The Singapore government has asked 11 Critical Information Infrastructure (CII) sectors to raise their respective level of network security, following the recent major cyber attack on the country's public health system.
The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, include Government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media. The Cyber Security Agency of Singapore (CSA) has instructed them to take additional measures including the following:
a) Remove all connections to unsecured external networks;
b) If there are strong business or operational reasons to keep open connections, these should be mediated through uni-directional gateways (e.g. data diodes) to prevent data leakage; and
c) If two-way communication between the secured network and unsecured external network is required, a secured informational gateway has to be implemented.
This was announced in a statement jointly issued by the CSA and the Smart National and Digital Government Office on 3 August.
The Singapore government, which is one of the 11 CII sectors, has already implemented significant measures in the last three years to comply with these cybersecurity guidelines. For example, an 'air gap', or internet surfing separation, has removed unnecessary external connections with unsecured networks from most public servants' computers.
In the recent cyber attack on SingHealth, which was estimated to take place in the week prior to 4 July, Singapore’s largest group of healthcare institutions that includes four hospitals, five national specialty centres and eight polyclinics, personal data of 1.5m patients were stolen, included that of Prime Minister Lee Hsien Loong. Experts have said the attack was largely state sponsored.
Given the breach, the government is now studying whether it is feasible to permanently implement the same air gap in the public health systems that it has implemented in the public service, while considering the inconvenience this may bring. It is also looking into using virtual browsers on quarantined servers to access the Internet safely, and is expected to complete a pilot of such a system by the end of next month.
On 20 July, it had announced that all of Singapore's Smart Nation plans, including the mandatory contribution to the National Electronic Health Record (NEHR) project - which enables the sharing of patients' treatment and medical data among hospitals here – would be paused. However, in its latest statement, it has lifted the hiatus.
“The Smart Nation and Digital Government Group (SNDGG) has completed its review of cybersecurity policies and will implement additional measures for critical Government systems, to strengthen the ability to detect and respond quickly to cybersecurity threats. With these additional measures, the Government will lift the pause on new systems with immediate effect (3 August 2018),” it said.
“While the Government will continue to review and upgrade its security measures to guard against new threats and strengthen its infrastructure, it is not possible to completely eliminate the risk of cybersecurity attacks. We should not allow such incidents to hold us back in building a Smart Nation and Digital Government. We need to persist in our efforts to harness the potential of the Digital Age, while building deeper expertise in cybersecurity so that we can do so confidently.”