Singapore is set to develop a new program designed to better manage cyber security risks in the supply chain of critical information infrastructure (CII) and its operators.
The program will take the shape of a partnership involving a range of relevant stakeholders, including the Singapore Security Agency (CSA), CII owners and their vendors.
Broadly, the plan is for the program to provide recommended processes and sound practices for stakeholders to manage cyber security risks in the CII supply chain, according to Senior Minister of State, Ministry of Communications and Information Janil Puthucheary.
“The reality is that we will not be able to prevent every cyberattack – malicious actors only need to exploit one vulnerability to compromise our systems, while defenders must safeguard systems under their charge against all threats, all the time,” Puthucheary said in Parliament on 2 March. “Consistent and deliberate efforts to strengthen our cybersecurity are thus critical.
“Many essential services like banking and healthcare are powered by information and communications technology. These systems are our critical information infrastructure or CIIs. Today, all CII owners must maintain a mandatory level of cybersecurity as part of the Cybersecurity Act.
“However, we also recognise that most organisations, including CII owners, engage vendors to support their operations. Therefore, we also need to manage cybersecurity risks across the supply chain. Doing so requires CII owners to have a better understanding of their vendors to identify systemic risks and improve the level of cyber hygiene with the vendors,” he added.
This is where the proposed program comes in, according to Puthucheary, who suggested that the discussions the government will have with CII stakeholders as a result of this program will also help the government improve its own policies around supply chain risks.
More specifically, Puthucheary noted that, over the longer term, Singapore’s CII sectors and the companies that operate within them will also need to adopt a zero-trust cyber security posture, with such a shift necessary to defend against supply chain attacks by highly sophisticated threat actors.
This would mean that CII owners and operators would need to authenticate continuously, detect anomalies in a timely manner and validate transactions across network segments.
Moreover, as part of Singapore’s Safer Cyberspace Masterplan, CSA will launch the SG Cyber Safe Program to support companies in strengthening their cyber security.
The SG Cyber Safe Program comprises two parts, the first being the provision of informational resources and educational material for key roles, including C-suite executives, cyber security teams and frontline employees.
The second part will see the rollout of a voluntary SG Cyber Safe Trustmark to provide a mark of distinction for companies that invest in cybersecurity.
“What this means is that if you are looking for an HR processing service for instance, and care about the cybersecurity level of the service provider, you may look out for the trustmark for added assurance that the service provider takes its cybersecurity seriously,” Puthucheary said. “CSA will engage stakeholders regarding the specifics of the Trustmark from April this year.”
Details about the proposed programs come just weeks after local telco Singtel revealed that personally identifiable information of at least 129,000 of its customers was exfiltrated following an attack on the telco’s systems via legacy FTA file sharing software from vendor Accellion.