Frequently Asked Questions
Protection of Critical Information Infrastructure
What is a Critical Information Infrastructure?
Under section 7(1) of the Cybersecurity Act, a Critical Information Infrastructure is a computer or a computer system located wholly or partly in Singapore, necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore.
What is the profile of the Critical Information Infrastructure (CII) in Singapore?
The Cyber Security Agency of Singapore (CSA) has worked closely with Sector Leads to identify the Critical Information Infrastructure (CII) supporting the provision of essential services across 11 critical sectors.
The critical sectors are Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Infocomm, Media, and Security & Emergency Services. The list of essential services in these sectors is published in the First Schedule of the Act.
Under Section 7 of the Act, CII refers to specific computers and computer systems that are explicitly designated by the Commissioner of Cybersecurity. It is not the case that firms and sectors will be considered as CII.
The list of CII and CII owners will be finalised before CSA and Sector Leads implement the Cybersecurity Act in the second half of 2018. The list of CII and CII owners is secret for national security reasons.
How vulnerable are our Critical Information Infrastructures (CII)? Have any of our CII networks been compromised or experienced attacks?
As a hyper-connected business hub, Singapore is vulnerable to cyber-attacks which are increasing in scale and sophistication. While we were fortunate to have escaped relatively unscathed so far, we have seen our share of cyber-attacks. One example is the breach of MINDEF's I-net system in February 2017 where the personal data of 850 national servicemen were leaked. In May 2017, Advanced Persistent Threat (APT) actors targeted two of our top universities.
Although none of our Critical Information Infrastructure (CII) has been disrupted, the global WannaCry and Petya malware attacks, which also surfaced in Singapore, are reminders of our vulnerability. We can expect more attempts to breach our cyber defences.
To enhance our defences against increasingly sophisticated cyber-attacks, the Cyber Security Agency of Singapore (CSA) works closely with Sector Leads to ensure that CII owners have capabilities and measures to detect, respond to and recover from cyber threats and cyber-attacks. CSA has been advocating that organisations should take cybersecurity into consideration when designing systems and networks to develop robust systems with defences against attacks, and not add them later as an afterthought.
How does the Cyber Security Agency of Singapore (CSA) determine the list of essential services?
In arriving at the list of essential services in the Cybersecurity Act, the Cyber Security Agency of Singapore (CSA) took reference from the list of critical sectors in the Computer Misuse and Cybersecurity Act (CMCA). CSA also surveyed the definition of "essential services" in other jurisdictions.
CSA then identified a total of 11 sectors with Critical Information Infrastructure. For each of these 11 sectors, CSA worked with the relevant Sector Lead to identify their essential services based on criteria such as impact to Singapore's economy.
We do not preclude gazetting new essential services in the future.
Section 7 of the Act states that a Critical Information Infrastructure (CII) is designated for a period of 5 years. Why is there a duration period for a CII?
Over 5 years, many aspects of the Critical Information Infrastructure (CII) may have changed - business, industry, clientele and market share. Hence, it would be useful to re-evaluate the status of a CII from time to time.
Section 9 states that designation of a Critical Information Infrastructure (CII) may be withdrawn. Can you explain with a scenario to illustrate how such a situation could arise?
For example, if the market share served by a Critical Information Infrastructure (CII) drops to below a certain threshold (e.g. a certain percentage) such that it is no longer significant, or the CII is decommissioned, the designation may be withdrawn.
Why is there a need to inform the Commissioner of a change in ownership of the Critical Information Infrastructure (CII) after the change has been effected?
When the ownership of a Critical Information Infrastructure (CII) changes, the new owner could have a different business case for the CII. The intent for requiring CII owners to inform the Commissioner of changes in ownership is to allow the Commissioner to assess whether the business function of the CII has changed and if the CII continues to fit the criteria of a CII. There is no intention for the Commissioner to veto any changes in ownership as these are business decisions.
© 2019, Government of Singapore