New effort to protect Singapore's critical information infrastructure

New CII Supply Chain Programme to help better manage cyber-security risks in the supply chain

Organisations running Singapore's critical information infrastructure (CII), such as telecommunication networks and public transport systems, will be asked to better manage their vendors' cyber-security risks, in the wake of recent global hacking attacks through third-party suppliers.

This will be done under a new national effort called the CII Supply Chain Programme, which is being developed by the Cyber Security Agency of Singapore (CSA), with CII owners and an external consultant that the agency will engage.

The programme, not mandatory for now, covers the owners of CII and their vendors in 11 sectors: Government; security and emergency; healthcare; media; banking and finance; energy; water; info-communications; maritime; aviation; and land transport.

Announcing this during the debate on his ministry's budget yesterday, Senior Minister of State for Communications and Information Janil Puthucheary said the programme will recommend processes and sound practices for all stakeholders to manage cyber-security risks in the supply chain.

Discussions with stakeholders will also help the Government improve its policies around supply chain security, he added.

"With more activities taking place online, it's important that people trust the digital systems used to store, collect and transfer our information," said Dr Janil.

The programme's announcement comes after recent cyber attacks, such as one revealed in December in which IT management software provider SolarWinds was targeted by hackers.

About 18,000 customers of the Texas-based firm were hit, including American tech giants Microsoft and FireEye.

Many more could be exposed to the risk of data theft, as the full extent of the damage from the SolarWinds hack has yet to be determined.

Closer to home, a file-sharing system provided by US cloud-sharing company Accellion was targeted by a cyber attack in December, affecting customers globally, including Singapore's largest telco, Singtel.

About 129,000 Singtel users' data was stolen in the breach.

Currently, all CII owners must maintain a mandatory level of cyber security under the law.

But Dr Janil yesterday said the Government also recognises that most organisations, including CII owners, engage vendors to support their operations.

"Therefore, we also need to manage cyber-security risks across the supply chain," he added.

More details on the supply-chain programme are expected in the third quarter of this year.

This article first appeared in The Straits Times.