Written Answer to Unanswered Oral Question

Steps to Protect Singapore's Critical Infrastructure from Malware Threat

Summary

This question concerns the threat posed by malware such as Pipedream to Singapore’s critical infrastructure and the measures taken to safeguard these systems. Mr Sharael Taha asked about the risks of industrial control system manipulation and how the government supports company awareness and precautions. Minister Josephine Teo stated that the Cyber Security Agency (CSA) issued advisories to Critical Information Infrastructure (CII) owners and found no evidence of local impact. She noted that CII owners must meet standards under the Cybersecurity Act, while enterprises are supported through the SG Cyber Safe Programme’s toolkits and certification marks. Minister Josephine Teo emphasized the importance of staying vigilant and practicing good cyber hygiene against evolving threats.

Transcript

99 Mr Sharael Taha asked the Minister for Communications and Information in view of malware tools such as Pipedream or Incontroller which can seize control of critical infrastructure (a) what is the threat that such malware poses to Singapore’s critical infrastructure; (b) what steps have been taken to protect Singapore from such threats; and (c) how can the Government help companies in Singapore to be aware of such threats and take the necessary precaution.

Mrs Josephine Teo: The Cyber Security Agency (CSA) monitors threats to Singapore’s cyberspace closely, especially those that threaten Critical Information Infrastructure (CII) that support essential services.

The strain of malware discovered in April, referred to as Pipedream or Incontroller, is designed to target equipment found in industrial control systems, which are core to the proper functioning and control of operational systems and processes. This malware enables the attacker to manipulate and disrupt industrial processes, allowing them to remotely collect information from these systems, shut down operations, sabotage industrial processes, and potentially cause physical harm and destruction.

When reports of this malware surfaced in April, CSA issued an advisory to our CII sector leads and owners to take precautions against this threat and make timely incident reports. To date, we have not found any evidence of Pipedream being used against our CII. Beyond CIIs, SingCERT also publishes public advisories on protecting industrial control systems, most recently in March, to advise enterprises on how they may bolster their cybersecurity measures against threats that target these systems.

It is important that CII owners and other enterprises remain vigilant against cyber threats and adopt the necessary cybersecurity practices to safeguard the systems and networks. CII owners are required by the Cybersecurity Act to put in place measures to meet cybersecurity standards set by CSA. For enterprises, CSA launched the SG Cyber Safe Programme in 2021 to encourage and help companies strengthen their cybersecurity posture. This includes a cybersecurity certification programme for enterprises – comprising the Cyber Essentials and Cyber Trust marks – to recognise enterprises that have implemented good cybersecurity practices.

CSA also developed cybersecurity toolkits for companies of various profiles to guide enterprise leaders and their employees on cybersecurity best practices. I encourage companies to apply for these cyber marks and take advantage of the resources and toolkits available on CSA’s website.

Mr Speaker, cyber threats are constantly evolving. Pipedream will not be the last strain of malware to threaten us. I urge everyone to stay vigilant, take cybersecurity seriously and practise good cyber hygiene.