7 minute read
Managing cyber risks and ensuring resilience
Mr Raymond Ung, Assistant Director, Cyber Security Agency of Singapore, summarises his educational and career achievements, and points to the benefits of the CEng qualification, in this interview with ‘The Singapore Engineer’.
Mr Raymond Ung
The Singapore Engineer (TSE): Could you provide a few highlights of your education and career to-date, including the awards and commendations received?
Raymond Ung (RU): I graduated from Nanyang Technological University (NTU) as an Electrical Engineer, majoring in Industrial Automation, with an upper 2nd class honours degree. In the first half of my career to-date, I have been working as an engineer, rotating between the private and public sectors. In 2013, I was awarded a sponsorship by PUB, Singapore’s National Water Agency, to further my studies. This enabled me to study for a MSc degree in System Design and Management, at the National University of Singapore (NUS), which I completed in 2015. The courses of study broadened my thinking and cybersecurity was one of the key focus areas I pursued. I joined an automation company as a Technical Manager and here I was able to rapidly acquire further competencies in technology and cybersecurity, through handling a wider range of realistic cases. In 2018, I got the opportunity to join the Cyber Security Agency of Singapore (CSA) as a Senior Cybersecurity Consultant and I am currently leading a team of consultants as an Assistant Director at CSA.
Apart from acquiring multiple, professional certifications, as an individual, I have also been part of award-winning teams such as the following: • The CSA - OT Cybersecurity Masterplan team which was awarded the Recognition of Excellence Award by
OpenGov. • The Red Team (Kopitiam) which was recognised as the
Top Red Team at the global Critical Infrastructure Security Showdown (CISS) 2020, organised by SUTD.
TSE: What is the most meaningful career achievement for you so far, and why?
RU: There are two achievements that I would like to mention and both are related to safeguarding our nation’s resilience: • Designing and building a Critical Information Infrastructure (CII) to ensure a continuous supply of water for the nation. • Developing the Operational Technology (OT) Cybersecurity Masterplan to enhance the security and resilience of Singapore’s Critical Information Infrastructure (CII) sectors in delivering essential services. The masterplan serves to improve cross-sector responses to mitigate cyber threats in the OT environment and to strengthen partnerships with industry and stakeholders.
The OT Cybersecurity Masterplan outlines key initiatives covering the areas of People, Processes and
Technology, to uplift the cybersecurity postures of our
CII owners and organisations that operate OT systems.
I was the Lead for Key Thrust 1 & 2. Key thrusts in the OT Cybersecurity Masterplan include: 1. Providing OT cybersecurity training to develop human capabilities. 2. Facilitating the sharing of information through an OT
Cybersecurity Information Sharing and Analysis Centre (OT-ISAC). 3. Strengthening OT owners’ policies and processes through the issuance of an OT Cybersecurity Code of
Practice (CCoP). 4. Adopting technologies for cyber resilience through
Public-Private Partnerships. In addition, the masterplan encourages OT equipment manufacturers and service providers to implement cybersecurity in the developmental phase, so that products and systems are in-built with strong cybersecurity measures.
The OT Cybersecurity Masterplan will serve as a strategic blueprint to guide Singapore’s efforts to foster a resilient and secure cyber environment for our OT CII, while taking a balanced approach between security requirements, rapid digitalisation and ease of conducting business-as-usual activities.
TSE: Could you briefly describe the scope of your current duties?
RU: I am from the Critical Information Infrastructure (CII) Division where we work to strengthen the cybersecurity of the critical sectors in the Government, Transport, Services and Utilities clusters. I am currently the Team Lead of the Utilities Cluster. The key focus here is to partner regulators and CII owners to strengthen the cyber resilience of the nation's CII against cyber threats and to ensure the continuity of essential services.
Towards this end, my work will be focused on enhancing the protection, detection, response and recovery capabilities of CII and I am involved in directing, and administration of, the cybersecurity governance and legislative framework; engaging stakeholders on cyber risk management efforts; and supervising the implementation of security measures.
As a Team Lead of the Cluster Team, I also guide the officers in my team and assist the Head of the Division in day-to-day operations. In addition, I also have frequent interactions with senior leaders in the cybersecurity space.
TSE: What motivated you to become a Chartered Engineer?
RU: I wanted to validate my experiences and competencies in Systems Engineering and the CEng qualification has enabled me to achieve this.
TSE: How do you think becoming a Chartered Engineer has assisted you in the progression of your career so far?
RU: It has resulted in a differentiation in my professional standing, in my area of focus and expertise.
TSE: How do you think becoming a Chartered Engineer will assist you in the future?
RU: By becoming a Chartered Engineer, I will have more perspectives, instead of being limited by a narrow mindset, thereby enabling me to level up, as the landscape of technologies and cybersecurity is constantly and quickly evolving.
TSE: What advice would you give engineers who aspire to obtain the CEng certification?
RU: As engineers, we should strive to succeed and not be afraid of failure in the course of our work. In the event that we need to compromise on certain elements in a design, it should never be on something that may have a catastrophic impact on the business mission (e.g on the safety and security of lives), and it should be collectively agreed to, by all the stakeholders.
TSE: If there was one engineer (living or dead) you could meet, who would it be and why?
RU: I think it would be the engineers from the Honda HRC MotoGP team, such as Jun Miyazaki. Since I was young, I have been a fan of racing bikes and I have been riding superbikes in my younger days. I repaired the bikes myself, with the knowledge in electronics and electrical engineering I gained from school.
I had once been inspired to be an engineer who would design seamless and powerful gearboxes for racing bikes, but I think language and cost were barriers, at that time.
TSE: Any other information that you would like to provide?
RU: We should not constrain ourselves with a narrow, ‘checklist compliance’ mindset, but rather, by incorporating a risk-based approach in our work, we can see a better picture and resources can be better prioritised. We should also challenge ourselves by asking questions such as the 5 Ws (Who, Why, What, When and Where) and the 1 H (How), in order to optimise the outcome of the design or engineering process. Further, to incorporate cybersecurity into engineering perspectives, due to the evolving threat landscape, we should also embrace the changes and upskill ourselves accordingly. We can take reference from the Operational Technology Cybersecurity Competency Framework (OTCCF) which provides guidance on the competencies that professionals should equip themselves with, in performing their jobs in the engineering industries.
The Cyber Security Agency of Singapore (CSA) has launched the Operational Technology Cybersecurity Competency Framework (OTCCF) which will provide the foundation to attract and develop talent for the emerging OT cybersecurity sector in Singapore. The OTCCF – jointly developed by CSA and Mercer Singapore, and supported by SkillsFuture Singapore (SSG) and Infocomm Development Authority (IMDA) – maps out the various OT cybersecurity job roles and the corresponding technical skills and core competencies needed. It also captures the possible career pathways showing the options for vertical and lateral progression. The OTCCF aims to guide key stakeholders in the following ways: • OT and IT system owners can refer to the OT cybersecurity capabilities required to attract the right people, train them adequately, and map out their career pathways. • Training providers can refer to the technical competencies required by different job roles and be guided to develop best-in-class courses and certifications that cater to local training needs. • OT professionals or potential jobseekers can identify skillsets for cross- and up-skilling for a meaningful career in the OT cybersecurity domain. The career pathways could apply to job roles inclusive of vertical and lateral advancement opportunities. Additionally, CSA Academy has begun engaging stakeholders from the Institutions of Higher Learning and selected CII owners to garner their feedback for an upcoming OT Train-The-Trainer (OT TTT) programme. More information on the OTCCF may be obtained from www.csa.gov.sg/otccf.