2018 Challenge Statements

Cybersecurity Challenge

2018 Statements

CS01: Operational Technology Intrusion Detection Systems

In Information Technology (IT) systems, the main security consideration is to protect sensitive data, whereas the Operational Technology (OT) Systems that process operational data e.g. Industrial Control Systems, such as Supervisory Control and Data Acquisition systems (SCADA), Distributed Control Systems (DCS) are often designed to ensure high availability and safety. Breaches in IT system would result in loss of data while breaches in OT system may affect critical operations which may cause safety issues and property damage.

In addition, OT system has not traditionally been a network technology. For example, IT system uses standard communication protocols such as TCP/IP, whereas OT system, which consists of various devices from different OEM, uses proprietary or industrial communication protocols such as IEC and Modbus. It is a challenge to detect security breaches in such OT system with a large number of different proprietary communication systems

We are seeking innovative OT intrusion detection solutions based on the normalcy of known process models, abnormality of networks and system traffic between field devices and HMI. These may include, but not be limited to:

1. Profile network communication
2. Identification of “first seen” events
3. Identification of unusual manipulation of critical perimeters
4. Identification of unusual traffic between controllers/devices in the OT system which are not part of the baseline on behavior, time, value and threshold (e.g high volume, or abnormal hour)
5. Identification of anomalies in the traffic in a wide variety of vendors’ proprietary controllers/devices
6. Comparison of predicted dynamic process model data2 against sensors data
7. Identification of comparison deviations in (f)
8. Periodic controllers’ program/functions/firmware validation
9. Data/data registers’ integrity inspection
10. Correlation of field devices anomaly with network layer anomaly to detect malicious activities.

Proposed solutions should not have any consumption of production network bandwidth and should not have impact to the operation of the OT system. The scalability of proposed solutions will also be an important consideration for evaluation. Artificial intelligence in detecting abnormality behavior of monitored traffic is also recommended.

Cybersecurity Challenge

2018 Statements

CS03: Advanced Threat Monitoring

Security Operation Centres are dealing with a large variety of big datasets everyday. Some information sources are structured (eg. security logs), while others are unstructured (eg. intelligence reports on new threats). The current process of security analysis starts from sifting through all information sources (internal and external) to identifying noteworthy correlation from all data points. In a swath of irrelevant noise, security analysts are expected to focus on relevant data and venture to identify known and unknown threats.

We are seeking innovative solutions that will address all challenge areas as follows:

1. The first area is building an adversary behavioural and Tactics, Techniques and Procedures (TTP) knowledge base using known “attacker” datasets from all sources of information (both structured and unstructured). The knowledge base should also include modus operandi and adversarial actions of persistent threat actor over time. This shall aid the tracking, all-source analysis and assessment of emerging and evolving threats and allow organisations to proactively defend against these threats.
2. The second area is identifying “known” threat/anomalous activities. With the insights from the knowledge base in (1), similarities in “known bad behaviour” can be used to surface “known” threat/anomalous activity flows from network telemetry datasets, such as malware “beaconing”/callback activities, covert channels and possible data exfiltration etc. Analytics should be applied on both successful and failed/blocked attempts to gain further insights to the threat landscape specific to the organisation. This shall also further build up the knowledge base in (a).
3. The third area is discovering “unknown” threat/anomalous activities. With the “known” threat/anomalous activities formed, how can it be used to identify “undiscovered” or “unknown” attack processes from network telemetry datasets, e.g. new attack campaigns.
4. The fourth area is pinpointing precursors to a potential cyber-attack. Insights derived from “known” and “unknown” threat/anomalous activities will allow analysts to understand the cyber threat landscape over time (i.e. historical as well as real-time). This will allow pre-emptive measures to be put in place to mitigate against potential cyber-attacks.

We are seeking solutions to develop a coherent solution to address the aforementioned areas. This will aid organisations to achieve an efficient and effective way of deriving insights from very large dataset to better forewarn against eminent threats.

Solution providers should assume that no sample data will be shared by the sponsored organisation, and solution providers will have to source for relevant datasets to demonstrate the capabilities in solving the above challenge areas.

Cybersecurity Challenge

2018 Statements

CS05: Customer / User Data Security and Privacy

Incomplete customer data are often misleading and result in poor marketing decisions. Moreover, these data are mostly stored and managed in different databases and systems; thereby increasing the risk of data misuse and leakage.

As such, many organizations are increasingly looking to incorporate a single customer overview (also known as a ‘360’ or ‘unified’ customer view) where all customer data are consolidated into a single record.

We are seeking innovative solutions including but not limited to:

1. Efficient customer data collection and consolidation from various touch points; to alleviate the need for customers to do multiple data entries;
2. Effective protection of customer privacy and sensitive data;
3. Detection and blocking of abnormal access of customer data;
4. The ability to trace and monitor the digital path of customer data;
5. The ability to prevent customer data from leaving the organization’s system.

Cybersecurity Challenge

2018 Statements

CS07: Patch Management and Vulnerability in Operational Technology Environment

Software patches are applied to update systems and deal with vulnerabilities or security gaps. Software vendors routinely deliver patches for products to ensure system safety whilst updating systems. Without these patches, new functionalities remain undelivered and systems can be vulnerable to cyber-attacks.

One of the key challenges is the risk of applying these patches to a production system. Every OT system is different, and even though patches have been tested in the OEM setup, it is still necessary to thoroughly review patch management documentation, and perform proper risk assessment before allowing patches to be released into the production environment. This is important particularly given that the high cost of setting up mirrored staging sites.

Another key challenge is the delay in patch execution. In critical systems, some patches can only be applied during maintenance period; thereby leaving the organization at risk to the vulnerabilities for months or even a year. The process of patch execution remains time consuming and requires dedicated personnel – downloading and updating patches manually takes a long time.

We are seeking innovative solutions including but not limited to:

1. The cost effective assessment of the interdependency impact of the patches and patched systems
2. The identification of vulnerabilities (especially known or zero-day attacks) on an existing in-situ OT landscape to form a risk decision matrix for end- user to decide if it is critical for patching.
3. To prevent vulnerabilities being exploited without a patch; and
4. A more effective and efficient patch management methodology/system for silo and multi-site operating environments.

Cybersecurity Challenge

2019 Statements

CS09: Effective evaluation of the Security Posture of Outsourced Partner’s Systems

Outsourcing network services is a common business practice for most large organisations. Although these digital/network services often undergo rigorous contract reviews, content audits and extensive access control; they lack real-time risk identification and protection.

Due to the lack of visibility in engaging security implementation outside contractual specifications; outsourcing can pose a serious risk to proprietary information, especially protected user data. With the rise of cloud service providers from niche to global providers, there is also a lack of a real time security assessment, governance and certification of these providers for end-users to evaluate the cloud provider’s actual security posture in areas of operations, systems, networks and data protection.

Nevertheless, there are potential new vulnerabilities given the data sharing with third parties as well as the multi-layer interconnect between independently operated systems. These threats are exemplified by any changes and updates that are independently conducted by each party.

We are seeking proposals on innovative solutions to:

1. Improve the assurance mechanism and gain insights into the outsourced partners/providers’ internal security controls in the area of data security and privacy for all 3rd party; including cloud providers;
2. Provide threat risk assessments on systems access and connections and impose a need to know basic when granting access rights to external outsourced vendors.