Budget debate: National effort to get owners of critical data infrastructure to manage vendor cyber-security risks

The programme will recommend processes and sound practices for all stakeholders.

SINGAPORE - Organisations running Singapore's critical information infrastructure (CII), such as telecommunication networks and public transport systems, will be asked to better manage their vendors' cyber-security risks in the wake of recent global hacking attacks through third-party suppliers.

This will be done under a new national effort called the CII Supply Chain Programme, which is being developed by the Cyber Security Agency of Singapore (CSA) with CII owners and an external consultant that the agency will engage.

It draws on international best practices from countries including the United States and Israel, and will also refer to the Monetary Authority of Singapore's (MAS) guidelines on outsourcing.

The programme, not mandatory for now, covers the owners of CII and their vendors in 11 sectors: government, security and emergency, healthcare, media, banking and finance, energy, water, info-communications, maritime, aviation, and land transport.

Announcing this in Parliament on Tuesday (March 2), Senior Minister of State for Communications and Information Janil Puthucheary said the programme will recommend processes and sound practices for all stakeholders to manage cyber-security risks in the supply chain.

Discussions with stakeholders will also help the Government improve its policies around supply chain security, he added.

"With more activities taking place online, it's important that people trust the digital systems used to store, collect and transfer our information," said Dr Janil.

In the longer term, he said CII companies also need a zero-trust cyber-security mindset, in which they do not trust any digital activity in their networks without first verifying it.

They should also authenticate continuously, detect anomalies in a timely manner and validate transactions across network segments.

The programme's announcement comes after recent cyber attacks such as one revealed late last year in which attackers planted a backdoor in a legitimate software update for the Orion IT management platform from Texas-based SolarWinds, so that customers installed the tainted code through the vendor's own update channel.

About 18,000 customers downloaded the tainted update, and the attackers also used other intrusion methods. Those hit include American tech giants Microsoft, Cisco Systems and FireEye. Many more could be at risk of data theft, as the full extent of the damage from the SolarWinds hack has yet to be determined.

Closer to home, a legacy file-transfer appliance from US company Accellion was compromised in December last year, affecting customers globally, including Singapore's largest telco, Singtel. About 129,000 Singtel users' data was stolen in the breach.

But CSA said the development of the supply-chain programme "is not in response to any recent cyber incident".

"It is part of CSA's continual efforts to enhance the security and resilience of Singapore's CII sectors, including raising the cyber-security posture of their vendors," the agency told The Straits Times, adding that it has been planning and consulting on the programme for a while.

On Tuesday, Dr Janil noted that many essential services like banking and healthcare are powered by information and communications technology.

While all CII owners must maintain a mandatory level of cyber security under the law, Dr Janil said the Government also recognises that most organisations, including CII owners, engage vendors to support their operations. So, cyber-security risks across the supply chain need to be managed.

This requires CII owners to have a better understanding of their vendors to identify systemic risks and improve the level of cyber hygiene of these vendors, said Dr Janil, noting that this is where the new CII Supply Chain Programme comes in.

The programme recognises that vulnerabilities can be introduced at any point in the supply chain and they can be hard to detect.

As CSA develops the programme, it will take into account assurances that can be provided to CII owners. These include a set of cyber-security requirements for identified vendors to adhere to, such as putting in place detection and monitoring mechanisms and plans to respond to incidents.

The requirements also include measures to ensure systems are resilient and can recover quickly from cyber attacks.

Vendors will be subjected to regular audits by independent third parties based on these requirements.

And if vendors fail to meet requirements, penalties could be meted out, such as paying for damages or having their contracts terminated.

To help CII owners better manage their vendors, the programme will also have a method for owners to assess and rank vendors according to how critical they are to the CII owners. This takes into account the potential damage to the CII in the event of a cyber attack.

Several criteria will be identified to estimate the potential damage, such as the sensitivity of the data accessible by the vendor, the impact on business continuity and the level of dependency on technology.

CSA noted that imposing measures on vendors under the programme may involve trade-offs affecting the operations, efficiency and operating costs of both CII owners and their vendors.

The agency will work closely with them to review and make changes to their existing processes.

It will then "review the timeline for these processes and requirements to be made mandatory based on how the programme develops and matures".

More details on the CII Supply Chain Programme are expected to be announced in the third quarter of this year.

The announcement of the programme comes after MAS mandated that all financial services and e-payment firms here follow revised rules to better mitigate technology risks from Jan 18, 2021.

Banks and other financial institutions are also required to assess cyber-security risks of the third-party suppliers of the technology products and services they use.

In Singapore, there have been no major cyber breaches at financial institutions to date, said Mr Vincent Loy, assistant managing director of technology at MAS.

But he noted that it was not a question of whether they would be hacked but when.

Mr Loy said that, increasingly, many organisations, including financial institutions, use third-party applications because information technology is a complex business.

But this also means there are more ways for hackers to break into these organisations.

Vendors could also take a leaf from the cyber-hygiene rules that MAS has required financial institutions to follow since August last year.

The rules include ensuring systems are configured securely, restricting unauthorised network traffic, patching software in a timely manner and using multi-factor authentication.

Mr Loy said the measures could address more than 90 per cent of cyber-security incidents, including among third-party suppliers.

Mr Gerry Chng, a partner at consultancy Ernst and Young Advisory, said the CSA's programme is a "timely reminder of how one needs to consider security beyond what is within direct control".

"It is no longer a straightforward case of identifying what is 'good or bad', 'inside or outside', or 'trusted or uncertain', due to the porous and vastly interconnected landscape," said Mr Chng.

"In the long term, such programmes will also benefit the overall digital ecosystem as even the strongest set-up can be breached through a less secured entity."