National cyber defence exercise ramps up scale & complexity

The second edition of defence exercise CIDeX doubles its participation, with over 200 joining from 26 agencies.

Malicious cyber-attacks can disrupt our water distribution, shut down our gas plant and overload our airport substation – crippling our way of life.

National agencies played out this devastating scenario on a fictional nation at the Critical Infrastructure Defence Exercise (CIDeX).

Held from 22 to 24 Nov at the National University of Singapore School of Computing, CIDeX 2023 saw participants detect and tackle cyber security threats that disrupt critical operations and infrastructures.

The exercise involved over 200 participants – twice that of its inaugural edition last year. It is the largest "hands-on-keyboard" defence exercise in Singapore.

Participants came from 26 agencies including the exercise co-organisers, the Digital and Intelligence Service (DIS) and the Cyber Security Agency of Singapore (CSA). Last year's exercise involved 17 agencies.

Three new operating test beds were also introduced this year, allowing participants to tackle disruptions to the fictional city's gas pipeline, 5G network and airport operations for the first time. The established test beds from last year include the water and power supply.

Participants took up roles in the Red and Blue Teams to carry out attacks on these critical infrastructures and defend them respectively.

Different agencies working together

The simulated attacks are kept updated and realistic to build the skillset of participants, said Commander of the Cyber Defence Group, Colonel Tan ShengYang.

"We model some of the known Tactics, Techniques and Procedures (TTPs) of real-life, advanced, persistent threat groups. So it's realistic because we mimic the TTPs and apply them within the exercise."

He added that DIS personnel go for regular training and have collaborations with tech partners and educational institutes in order to stay current.

Second-time participant Military Expert (ME) 6 (NS) Delaney Ng said that the scale and complexity of the exercise was ramped up this year.

As part of the planning team, the Operationally Ready National Serviceman was responsible for organising the exercise to strengthen the cyber defenders' capabilities.

"When a team is finding the scenarios really easy, we tune up the intensity such that they get the most learning value out of the exercise," said the 45-year-old, who is the co-founder and chief executive officer of INTfinity Consulting, a cyber security consulting firm

He added that the value of the exercise was in having different agencies come together.

"Typically, in cyber security, one trains as an individual… By coming together as a team and playing different roles, they can learn from each other, sharpen their skills and contribute. I think this is one of the greatest strengths of CIDeX."

Red Team member Perumal Subramaniam, 38, was involved in planning and executing the disruption of the power supply and shutdown of the gas plant in the fictional city.

"It's my first time participating in CIDeX, so I have to understand the infrastructure behind the test beds. I have to understand the landscape to prepare and develop realistic scenarios accordingly," said the DIS Cyber Defence Specialist on how he focused on making the attacks challenging for the Blue Team.

On the other end, ME4 Yvonne Tan, 29, led the group responsible for protecting the city's water plant.

The Blue Team faced attacks that started with phishing and ransomware, which then progressed to affecting numbers in the water treatment network.

"We closely monitored the vulnerabilities, what was exposed to external internet-facing systems," said the Security Operations Centre manager at DIS.

"I would say it took pretty fast (for us to remediate the issues) because our monitoring systems were all up… and we could do our threat hunting."

She added that working with participants from CSA and the Public Utilities Board (PUB) during the exercise helped strengthen her skills for her day-to-day job.

"I do daily monitoring and incident response in DIS, so it correlates to this exercise because we work to defend our critical networks together… It was an opportunity to make use of everyone's knowledge," said ME4 Tan.

Visiting participants at CIDeX, Senior Minister of State for Defence Heng Chee How said that facing cyber-attacks is a fact of life today, and government agencies need to learn to defend against them together.

"You can see so many examples in the world – real wars, real attacks, commercial sector, security-related sectors – (causing) everyday life (to be) disrupted… So, for Singapore, we have to be ready for this," he said.

Senior Minister of State for Communications and Information and Health Dr Janil Puthucheary was also in attendance.

On the sidelines of CIDeX, the DIS signed Memorandums of Understanding (MoUs) for cyber collaboration with Google, ST Engineering Info-Security and Ensign InfoSecurity.

This is in addition to an MoU signed with Microsoft earlier this year, to expand its partnership with the technology sector.