Singapore’s Cyber Security Agency announces targeted initiatives at SICW 2023

“Given the pervasive and fast-changing nature of digitalisation, we must adopt a multi-stakeholder approach and foster partnerships across borders and sectors,” said Deputy Prime Minister and Coordinating Minister for Economic Policies Heng Swee Keat.

He was speaking at the Singapore International Cyber Week (SICW), organised by the country’s national cybersecurity body, Cyber Security Agency (CSA). This year’s SICW explored how global policymakers and industry leaders can enable trust in the digital space through cybersecurity partnerships.

At the annual cybersecurity event, leaders from Singapore’s Cyber Security Agency announced key cybersecurity initiatives aimed at fortifying medical devices, Singapore’s cyber security workforce, and the cloud posture of businesses.

Cybersecurity labelling scheme for medical devices sandbox

First, the agency announced a new sandbox through which medical device manufacturers can submit their medical devices for cybersecurity testing, following which they can acquire one out of four possible cybersecurity ratings certifying the security of their products. 

These range from meeting baseline security requirements to withstanding third-party penetration testing and security evaluation.

“We think that there’s a need to plug this gap, where people need to know how strong the [medical] devices are, with respect to cybersecurity, to raise the awareness to get the correct devices that match their needs,” said Dr Alvin Lee, Deputy Director (Analytics and Capacity Building), Health Regulation - Ministry of Health. This can help healthcare purchasers make informed decisions, he explained.

He noted that the scheme, which will be voluntary to start and encompass new and existing devices, would require “alignment with existing policies, for example, procurement processes”. The ultimate goal, he added, is to have all medical devices used in hospitals be secure.

He was speaking at a session titled Strengthening Cybersecurity of Medical Devices - A Team Sport Approach, where he shared on how the Ministry of Health, the Health Sciences Authority, Synapxe, and CSA engaged key stakeholders to strengthen the cybersecurity of connected medical devices. 

In total, the agencies collected over 220 responses from industry providing feedback on the proposed scheme. 

Though connected devices are integral to modern healthcare, such devices may lack strong security as manufacturers prioritise speed to market, shared Poh Chang Chew, Principal Cybersecurity Consultant OT/Critical Infrastructure APAC, Fortinet with GovInsider.

Medical devices are critical tools to improving remote care and hospital care, GovInsider wrote previously.  

The first phase of the sandbox will go live on 20th October. 

Cloud security guides for organisations

Next, the agency announced the release of two cloud security guides that can help organisations better understand their role in securing the cloud environment and the cyber security preparations expected of them in accordance with national cybersecurity standards.

“These companion guides are intended to help enterprises be cyber safe when using the cloud  and help them achieve the Cyber Essentials and Cyber Trust marks. In doing so, their customers will have greater peace of mind when transacting with them,” said Dan Yock Hau, Assistant Chief Executive, CSA, in a press release.

The guide for Cyber Essentials aims to help customers better understand their responsibilities under the shared responsibility model.

Under the shared responsibility model, cloud users and cloud providers play different roles in securing the cloud: providers secure the environment of the cloud, while users ensure the security of data and environments within the cloud.

The second guide maps the cybersecurity preparedness domains of the Cyber Trust mark to the Cloud Security Alliance’s Cloud Controls Matrix, a de-facto standard for cloud security compliance. Cloud users can use this guide to determine if their cybersecurity posture is sufficient, from their cyber training initiatives to their data privacy plans.

These guides were developed in partnership with major cloud providers such as Amazon Web Services, Google Cloud, and Microsoft Azure, who helped to validate the contents of the guide and share insights from their customers’ journeys.

At this year’s Cloud Security Summit, cloud leaders from the Government shared some key hacks to navigating these responsibilities.

Cyber training for non-cyber professionals

CSA is launching SG Cyber Associates, a new programme that will provide foundational and targeted cyber training for non cyber professionals to support smaller organisations in dealing with their cyber threats.

The agency is partnering with professional bodies to train professionals such as engineers, auditors, and lawyers to better manage the unique cybersecurity challenges their industries face, from the digital underpinnings of engineering systems to data privacy concerns.

IT and software professionals can also tap on such training to create more secure products and services by design from the outset.

CSA is partnering with ISC2, a nonprofit specialising in cybersecurity certification, to offer entry-level foundational training to 10,000 participants over a period of three years.

CSA will also develop customised training with professional bodies to meet the specific needs of its members. Their first partnership will be with the Institute of Engineers Singapore and a local training provider to provide courses on specific tech domains.

At SICW, DPM Heng announced a structured programme, the SG Cyber Leadership and Alumni Programme, which will provide training courses catered to a range of participants at different stages of their cybersecurity journey. These courses will cover matters of cybersecurity policy and cyber diplomacy.

CSA has signed two Memoranda of Understanding with Microsoft and Google respectively to cooperate on cybersecurity.