Pause on Smart Nation drive lifted; 11 sectors told to raise network security level

SINGAPORE — New technology projects and computer systems in the public sector will be allowed to resume their roll-out, the Government announced on Friday (Aug 3) as it lifted a temporary pause imposed in the wake of an unprecedented cyber attack on SingHealth.

At the same time, 11 critical information infrastructure sectors – including aviation, land transport, media and banking and finance – have been instructed to raise their level of network security.

These sectors will have to remove all connections to unsecured external networks, also known as the implementation of Internet surfing separation.

If there are strong business or operational reasons to keep open connections, these sectors should use uni-directional gateways – which allow data transfer to flow in a single direction – to prevent data leakage, said the Cyber Security Agency and the Smart Nation and Digital Government Group.

And if two-way communication between a secured network and an unsecured external network is required, the sectors should implement a secured informational gateway.

Speaking to TODAY, National University of Singapore adjunct professor Yu Chien Siang said the "expensive" uni-directional gateways cannot prevent data leakage completely, "and will also allow malware to enter". 

He described a secured informational gateway as a "firewall with strict rules", and companies in the critical information infrastructure sectors would already have them. However, it will not stop advance persistent threat attacks, he added.  

Nevertheless, a secured informational gateway acts as a security-guard outpost between an organisation’s network and the Internet, said Ms Joanne Wong, senior regional director for Asia-Pacific and Japan at security intelligence firm LogRhythm.

Such a gateway would subject all information going in and out of the secured network to “checks”.

Secured informational gateways can be seen in organisations that require users to sign in through a web portal in order to access the organisation’s Internet and resources. Ms Wong said they are a “good practice and add an additional layer of security without compromising the benefits of the Internet”.

Banks in Singapore and the region frequently use secured informational gateways as one of many deterrence measures. The same gateways can be used to speed up detection and response to threats in the event of a breach, she said.

Over a one-week period from June 27 to July 4, hackers broke into the IT systems of SingHealth, Singapore's largest healthcare group, to steal the demographic data of 1.5 million patients. They also took the records of the outpatient medication given to 160,000 people, among them Prime Minister Lee Hsien Loong.

In the wake of the cyber attack, the biggest and most serious yet on Singapore, the Government on July 20 ordered a pause on all Information and Communications Technology (ICT) projects in the public sector.

On Friday, the Government said it has, as one of the 11 critical information infrastructure sectors, implemented significant measures such as Internet surfing separation in the last three years to comply with cyber-security guidelines.

If measures to delink workplace computers from the Internet had been in place, SingHealth could have reduced the number of vulnerable openings in its systems, Deputy Prime Minister Teo Chee Hean had said in the wake of the cyber attack.

"We could and should have implemented Internet surfing separation on public healthcare systems just as we have done on our public sector systems," said Mr Teo at the Public Service Engineering Conference 2018 last month. "This would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to attack.”

Following the SingHealth cyber attack, all three public healthcare clusters – SingHealth, National Healthcare Group and National University Health System – implemented temporary Internet surfing separation measures.

Ms Wong noted that the level of network security across the 11 sectors may differ. Traditionally, banking and finance and government institutions were the most likely targets of cyberattacks and many organisations in the two sectors will already have one of the three options instructed by the Government in place.

“However, the remaining sectors might not, especially those that require heavy use of external communications. Sectors such as maritime, emergency services, energy, land transport and media are emerging targets for hackers and might not already have the network infrastructure in place to cater for such segregation,” said Ms Wong.

In lifting the pause on new ICT systems, the Government said it was not possible to completely eliminate the risk of cybersecurity attacks even as it continued to review and upgrade its security measures.

"We need to persist in our efforts to harness the potential of the digital age, while building deeper expertise in cybersecurity so that we can do so confidently,” the Cyber Security Agency and the Smart Nation and Digital Government Group said. ADDITIONAL REPORTING BY SIAU MING EN