Regulations are still needed to ensure organisations actually adopt measures that strengthen their cybersecurity posture.
Singapore this week released guidelines it said would help organisations, including small and medium-sized businesses, better understand the risks associated with using cloud services and what they, and cloud service providers, should do to secure cloud environments.
The cloud security companion guides are meant to support adoption of Singapore's national cybersecurity standards, Cyber Essentials and Cyber Trust, developed by the Cyber Security Agency of Singapore (CSA), which announced the guides' launch at the annual Singapore International Cyber Week conference.
The guides were published in collaboration with the Cloud Security Alliance and developed with input from three cloud providers, Amazon Web Services (AWS), Google Cloud, and Microsoft, which provided customer insights and market statistics. The providers also "verified" the content of the companion guides, CSA said.
The guides outline the risks and responsibilities organizations have with the cloud, and the steps they should take to protect their environments, including employee training and mechanisms for tracking and monitoring their cloud inventory. The documents also include provider guides for environments running on AWS, Microsoft, and Google platforms, organized based on the Cyber Essentials and Cyber Trust standards.
“A common confusion when organizations use the cloud is the division of responsibility between them as cloud users, and the cloud providers,” CSA said. “In a cloud deployment, there is shared responsibility, and organizations may not be fully aware of which areas they are responsible for. This can increase the potential for misconfiguration, malicious attacks, and/or data breaches.”
The freely available guides are expected to help the 27% of businesses in Singapore that use cloud computing services, the government agency said, citing a 2022 study by the Infocomm Media Development Authority (IMDA).
Singapore this week also took further steps towards extending its national cybersecurity labelling scheme to medical devices, with the launch of a sandbox in which manufacturers can test their products. Sandbox participants will provide feedback on the requirements and application processes against which devices will be assessed under the medical device labelling scheme, which is slated to launch at a later date.
CSA said the sandbox will run for nine months, and the feedback will be used to adjust the scheme's operational workflows and requirements where necessary. The sandbox was launched in collaboration with the Ministry of Health, the Health Sciences Authority and Synapse.
The cybersecurity agency noted that 15%, or more than 16,000, of the medical devices in local public healthcare institutions are connected to the Internet, and that medical devices are increasingly connected to hospital and home networks. This expands the attack surface: vulnerabilities in software used for clinical diagnosis, for example, could be exploited to generate false diagnoses, and unsecured medical devices could be targeted in denial-of-service attacks that prevent patients from receiving treatment. Attackers could also use compromised devices as a foothold into the hospital network, potentially leading to data leaks or network outages.
According to CSA, extending the labelling scheme to medical devices will motivate manufacturers to build security into the design of their products, and will let healthcare operators make better-informed decisions about the devices they deploy. The scheme has four levels, with each level reflecting additional testing the product has been evaluated against.
The sandbox will allow device manufacturers to put their products through the scheme's assessments, including software binary analysis, penetration testing, and security evaluation.
Many technology practitioners and CISOs will look at the guides and industry best practices, but such initiatives can only go so far if they are presented as advice rather than as regulations companies must comply with, said Karan Sondhi, vice president and chief technology officer for public sector at Trellix.
Initiatives like the security labelling scheme, for example, serve as an information tool, not an enforcement tool, Sondhi told ZDNET in an interview on the sidelines of the conference.
Harold Rivas, chief information security officer at Trellix, agreed, noting that the labelling scheme helps with purchasing decisions and raises awareness of potential risks. Rivas said the scheme gives decision makers a reason to consider alternatives and serves as a good reference point for independently verified best practices.
Ultimately, there should be clear mandates to drive the industry toward clear outcomes, Rivas said.
Such requirements could include, for example, a proper patch management strategy and a robust monitoring system, Sondhi said. They should be accompanied by rollout roadmaps, he added, so that market players have the timelines they need to achieve compliance.
He noted that there is certainly resistance to such mandates over the cost and time involved in bringing products to market, and said regulations should not be overly complex. They could instead defer to standards bodies tasked with providing the detail and updating best practices as needed. This would free governments from having to keep pace with market changes and let them focus on setting high-level requirements, he said.
Regulation is also a good starting point given that the road to cyber resilience is long and complex.
OT organizations, in particular, have ecosystems that need to be managed differently from their IT infrastructure, Sondhi said. They will need to take inventory of all their OT systems and technologies, and ensure that third-party tools are secured and integrated so that they have clear visibility across the entire supply chain.
Governments, including Singapore and the United States, are now helping the operational technology and critical information infrastructure sectors overcome these issues, Rivas said. However, he said the journey is long and will take time.
Governments can facilitate this process by imposing certain requirements on the industry, allowing all players to adapt to them gradually, Sondhi said. For example, organisations that provide government-related services, such as smart meters, must demonstrate that they have a clear inventory of their systems and a timeline for remediating vulnerabilities. Vendors that breach the requirements set out in these contractual agreements should be penalised, he added.
Such comprehensive regulatory frameworks help move actions forward and protect both organizations and citizens, Rivas added.
Strong cyber resilience is essential, especially as some of these sectors face increasing threats.
For example, public sector organizations in the Asia-Pacific region have had to fend off an average of nearly 3,000 attacks per week over the past six months, according to Vivek Gollapalli, Asia-Pacific chief information security officer at Check Point Software Technologies.
The education and research sector saw the highest number of weekly attacks, with 4,057 attacks per institution, over the past six months, followed by the healthcare sector with 2,958 attacks, and then the government and military sector with 2,882 attacks.
Digital transformation is expanding the attack surface, and ransomware poses a serious threat with its ability to shut down entire networks, Gollapalli said. These risks have prompted governments to focus on protecting the critical information infrastructure and operational technology sectors.
He added that some of these sectors are still emerging, as smart nations are still being built using emerging technologies such as self-driving vehicles, smart cameras, and other Internet of Things devices.
As the OT infrastructure continues to evolve, the ability to manage the entire ecosystem will become more complex. For example, a different approach to applying security patches to OT devices may be required. And as the demand for connectivity grows, organizations will need to know which devices are connected, requiring more security assurances and built-in tools.
He said that with infrastructure management sometimes overlapping between the public and private sectors, we will also need to create an appropriate framework to protect the entire operational technology ecosystem.
There is still much to learn and different approaches will be needed, Gollapalli said. Amid this ongoing evolution, he urged continued conversations and collaboration between governments, OT manufacturers and security vendors to close the gaps.