Push to better manage cyber-security risks in critical infrastructure

Organisations running Singapore's critical information infrastructure (CII), such as telecommunication networks and public transport systems, will be asked to better manage their vendors' cyber-security risks, in the wake of recent global hacking attacks through third-party suppliers.

This will be done under a new national effort called the CII Supply Chain Programme, which is being developed by the Cyber Security Agency of Singapore (CSA), with CII owners and an external consultant that the agency will engage.

The programme, not mandatory for now, covers the owners of CII and their vendors in 11 sectors: Government; security and emergency; healthcare; media; banking and finance; energy; water; infocommunications; maritime; aviation; and land transport.

Announcing this during the debate on his ministry's budget yesterday, Senior Minister of State for Communications and Information Janil Puthucheary said the programme will recommend processes and sound practices for all stakeholders to manage cyber-security risks in the supply chain.

Discussions with stakeholders will also help the Government improve its policies around supply chain security, he added.

"With more activities taking place online, it's important that people trust the digital systems used to store, collect and transfer our information," said Dr Janil.

The programme's announcement comes after recent cyber attacks such as the one revealed in December in which IT management software provider SolarWinds was targeted by hackers.

About 18,000 customers of the Texas-based firm installed the compromised software update, among them American tech giants Microsoft and FireEye. Many more could be exposed to the risk of data theft, as the full extent of the damage from the SolarWinds hack has yet to be determined.

Closer to home, a file-transfer system provided by US software company Accellion was targeted by a cyber attack in December, affecting customers globally, including Singapore's largest telco Singtel. The personal data of about 129,000 Singtel customers was stolen in the breach.

But CSA said the development of the supply-chain programme "is not in response to any recent cyber incident" and that the agency has been working on it for a while now.

Currently, all CII owners must maintain a mandatory level of cyber security under the law.

But Dr Janil yesterday said the Government also recognises that most organisations, including CII owners, engage vendors to support their operations. "Therefore, we also need to manage cyber-security risks across the supply chain," he added.

This requires CII owners to understand their vendors well enough to identify systemic risks, and to raise the level of cyber hygiene among those vendors.

As CSA develops the vendor programme, it will consider assurances that can be provided to CII owners. These include cyber-security requirements for vendors to follow, such as having plans to respond to incidents.

Vendors also have to ensure systems are resilient and can recover quickly from cyber attacks.

Vendors would be audited regularly by independent third parties against these requirements. If they fall short, penalties could be imposed, such as liability for damages.

CSA said that establishing measures for vendors can lead to trade-offs that affect CII owners' and vendors' operations, efficiency and costs.

The agency will review the timeline for the requirements and changes to processes "to be made mandatory based on how the programme develops and matures".

More details on the supply-chain programme are expected in the third quarter of this year.

A version of this article appeared in the print edition of The Straits Times on March 03, 2021, with the headline 'Push to better manage cyber-security risks in critical infrastructure'.