Update on Status of 11 Critical Information Infrastructure Sectors Identified to Review Their Connections to Untrusted External Network
Prime Minister's Office
Summary
This question concerns the progress of 11 Critical Information Infrastructure (CII) sectors in reviewing network connections to untrusted external sources and the availability of government financial assistance. Miss Cheng Li Hui inquired about the completion timeframe for these reviews and the strategies for ensuring sustained vigilance within these critical sectors. Prime Minister Lee Hsien Loong responded that the review process will conclude by the end of 2018, with sectors instructed to remove unsecured connections or implement secured informational gateways. He clarified that government grants will not be provided for compliance as cybersecurity is a fundamental business cost, though the Cyber Security Agency of Singapore will provide professional advice. Finally, the Government will continue to work with CII owners to balance security needs with operational efficiency while providing public education through the Singapore Computer Emergency Response Team.
Transcript
1 Miss Cheng Li Hui asked the Prime Minister with regard to the 11 sectors identified to review their connections to untrusted external network (a) what is the timeframe for the sectors to complete their review; (b) whether Government grants and funding will be provided to assist companies in these sectors to beef up their cybersecurity capabilities; and (c) how does the Government plan to work with these companies to ensure that they stay vigilant.
Mr Lee Hsien Loong: In light of the recent cyber-attack on SingHealth’s computer systems, the Cyber Security Agency of Singapore (CSA) instructed the 11 Critical Information Infrastructure (CII) sectors to strengthen their network security, including taking the following steps:
Remove all connections to unsecured external networks if there are no strong business or operational reasons to keep such connections open.
If connections to unsecured external networks are required, these should ideally be mediated through uni-directional gateways, for example, data diodes to prevent data leakage.
If two-way communications between the secured network and unsecured external network are required, a secured informational gateway has to be implemented, such as filters for malicious content and firewalls.
The 11 CII sectors are currently conducting a review of their systems, in consultation with CSA. This process will be completed by the end of 2018.
The Government will continue to review the essential security measures that CII owners must adopt. Ultimately, these security measures must strike a balance between security, operational efficiency and cost. This is a dynamic balance that will be reviewed as the threat landscape evolves.
In an increasingly digital world, cybersecurity is critical to protecting business operations and strengthening trust between businesses and their customers. The Government will therefore not be providing grants or funding to CII owners to comply with cybersecurity requirements and implement such cybersecurity measures which should be borne by companies as part of normal business costs. Nevertheless, the Government and CSA will continue working closely with CII owners and businesses to strengthen their cybersecurity posture. This includes rendering professional advice to businesses, and working with the industry to provide affordable and convenient cybersecurity services to companies. In addition, the Singapore Computer Emergency Response Team (SingCERT) will continue to educate the public and businesses on how to protect themselves in cyberspace. Businesses and members of the public can visit SingCERT at www.csa.gov.sg/singcert and Gosafeonline at www.csa.gov.sg/gosafeonline for cybersecurity advisories and tips.