11 critical sectors told to review cyber security

The cyber attack, which took place between June 27 and July 4, compromised the personal data of 1.5 million SingHealth patients, including data on the medical prescriptions of Prime Minister Lee Hsien Loong.
The cyber attack, which took place between June 27 and July 4, compromised the personal data of 1.5 million SingHealth patients, including data on the medical prescriptions of Prime Minister Lee Hsien Loong. ST PHOTO: SYAMIL SAPARI

Move comes as Govt lifts pause on new Smart Nation projects after data breach

Eleven critical services sectors in Singapore have been told to review their cyber security, even as the Government lifted the pause on new Smart Nation projects that was imposed after the recent data breach at SingHealth.

Following a nationwide review of cyber-security policies, additional measures were being put in place "to strengthen the ability to detect and respond quickly to cyber-security threats", the Smart Nation and Digital Government Group (SNDGG) and the Cyber Security Agency (CSA) said in a joint statement yesterday.

CSA has asked all critical sectors to review their business case for connecting their systems to untrusted external networks, such as the Internet or unsecured Wi-fi.

"If there is no business need to do so, then owners (of the 11 critical sectors) should remove such connections," CSA said.

But if there is a business justification to connect to external networks, then these connections should be better protected, it said.

They could use "uni-directional gateways" to prevent data leakage, for example, it added. A uni-directional gateway is a network appliance that allows data to travel in only one direction so as to guarantee information security.

And if two-way communication with the public Internet is required, a "secured informational gateway" could be implemented, CSA said. A secured Information exchange gateway is a system designed to enable the flow of information between networks while at the same time protecting an internal domain from both inbound malware threats and outbound leakage of sensitive information. This can be done by a variety of means, such as encryption and content inspection, to protect the network path to the system.

The 11 sectors that are affected are aviation, healthcare, land transport, maritime, media, security and emergency, water, banking and finance, energy, infocomm and the Government itself.

About 143,000 public servants have already disconnected from the public Internet and removed Web surfing from workstations.

"While the Government will continue to review and upgrade its security measures to guard against new threats and strengthen its infrastructure, it is not possible to completely eliminate the risk of cyber-security attacks," the statement said.

"We should not allow such incidents to hold us back in building a Smart Nation and digital government. We need to persist in our efforts to harness the potential of the digital age, while building deeper expertise in cyber security so that we can do so confidently."

SNDGG, which is in charge of coordinating Smart Nation projects - such as a national digital identity and a national sensor network - also said that these projects can now proceed.

SNDGG had previously paused the launch of new technology projects following the country's worst cyber attack.

The attack, which took place between June 27 and July 4, compromised the personal data of 1.5 million SingHealth patients, including data on the medical prescriptions of Prime Minister Lee Hsien Loong.

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said these are only stop-gap measures put in place while a Committee of Inquiry (COI) is ongoing.

"The direction from CSA is ab-solutely necessary in lieu of so many unknowns," said Mr Cheang, adding that some sectors such as banking and telecommunications are ahead of others in cyber-security readiness.

"The COI, which could take up to the end of this year, will then provide further insight into how the overall security of our national assets can be improved," he added.

Correction note: The story has been updated for clarity.

A version of this article appeared in the print edition of The Straits Times on August 04, 2018, with the headline '11 critical sectors told to review cyber security'. Print Edition | Subscribe