RESTRICTED

CSA’s Cyber Incident Management Approach

Post on 18-Feb-2022


Establishment of CSA - Cyber Security Agency of Singapore

- Established on 1 Apr 2015

- Under the aegis of the Prime Minister’s Office

- CSA provides dedicated and centralised oversight of national cyber security functions

- It takes over and builds on functions from IDA and SITSA/MHA.


CSA - ROLES, FUNCTIONS & CAPABILITIES

• Critical Sector Development
– Standards & Regulation
– Critical Sector Readiness
– Sector Cyber Exercises

• Partnership & Outreach
– International Partnership
– Public Awareness & Outreach
– SingCERT Engagement
– Crisis Communication

• Consultancy
– Technical & System Design Consultancy
– Accreditation & Certification
– Systems Testing & Evaluation

• Research & Analysis
– Cyber Situational Awareness
– Cyber Research
– Threat Analysis & Assessment
– Alerts & Advisory

• Cyber Incident Response
– Incident Response & Recovery
– Investigation & Forensics
– Malware Mitigation

• Capability Development
– Capability & Technology Development
– Research Development

• Policy & Legislation
– Cyber Security Policies
– Legislation & Governance

• Industry & Manpower Development
– Industry Engagement
– Education & Training Development
– Private Sector Engagement


Cyber Incident Management

• Tiered approach
– CII Operator
– Sector Lead
– CSA


Critical Information Infrastructure (CII) Sectors

• 10 Critical Information Infrastructure (CII) sectors identified
– Aviation
– Energy
– Finance
– Government
– Health
– Infocomm
– Land Transport
– Maritime
– Security & Emergency
– Water


CII Operators

• The CII Operators are the companies that operate the identified CII systems, e.g. power plant operators
• CII Operators are responsible for the protection of their own system
– Cyber security should be part of their business requirement
– CII operators will report the incidents to the respective Sector Leads


Sector Leads

• Sector Leads are responsible for cyber security in their respective sectors, which includes both CIIs and non-CIIs
– Responsible for assisting the CII operators
• Every sector must have its own detection and early warning capability on a 24/7 basis
• Sector Leads need to take charge at sector level in the event of an incident.
– CII Operator/Sector Leads will be the first-line responders to sector incidents
– Need to report all cyber incidents to CSA


National Cyber Incident Manager

• CSA is the National Cyber Incident Manager and operates the National Cyber Security Centre (NCSC)
– Oversees the handling of the incidents within the CII Sectors
– Oversees National Cyber Threat Alert Level (NCTAL) via assessment of the incidents across all CII Sectors, the cyber threat landscape and other information received
– Determines the national level measures that need to be implemented country wide.


National Cyber Incident Manager

• CSA controls the National Cyber Incident Response Team (NCIRT)
• Coordinate cross-sector incidents and lean forward to augment the sectors with more resources when needed
• CIRT teams from other agencies can be pulled together to support the impacted sectors during crisis (2nd tier support to the first-line responder)


Partners and Stakeholders

CSA

• International Partners
• Like-minded Nations
• Cyber Security Communities
• Sectoral Stakeholders


Legislation

• CSA needs to be appropriately empowered to carry out its national duty.
• Growing international trend towards enactment of unified cyber security legislation
• Need for an Omnibus Bill on Cyber Security (under study)
– Governance Powers
– Standards Setting
– Operational Powers
– Information Sharing


THANK YOU
