CSA’s CII supply chain paper works on mitigating cyber risks, uplifting cyber resilience

The Cyber Security Agency of Singapore (CSA) released a CII Supply Chain program paper that acts as a blueprint for the CSA, sector leads, CIIOs (critical information infrastructure owners), and vendors to build cybersecurity and resilience into the CII supply chain in response to the evolving threat landscape and increased digitalization. The program lays down five foundational initiatives to mitigate cyber supply chain risks and uplift the cyber resilience of Singapore’s essential services, and serves as the beginning of a journey toward a secure and resilient future for Singapore’s CIIs (critical information infrastructures).

David Koh, commissioner of cybersecurity and chief executive at the CSA, said that the cyber supply chain issue is multi-faceted and multi-layered, and there are seldom any ‘perfect’ or ‘easy’ answers to this wicked problem. “The increasing complexity of supply chains affects both public and private sectors and is both a domestic as well as an international challenge. Addressing supply chain risks must be a multi-pronged effort.”

The cyber supply chain is only as strong as its weakest link, Koh said in his foreword to the paper. “It was with this challenge in mind that CSA conducted consultations with stakeholders, regulators, and industry experts to understand their posture and insights on cyber supply chain risk. With these insights, CSA will drive initiatives to enable the maturity and aid these organisations in their management of cyber supply chain risks,” he added.

The CII Supply Chain program outlines five foundational initiatives to begin the journey to address the cyber supply chain challenges facing CIIs at organizational, sectoral, national, and international levels. The actions include the development of a toolkit for the CIIOs to help them identify and inventory vendors, apart from assessing and rating their cyber supply chain risks using a standardized vendor management methodology. The goal is to aggregate a national view of all Tier 1 CII vendors and progressively move towards an increased depth of visibility of the cyber supply chain. 

The agency also recommends a handbook that provides a repository of sound contractual terms for CIIOs to include cybersecurity requirements in their vendor contracts. The handbook enables CIIOs to improve negotiations with their vendors towards improved cybersecurity practices, helping to place collective pressure on vendors and motivate them to achieve an improved cybersecurity posture for their products and services.

The paper also includes a certification program under which CII vendors meet a set of baseline cybersecurity requirements for the cyber supply chain, using standards and certification to incentivize vendors to improve their cybersecurity capability. The CSA also suggests a learning hub for sharing knowledge, sound practices, and training resources on cyber supply chain risk management with CII stakeholders. The learning hub increases the awareness and appreciation of cyber supply chain risks among senior leaders and procurement stakeholders, elevating the topic from a technological concern to an organizational imperative.

The CSA also includes a platform for international cooperation to initiate close collaborations and working relationships with international government counterparts and industry groups to collectively address cyber supply chain resilience. The program aims to bring the various stakeholders in the ecosystem together to reduce cyber supply chain risks, create a catalyst for change, and elevate the state of cyber resilience of Singapore’s essential services.

The CSA paper said that the CII supply chain program addresses three core objectives towards strengthening the availability and resilience of Singapore’s essential services in response to CII cyber supply chain risks. It seeks to develop a national framework that increases the transparency and visibility of cyber supply chain risks to CIIs. The framework enables CSA, sector leads, and CIIOs to contribute to managing cyber supply chain risks for CIIs with increasing sophistication, enhancing the cyber resiliency of Singapore’s essential services.

The program also works to align CIIOs on a shared understanding that provides a consistent approach to managing cyber supply chain risks, while remaining flexible enough to adapt to the needs of different sectors. This approach drives consistency in how CIIOs assess and improve the adequacy and efficacy of cybersecurity controls for the IT, operational technology (OT), and Internet of Things (IoT) products and services vendors used to operate and maintain Singapore’s CIIs.

Lastly, the program aims to catalyze an ecosystem of CIIOs and vendors incentivized to continuously improve cyber supply chain resilience by establishing the foundational groundwork required to initiate proper governance structures and drive desired behaviors. 

The intended benefits and outcomes of the CII supply chain program include a framework to guide CIIOs in the practices and processes required to increase the visibility of CII cyber supply chains, mitigate cyber supply chain risks, and improve the cyber resilience of CIIs. It also works towards enhanced cyber supply chain risk management capabilities for all CIIOs, regardless of sector, current maturity, or size.

Furthermore, the program aims to improve CII vendor cybersecurity practices and the cybersecurity of the products and services they provide, increase collaboration between CIIOs, especially within individual sectors, to collectively manage cyber supply chain resilience risks in Singapore, and reduce information asymmetry between CII vendors and CIIOs on cyber supply chain incidents to assist with early warning and reduce response and mitigation time. 

The CII supply chain program leverages transparent and consistent standards and sound practices to define initiatives and requirements. Building on existing industry-recognized standards such as ISO 27001 and the NIST Cybersecurity Framework leads to convergence on a common set of requirements aligned to established, widely known sound practices, which makes the requirements easier for CIIOs to implement. With standardized cyber supply chain risk management practices, CIIOs can more effectively integrate requirements of the program, or of future cyber supply chain initiatives, with existing risk management processes.

The program emphasizes an approach to cyber supply chain risk management that is proactive and continuous throughout the vendor lifecycle. The approach encourages CSA, sector leads, and CIIOs to take ongoing preventive measures to assess and prevent cyber supply chain risks. The CII supply chain program also pushes CIIOs to pivot towards anticipating and mitigating cyber supply chain risks continuously. Monitoring and addressing gaps in vendor cybersecurity controls can no longer take a point-in-time approach; it needs continuous assessment and tracking.

Recent supply chain attacks affecting enterprises include the Log4j vulnerabilities, SolarWinds, and Kaseya. The similarity across these three examples is that the attacks were against ‘linchpin technologies’—services or products vital to many organizations’ functioning. Disruptions to these technologies can create amplified effects that cascade down to have far-reaching impacts.

The U.S. Cyber Safety Review Board (CSRB) released its initial report this month, which disclosed that the organizations that responded most effectively to the Log4j event understood their use of Log4j and had the technical resources and mature processes to manage assets, assess risk, and mobilize their organization and critical partners to action. The report added that, to reduce the recurrence of vulnerabilities like Log4j, it is essential that public and private sector stakeholders create centralized resourcing and security assistance structures that can support the open source community going forward.

Earlier this month, the two-day Operational Technology Cybersecurity Expert Panel (OTCEP) Forum 2022 was held in Singapore, bringing the nation’s OT cybersecurity practitioners, operators, industry, researchers, and policymakers together with international experts in the field. The conference helps enhance mutual learning by bringing together people with different experiences and unique perspectives to address OT cybersecurity challenges.