11 critical sectors to beef up cyber security

More security audits, drills in new cyber defence model in response to COI recommendations

The Cyber Security Agency of Singapore will oversee and follow up on how the recommendations of the Committee of Inquiry that investigated the SingHealth attack will be carried out in the 11 sectors.
The Cyber Security Agency of Singapore will oversee and follow up on how the recommendations of the Committee of Inquiry that investigated the SingHealth attack will be carried out in the 11 sectors. ST FILE PHOTO

Singapore will intensify the use of technology to automate cyber security tasks such as the roll-out of software patches.

Also, more security audits and drills will be carried out to sharpen public officers' readiness to respond to cyber incidents.

These new measures to shore up the cyber security of public sector systems were disclosed by Minister-in-charge of Cyber Security S. Iswaran in Parliament yesterday.

This new model of cyber defence will be implemented across 11 critical information infrastructure sectors, including healthcare, energy, telecommunications and transport.

The new approach is a response to the recommendations of a high-level Committee of Inquiry (COI) that investigated the cyber attack on SingHealth, Singapore's largest cluster of healthcare institutions.

Mr Iswaran said its findings and recommendations gave "added impetus" to the ongoing efforts of the Smart Nation and Digital Government Group (SNDGG) to improve the cyber security of government systems.

"In particular, the findings reaffirmed the 'defence-in-depth' approach the public sector had adopted towards cyber security."

He added: "The public sector will also continue to strengthen our defences on all fronts - people, process, technology and partnerships, as informed by the COI recommendations."

The recommendations were unveiled last week in a public report that recounted the events that led to June's cyber attack that compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

On the technical front, SNDGG will look at improving the architecture of government systems to allow more extensive monitoring and detection of abnormal activities. It will also continue to introduce measures to better detect and respond to intrusions, and monitor critical databases.

Acknowledging that the Government cannot fortify its cyber security alone, he said it will enlist the help of the larger cyber security community, including ethical hackers.

The Cyber Security Agency of Singapore will oversee and follow up on how the COI recommendations will be carried out in the 11 sectors.

Said Mr Iswaran, who is also Minister for Communications and Information: "The recommended measures will help us defend ourselves better against malicious cyber activities, including from international attackers. This was not the first instance where we were targeted, and it will not be the last."

Mr Vikram Nair (Sembawang GRC) and Mr Cedric Foo (Pioneer) asked about the hackers' identity.

Mr Foo, chairman of the Government Parliamentary Committee for Communications and Information, said: "How about the person who actually broke into the house? There seems to be a vacuum as far as the sense of justice (goes)."

Replying, Mr Iswaran said: "I don't think we should deduce whether we have a sense of jus-tice to just one specific point - that there is no public attribution of the perpetrator."

Citing moves that the Government made in the spirit of transparency, he said Singapore can hold itself up to the best practices and standards. The moves include announcing the cyber attack on July 20 last year, 10 days after it was made known to the Cyber Security Agency of Singapore, and convening a COI and releasing the recommendations and findings.

"I can understand that members have a desire and on behalf of constituents to know this, but I think we have to exercise judgment - what is in our national interest and whether a public attribution serves our best interests. And as I said, we know who the perpetrator is, appropriate action has been taken."

Actions taken

Committee of Inquiry (COI )

•Following the announcement of the breach, Minister for Communications and Information S. Iswaran, who is also Minister-in-charge of Cyber Security, convened a four-member COI to get to the bottom of the attack.

•In a public report issued last Thursday, the COI identified five key factors that led to the breach.

•It also made 16 recommendations to enhance responses to similar incidents, better protect SingHealth's database against similar attacks and reduce the risk of such cyber attacks on public sector IT systems with large databases of personal data.


•The Personal Data Protection Commission (PDPC), Singapore's privacy watchdog, said yesterday that it has fined Integrated Health Information Systems (IHiS) $750,000 and SingHealth $250,000 for the data breach.

•Both Mr Iswaran and Minister for Health Gan Kim Yong said in Parliament yesterday that the Government accepts the COI's recommendations.

•Mr Iswaran said more technology will be used to automate cyber security tasks. Security audits and drills will be intensified to sharpen public officers' readiness to respond to cyber security incidents.

•A tiered model of Internet access will be in the works for the healthcare sector, said Mr Gan, should a virtual browser solution being tested prove effective.

•Mr Gan added that mandatory contributions to the National Electronic Health Record (NEHR) system will be deferred.

•The Cyber Security Agency of Singapore has instructed all critical information infrastructure (CII) sectors to strengthen network security. It has also designated all CIIs, and their owners must now comply with obligations under the Cyber Security Act.

Integrated Health Information Systems (IHiS)

•IHiS has outlined measures to strengthen cyber security, including two-factor authentication for local administrators. It is also studying the possibility of using a virtual browser solution.

•Two employees of the public healthcare sector's IT vendor, who were found to be negligent during the data breach, have been fired.

•A "significant financial penalty" has been imposed on five members of its senior management team, including its chief executive, Mr Bruce Liang.


•SingHealth is making changes to enhance its cyber security governance structures and improve management oversight of its critical systems. It will also work with IHiS to upgrade its cyber defence systems.

•The SingHealth senior leadership, including its group chief executive Ivy Ng, has voluntarily accepted a financial penalty.

Hariz Baharudin

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on January 16, 2019, with the headline 11 critical sectors to beef up cyber security. Subscribe