Regulatory Requirements on Threat Modelling reaches the APAC region

Original post by @Ajay

Singapore’s 2018 Cybersecurity Act indirectly makes it a criminal offence not to perform cybersecurity risk assessments which include threat modelling on computers and systems that have been designated by the Cybersecurity Agency (CSA) as Critical Information Infrastructure (CII).

The Act (Act 9 of 2018), otherwise known as the Cybersecurity Bill, first came into force in August 2018 to establish a legal framework for Singapore’s national cybersecurity. The key objective is to strengthen the protection of CII and provide the CSA the powers needed to act effectively to prevent, manage and respond to cybersecurity threats and incidents.

In accordance with the 2018 Cybersecurity Act, the CSA issued the Cybersecurity Code of Practice (CCoP) detailing the minimum regulatory requirements Critical Information Infrastructure Owners (CIIOs) must comply with; however, the expectation is that they implement measures beyond those stipulated.

The current version (CCoP v2) came into effect on 4th July 2022 with a grace period of 12 months and therefore has recently become effective as of 4th July 2023. All clauses are now applicable to existing and newly designated CII and CIIOs must comply with a significant increase in requirements. For example:

Governance Requirements

In Section 3.2.2, CIIOs are directed to include “identification of CII assets and cybersecurity threats, including threats identified from threat modelling, … and construction of risk scenarios” in their cybersecurity risk assessment methodology.

Related publications containing specific guidance on methodology include:

  • “For risk assessment methodology, the CIIO can refer to CSA’s Guide to Conducting Risk Assessment for CII or equivalent.”

  • “For threat modelling, the CII can refer to CSA’s Guide to Cyber Threat Modelling or equivalent.”

Identification Requirements

In Section 4.1.1e, CIIOs are required to create and maintain a complete and comprehensive inventory of CII assets which includes any interdependencies, such as the connections between the assets and other systems or networks.

Detection Requirements

CIIOs are directed to take proactive action to prevent or mitigate cybersecurity incidents by leveraging threat hunting (Section 6.3) and Threat Intelligence (Section 6.4) capabilities.

Security by Design

Those who are based in Singapore and active in the tech/security or service provider industries should be well aware of the importance of the 2018 Cybersecurity Act and CCoP. Such organisations may even feel some concern over their ability to continue to comply post 4th July 2023.

The CSA has therefore also provided guidance notes (Annexe A) to help organisations with strengthening their security posture. These include measures that employ proactive practices, notably Security by Design and adopting Cybersecurity Design Principles.

References

2018 Cybersecurity Act

Cybersecurity Code of Practice for Critical Information Infrastructure - Second Edition, Revision One

Guide to conducting cybersecurity risk assessment for CII

Guide to Cyber Threat Modelling