Essential services providers to meet higher cyber-security standards under proposed law amendment

Source: Straits Times
Article Date: 04 Apr 2024
Author: Osmond Chia

The Cyber Security Agency of Singapore said that the Bill – the first change to the Act since it came into force in 2018 – seeks to expand its oversight of critical information infrastructure, as threats can often be obscured with increased digitalisation.

Essential services operators in Singapore must declare cyber-security outages and attacks faced by suppliers, as well as require these suppliers to provide contractual assurances, as part of proposed changes to the Cybersecurity Act tabled on April 3.

The authorities can also require organisers of major events here and autonomous universities to disclose their cyber-security measures under the Cybersecurity (Amendment) Bill.

The Cyber Security Agency of Singapore (CSA) said that the Bill – the first change to the Act since it came into force in 2018 – seeks to expand its oversight of critical information infrastructure (CII), as threats can often be obscured with increased digitalisation.

“The key aspect of the Bill is that it will ensure that CII owners remain responsible for the cyber security and cyber resilience of the CII, even as they embrace new technological and business models, like the use of cloud computing,” said CSA. “CII owners will also be required to report more types of incidents, such as those that happen in their supply chains.”

The critical sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.

The changes will expand CSA’s oversight of CII and any linked third-party systems, as well as levers to audit the digital defences of major event organisers, universities and other groups that hold sensitive data or perform significant functions.

CII owners will still bear responsibility for cyber incidents, including those that take place within the systems of their vendors and even if the CII had been outsourced or offshored. Thus, the Bill will require essential services providers to obtain legally binding cyber-security commitments from third-party vendors.

CII owners that fail to comply can face penalties.

The Bill also requires designated digital infrastructure players and entities of special cyber-security interest to follow similar obligations, under a separate framework where they are subject to “light touch” regulations as they are not owners of designated CII.

The Bill comes after several rounds of public consultations with companies, trade associations, government agencies and individuals since 2022.

Respondents generally understood the need for greater oversight, while some raised concerns about which systems in their periphery should be considered to be interconnected with their critical services, CSA said. Others asked about costs and how they would be inspected.

CSA said the proposed laws aim to address evolving tactics of cyber criminals to disrupt essential services, adding: “CSA holds the view that all CIIs, regardless of whether they are outsourced or owned by CII owners, should be subject to similar levels of cyber-security requirements.”

On how systems will be inspected, CSA said the proposed law makes clear that the authorities will step in only when it appears the CII owner has failed to comply.

Once the new policies are in force, organisations that do not comply can be penalised through fines, depending on the severity of the case.


Proposed changes to Cybersecurity Act of S’pore, and what triggered them

Amendments to the Cybersecurity Act were tabled in Parliament on April 3 to take into account risks introduced by suppliers, outsourcing and offshoring.

Critical information infrastructure (CII) operators in the essential services sectors remain answerable to the Cyber Security Agency of Singapore (CSA) for any lapses.

The sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.

Here is a quick look at the key changes in the Cybersecurity (Amendment) Bill.

1. Securing supply chains

  • CII operators must report all incidents aimed at their systems, including those managed by or linked to their suppliers, as long as they impact the CII’s services.
  • The proposal comes after major cyber attacks around the world that have targeted peripheral systems to sabotage critical services.
    • In 2019, hackers introduced malicious code into an IT monitoring tool from US software firm SolarWinds that serviced thousands of organisations. Over several months, the attackers gained access to the data of more than 30,000 public and private firms in the US.
    • In 2021, Colonial Pipeline, which operates the US’ largest fuel pipeline, was forced to shut down after attackers took control of its corporate payment services, which lie outside of its critical functions.

2. Oversight of cloud services

  • The definition of “computers” will include virtual systems and cloud infrastructure – servers hosted on the internet that store and process data – that are rising in usage.
  • CII owners have the option of moving to commercial cloud solutions, such as those offered by Amazon Web Services, Microsoft or Alibaba Cloud, while still bearing responsibility for any cyber-security lapses. The CII operator must make clear to third-party vendors that they have to comply with Singapore’s rules.
  • At least one of the physical computing resources of the cloud services provider that support the virtual system has to be deployed locally.
  • Data centres, cloud services and other foundational digital infrastructure that provide services to or out of Singapore will be regulated under a separate framework from main CII operators that will subject them to “light touch” regulations. They will have to provide cybersecurity-related details upon request, report any incidents and comply with standards of performance set by CSA.
  • In 2021, critical vulnerabilities were found in cloud computing platform Microsoft Azure’s database that could permit hackers to access sensitive databases.
    • The changes to the Cybersecurity Act will make it mandatory for service providers to share details of such attacks, so that lessons can be shared with the wider industry and necessary action taken.

3. Regulation of systems used in key events

  • CSA can designate systems that are critical to Singapore for a limited period as “systems of temporary cyber-security concern” and require their owners to comply with heightened cyber-security standards.
  • Operators of designated systems will have to provide cybersecurity-related information upon request, comply with CSA’s standards, and report cyber-security incidents.
  • These can be systems used for high-key activities akin to major vaccine distributions, forums or international events, such as the 2018 North Korea-US summit in Singapore.
    • In 2020, organisations around the world that were distributing Covid-19 vaccines were targeted by cyber attackers, who attempted to steal network log-in credentials to disrupt the distribution of doses, IBM reported.

4. Entities of special cyber-security interest

  • Some autonomous universities and others deemed entities of special cyber-security interest will have to provide cybersecurity-related information to CSA upon request.
  • Such entities are attractive targets for bad actors due to the sensitive data they hold or the function that they perform.
  • Their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety or public order of Singapore, said CSA.
  • CSA does not intend to publish the full list of designated entities, for security reasons.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.
