-
By Shelley Shan / Staff Reporter
The Administration for Cybersecurity yesterday said it would expand the scale of cybersecurity attack and defense drills this year by including more critical infrastructure (CI) operators.
The government has designated CIs for energy, water resources, telecommunication, transportation, banking and finance, emergency services, hospitals, science parks, and industrial parks.
According to the Regulations for Classification of Cyber Security Responsibility Levels (資通安全責任等級分級辦法), “Class A” CI operators are those whose information and communication systems, if disrupted or compromised, would have a “catastrophic or extremely severe impact” on public interests, public morale, or the life, body and property of the public.
Photo: Reuters
“Class B” operators are those that would cause “severe impacts” under similar circumstances, the regulations state.
This year’s cybersecurity drills would include Class B operators, such as regional water resources agencies and hospitals, the administration said.
China attempted to breach Taiwan’s critical infrastructure an average of 2.63 million times last year, a 6 percent increase from 2024, it said, citing a National Security Bureau report.
Other bureau reports showed that on top of intensive cyberattacks targeting the nation’s telecommunications and transportation systems, and defense supply chains since 2024, there was also a significant increase in breaches of Taiwan’s energy infrastructure, emergency services and hospitals last year, the administration said.
That shows China has switched from data theft to disrupting people’s lives and social stability, it added.
Critical infrastructure is most vulnerable to cybersecurity risks when there are loopholes in old systems or those that are difficult to replace, the administration said.
While the integration of information technology and operation technology systems helps enhance management efficiency, it also increases risks of external intrusion, it said.
At the same time, government agencies face risks from outsourced systems and supply chain management, excessive account privileges and lack of cybersecurity awareness among government workers, the administration said, adding that mechanisms and resilience against cybersecurity threats need to be fortified as well.
The government’s CI cybersecurity protection team annually conducts cybersecurity inspections in select infrastructure and works with field personnel to identify potential cybersecurity threats, it said.
A digital cyber range simulating real industrial control system environments was also established to conduct cybersecurity tabletop exercises based on realistic scenarios and verify actual incident response capabilities, it added.
This year’s drills would be expanded to include Class B operators to leverage the cybersecurity capabilities of private-sector firms.
The drills would focus on assessing the security of agencies’ external facing assets, and assisting them in improving asset management and vulnerability remediation efforts, the administration said.
