Cyber Security Agency of Singapore publishes CCoP 2.0 with regulations for owners of critical information infrastructure

The Cyber Security Agency of Singapore (CSA) has published the Codes of Practice and Standards of Performance issued by the Commissioner of Cybersecurity for the regulation of owners of Critical Information Infrastructure (CII), in accordance with the Cybersecurity Act. The CCoP 2.0 (Cybersecurity Code of Practice for Critical Information Infrastructure, Second Edition) comes into effect on Jul. 4, 2022, superseding previous versions of the Code.

“CCoP 2.0 will only come into compliance 12 months after the issuance of CCoP 2.0. Cybersecurity Code of Practice – First Edition will only be applicable to the cybersecurity audit conducted with audit period that falls before the compliance date of CCoP 2.0,” the document said. “Thereafter, CCoP 2.0 must be used for subsequent audits. However, the CIIO may use CCoP 2.0 for their audit before the compliance date if they are ready,” it added.

The CCoP 2.0 is intended to specify the minimum requirements that the critical information infrastructure owner (CIIO) shall implement to ensure the cybersecurity of the CII. “The CIIO is expected to implement measures beyond those stipulated in this Code to further strengthen the cybersecurity of the CII based on the cybersecurity risk profile of the CII,” according to the CCoP 2.0 document released Monday. 

The CSA document seeks to raise cybersecurity capabilities in the CII sectors, since the cyber threat landscape has evolved and threat actors now use sophisticated tactics, techniques, and procedures (TTPs) to attack CII sectors. Each CII sector faces cybersecurity risks specific to its digital terrain, and cyber-attacks have increased in scale and sophistication to the point where they could present systemic risks to Singapore.

The CCoP 2.0 aims to improve defenders’ odds against attackers’ sophisticated TTPs and to impede the progress of attacks. It also enhances agility in addressing emerging risks across domains such as cloud, 5G, and AI, and it enables coordinated defenses between the government and private sectors to identify, discover, and respond to cybersecurity threats and attacks in a timely manner.

The compliance timeline in the initial CCoP 2.0 draft provided for immediate effect for existing clauses. CSA has since revised the compliance timeline to a 12-month grace period for compliance with all clauses of CCoP 2.0, applicable to both existing and any newly designated CII.

CSA also recognized the technical and/or operational challenges of implementing the revised, heightened cybersecurity requirements and the need for a longer grace period to comply with all of them. “Unfortunately, the impending cybersecurity threats have raised the need for more effective measures to be built-up expediently to reduce cybersecurity risks. Cybersecurity is a continuous process of risk reduction,” it added.

The CSA said that the Act does not penalize a CIIO that requires more time and/or resources to implement the measures. “It allows the Commissioner to grant the necessary waivers when there are valid reasons. If the CIIO is unable to comply with any specific CCoP 2.0 requirements, it may submit a request of waiver made available under Section 11(7) of the Cybersecurity Act to the Commissioner. The Commissioner has the authority to reject the waiver if the mitigating or compensating controls are deemed to be insufficient,” it added.

The CCoP 2.0 document also addresses governance requirements, which involve establishing and maintaining frameworks to ensure that the CIIO’s cybersecurity strategies are aligned with its business objectives. It guides the CIIO in evaluating, defining, and directing efforts to manage cybersecurity risks, covers identifying the resources and assets that support the CIIO’s critical business functions, and enables the CIIO to prioritize its efforts in protecting those assets.

The CSA document also covers protection requirements, which help the CIIO understand and implement the people, process, and technology controls required to protect the CII and to limit and contain the impact of cybersecurity incidents. It likewise covers detection requirements, which aim to assist the CIIO in understanding and implementing the people, process, and technology controls needed to detect and identify any malicious activity or vulnerability that could compromise the CII, including stepping-stone attacks and attacks against the crown jewels of the system. The CIIO must investigate and identify potential threats and determine the impact, root cause, and controls for containing threats and incidents and fortifying the CII.

Furthermore, the CCoP 2.0 document requires the CIIO to establish, manage, and exercise cybersecurity incident response plans and crisis communication plans to prepare the CII for cybersecurity incidents. It also addresses cyber resilience, which includes maintaining the ability of the CIIO and the CII to withstand cybersecurity incidents, continue delivering essential services, and recover from cybersecurity incidents.

Effective security awareness training helps employees understand proper cyber hygiene and the security risks associated with their actions, and helps them identify cybersecurity incidents they may encounter in their work, the CCoP 2.0 document said. “Being aware of the evolving cybersecurity threats and being equipped with the essential cybersecurity skillsets enable the CIIO to recognise cybersecurity threats and mitigate them in a timely manner,” it added.

The CSA document also sets out OT (operational technology) architecture and security requirements. With increased connectivity between IT and OT systems, threat actors can compromise Internet-connected IT systems, secure a foothold, and move to the OT systems to disrupt industrial processes. Therefore, when designing the security architecture for OT, it is strongly recommended to segregate the OT network from the enterprise network. It is also essential to incorporate engineering design concepts such as fail-safe mechanisms to eliminate or reduce the consequences of cybersecurity risks for the affected system, it added.
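The segregation recommendation above can be checked mechanically against a firewall rule set. The script below is an added example, not code from CSA or the CCoP 2.0 document; the zone prefixes, the rule format and the sample rules are all constructed assumptions. It models three zones (enterprise IT, an OT DMZ, and the OT network) and flags any allow rule that lets enterprise traffic reach OT without passing through the DMZ, any rule that references an address outside the defined zones, and a rule set that does not end with an explicit deny-all default.

```python
"""Audit a constructed firewall rule list for IT/OT segregation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: the prefixes are illustrative assumptions, not CCoP 2.0 text.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "ot_dmz": ip_network("10.20.0.0/24"),
    "ot": ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str      # single IPv4 address or "any"
    dst: str      # single IPv4 address or "any"
    port: int     # TCP port, 0 meaning any port
    action: str   # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address to its zone name; "any" stays "any", unmatched is "unknown"."""
    if addr == "any":
        return "any"
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def audit_rules(rules):
    """Return (rule_index, message) findings for rules that break the segregation model."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
        if src_zone in ("enterprise", "any") and dst_zone in ("ot", "any"):
            findings.append((idx, "allow rule permits enterprise-to-OT traffic that bypasses the DMZ"))
        elif "unknown" in (src_zone, dst_zone):
            findings.append((idx, "allow rule references an address outside every defined zone"))
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append((len(rules), "rule set does not end with an explicit deny-all default"))
    return findings


# Constructed sample rule set for a historian-in-DMZ design.
SAMPLE_RULES = [
    Rule("10.10.5.7", "10.20.0.10", 443, "allow"),   # IT workstation to DMZ historian
    Rule("10.20.0.10", "10.30.1.20", 502, "allow"),  # DMZ historian to PLC (Modbus/TCP)
    Rule("10.10.5.7", "10.30.1.20", 3389, "allow"),  # direct IT-to-OT RDP: breaks segregation
    Rule("any", "any", 0, "deny"),                   # default deny
]

if __name__ == "__main__":
    for idx, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```

Run as-is, the audit reports only rule 2 (the direct IT-to-OT RDP allow); dropping the trailing deny-all produces a second finding. The check is deliberately conservative: an allow rule with "any" as source or destination is treated as an enterprise-to-OT path, since it would permit one.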

Last month, the Canadian government introduced a legislative bill to strengthen Canada’s cybersecurity stance across the financial, telecommunications, energy, and transportation sectors. The move would also introduce a regulatory regime requiring designated finance, telecommunications, energy, and transportation operators to protect their critical cyber systems.
