Singapore government rolls out new cybersecurity programs for critical information infrastructures
Published 15 March 2021
Singapore is developing programmes to establish cybersecurity standards and minimize cyber risks across the supply chain for government sectors with sensitive data.
This primarily involves Critical Information Infrastructure (CII), referring to 11 sectors responsible for the delivery of the country’s essential services, including government, energy, and healthcare.
The program, called the CII Supply Chain Programme, will involve the Cyber Security Agency (CSA), CII owners, and their vendors.
It is a continuation of Singapore’s Cybersecurity Masterplan 2020, which outlines new policies for a more secure and trustworthy cybersecurity ecosystem.
Managing risk across the supply chain
Announcing the program on Mar 2, Senior Minister of State for Communications and Information Janil Puthucheary noted that while all CII owners are currently required to maintain a mandatory level of cybersecurity under the Cybersecurity Act, most organizations engage vendors to support their operation.
“Therefore, we also need to manage cybersecurity risks across the supply chain,” he said in Parliament. This requires infrastructure owners to have a better understanding of their vendors to identify systemic risks and improve their level of “cyber hygiene”.
The programme will provide recommended processes and sound practices for all stakeholders to manage cybersecurity risks in the supply chain, said Dr Puthucheary.
The Ministry of Communications and Information (MCI) noted that the CII Supply Chain Programme will help infrastructure owners develop guidelines to enable them to better understand and manage their vendors, such as by ranking them according to their cybersecurity posture.
More details on the programme will be announced in the third quarter of this year, MCI said.
Zero-trust cybersecurity posture
“In the longer term, our CII sectors and companies will also need to adopt a zero-trust cybersecurity posture,” he added. This is necessary to defend against supply chain attacks by “highly sophisticated threat actors”.
“In concrete terms, this means that CII owners should not trust digital activity in their networks without verification. They should also authenticate continuously, detect anomalies in a timely manner, and validate transactions across network segments,” added Dr Puthucheary.
Resources to strengthen the digital fortress
Separately, CSA will support companies in strengthening their cybersecurity with the launch of the SG Cyber Safe Programme, as part of the Safer Cyberspace Masterplan.
“First, we will provide informational resources and educational material for key roles including C-suite executives, cybersecurity teams and frontline employees, based on their specific roles and knowledge needs,” said Dr Puthucheary.
An employee cybersecurity toolkit will be introduced by the end of this year.
Cybersecurity “Trustmark” for firms
CSA will also introduce a voluntary Cyber Safe Trustmark for enterprises that have achieved a high standard of cybersecurity.
Industry consultations on the specifics of the trustmark are to begin in April, and it is expected to be introduced by early next year, he added.
A recent survey has shown that there is a widening gap between cybersecurity needs and capabilities. For CII, this exposes the availability of essential services in Singapore to hacking threats.
Singapore’s success in digitalisation has exposed new vulnerabilities, which will only grow as technologies evolve and become more complex, said Dr Puthucheary.
The Cyber Security Agency of Singapore (CSA) said that 9,430 cybercrime cases were reported in 2019, accounting for 26.8% of overall crime in the island state.
As Singapore continues to equip itself to become Asia’s post-pandemic digital hub, it needs “companies and people to be aware of the risks, vigilant of their manifestations, and make informed choices to protect our safety”, he added.