Singapore's 2021 Strategy: Secure Critical Infrastructure
Document Outlines What Organizations, Vendors, and Government Need to Know
Singapore has rolled out its new cybersecurity strategy that charts the course for the island state to become a more cyber-resilient nation.
Cybersecurity Strategy 2021, Prime Minister Lee Hsien Loong says, aims to defend the country's cyberspace, simplify cybersecurity for end users and promote the development of international cyber norms and standards.
The prime objective of Singapore's new strategy is to build resilient critical information infrastructures, or CIIs. In addition to this, Cybersecurity Strategy 2021 aims to make cyberspace safer for citizens by securing digital infrastructure, devices and applications; fostering cybersecurity talent; and strengthening Singapore's global cybersecurity posture.
Singapore released its first cybersecurity strategy in 2016. The motives for releasing a new strategy are the advent of disruptive technologies, a shift from perimeter-based security to a zero trust model, IT-OT convergence, an increased attack surface in the wake of the pandemic and the subsequent shift to remote working, and increased geopolitical tensions.
Securing Critical Information Infrastructures Is Top Priority
According to Cybersecurity Strategy 2021, CIIs that were previously isolated from the internet are now linked to other digital systems, exposing them to vulnerabilities and threats.
Singapore's new strategy encompasses the risks posed by operational technology systems and the impact on security brought about by IT-OT convergence, and states that existing policy and legislative frameworks must be able to address these risks.
In a panel discussion at Singapore's Cyber Security Agency in late September, David Koh, commissioner of cybersecurity and chief executive of the Cyber Security Agency of Singapore, or CSA, said that like IT security, OT security has increasingly become "a national security concern" due to the convergence of cyberspace and the physical world.
The new strategy advises organizations to adopt a "risk management mindset" and urges organizations to invest more in modern cybersecurity measures.
Calling cybersecurity a team sport, Cybersecurity Strategy 2021 says that the government will take the lead in rolling out initiatives, but it expects organizations to leverage their own resources and contribute to the country's cybersecurity posture.
Among other initiatives, the new strategy proposes to review the Cybersecurity Act and introduce policy initiatives, such as the OT Cybersecurity Masterplan and OT Cybersecurity Competency Framework.
Critical Infrastructure Organizations
For security leaders at organizations that constitute critical infrastructure - telecom, energy, healthcare and banking companies - the new strategy advises leveraging the CII Supply Chain Program to manage vendor cybersecurity risks.
It also urges CII owners to adopt a zero trust cybersecurity posture for critical systems and security leaders to adopt a risk-based approach and factor cybersecurity into the organization's risk management framework.
The CII Supply Chain Program, which is an initiative of the CSA, comprises security policies and processes for critical infrastructure owners and their vendors, including reporting mechanisms that show the extent to which vendors meet assurance commitments and contractual obligations.
Failure to meet the program's requirements would invoke penalties, which are currently unspecified.
Non-Critical Infrastructure Organizations
As part of another cybersecurity initiative, the SG Cyber Safe Program, organizations must apply for the SG Cyber Safe Trustmark starting in early 2022. First announced by the CSA in March 2021, the SG Cyber Safe Trustmark is a badge of distinction for companies that have good cybersecurity measures corresponding to their risk profiles.
Organizations will also be required to use resources and toolkits developed by the CSA to raise cybersecurity awareness levels.
The strategy says that hardware and software vendors must ensure that their employees are adequately equipped with the cybersecurity skills and knowledge required to build secure-by-design software and hardware products.
They must also apply to get their products certified under the Cybersecurity Labelling Scheme, or CLS. The program was launched by the CSA in March 2021 to improve internet of things security and increase the overall cyber hygiene practiced by vendor companies.
The CLS comprises four different tiers of assessment:
- The first tier entails security baseline requirements that can deal with common cyberattacks.
- The second tier checks for threat modelling, secure development, secure supply chain, and security testing.
- The third tier uses automated binary analyzers to check for known critical vulnerabilities or malware.
- The fourth and final tier requires the product to pass penetration testing conducted by third-party independent laboratories.
Cybersecurity Strategy 2021 says that the government will ensure that all its CII and non-CII systems are resilient, protected and trusted by users.
To do this, the strategy entails modernizing the cybersecurity architecture of government systems to keep up with the latest cybersecurity requirements and raise the level of cybersecurity competency in government organizations.
In addition, government organizations - both CII and non-CII - will be moving away from a "compliance mindset" that does not serve the purpose of achieving security in a rapidly evolving environment toward a "risk management mindset."
The new strategy also charts a road map to implement the Government Trust-based Architecture, or GTbA, that "translates zero trust principles to the Government concept" to "strengthen the security of applications and systems."
Singapore Government Actions
According to Cybersecurity Strategy 2021, the government of Singapore will strengthen its technical capabilities to detect and analyze malicious cyberthreats to defend against evolving threats.
"This includes the development of a Cyber Fusion Platform that will allow the Government to conduct investigations with enhanced speed and efficiency," the new strategy says. It also mentions that a new National Cyber Security Command Center will be established.
Cybersecurity Strategy 2021 encourages cybersecurity researchers to leverage the National Cybersecurity R&D Program to develop advanced cybersecurity capabilities and participate in CSA initiatives such as the Cybersecurity Industry Call for Innovation to create new innovative cybersecurity solutions. It also requires researchers to collaborate with local industry associations.
Among the goals set for government organizations, the new strategy talks about operationalizing the Government Cybersecurity Operations Center, or GCSOC, to provide real-time monitoring and increased situational awareness and ensure that incident response is fast and accurate.
In addition, Singapore's Smart Nation and Digital Government Group will encourage responsible reporting of suspected vulnerabilities through bug bounty and vulnerability disclosure programs.
Through the Better Data Driven Business program, the government aims to provide free tools and guidance to help companies secure their customers’ personal data. It also aims to support small and medium businesses that are at a fairly nascent stage in data analytics to leverage data for more complex use cases.
According to the new strategy, Singapore's Infocomm Media Development Authority and the Personal Data Protection Commission will continue to guide organizations in developing and deploying trustworthy artificial intelligence systems.
The new strategy also says that the government aims to bolster Singapore's global cybersecurity posture through capacity-building initiatives and by developing technical and interoperable cybersecurity standards.