Parliament Sitting on 4 July 2022

QUESTION FOR WRITTEN ANSWER

99. Mr Sharael Taha: To ask the Minister for Communications and Information in view of malware tools such as Pipedream or Incontroller which can seize control of critical infrastructure (a) what is the threat that such malware poses to Singapore’s critical infrastructure; (b) what steps have been taken to protect Singapore from such threats; and (c) how can the Government help companies in Singapore to be aware of such threats and take the necessary precaution.

Answer: 

1. The Cyber Security Agency (CSA) monitors threats to Singapore’s cyberspace closely, especially those that threaten Critical Information Infrastructure (CII) that support essential services.

2. The strain of malware discovered in April, referred to as Pipedream or Incontroller, is designed to target equipment found in industrial control systems, which are core to the proper functioning and control of operational systems and processes. This malware enables the attacker to manipulate and disrupt industrial processes, allowing them to remotely collect information from these systems, shut down operations, sabotage industrial processes, and potentially cause physical harm and destruction.

3. When reports of this malware surfaced in April, CSA issued an advisory to our CII sector leads and owners to take precautions against this threat and make timely incident reports. To date, we have not found any evidence of Pipedream being used against our CII. Beyond CIIs, SingCERT also publishes public advisories on protecting industrial control systems, most recently in March, to advise enterprises on how they may bolster their cybersecurity measures against threats that target these systems.

4. It is important that CII owners and other enterprises remain vigilant against cyber threats and adopt the necessary cybersecurity practices to safeguard the systems and networks. CII owners are required by the Cybersecurity Act to put in place measures to meet cybersecurity standards set by CSA. For enterprises, CSA launched the SG Cyber Safe Programme in 2021 to encourage and help companies strengthen their cybersecurity posture.

5. This includes a cybersecurity certification programme for enterprises – comprising the Cyber Essentials and Cyber Trust marks – to recognise enterprises that have implemented good cybersecurity practices. CSA also developed cybersecurity toolkits for companies of various profiles to guide enterprise leaders and their employees on cybersecurity best practices. I encourage companies to apply for these cyber marks and take advantage of the resources and toolkits available on CSA’s website.

7. Mr Speaker, cyber threats are constantly evolving. Pipedream will not be the last strain of malware to threaten us. I urge everyone to stay vigilant, take cybersecurity seriously and practice good cyber hygiene.

 

Speech by Dr Janil Puthucheary, Senior Minister of State, Ministry of Communications and Information, at the Law Society's Cybersecurity and Data Protection Conference 2022 Speeches Cyber Security 04 Aug 22
MCI response to PQ on Work of Cyber Security Agency of Singapore in Raising Cybersecurity Posture of Enterprises on Preventive Initiatives Parliament QAs Cyber Security 02 Aug 22
MCI response to PQ on Regulatory Measures to Prevent and Block Unsolicited Messages on Unlicensed Loans and Illegal Gambling Websites Parliament QAs Cyber Security, Public Comms 01 Aug 22
Keynote Address by Mrs Josephine Teo, Minister for Communications & Information, at the Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on 12 July 2022 Speeches Cyber Security, Digital Readiness 12 Jul 22
MCI response to PQ on Steps to Protect Singapore's Critical Infrastructure from Malware Threat Parliament QAs Cyber Security 04 Jul 22
Speech by Dr Janil Puthucheary, Senior Minister of State, Ministry of Communications and Information, at the Virtual Youth Cyber Exploration Programme Central Capture-The-Flag Competition Award Ceremony on 24 June 2022 Speeches Cyber Security 24 Jun 22