THE almost daily glitches that disrupt the operations of the EDSA-MRT have impacted 500,000 to 600,000 commuters daily. With lesser number of trains, the number of riders appears to have gone down to about half. There is no peak or non-peak period to speak of since the MRT operates at almost maximum level throughout its operating hours—commuters waiting for trains quickly fill up the station platforms in both directions and fill up the trains even faster upon arrival.
But what if the glitches were not caused by electro-mechanical failures? What if the glitches were caused by cyberattacks on the signaling system? The disruption could end up worse than commuter inconvenience and lost productivity as commuters are unable to reach their work destinations on time. Unseen hands could take over the controls of the signaling system and cause collisions, or worse, send the trains running at top speed, crashing through safety barriers, and falling off the overhead rails.
Transportation (land, sea, and air) is a critical infrastructure that needs protection. Aside from the train system, there are many providers of land transport but which have not reached a level of sophistication which require automation of their operations. But air transport is another matter. Imagine if the air traffic control system is the target of cyberattacks. Not only will it paralyze our air transport system but it could endanger lives up in the air and severely impact the economy.
The country has been a recipient of cyberattacks, mostly web defacement attacks on government websites and in some private sector websites. Attacks on government website peaked following incidents with neighboring countries – the incident at the Balintang Channel where Taiwanese fishermen were shot at, the hostage taking at the Quirino Grandstand involving Hong Kong nationals, the Panatag Shoal incident with the Chinese, the misadventure in Sabah, and other such incidents. These incidents led to keyword wars as Filipino hackers retaliated.
Transport and government are two of the critical infrastructures identified by the DICT. The others are energy, water, health, emergency services, banking and finance, business process outsourcing, telecommunications, and media.
While the DICT has classified government as a critical infrastructure, government websites and their systems are at present in individual silos—government information systems and web-facing applications are disjointed. Imagine, however, if all government information systems and websites are joined together in one network. A cyberattack on this network could be disastrous.
Perhaps the disjointed state of the country’s critical infrastructure is an advantage in the internet age – there is no single point of attack. Still, both public and private sectors are harnessing information and communications technologies that will result in the efficient delivery of goods and services. It may still be a long way, but the country will reach a high degree of connectedness in the years to come. And when that becomes reality, it had better be ready to face adversities in a connected world.
This is the whole point for putting together the National Cybersecurity Plan (NCSP) 2022. The NCSP seeks to protect critical infrastructure, government, businesses, and the individual citizen against cybersecurity incidents.
Just as government has long recognized that protection of critical infrastructure is a national security matter, there is now the realization that cybersecurity is a national security issue. This is the common theme of the messages delivered at the opening of the Philippine Cybersecurity Conference 2018. The featured speakers on the first day of the conference are from the National Security Council, the Department of National Defense, and the Armed Forces of the Philippines. On the second day, a featured speaker is from the Philippine National Police who gave an update on the PNP’s Anti-Cybercrime Group law enforcement activities.
The conference was the first to be organized by the Office of Cybersecurity and Enabling Technologies under the barely two-years-old DICT. It highlighted DICT’s push for the implementation of the NCSP 2022.
To further ensure implementation of the NCSP, the DICT has issued the memorandum circulars which prescribe rules and regulations for 1) the Protection of Critical Infostructure (CII), MC005 dated August 1, 2017; (2) the Protection of Government Agencies, MC006 dated August 1,2017; and 3) the Protection of Individuals, MC007 dated August 1, 2017.
MC005 addresses the need to adopt PNS ISO/IEC 27000 Family of Standards and other relevant international standards for mandatory compliance by government agencies. Specifically, all government agencies must adopt the Code of Practice for Information Security Controls stipulated in PNS ISO/IEC 27002 within one year from date of effectivity of MC005 while CII operators are mandated to adopt PNS ISO/IEC 27001 on information security management systems within two years.
MC005 prescribes the conduct of risk and vulnerability assessments annually. It also requires all CII operators to organize their individual Computer Emergency Response Teams (CERTs) and, as individual sectors, create their respective sectoral CERTs, while DICT shall organize the national CERT. The DICT has so far pushed for the creation of a CERT in the energy sector. It has its sights on the organization of a CERT for the banking and finance sector next.
MC006 prescribes the creation of the government CERT (GCERT). International collaboration will be coursed through the national CERT.
The various CERTs prescribed to be created under MC005 and MC006 are mandated to respond to cybersecurity incidents and resolve such incidents following international best practices.
MC007 focuses on the development and implementation of cybersecurity awareness and training programs.
Organizations, public and private, especially those operating CII need to address their cybersecurity posture. A lot more work has to be done.