The water treatment plant in Singapore's North District had been running the same SCADA system since 2016. The engineering team knew every PLC, every HMI, every network segment — and they knew that the corporate IT network and the operational technology network were connected through a single data historian server that allowed operators to view real-time process data from their corporate workstations. They considered this safe because the connection was one-way: data only flowed from OT to IT. Then a spear-phishing email compromised an engineer's corporate laptop, and the attacker used the data historian server as a pivot point to reach the OT network. They did not manipulate any SCADA controls. They did not need to. They exfiltrated operational data — water quality metrics, pressure readings, pump status — for 23 days before the anomaly was detected in a log review.
This is the real state of OT security in many Singapore critical infrastructure environments: a surface-level belief in isolation, a genuine absence of visibility into OT network traffic, and a growing attack surface as IT and operational technology converge. Singapore's CII sectors — water, energy, transport, banking, healthcare, and info-communications — operate OT environments that were designed for reliability, not security. And the threat actors targeting these sectors have adapted accordingly.
Why OT Security Demands a Different Approach in Singapore
Operational technology environments differ from enterprise IT in ways that fundamentally change the security calculus. OT systems — programmable logic controllers, SCADA platforms, distributed control systems, industrial automation software — are built for continuous operation over decades, not for the patching and upgrade cycles that characterise enterprise software. A PLC deployed in a water treatment plant may have a 20-year operational lifespan with no vendor support for the final years of that life. Patching a live SCADA server in a running process environment requires a maintenance window that many critical infrastructure operators cannot schedule without disrupting essential services.
Singapore's OT landscape is particularly complex for several reasons. First, the government has been actively driving IT/OT convergence through its Smart Nation initiative — connecting operational data from transport, utilities, and public services to digital platforms for analysis and optimisation. This convergence creates new attack paths between previously isolated OT networks and internet-connected enterprise systems. Second, Singapore's critical infrastructure includes maritime and port operations — terminals, cargo handling systems, and vessel traffic management — which have their own OT environments and are increasingly connected to supply chain management platforms. Third, Singapore's energy sector transition toward solar PV and grid digitisation is introducing new OT components, new IP-based communications, and new integration points with enterprise IT.
The threat actors targeting Singapore's OT are not opportunistic. The threat groups targeting Southeast Asian critical infrastructure — particularly those with a nexus to state-linked actors — have developed OT-specific attack capabilities. The Trisis/Triton attack, which targeted safety instrumented systems in petrochemical facilities, demonstrated that sophisticated adversaries are willing to invest in developing ICS-specific malware. Even less sophisticated threat actors can cause significant disruption through simple attacks on OT networks: the 2021 attack on a major US fuel pipeline operator forced the shutdown of an entire pipeline system through a ransomware attack on the IT network that propagated to the OT network via a VPN connection used for billing data.
The Five OT Security Gaps We Find in Singapore CII Environments
1. Invisible IT/OT Network Connectivity
The most common OT security finding in our Singapore critical infrastructure assessments is network connectivity that the OT team does not know exists. Data historian servers, OPC-based integrations, remote access solutions deployed by vendors, and maintenance laptops that are occasionally connected to OT switches — each of these creates a bridge between the enterprise IT network and the OT environment. When asked, OT engineers will often say their network is air-gapped. When we conduct a passive network assessment and map actual traffic flows, we find that fewer than 15% of Singapore OT environments we assess are genuinely isolated. The rest have one or more connection paths to the IT network that create a two-way attack path.
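The mapping step described in this finding, as an added example that is not part of the article or of Infinite Cybersecurity's tooling: it takes flow records exported by a passive collector (SPAN/TAP sensor or NetFlow export, assumed here to be one line per flow in the form src,dst,dport,proto,bytes), places each endpoint in a zone by CIDR, and reports every zone pair that actually exchanges traffic, with direction, plus the hosts that talk to more than one foreign zone. Those multi-zone hosts are the bridges the text describes, and a data historian that is "one-way" on paper shows up immediately as a two-way pivot. The zone CIDRs, addresses and flow lines are constructed sample data.

```python
"""Passive IT/OT connectivity mapping over exported flow records.

Added example; this is not code from the article or from Infinite Cybersecurity.
It assumes a passive collector has written one line per observed flow as
"src,dst,dport,proto,bytes". Each endpoint is placed in a zone by CIDR, then the
script reports every zone pair that actually exchanges traffic (with direction)
and the hosts that talk to more than one foreign zone, which is exactly where an
IT compromise can pivot into OT. Zone CIDRs and flow lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map (assumption): which subnets belong to which zone.
ZONES = {
    "IT": [ip_network("10.1.0.0/16")],
    "DMZ": [ip_network("10.20.5.0/24")],  # historian / data-exchange segment
    "OT": [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")],
}

# Constructed flow export. The historian 10.20.5.10 is reached from IT and itself
# polls PLCs in OT (so it is two-way in practice); a laptop on the IT network,
# 10.1.77.5, also reaches a PLC directly on the Modbus/TCP port.
FLOW_RECORDS = """\
10.1.20.14,10.20.5.10,443,tcp,18240
10.1.20.31,10.20.5.10,443,tcp,9220
10.20.5.10,192.168.10.11,502,tcp,41920
10.20.5.10,192.168.10.12,502,tcp,40110
192.168.20.7,10.20.5.10,4840,tcp,7730
10.1.77.5,192.168.10.11,502,tcp,1200
10.1.20.14,10.1.30.2,445,tcp,55000
"""


def zone_of(addr):
    """Zone name for an address, or 'UNKNOWN' when no CIDR matches."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "UNKNOWN"


def parse_flows(text):
    """Parse the CSV-style export into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, dst, dport, proto, nbytes = parts
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def zone_crossings(flows):
    """Map (src_zone, dst_zone) -> set of (src, dst, dport) for cross-zone flows.

    Direction is kept on purpose: OT->DMZ is what a "one-way historian" design
    expects to see; DMZ->OT and IT->OT are the return paths an intruder can ride.
    """
    crossings = defaultdict(set)
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz != dz:
            crossings[(sz, dz)].add((f["src"], f["dst"], f["dport"]))
    return dict(crossings)


def bridge_hosts(flows):
    """Hosts whose peers lie in more than one zone other than their own."""
    peer_zones = defaultdict(set)
    for f in flows:
        peer_zones[f["src"]].add(zone_of(f["dst"]))
        peer_zones[f["dst"]].add(zone_of(f["src"]))
    bridges = {}
    for host, zones in peer_zones.items():
        foreign = zones - {zone_of(host)}
        if len(foreign) > 1:
            bridges[host] = sorted(foreign)
    return bridges


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    for pair, paths in sorted(zone_crossings(flows).items()):
        print(f"{pair[0]:>4} -> {pair[1]:<4} {len(paths)} flow(s): {sorted(paths)}")
    print("multi-zone hosts (pivot candidates):", bridge_hosts(flows))
```

Run against the sample, the script lists the expected IT->DMZ and OT->DMZ flows, but also DMZ->OT polling from the historian and a direct IT->OT flow from the laptop; the historian and the PLC it shares with the laptop are reported as multi-zone hosts. On a real export the same two functions give the evidence base for the segmentation decisions the roadmap calls for.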
2. No OT Network Monitoring
Enterprise IT environments are monitored by SIEMs, EDR platforms, and network detection systems. OT environments are frequently invisible to these tools — the monitoring infrastructure was never extended to the OT network, or the monitoring tools generate alerts that the SOC team cannot interpret because they lack the operational domain knowledge. The result is that an attacker moving laterally through an OT network — using standard industrial protocols like Modbus, S7comm, or EtherNet/IP — generates no alerts. The Singapore water utility scenario described above was only detected because a log review found anomalous traffic on the IT side of the network, not because OT monitoring raised an alert.
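The kind of OT-side alerting this gap calls for, as an added example that is not code from the article or from any monitoring product it names: a baseline of Modbus/TCP activity is learned from a window the OT engineers have confirmed as normal, and later requests are scored against it. The sensor is assumed to have already decoded Modbus/TCP into one line per request (timestamp,src,dst,unit_id,function_code); the engineering-workstation allowlist, addresses and records are constructed sample data. The reasons it raises (an unknown talker, a new peer or function for a known talker, a write from a host that is not an approved engineering workstation, a device-identification query) are the ones an OT-literate analyst can act on.

```python
"""Baseline-and-alert monitoring for Modbus/TCP requests in an OT segment.

Added example; not code from the article or from any monitoring vendor it names.
It assumes the passive sensor already decodes Modbus/TCP and emits one line per
request as "timestamp,src,dst,unit_id,function_code". A baseline is learned from
a window confirmed as normal, and later records are scored against it. All
records, addresses and the allowlist are constructed sample data.
"""
from collections import namedtuple

Record = namedtuple("Record", "ts src dst unit fc")

# Function codes that change process state (coil/register writes), per the
# Modbus application protocol specification.
WRITE_FCS = {5, 6, 15, 16, 22, 23}
# Encapsulated Interface Transport, used for Read Device Identification.
DEVICE_ID_FC = 43
# Engineering workstations permitted to issue writes (constructed allowlist).
WRITE_ALLOWED = {"192.168.10.50"}

# Constructed known-good window: the historian (10.20.5.10) polls two PLCs and
# the engineering workstation performs an occasional configuration write.
BASELINE_RECORDS = """\
2024-03-01T08:00:00,10.20.5.10,192.168.10.11,1,3
2024-03-01T08:00:01,10.20.5.10,192.168.10.12,1,3
2024-03-01T08:00:02,10.20.5.10,192.168.10.11,1,4
2024-03-01T09:15:00,192.168.10.50,192.168.10.11,1,16
2024-03-01T09:15:05,192.168.10.50,192.168.10.11,1,3
"""

# Constructed later window: one normal poll followed by four records that
# each deserve an alert.
LIVE_RECORDS = """\
2024-03-20T02:10:00,10.20.5.10,192.168.10.11,1,3
2024-03-20T02:10:03,10.20.5.10,192.168.10.11,1,43
2024-03-20T02:11:00,10.20.5.10,192.168.10.13,1,3
2024-03-20T02:12:00,10.1.77.5,192.168.10.11,1,6
2024-03-20T02:12:30,10.20.5.10,192.168.10.11,1,16
"""


def parse(text):
    """Parse decoded request lines into Record tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, unit, fc = line.split(",")
        records.append(Record(ts, src, dst, int(unit), int(fc)))
    return records


def learn_baseline(records):
    """Summarise the known-good window: who talks, to whom, with which functions."""
    return {
        "sources": {r.src for r in records},
        "pairs": {(r.src, r.dst) for r in records},
        "tuples": {(r.src, r.dst, r.unit, r.fc) for r in records},
    }


def score(record, baseline):
    """Alert reasons for one record; an empty list means consistent with baseline."""
    reasons = []
    if record.src not in baseline["sources"]:
        reasons.append("new_source")
    elif (record.src, record.dst, record.unit, record.fc) not in baseline["tuples"]:
        known_pair = (record.src, record.dst) in baseline["pairs"]
        reasons.append("new_function_for_pair" if known_pair else "new_peer")
    if record.fc in WRITE_FCS and record.src not in WRITE_ALLOWED:
        reasons.append("write_from_unapproved_source")
    if record.fc == DEVICE_ID_FC:
        reasons.append("device_identification_query")
    return reasons


def evaluate(records, baseline):
    """Return [(record, reasons)] for every record that triggers at least one reason."""
    alerts = []
    for r in records:
        reasons = score(r, baseline)
        if reasons:
            alerts.append((r, reasons))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(parse(BASELINE_RECORDS))
    for rec, reasons in evaluate(parse(LIVE_RECORDS), baseline):
        print(f"{rec.ts} {rec.src} -> {rec.dst} unit {rec.unit} fc {rec.fc}: "
              f"{', '.join(reasons)}")
```

The write allowlist is deliberately separate from the learned baseline: a historian that has only ever read registers should still alert the first time it issues a write, even though it is a well-known talker. Feeding these reasons into the SOC as distinct fields, rather than one generic "OT anomaly", is what makes the alerts interpretable by analysts without protocol expertise.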
3. Default and Shared Credentials on OT Equipment
PLCs, RTUs, and SCADA HMI servers are frequently deployed with default vendor credentials — the same credentials documented in publicly available manuals that any attacker can access. In many Singapore OT environments we assess, the same administrative credential is shared across all PLCs of the same model, making it trivial for an attacker who has compromised one controller to move laterally across the entire control network. Password management for OT equipment is complicated by the fact that changing credentials may require coordinating with the original equipment manufacturer, testing in a non-production environment, and scheduling a maintenance window — but the operational friction does not change the security risk.
4. Unpatched and End-of-Life OT Components
The NIST Guide to Industrial Control Systems Security and the ISA/IEC 62443 series both identify unpatched systems as a primary OT security risk. Singapore's critical infrastructure operators face a genuine dilemma: the oldest OT equipment may not support patching, and even if it does, patching requires testing in an environment where a single error can cause a process disruption affecting thousands of people. We find SCADA servers running Windows 7, HMI workstations without antivirus, and PLCs running firmware that has not been updated since the original deployment — in some cases because the vendor no longer supports the hardware. The security approach for these end-of-life OT components must be different from enterprise IT: compensating controls, network isolation, and strict access limitations rather than patch-based remediation.
5. Insufficient OT Incident Response Capability
When an enterprise IT security incident occurs, the response team isolates affected systems, collects forensic evidence, and restores from backups. When an OT security incident occurs, the response team must additionally consider the physical process consequences of containment actions. Shutting down a compromised PLC to isolate it may cause a process disruption. Restoring a PLC from backup may require manual recalibration. Forensic investigation in an OT environment may require capturing volatile memory from a running PLC — a process that is technically complex and carries operational risk. Most Singapore organisations do not have an OT-specific incident response plan, and the teams that would execute it have never exercised the scenario.
CSA CII Governance Standards and OT Security: Under the Cybersecurity Act 2024 and the CII Governance Standards issued by the Cyber Security Agency of Singapore, CII licensees are required to implement security measures for their operational technology environments, including network segmentation, access control, and monitoring. The standards require that OT security be addressed as part of the overall cybersecurity programme — not as a separate discipline with separate visibility. For water, energy, and transport CII operators, the CSA's OT Security Reference Guide provides baseline expectations that will be referenced in audit activities.
A Practical OT Security Roadmap for Singapore Operators
Securing an OT environment is not a single project. It is a programme that requires ongoing investment, specialised expertise, and coordination between the OT engineering team and the enterprise security team.
- Conduct a passive OT network assessment. Before implementing any controls, understand your actual network topology. Passive network monitoring with OT-specific network analysis tools such as Claroty or Nozomi Networks can map all active devices, protocols, and connections in your OT environment without disrupting operations. This gives you the evidence base for network segmentation decisions — and frequently reveals connections that the OT team was not aware of.
- Establish an OT security monitoring baseline. Extend monitoring to the OT network — even if it starts with passive monitoring and anomaly alerting rather than active blocking. The goal is visibility: the ability to detect anomalous traffic, unexpected device communications, and unusual access patterns in the OT environment. Integrate OT alerts into the SOC with OT-literate analysts who can interpret industrial protocol activity.
- Implement IT/OT network segmentation. Deploy firewalls or unidirectional gateways at all IT/OT boundary points. The preferred model is a DMZ architecture where all IT/OT data exchange occurs through a controlled intermediary — not a direct connection. For Singapore CII operators, this segmentation must be documented and maintained, with change management processes that require security review before any new IT/OT connection is introduced.
- Address OT credential management. Develop a credential management programme for all OT equipment. Where possible, change default credentials. Where equipment does not support credential changes, implement compensating controls: network-level access restrictions, monitoring for credential use from unexpected sources, and physical controls on access to the OT network infrastructure.
- Develop an OT-specific incident response plan. The IR plan must include OT engineering team members as primary responders, define the decision authority for process-affecting containment actions, establish forensic collection procedures that account for the volatility of OT device memory, and identify the equipment and expertise required for OT-specific evidence preservation. Exercise this plan — separately from your enterprise IT tabletop exercises.
- Establish an OT patching and maintenance programme. Where OT components can be patched, develop a schedule and testing process that enables security updates without disrupting operations. Where they cannot, implement compensating controls: network segmentation, enhanced monitoring, access restrictions, and vendor engagement to understand end-of-support timelines and migration options.
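The segmentation and change-management steps of this roadmap, as an added example that is not the article's code or any vendor's: the DMZ model is written down as an explicit rule table (which zone pairs may talk, on which ports, and which intermediaries may originate the traffic), and the same table is applied both to a connection proposed through change management and to flows seen by a passive assessment, so that direct IT/OT paths and unapproved intermediaries surface as violations. Zone CIDRs, rules, addresses, flows and the change-request id are constructed sample values.

```python
"""IT/OT segmentation policy check for a DMZ-based architecture.

Added example; not the article's code or any vendor's. The DMZ architecture is
encoded as a rule table and applied to (a) a proposed new connection raised
through change management and (b) flows observed by a passive assessment.
Zone CIDRs, rules, addresses, flows and the change-request id are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed zone map (assumption).
ZONES = {
    "IT": [ip_network("10.1.0.0/16")],
    "DMZ": [ip_network("10.20.5.0/24")],
    "OT": [ip_network("192.168.10.0/24")],
}

# Rule table: (src_zone, dst_zone, permitted dports, permitted sources or None=any).
# Only the historian in the DMZ may originate industrial-protocol traffic into OT;
# IT reaches the historian over HTTPS only; OT devices may push OPC UA to the DMZ.
POLICY = [
    ("IT", "DMZ", {443}, None),
    ("DMZ", "OT", {502, 4840}, {"10.20.5.10"}),
    ("OT", "DMZ", {4840}, None),
]

# Constructed flows from a passive assessment: (src, dst, dport).
OBSERVED_FLOWS = [
    ("10.1.20.14", "10.20.5.10", 443),     # IT workstation views historian data
    ("10.20.5.10", "192.168.10.11", 502),  # historian polls a PLC
    ("10.1.77.5", "192.168.10.11", 502),   # IT laptop straight to a PLC
    ("10.20.5.22", "192.168.10.11", 502),  # second DMZ host polling the PLC
    ("10.1.20.14", "10.20.5.10", 3389),    # RDP into the historian
]

# Constructed change request for a new IT/OT connection; the id is a placeholder.
CHANGE_REQUEST = {"id": "CR-EXAMPLE-001", "src": "10.1.40.8",
                  "dst": "192.168.10.12", "dport": 502,
                  "justification": "reporting server needs live pump status"}


def zone_of(addr):
    """Zone name for an address, or 'UNKNOWN' when no CIDR matches."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "UNKNOWN"


def review_connection(src, dst, dport):
    """Return (verdict, reason) for one src -> dst:dport path under POLICY."""
    sz, dz = zone_of(src), zone_of(dst)
    if "UNKNOWN" in (sz, dz):
        return ("reject", "endpoint is not in any documented zone")
    if sz == dz:
        return ("allow", "intra-zone")
    if {sz, dz} == {"IT", "OT"}:
        return ("reject", "direct IT/OT path bypasses the DMZ")
    for rule_src, rule_dst, ports, sources in POLICY:
        if (rule_src, rule_dst) != (sz, dz):
            continue
        if dport not in ports:
            return ("reject", f"port {dport} not permitted {sz}->{dz}")
        if sources is not None and src not in sources:
            return ("reject", f"{src} is not an approved {sz}->{dz} intermediary")
        return ("allow", f"matches {sz}->{dz} rule")
    return ("reject", f"no rule permits {sz}->{dz}")


def audit_flows(flows):
    """Observed flows that POLICY rejects, each with the reason."""
    violations = []
    for flow in flows:
        verdict, reason = review_connection(*flow)
        if verdict == "reject":
            violations.append((flow, reason))
    return violations


def review_change_request(cr):
    """Apply the same rule table to a proposed connection before it is built."""
    verdict, reason = review_connection(cr["src"], cr["dst"], cr["dport"])
    return {"id": cr["id"], "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    for flow, reason in audit_flows(OBSERVED_FLOWS):
        print(f"VIOLATION {flow[0]} -> {flow[1]}:{flow[2]}  {reason}")
    print(review_change_request(CHANGE_REQUEST))
```

Keeping the rule table in version control alongside the firewall or unidirectional-gateway configuration is what turns "segmentation must be documented and maintained" into something auditable: a change request that needs a new rule is visible as a diff to POLICY, and a periodic passive assessment fed through audit_flows shows whether the deployed boundary still matches the documented one.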
Know What's Actually Running in Your OT Network
OT security requires specialist assessment tools, OT-literate assessors, and an approach that accounts for the operational constraints of critical infrastructure environments. Infinite Cybersecurity offers OT security assessments for Singapore critical infrastructure operators, including passive network mapping, network segmentation review, credential assessment, and OT incident response planning. We work with your OT engineering team — not around them.
The Convergence Reality
The idea that OT networks can remain air-gapped from enterprise IT is a legacy assumption that no longer reflects reality — and attackers know it. Singapore's Smart Nation initiatives, the digitisation of critical services, and the legitimate business need for operational data to inform enterprise decision-making are all accelerating IT/OT convergence. The organisations that manage this convergence most safely are not the ones that resist it. They are the ones that design the integration with security as a first requirement — not an afterthought.
Start with visibility. You cannot secure what you cannot see. A passive network assessment of your OT environment will give you the evidence to have the right conversations with your engineering team, your board, and your regulator. The next sophisticated attacker targeting Singapore's critical infrastructure is already conducting reconnaissance on OT networks. The question is whether they find the gaps before you do.