New initiative to help manage cybersecurity risks in Singapore’s critical information infrastructure

SINGAPORE: Singapore is developing an initiative to help organisations establish best practices to better manage cybersecurity risks across the supply chain, including vendors that support their operations.

This relates to Singapore’s Critical Information Infrastructure (CII) – referring to 11 sectors responsible for the delivery of the country’s essential services, including government, energy and healthcare.

Announcing the initiative on Tuesday (Mar 2), Senior Minister of State for Communications and Information Janil Puthucheary noted that all CII owners are currently required to maintain a mandatory level of cybersecurity under the Cybersecurity Act.

“However, we also recognise that most organisations - including CII owners - engage vendors to support their operations. Therefore, we also need to manage cybersecurity risks across the supply chain,” he said in Parliament.

This requires infrastructure owners to have a better understanding of their vendors to identify systemic risks and improve their level of “cyber hygiene”, he added. 

The initiative, called the CII Supply Chain Programme, will involve the Cyber Security Agency (CSA), CII owners, as well as their vendors.

It will provide recommended processes and sound practices for all stakeholders to manage cybersecurity risks in the supply chain, said Dr Puthucheary. 

He said discussions with stakeholders will help the Government improve policies around supply chain risks.

“In the longer term, our CII sectors and companies will also need to adopt a zero-trust cybersecurity posture,” he added.

READ: ‘No indication’ that SolarWinds hack adversely affected Singapore, says Iswaran

This is necessary to defend against supply chain attacks by “highly sophisticated threat actors” such as those behind the SolarWinds breach, said Dr Puthucheary.

The breach, first reported in December last year, involved hackers breaking into Solarwinds’ systems and adding a malicious code into its software system, using the company as a springboard to jump deep into US government and corporate networks.

Solarwinds is a leading provider of information technology management software based in Texas. Its clients include US government agencies and large companies, such as Microsoft, FireEye and Cisco Systems.

“In concrete terms, this means that CII owners should not trust digital activity in their networks without verification. They should also authenticate continuously, detect anomalies in a timely manner, and validate transactions across network segments,” said Dr Puthucheary.

The Ministry of Communications and Information (MCI) noted that the CII Supply Chain Programme will help infrastructure owners develop guidelines to enable them to better understand and manage their vendors, such as by ranking them according to their cybersecurity posture. 

The programme will also enable vendors to maintain an adequate level of cybersecurity, it added. 

More details on the programme will be announced in the third quarter of this year, MCI said.

Separately, CSA will support companies in strengthening their cybersecurity with the launch of the SG Cyber Safe Programme, as part of the Safer Cyberspace Masterplan.

“First, we will provide informational resources and educational material for key roles including C-suite executives, cybersecurity teams and frontline employees, based on their specific roles and knowledge needs,” said Dr Puthucheary.

An employee cybersecurity toolkit will be introduced by the end of this year. 

READ: Nearly 130,000 Singtel customers' personal information, including NRIC details, stolen in data breach 

CYBERSECURITY “TRUSTMARK” FOR FIRMS

CSA will also introduce tools for enterprises to self-assess their cybersecurity posture.

A voluntary SG Cyber Safe Trustmark will also be introduced as a mark of distinction for companies that have invested significantly in cybersecurity. 

“This means that if you are a consumer, a business, looking for an HR processing service for example, and care about the cybersecurity level of the service provider, you may look out for the trustmark for added assurance that the service provider takes its cybersecurity seriously,” said the Senior Minister of State. 

Industry consultations on the specifics of the trustmark will begin in  April, he added. 

MCI noted that the SG Cyber Safe Trustmark is expected to be introduced by early next year. 

“As the trustmark is intended for companies and/or projects with higher cyber risk, a separate cyber hygiene mark will also be developed to complement the SG Cyber Safe trustmark,” the ministry said in a media release, adding that more details on both would be announced later. 

Singapore’s success in digitalisation has exposed new vulnerabilities, which will only grow as technologies evolve and become more complex, said Dr Puthucheary. 

“Trust in our digital systems is key to the success of our digital economy efforts. Without trust to transact, or to innovate, our best efforts to develop our digital ecosystem and reap the dividends will fall short,” he said. 

“Strong foundations, such as I've described, will fortify our defences against online threats, and support this trust. But they are not sufficient,” he added. 

“We need our companies and people to be aware of the risks, vigilant of their manifestations, and make informed choices to protect our safety.”