MCI response to PQ on Steps to Protect Singapore Critical Infrastructure from Malware Threat

Parliament Sitting on 4 July 2022

QUESTION FOR WRITTEN ANSWER

99. Mr Sharael Taha: To ask the Minister for Communications and Information in view of malware tools such as Pipedream or Incontroller which can seize control of critical infrastructure (a) what is the threat that such malware poses to Singapore’s critical infrastructure; (b) what steps have been taken to protect Singapore from such threats; and (c) how can the Government help companies in Singapore to be aware of such threats and take the necessary precaution.

Answer: 

1. The Cyber Security Agency (CSA) monitors threats to Singapore’s cyberspace closely, especially those that threaten Critical Information Infrastructure (CII) that support essential services.

2. The strain of malware discovered in April, referred to as Pipedream or Incontroller, is designed to target equipment found in industrial control systems, which are core to the proper functioning and control of operational systems and processes. This malware enables the attacker to manipulate and disrupt industrial processes, allowing them to remotely collect information from these systems, shut down operations, sabotage industrial processes, and potentially cause physical harm and destruction.

3. When reports of this malware surfaced in April, CSA issued an advisory to our CII sector leads and owners to take precautions against this threat and make timely incident reports. To date, we have not found any evidence of Pipedream being used against our CII. Beyond CIIs, SingCERT also publishes public advisories on protecting industrial control systems, most recently in March, to advise enterprises on how they may bolster their cybersecurity measures against threats that target these systems.

4. It is important that CII owners and other enterprises remain vigilant against cyber threats and adopt the necessary cybersecurity practices to safeguard the systems and networks. CII owners are required by the Cybersecurity Act to put in place measures to meet cybersecurity standards set by CSA. For enterprises, CSA launched the SG Cyber Safe Programme in 2021 to encourage and help companies strengthen their cybersecurity posture.

5. This includes a cybersecurity certification programme for enterprises – comprising the Cyber Essentials and Cyber Trust marks – to recognise enterprises that have implemented good cybersecurity practices. CSA also developed cybersecurity toolkits for companies of various profiles to guide enterprise leaders and their employees on cybersecurity best practices. I encourage companies to apply for these cyber marks and take advantage of the resources and toolkits available on CSA’s website.

7. Mr Speaker, cyber threats are constantly evolving. Pipedream will not be the last strain of malware to threaten us. I urge everyone to stay vigilant, take cybersecurity seriously and practice good cyber hygiene.