The Singapore government has asked 11 critical information infrastructure (CII) sectors to raise their level of network security following a recent major cyber attack on SingHealth, one of the country’s two major healthcare groups. During the attack, which is largely believed to be state-sponsored, the personal information of 1.5m individuals, including the prime minister, was illegally accessed and stolen.
The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, are government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media. The Cyber Security Agency of Singapore (CSA) has instructed them to take additional measures, including the following:
- Remove all connections to unsecured external networks;
- If there are strong business or operational reasons to keep open connections, these should be mediated through uni-directional gateways (e.g., data diodes) to prevent data leakage; and
- If two-way communication between the secured network and unsecured external network is required, a secured informational gateway has to be implemented.
On a sector-specific basis, the Monetary Authority of Singapore (MAS) has also directed financial institutions to tighten their customer verification processes.
To address the risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions, financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification.
Additional information must be used for verification before undertaking transactions for the customer. This may include, for instance, a one-time password, PIN, biometrics, or the last transaction date or amount. Financial institutions must also conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions. A