Board members of critical services operators will soon be required to undergo cyber security training
Sign up now: Get ST's newsletters delivered to your inbox
Participants at the annual Critical Infrastructure Defence Exercise for the nation’s 11 critical sectors on Nov 12.
ST PHOTO: NG SOR LUAN
Follow topic:
SINGAPORE - Board members of the operators of critical services in Singapore will need to go through cyber security training, as part of new requirements that will be codified within the first quarter of 2026.
These board members will also need to enhance their supervision and responsibility over the critical information infrastructure (CII) as well as adjacent systems, said Minister for Digital Development and Information Josephine Teo on Nov 12.
These critical sectors include energy, healthcare, telecommunications, finance and media.
Chief information security officers should also be provided direct access to the board as part of the updated Cybersecurity Code of Practice, said Mrs Teo, adding that threat actors will stop at nothing to steal data from CII operators and disrupt services.
The updates come after the Government announced in October that it will be sharing classified threat intelligence
“What we would like for CII owners to do is to have a clear-eyed view of what they are up against, and to take the necessary action to better protect Singaporeans,” said Mrs Teo.
Speaking on the sidelines of the annual Critical Infrastructure Defence Exercise (Cidex) for the nation’s 11 critical sectors, she said the update comes at a time when the threat landscape has shifted considerably. The code was last updated in 2022.
CII operators that are found to have been negligent in securing their systems in the wake of an attack would face penalties, as outlined in the Cybersecurity Act. This would include those that do not follow the requirements in the updated code.
The Cybersecurity Act came into force in 2018, and was amended in 2024
“When it comes to cyber security, we need to hunt as a pack to identify where our weaknesses and vulnerabilities are; but we also need to defend as a team,” Mrs Teo said, adding that Cidex hones this aspect.
More than 250 participants from 33 governmental and private organisations are taking part in the exercise in 2025, which is being held at the Singapore Institute of Technology from Nov 11 to 14. The exercise has been held yearly since 2022 to test participants’ skills against simulated cyber attacks.
Participants include Changi Airport Group, telco M1, OCBC Bank and the Government Technology Agency, as well as others responsible for defending the nation’s digital backbone, power grid, rail systems and telecommunications networks.
The focus of the 2025 exercise is incorporating intelligence from ongoing cyber operations into the design of the attacks, said Singapore’s Defence Cyber chief Clarence Cai.
“We do this so that our defenders know what and, importantly, how to look for advanced actors in their networks when they return to their respective organisations,” he said.
This includes sophisticated attacks that originate in the IT space, that go on to disrupt infrastructure that controls physical systems and devices, he added.
He said participants also benefit from the learnings of various industry players such as Google and Amazon Web Services, which have shared their observations on cyber threats across different cloud environments.
Defence Minister Chan Chun Sing said that 2025’s drill is the first where all 11 CIIs participated to attain three goals: vigilance, unity of action and resilience.
“Vigilance means that we must keep everyone updated on the latest threats,” he said.
On unity of action, Mr Chan said the strength of the network is dependent on the weakest link.
“So if there’s one compromise in any part of the network, it actually compromises the entire network, which is why having all the various agencies coming together is so important,” he said.
But the most important goal, he said, is resilience, marked by how all the sectors’ competency can be levelled up to bounce back from any setback as soon as possible.
A state-sponsored threat actor entering through a virtual private network gateway to take down an energy plant was one of the simulated attacks that Major (NS) Chong Rong Hwa led his 20-strong team to defend against during the exercise.
As mentor of the cyber defenders within the energy sector, he worked with his team to identify all the different channels that an attack could come from, and guided them in differentiating between benign and malicious activities on the network.
“We will then remediate by removing some of the threats, perhaps by removing malicious software and IP addresses,” said MAJ Chong, who is from the Digital and Intelligence Service, a branch of the Singapore Armed Forces.
Another scenario faced by the transport sector was a traffic collision that resulted from a cyber attack on a traffic signalling system, he said.
Colonel Cai said: “An attack that starts in one sector may quickly be promulgated to other sectors, so our ability to communicate threat intelligence picked up by one sector to others is immensely important.
“This is the seriousness with which we take this exercise, because we know how it will affect the lives of our fellow Singaporeans.”
