Before you read the rest of this article and the ideas, expert advice from our experts, watch the video on the Top Cyber Attacks in History, so you have a better appreciation of what follows.
Done watching? If you are not disturbed by these 10 hacks, you are either not connected to the internet in any shape or form, you haven’t watched enough Die Hard movies (something to binge-watch over the Easter break).
What prompted this article is an announcement by the Singapore government of recent updates to the country’s critical information infrastructure (CII). Referencing the 2018 Cybersecurity Act, the Cyber Security Agency (CSA) of Singapore, listed 11 systems deemed necessary for the continuous delivery of essential service the loss or compromise of which of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore.
According to Joanne Wong, vice president, international markets, LogRhythm, opined that the recent SolarWinds breach has cast a spotlight on the need for organisations to implement not only robust internal cyber practices, but also insist on the same level of cyber vigilance across their entire supply chain.
“The enhanced regulations, first for financial institutions and now critical information infrastructure, drive home the need for both private and public institutions to adopt a zero-trust cybersecurity posture across their entire digital operations,” said Wong.
Who is impacted by CII
Per CSA, the critical sectors are energy, water, banking & finance, healthcare, transport (which includes land, maritime, and aviation), government, Infocomm, media, and security & emergency services. It is important to note that this is not about one company or one organisation.
The use of the term “infrastructure” recognises the connected nature of any economy. As such, while not identified explicitly, other sectors like retail can be added to the list at any point in the future.
Andre Shori, APAC chief information security officer for Schneider Electric, as the Singapore government expands compliance requirements for CII’s to include their supply chain, this will have the effect of increasing baseline cybersecurity practices throughout the industry.
“Suppliers should expect to see a marked increase in customer attention to internal cybersecurity practices. This is why we have seen the supplier community heavily invest in the adoption of cybersecurity best practices like the NIST Cybersecurity Framework and international standards like ISO 27000 and IEC 62443,” he continued.
James Alliband, a security strategist with VMware Carbon Black building security intrinsically into the fabric of the enterprise can help teams significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.
Adoption is not mandatory but…
“So, nobody has to do anything at the moment, but I am sure the minute a hack is identified as coming from a third party that will change, so maybe it makes sense to get ahead of the curve,” he added.
Because it is not mandatory, there are no sticks to throw at those that wish to do nothing. But why wait for hell to break loose if you can do something now as a good corporate citizen?
Piff points to the pitfall of being voluntary – it is difficult to validate this.
“Ask your supplier: “are you secure?” and how do you suppose they will answer? Without third- and fourth-party audits, there is no way of knowing,” he added. “Although practices and procedures are being developed and third-party auditors recommended, but until we see them, it’s still about trusting what you are told by organisations that would lose your business if they are insecure. What do you suppose they will tell you?”
Alliband says more likely CII operators already maintain some form of mandatory level of security under the Cybersecurity Act. But as high-profile attacks of 2020 show, the digital transformation efforts that CII operators have adopted and accelerated can now be used to incapacitate the delivery of Singapore’s essential services or compromise the sensitive and private data of Singaporeans.
Is compliance necessary?
If there is any lesson to be drawn from the Solarwinds breach is that CI owners and their suppliers must never rest when it comes to cybersecurity.
Shori believes strong cybersecurity is about a continuous evolution of your practices to address the dynamic threat environment.
“CI owners and suppliers should start a dynamic and transparent conversation about internal cybersecurity practices now so that relevant audits and deadlines can be met and improvements can be made,” he continued.
IDC’s Piff says everyone thinks they have one until they have to implement it, and then they realise they don’t have one at all.
“This means going far, far beyond just the IT security team and engaging the lines of business, corporate communications, legal, the C-Suite – whilst there will be an IT response to this, the whole the team is not an IT-only one,” he opined.
“I also keep in mind that legal and regulatory compliance are minimum requirements for cybersecurity. Regulations will not completely address all the risks that an entity may face, because laws cannot keep up with the pace of technology and threats. Having said that, a good cybersecurity program should complement all relevant laws and regulations that are geared towards improved cybersecurity practices,” noted Shori.
Best practices elsewhere
Schneider’s Shori suggests looking to Australia as an example, referring to the country’s Cybersecurity Strategy that sees reform of their SCI Act to establish baselines for their CII’s, IoT regulations, additional powers to help their government respond better to incidents.
Australia is investing AUD1.7 Billion towards improving its national cybersecurity strategy in 2020.
In reflecting on Singapore’s CII strategy, IDC’s Piff says the essence of the guideline is good. Many hacks are attributed to third party suppliers, and simply assuming they are secure is no longer a useful approach.
“For the supply-chain partners, your risk profile must include the risk your customer may face, so a small cleaning firm may have a limited risk profile, but if they are cleaning inside a bank, then this must be added to theirs and the appropriate security applied. This is a non-cyber example, but you can see how it would relate in the digital realm,” he added.
LogRhythm’s Wong stresses that the supply chain is only as strong as its weakest link.
“Organisations, especially in these essential sectors, must safeguard their operations and maintain visibility over their entire network by ensuring third-party vendors have the same levels of safeguards to effectively identify and remediate threats with speed. This goes hand-in-hand with the zero-trust philosophy of not trusting any unverified activity and the need for constant monitoring and surveillance to detect suspicious activities,” she concluded.