Singapore steps up focus on IT supply chain cyber security

Calls for the adoption of cyber security standards across IT supply chains and the incorporation of security considerations throughout the system life cycle.

The Monetary Authority of Singapore (MAS) has flagged a fresh focus on strengthening security against cyber attacks on IT supply chains, with its Cyber Security Advisory Panel citing the need for a concerted effort to drive cyber security standards adoption across IT supply chains.

The issue was raised during the fifth annual meeting of the central bank and financial regulatory authority's Cyber Security Advisory Panel (CSAP), which was held virtually on 26 and 27 October.

Not only did the panel flag the need for the adoption of cyber security standards across IT supply chains, it also stressed the incorporation of security considerations throughout the system life cycle.

Moreover, the panel pointed to the importance of effective system monitoring and regular log reviews to facilitate prompt detection of suspicious cyber activities.

During its latest annual meeting, the panel specifically supported the adoption of zero trust security principles and architecture to tackle advanced cyber threats and IT supply chain attacks.  

In addition, the panel discussed cyber risks and mitigating actions in emerging technologies like blockchains and digital currencies.

“MAS is paying close attention to the rising occurrences and severity of ransomware and IT supply chain attacks globally,” said Ravi Menon, MAS managing director. “These attacks have led to massive financial losses and disruptions of essential services.

“Our Cyber Security Advisory Panel has provided us rich insights on how the financial industry can deal with these threats. MAS and the industry will maintain a cooperative, proactive and agile posture to manage the rapidly changing cyber risk landscape,” he added.

Meanwhile, the CSAP noted that multi-factor authentication (MFA) remained a key and effective tool for securing digital financial services.  

However, it also recommended that local financial institutions complement MFA processes with transaction notification and data analytics to proactively detect cyber intrusions, given the continuing risk of compromise in many existing MFA systems.  

At the same time, the panel underscored the need for an ecosystem approach to forge closer cross-border collaboration and public-private partnership in order to deter and foil ransomware attacks.  

On this front, the panel emphasised the importance of protecting ‘golden source’ backup data for effective service recovery and recommended that financial institutions consider implementing immutable data storage technologies that are resistant to ransomware attacks.

The panel also noted that the security awareness and competency of most developers in the blockchain space were not where they needed to be, and suggested more could be done to strengthen security in their software development lifecycle.  

Perhaps in reference to the ongoing cyber security talent crunch, the panel highlighted the need to build up a sufficient pool of IT professionals well-versed in both blockchain technology and cyber security. It also recommended making more tools available to aid in the security implementation and testing of blockchains.

The latest issues raised by the CSAP come just weeks after Singapore released its new Cybersecurity Strategy 2021.

Launched on 5 October, new strategy came five years after the launch of the first Singapore Cybersecurity Strategy in 2016 and works to simplify cyber security for end-users while developing deeper partnerships with industry to adapt to the changes in the cyber operating environment.

In the words of the Cyber Security Agency of Singapore (CSA), the new strategy outlines Singapore’s plans to take "a more proactive stance" against threats, raise the overall level of cyber security across the nation and advance international norms and standards on cyber security.

Just days before the launch of the 2021 strategy, Singapore’s Permanent Secretary for Communications and Information, Yong Ying-I, said she wanted to see updated policies and processes, and the adoption of security technologies by design, to help the country fend off emerging operational technology (OT) cyber threats.

October was a very cyber-focused month for Singapore. In addition to the launch of the Cybersecurity Strategy 2021 in conjunction with the sixth edition of the Singapore International Cyber Week (SICW), the city-state also hosted the ASEAN Ministerial Conference on Cybersecurity.

Just a handful of weeks earlier, in August, Singapore and the United States signed a new memorandum of understanding (MoU) aimed at strengthening information sharing and fostering cyber security exchanges between the two countries.

“Singapore and the United States share deep mutual interests in enhancing cyber security cooperation, particularly as cyber security has become a key enabler for both countries to leverage the benefits of digitalisation to grow our economies and improve the lives of our people,” David Koh, CSA chief executive, said at the time.