Strengthening Protection for Singapore’s Critical Information Infrastructure Given Rise in Advanced Persistent Threat Attacks

122 Mr Sharael Taha asked the Minister for Digital Development and Information with the rise in Advanced Persistent Threat (APT) attacks against Singapore's critical infrastructure (a) what safeguards beyond mandatory reporting will be required of Critical Information Infrastructure (CII) owners for early detection and containment; and (b) how the Ministry will strengthen capability, talent and resources to defend against such threats.

123 Mr Sharael Taha asked the Minister for Digital Development and Information in light of the Advanced Persistent Threat (APT) attacks against Singapore's critical infrastructure (a) how will the Ministry work with international organisations and agencies to strengthen deterrence against such threats; and (b) whether the Ministry will consider a whole-of-Government approach to raise awareness and preparedness for such threats among organisations beyond critical information infrastructure (CII) operators, including businesses and the public.

124 Mr Sharael Taha asked the Minister for Digital Development and Information how can Singapore better harmonise its cyber resilience across industries by adopting international standards on cybersecurity for operational technology, such as IEC 62443 and MITRE ATT&CK for Industrial Control Systems, in light of a recent attack on Singapore's critical information infrastructure by advanced persistent threat actors (APT).

Mrs Josephine Teo: Singapore is indeed a target for cyberattacks by advanced persistent threat (APT). From 2021 to 2024, suspected APT attacks on Singapore increased more than fourfold. Such attacks happen across the private and public sectors, and various industries. Most recently, agencies detected UNC3886 attacking our critical information infrastructure (CII). Such attacks seriously threaten our national security. They can disrupt the delivery of essential services like electricity and water. Our sensitive data may also be stolen.

The Cyber Security Agency of Singapore (CSA) works closely with both domestic and international partners and stakeholders to protect our nation's cyberspace against such threats.

Within Singapore, CII owners play a critical role in safeguarding the critical systems under their charge. Under the Cybersecurity Act and Cybersecurity Code of Practice, CII owners must meet certain baseline requirements to help protect them from known vulnerabilities. These requirements are generally aligned to international best practices, such as the International Electrotechnical Commission (IEC) 62443 series of standards for automation and control systems, and the MITRE ATT&CK framework for Industrial Control Systems. CII owners must also conduct regular cybersecurity testing and audits to verify the robustness of their defences. To raise awareness and prepare organisations for cyber threats, CSA conducts Exercise Cyber Star each year. This nationwide exercise tests critical sectors on their readiness to respond during a cyber crisis.

International collaboration is also key to countering cyber threats, given the borderless nature of cyberspace. To this end, Singapore participates in regular CERT-to-CERT exchanges and joint cross-border operations, including with regional partners through the ASEAN Regional Computer Emergency Response Team.

While we have the foundations laid, we cannot afford to be complacent. APTs are highly skilled and well-resourced. They are constantly testing their target' defences and finding new ways to achieve their objectives. Therefore, CSA is reviewing how we can work with relevant agencies and stakeholders to better protect our CII. We will share more when ready.