user.
- Ability to detect and tag personally identifiable information, personal sensitive information or environmental information automatically.
- Be able to attest to independent accreditation of applicable IoT security standards.
- Solution needs to be developed in a cloud-first approach for scalability, and automation is to be the key guiding principle for the solution.
- A shared library with open API approach embedded into the connected devices for data ingestion and integration is preferred over an embedded agent-based approach.
- Solution should optimise use of connected device’s bandwidth and should not adversely impact the system and network performance and operations.
Limitations
- If it is technically unfeasible or cost prohibitive to protect every single device, companies may propose an alternative approach that protects the majority of devices and central ecosystem while still maintaining a good level of trustworthiness.
- At minimum 50% of the requirements must be delivered within 6 to 12 months, with the remaining 50% to be completed within 24 months.
CS08: Threat Detection and Risk Profiling System for Maritime Vessels
Challenge
Build a threat detection and risk profiling system tailored to maritime vessel systems that can analyse, correlate and provide a coherent overview of threats spanning the IT, OT and IoT system networks in real time.
Background
A ship’s system is complex and runs on Information Technology (IT), Operational Technology (OT) (for navigation, propulsion and machinery, access control and cargo management systems) as well as the Internet of Things (IoT).
With increased digitalisation, integration and automation onboard, the originally isolated systems are now moving to a converged network. This introduces a higher risk of unauthorised access or malicious attacks on the ships’ systems and network, and may result in potential safety, environmental and commercial consequences.
A real-time solution that profiles cybersecurity risk, detects threats and protects critical assets across all three systems will help ship operators mitigate these risks.
Requirements
We are seeking an innovative converged security solution that includes, but is not limited to, the following capabilities:
- Identify known cyber threats (malicious code or traffic), based on known threats and anomalous activities.
- Protect or isolate critical assets from known threats detected under (1).
- Learn and discover data points and data traffic, and perform asset risk profiling in real time using AI / ML methods.
- Establish a baseline for operating states and detect anomalies in the network (e.g. unusual data traffic, new traffic events).
- Identify events that increase the risk score (e.g. unauthorised access, attempts to modify settings, unusual traffic between critical assets onboard vessels) and recommend remediation.
- Provide alerts to local operators and administrators to carry out checks.
- Simple UI that can be operated by personnel with only basic training.
- Provide a dashboard and periodic compliance reports for audit verification.
- Ability to aggregate vulnerabilities into a risk scoring system to better understand internal security gaps and external threats.
- Solution may need to be ship-class certified.
Limitations
- Solution may not have access to consistent and/or reliable data/internet connections.
- Solution should not impact the ship’s OT systems and IoT Systems.
- Solution cannot be installed directly on the ship’s OT systems.
CS09: Operational Technology (OT) Honeypot
Challenge
Construct a honeypot system to collect cyber-attack information for Operational Technology (OT) networks to serve as an early warning system, and provide the ability to analyse cyber attackers’ Tactics, Techniques and Procedures (TTPs), detect new malware and zero-day exploits, as well as confuse potential cyber attackers. The system could also trace the intruder to its source or origin.
Background
The volume of cyber-attacks on the power industry has escalated in recent years as threat actors seek to infiltrate energy infrastructure for cyber-espionage and sabotage. Protecting these critical Operational Technology (OT) networks from exploitation requires a multi-layered security approach that involves physical controls, firewalls, intrusion detection/prevention systems (IDS/IPS), a highly trained security team, and more. However, the tools (and the human teams managing them) have limitations (e.g. new malware may not be detected, inability to detect internal threats), which results in cyber risk for critical power networks.
One way to mitigate these limitations and continuously monitor the OT network is through the use of honeypots. OT honeypots can emulate a range of common industrial control protocols to appear like a large facility, allowing hostile scanning and other activity to be detected without modifying existing network and system configurations.
They provide a means to gather data on attacker trends and tools, research potential countermeasures and test protocol implementations. Well-designed and deployed honeypots can serve as an early warning system, detect new malware and zero-day exploits, uncover insider threats and confuse cyber attackers.
Requirements
The proposed solution should have the following capabilities and features:
- Emulate devices and control protocols to appear like a power facility
- Adaptable to any ICS environment (e.g. easily reconfigurable if models change, such as using a mass-heat balance thermodynamic model or a generic operator simulator capable of start-up, steady-state and shutdown of a power plant process)
- Acts as an indicator of attack (i.e. a tripwire)
- Appear as a fully functional power facility to cyber attackers in order to delay the actual discovery and compromise of the actual power facility
- Apply relevant industry knowledge to improve the deception and increase the stickiness of the honeypot to better analyse cyber attackers’ kill chain, trends and tools
- Detect both internal and external anomalies that may indicate an attack
- Collect and analyse information on interactions/ intrusions (e.g. actions taken, uploaded malware, exploits used) that can be translated into actions to improve existing cyber defences
- Provide alerts and notifications in case of attacks.
- (Optional) Trace the intruder to its source or origin where the attack was launched.
- Honeypot should be tested via a hackathon or similar event to prove its functionality
Limitations
- The honeypot must be appropriately sandboxed in the event it is to be integrated into one of standalone process control system to mitigate the risk of intrusion attempts into current operating OT systems.
- No sensor or appliance should be installed in the existing OT system
- The honeypot infrastructure shall remain at the test site after the conclusion of the project.
CS10: Intelligent & Adaptive Detection Models for OT Systems
Challenge
Build a digital twin with a detection engine model to detect security incidents and unauthorised commands through packet inspection. The detection engine should be able to adapt to different SCADA network setups, data types and networks that can be scaled up through virtualisation with detailed simulation using hardware-in-the-loop (e.g. PLC).
Background
An OT plant contains many processes and workflows which generate large amounts of process data during routine operations. This makes it difficult for operators to detect spoofed values, especially if the spoofed value is within the permissible range.
Such anomalies leave plant operators with an inaccurate picture of their systems, which can allow attackers to traverse the plant network without being detected; this presents a serious security breach. Legacy OT communication protocols also have no mechanism to authenticate or encrypt communication packets, allowing an attacker to freely launch attacks on PLC networks once they have gained access to the PLC network.
This challenge seeks an innovative solution that can help the plant predict process values and automatically trigger alerts if a deviation is detected. The solution should also be able to detect anomalies in a wide variety of process data based on historical behaviour and logs.
Requirements
We are looking at building a digital twin with anomaly detection and machine learning capabilities that can:
- Predict expected output and sensor values based on input values in comparison to historical data and the ability to withstand anomalous data due to machine failure/maintenance
- Correlate data from analogue and digital data points to detect anomalies
- Automatically learn the baseline plant process from historical data and automatically trigger alerts when deviations between predicted and actual collected data are detected
- Utilise AI/ML to detect security incidents based on anomalies in the process data and the detection of unauthorised commands through deep packet inspection
- Automatically improve the AI/ML model in terms of detection accuracy and false alarm rate through reinforcement learning as more data becomes available
- Detect manipulation and/or spoofed data from data collected by SCADA I/O servers through machine learning of historical behaviour by operators
- Automatically filter out the relevant OT communications protocols (e.g. Modbus, DNP3) for machine learning, monitoring network traffic and learning the plant’s behaviour
- Differentiate between maintenance/equipment failures and cyber attacks
- Ability to score and rank alerts to reduce false alarms and operator load
- Be able to detect suspicious traffic (e.g. illegal file transfer, malicious packets, scanning traffic, download of PLC logic) that should not be present in the automation network
- Interface with common SCADA system (e.g. OPC)
- (Optional) The ability to block spoofed commands and not become a risk to plant operations will be considered in the evaluation criteria
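The background section makes the core point of this challenge: a spoofed value inside the permissible engineering range is invisible to a range check, and can only be caught by comparing it with what the rest of the process implies it should be. The following added example (not code from the challenge statement or any submitted solution) demonstrates the first three requirements on a deliberately small scale: it learns a baseline from constructed historical records relating a valve position (analogue) and pump state (digital) to a measured flow, predicts the expected flow for each live reading, and raises a scored alert when the residual is implausible or when the analogue and digital points contradict each other. The tag names, the engineering limits, the z-score threshold and the noise floor are assumptions for the example.

```python
"""Baseline-learning detector for a correlated pair of OT tags.

Added example, not part of the challenge statement. It fits, from
historical records, how a flow measurement depends on valve position while
the pump runs, then flags live readings whose deviation from the prediction
is statistically implausible, even when the value sits inside the
permissible engineering range.
"""
from statistics import mean, pstdev

PERMISSIBLE_FLOW = (0.0, 100.0)  # engineering limits in m3/h (assumption)
Z_THRESHOLD = 4.0                # residual z-score that raises an alert (assumption)
SIGMA_FLOOR = 0.5                # minimum residual spread assumed for sensor noise
IDLE_FLOW_MARGIN = 1.0           # tolerated flow above idle baseline with pump off

# Constructed historical records, not plant data: valve opening in %,
# pump state (1 = running), measured flow in m3/h.
HISTORY = [
    {"valve": 10, "pump_on": 1, "flow": 10.3},
    {"valve": 20, "pump_on": 1, "flow": 17.8},
    {"valve": 30, "pump_on": 1, "flow": 26.4},
    {"valve": 40, "pump_on": 1, "flow": 33.9},
    {"valve": 50, "pump_on": 1, "flow": 42.2},
    {"valve": 60, "pump_on": 1, "flow": 49.7},
    {"valve": 70, "pump_on": 1, "flow": 58.1},
    {"valve": 80, "pump_on": 1, "flow": 66.3},
    {"valve": 90, "pump_on": 1, "flow": 73.9},
    {"valve": 0, "pump_on": 0, "flow": 0.1},
    {"valve": 50, "pump_on": 0, "flow": 0.2},
    {"valve": 90, "pump_on": 0, "flow": 0.0},
]


class FlowBaseline:
    """flow = slope * valve + intercept, fitted on pump-on records, plus an
    idle baseline learned from pump-off records."""

    def __init__(self, history):
        running = [r for r in history if r["pump_on"] == 1]
        idle = [r for r in history if r["pump_on"] == 0]
        xs = [r["valve"] for r in running]
        ys = [r["flow"] for r in running]
        x_bar, y_bar = mean(xs), mean(ys)
        sxx = sum((x - x_bar) ** 2 for x in xs)
        sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
        self.slope = sxy / sxx                      # ordinary least squares
        self.intercept = y_bar - self.slope * x_bar
        residuals = [y - self.predict(x) for x, y in zip(xs, ys)]
        # The floor stops a very clean training set from producing a
        # threshold tighter than real sensor noise.
        self.sigma = max(pstdev(residuals), SIGMA_FLOOR)
        self.idle_flow = max(r["flow"] for r in idle) + IDLE_FLOW_MARGIN

    def predict(self, valve):
        return self.slope * valve + self.intercept

    def check(self, reading):
        """Return None when the reading agrees with the baseline, otherwise an
        alert dict whose score can be used for ranking."""
        flow = reading["flow"]
        lo, hi = PERMISSIBLE_FLOW
        in_range = lo <= flow <= hi
        if reading["pump_on"] == 0:
            # Digital/analogue consistency: a stopped pump cannot drive flow.
            if flow <= self.idle_flow:
                return None
            return {"reason": "flow reported while pump is off",
                    "actual": flow, "in_permissible_range": in_range,
                    "score": round((flow - self.idle_flow) / self.sigma, 1)}
        expected = self.predict(reading["valve"])
        z = abs(flow - expected) / self.sigma
        if z < Z_THRESHOLD:
            return None
        return {"reason": "flow deviates from value predicted by valve position",
                "expected": round(expected, 1), "actual": flow,
                "in_permissible_range": in_range, "score": round(z, 1)}


def rank_alerts(baseline, readings):
    """Score every reading and return the alerts, highest score first."""
    alerts = []
    for reading in readings:
        alert = baseline.check(reading)
        if alert:
            alert["time"] = reading.get("time")
            alerts.append(alert)
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    baseline = FlowBaseline(HISTORY)
    live = [  # constructed live readings; the 20.0 is a spoof inside 0..100
        {"time": "t1", "valve": 60, "pump_on": 1, "flow": 49.5},
        {"time": "t2", "valve": 60, "pump_on": 1, "flow": 20.0},
        {"time": "t3", "valve": 0, "pump_on": 0, "flow": 30.0},
    ]
    for alert in rank_alerts(baseline, live):
        print(alert)
```

The second live reading is the case the background describes: 20 m3/h is a perfectly legal flow value, but with the valve 60% open and the pump running the baseline expects roughly 50 m3/h, so the residual is tens of sigma away and the alert carries `in_permissible_range: True` to make clear that a range check alone would have missed it. Distinguishing such a spoof from a genuine equipment failure (the later requirement) needs additional context such as maintenance schedules or vibration tags; this model only surfaces and ranks the inconsistency.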
Limitations
- Proposed implementation should not impact the operations of any plant.
- Internet connection to external systems is not allowed.
CS11: Breach and Attack Simulator (BAS) for an Internet of Things (IoT) connected Power Grid
Challenge
Develop a Breach and Attack Simulator (BAS) for IoT devices like Advanced Metering Infrastructure (AMI) and Electric Vehicle (EV) charging points to continuously identify potential vulnerabilities and weaknesses in deployed end-point devices at unattended remote sites.
Background
Part of Singapore’s Smart Nation Initiative is to push for more connectivity in the daily touch points of the citizens. One such way was the proliferation of connected devices in the form of the AMIs, or “smart meters” that are connected to the grid and can provide real time data. While previously offline, the new connected meters offer advantages in the form of real time consumption tracking, allowing for better load balancing and generation forecast. However, being connected has also opened it up to threats on the internet.
With the global trend towards electrification, charging points/stations for EVs are also being rapidly deployed, and such charging points need to be connected to the grid for their advanced functions to work.
As more devices are connected to the grid, the number of access points increases as well, raising the possibility of hackers gaining access to the private grid network. The current method of securing the IoT devices before they are deployed will not be feasible when deployment ramps up, and there is also the requirement to keep them secure at all times against changing threats. A BAS for IoT devices is thus required to keep up with the threats.
Requirements
The proposed solution should be able to identify potential vulnerabilities through automated, continuous assessments and should include the following requirements into consideration during development:
- Develop and maintain a database of vulnerabilities for IoT systems
- Identify and flag vulnerabilities detected
- Continuously scan, identify and flag new vulnerabilities
- Provide remediation and mitigation suggestions on detected vulnerabilities.
- Be resilient and fail-secure, isolating faults without affecting the entire grid
- Be compatible with all relevant IoT devices in use
Limitations
- Solution providers should have a portable setup, which allows them to connect to the network and run the simulation on SP Group’s test site.
- Solution providers will be able to run the simulation on a living lab test-site, which is a lab environment with devices such as EV charging stations and smart meters.
CS12: Supply Chain Security: Detection of Malicious Code and Vulnerabilities within Software Patches for IT/OT Environments
Challenge
Provide a solution that can scan and review software and system patches of commercial software and applications commonly used in the IT/OT environment so as to identify malicious code and vulnerabilities, as well as provide recommendations on remediation actions.
Background
Organisations adopt commercial software and system tools for their day-to-day operations (e.g. Windows, SCOM, Altiris, Ansible), which require regular patches and updates. However, we increasingly see threat actors embedding malware into these patches, resulting in credential theft, privilege escalation and lateral movement, ransomware, data exfiltration and data theft, which in turn cause major disruptions to businesses.
One recent example is the SolarWinds incident, where the company released a “rogue” software update of its Orion platform solution which resulted in malicious code being pushed down to 18,000 of its customers. This compromise impacted not only SolarWinds products but also its customers’ own products.
Another example of a supply chain attack was the recent Kaseya ransomware attack that was triggered over the American Independence Day weekend. The attack was carried out by threat actors who exploited a vulnerability within Kaseya’s virtual management software. Ransomware was then pushed via an automated, fake and malicious software update to multiple managed service providers (MSPs), who in turn passed it on to their customers.
Requirements
The proposed solution should address these key requirements:
- Scan commercial software patches and releases and detect malicious code/functions, vulnerabilities and suspicious behaviours
- Handle a wide variety of software and system tools
- Efficient execution of scan (i.e. able to be completed in a short time)
- Little or no impact on the day-to-day functionality of the software and applications being tested
- Use machine learning (ML)/artificial intelligence (AI) to improve review process
Limitations
Proposed solutions should not excessively load production system resources and impact business operations.
CS13: Protection of Personally Identifiable Information (PII) and Data Sharing in Healthcare
Challenge
Detect and de-identify PII automatically, and manage secure data sharing in a scalable and efficient manner
Background
Data collected in healthcare systems contains highly sensitive information, including PII and health records. These data are often transmitted to other digital systems for research and audit purposes via automated batch processing or as live streamed data. Current measures restrict the availability of information through the following:
- Containment of data within the Intranet,
- Controlled access to only authorised personnel,
- De-identification and encryption of data-at-rest and data-in-transit, and
- Complete anonymisation of data and generation of synthetic data for use in unsecured instances
These measures, though effective, are highly restrictive and reduce the efficiency of secure data sharing.
Currently, de-identification and anonymisation rely heavily on human effort to apply these codes across multiple datasets, which is tedious and prone to error. Activities such as tokenisation of PII before transmission, as well as the setting of cryptographic keys, are also performed manually. In addition, the periodic changing of cryptographic keys and the maintenance of change logs often take a long time to complete. Implementation could be further delayed or rendered non-operational if there were any changes in personnel.
This challenge seeks an innovative solution which can detect and automatically de-identify PII in various datasets at scale, and which can manage data cryptographic keys securely in a scalable and efficient manner.
Requirements
The proposed solution must provide (but is not limited to) the following functionalities:
- Manage and protect cryptographic keys (Automated Key Management System), in alignment with NIST’s definition of cryptographic key lifecycle management and industry best practice
- Perform cryptography functions for large volumes of data at high speed
- Generate, deploy and test cryptographic keys automatically, for enrolment of new users between data stream owner, data stream recipients and IT personnel
- Authenticate and authorise users according to the end-user’s requirements (i.e. the principle of least privilege)
- Implement algorithms and protocols on a modular basis, to allow upgrading to new, emerging industry-standard cryptographic algorithms and support for various types of communication protocols
- Create a set of gradated policies for users to select levels of pseudonymisation of healthcare data which are compliant with government regulations (i.e. PDPA and GDPR)
- Be able to automatically identify PII from data collected in the healthcare systems. This means identifying data which are:
  - PII by themselves (i.e. NRIC)
  - PII formed by aggregating various non-PII data (i.e. First Name, Age, Gender)
- Collect audit trails of events, such as user logon activities, changing of cryptographic keys and failed authentication of non-interactive operations
- Deployable in either on-premises or cloud environments
Scalability of the proposed solution will be an important consideration for evaluation.
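The two kinds of PII named in the requirements call for two different detectors: a direct identifier such as an NRIC can be recognised on its own (pattern plus checksum, so that random letter-digit strings do not trigger false positives), while quasi-identifiers are only a problem in combination and must be found at the column level. The following added example (not code from the challenge statement or any submitted solution) does both, then de-identifies a record by replacing each NRIC with a keyed HMAC token and generalising the quasi-identifiers. It uses the publicly documented checksum scheme for S/T and F/G series NRIC/FIN numbers; the quasi-identifier sets, the age-band width and the locally generated key are assumptions for the example, and in a deployment the key would come from the key management system the same requirements describe.

```python
"""PII detection and pseudonymisation for healthcare records.

Added example, not part of the challenge statement. Direct identifiers
(NRIC/FIN numbers) are found by pattern plus checksum; quasi-identifier
combinations are found by column name; de-identification replaces the NRIC
with a keyed token and generalises the quasi-identifiers.
"""
import hashlib
import hmac
import re
import secrets

NRIC_PATTERN = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")

# Public checksum scheme for S/T (citizen/PR) and F/G (foreigner) series.
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                 "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
PREFIX_OFFSET = {"S": 0, "F": 0, "T": 4, "G": 4}

# Column combinations that identify a person only in aggregate. These sets
# are constructed for the example; a deployment would derive them from a
# re-identification risk assessment of its own datasets.
QUASI_IDENTIFIER_SETS = [
    {"first_name", "age", "gender"},
    {"postal_code", "date_of_birth", "gender"},
]


def is_valid_nric(value):
    """True only if the string has NRIC shape and a correct check letter."""
    match = NRIC_PATTERN.fullmatch(value.upper())
    if not match:
        return False
    prefix, digits, check = match.groups()
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits)) + PREFIX_OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11] == check


def find_nrics(text):
    """Return checksum-valid NRIC/FIN strings found in free text."""
    return [m.group(0) for m in NRIC_PATTERN.finditer(text)
            if is_valid_nric(m.group(0))]


def find_quasi_identifiers(columns):
    """Return every quasi-identifier set fully present in the column list."""
    present = set(columns)
    return [sorted(s) for s in QUASI_IDENTIFIER_SETS if s <= present]


def tokenise(value, key):
    """Keyed, deterministic pseudonym: the same value and key always give the
    same token, so records still link, but without the key the token cannot
    be reversed or recomputed."""
    return hmac.new(key, value.upper().encode(), hashlib.sha256).hexdigest()[:16]


def age_band(age, width=10):
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(record, key):
    """Return a copy of the record with direct identifiers tokenised, free
    text scrubbed, and the quasi-identifier combination broken."""
    out = dict(record)
    for field, value in record.items():
        if isinstance(value, str) and is_valid_nric(value):
            out[field] = tokenise(value, key)
    if "notes" in out:  # NRICs embedded in free text get the same token
        out["notes"] = NRIC_PATTERN.sub(
            lambda m: tokenise(m.group(0), key) if is_valid_nric(m.group(0)) else m.group(0),
            out["notes"])
    out.pop("first_name", None)           # drop the most identifying quasi-ID
    if isinstance(out.get("age"), int):
        out["age"] = age_band(out["age"])  # generalise instead of dropping
    return out


if __name__ == "__main__":
    # Constructed record; S1234567D is a checksum-valid sample value.
    sample = {"nric": "S1234567D", "first_name": "Alice", "age": 34,
              "gender": "F", "notes": "Referred together with S1234567D"}
    key = secrets.token_bytes(32)  # assumption: a KMS would issue this key
    print(find_nrics(sample["notes"]))
    print(find_quasi_identifiers(sample.keys()))
    print(deidentify(sample, key))
```

Two design points matter for the "at scale" wording in the requirements. The checksum keeps the detector precise enough to run unattended over large batches, because a nine-character token that merely looks like an NRIC will not be tokenised by mistake; and because the token is an HMAC rather than a plain hash, re-identification by hashing the small space of all possible NRICs is not possible without the key, which is exactly the secret the key management requirement exists to protect.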
Limitations
- Data and the solution must remain in Singapore.
- Solution providers must sign an NDA with the end-user.
- Project is to be completed within 12 months.
- Solution must be installed on user’s servers for testing
- Proposed solution should not consume significant network bandwidth or impact operational systems.
- The user will fully own and configure the automated de-identification code once the project is completed.
- Proposals with solution development being completed in 12 months will have an added advantage.
CSOC: Open Category
Innovative cybersecurity proposals that do not fulfil any of the Challenge Statements can be submitted under the “Open Category”. The proposal should clearly explain the issue(s) that it aims to address, demonstrate innovativeness and novelty in solving the identified problem (i.e. no existing solution, or an improvement(s) on existing solutions), and have concrete go-to-market plans.
Examples of areas for cybersecurity innovation include but are not limited to:
- AI For Cybersecurity
- Cloud Security
- IoT Security
- OT Security
- Privacy-enhancing Technologies
For proposals submitted under the Open Category, the applicant company must secure at least one committed cybersecurity end-user by the third milestone. The company can leverage “minimum viable products” and/or market-ready technologies to develop cybersecurity applications with new features and functionalities that would meet the new and emerging demands of cybersecurity users.