Hardware Flaws Delay Smart Nation Projects in Singapore
Security Experts Assess the Impact of Spectre and Meltdown
Some projects related to Singapore's Smart Nation initiative have been postponed as a result of concerns about the Spectre and Meltdown chip flaws that are affecting so many devices, security experts say (see: Asian Experts Size-up Meltdown and Spectre Vulnerabilities).
"I know a few projects which were in midway have been halted and other projects which were supposed to begin soon have been postponed to assess the impact of the flaw," says one Singapore security expert, who asked not to be named.
A spokesperson from the Smart Nation and Digital Government Office tells Information Security Media Group: "The effects of these hardware flaws are still being assessed across the board, by product manufacturers and users alike. We will closely monitor the situation as we continue to take proactive measures to mitigate cybersecurity risks."
According to Singapore's Smart Nation website, the national digitization project is designed to support "better living, stronger communities and create more opportunities for all."
Assessing the Gaps
Meanwhile, some Singapore banks and telcos, including Singtel and StarHub, are applying available software fixes to mitigate the risks of the flaws.
"Most companies are still in the assessment stage where they are figuring out the likely impact of the flaw," says a research consultant with a vendor, who asked not to be named.
Although Singapore is considered one of the most advanced countries in Asia in terms of cybersecurity, some security experts say there still are multiple gaps.
"Singapore does have a national security master plan that is executed by Cyber Security Agency of Singapore," says Aloysius Cheang, CEO at an IoT and Smart City startup initiative, which is in stealth mode. "However, the effectiveness of CSA depends on having them being involved in all major smart nation initiatives right from the start with the power to influence proceedings."
Experts from both the private and public sector must be involved in designing a smart nation plan, he adds. "Thus in a way, Singapore is not ready to meet the challenges posed by these security flaws in their smart nation projects."
The situation also raises concerns about the security of IoT devices.
"In reality, most hardware chips found today in our day-to-day lives, be it mobile phones, laptops, PCs, simple IoT devices such as IP cameras or autonomous vehicles are powered by chips that can be compromised by Spectre and Meltdown and many more other hardware security flaws," Cheang says.
Need for Vigilance
The spokesperson from the Smart Nation and Digital Government Office notes: "We must always anticipate the emergence of security risks, including the most recent ubiquitous Meltdown and Spectre hardware flaws. Hence the need to maintain a high level of vigilance, including regular prompt updating of system software and internet surfing separation that was fully implemented in government systems since May 2017. Good cybersecurity practices by individuals, businesses and government are essential for the implementation of a Smart Nation."
Tony Jarvis, chief strategist, Asia Pacific at Check Point, sounds a similar theme. "Vulnerabilities are a fact of life, and can be introduced at any stage of the supply chain," he says. "Whether it is flaws in hardware such as chipsets, or bugs in software, the outcome is the same. Security teams recognize that security is an ongoing process of identifying vulnerabilities and applying the necessary measures to mitigate the risk which they pose."
And Anthony Lim, consultant and auditor, Asia Pacific, at Cloud Security Alliance, points out that in the wake of other vulnerabilities, including Heartbleed and Shellshock, "despite a few high profile exploitations, hype and publicity, patches were eventually found and deployed."
Lim points out, however, that updating chipset firmware will prove challenging.
"It is difficult to get updates when a device doesn't use mainstream CPU, OS or app software, though deployment of Android as an OS or platform in IoT is getting popular," he says.
Meanwhile, organizations should be taking other security precautions. For instance, Jarvis says that if third parties are given access to any part of a system, that access should be carefully controlled to ensure only the privileges absolutely required in order to perform the necessary functions are granted.
"Instead of creating one large, flat network, organizations should instead architect their networks into smaller, isolated environments. By doing so, it ensures that if any part of the system becomes compromised, then that infection is limited in scope and cannot spread to the rest of the network," he says.
Unfortunately, security by design is still rare. "We are still at the stage where components like IoT, infrastructure, security and Smart Nation are taken separately, and any association currently is still in practical terms more by coincidence than by design," Lim says.