PART 2 | Providing information to Commissioner |
| Information to ascertain if computer, etc., fulfils criteria of critical information infrastructure |
3.—(1) For the purposes of subsection 2 of section 8 of the Act, a notice to provide relevant information to the Commissioner under that subsection must be given in writing in the form set out on the Internet website at https://www.csa.gov.sg.(2) The Commissioner may by notice under section 8(2) of the Act require a person who appears to be exercising control over a computer or computer system, to provide to the Commissioner the following information relating to that computer or computer system as is relevant for the purpose of ascertaining whether the computer or computer system fulfils the criteria of a critical information infrastructure:| (a) | name and location of the computer or computer system; | | (b) | the function that the computer or computer system is employed to serve; | | (c) | the type of essential service, if applicable, that the computer or computer system has a role in making available in Singapore, and the role performed by the computer or computer system; | | (d) | the person or persons, or other computer or computer systems, that the computer or computer system mentioned in the notice serves; | | (e) | information relating to the design of the computer or computer system, including the parameters and key components of the computer system, as specified in the notice; | | (f) | the name, address, contact and business registration number (if applicable) of the person to whom the notice is given; | | (g) | if the person to whom the notice is given is not the owner of the computer or computer system, the name, address, contact and business registration number (if applicable) of the owner; | | (h) | such other information as the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria of a critical information infrastructure. |
|
|
| Information relating to critical information infrastructure |
4.—(1) For the purposes of subsection (1) of section 10 of the Act, a notice to the owner of a critical information infrastructure to furnish information required under that subsection must be given in writing in the form set out on the Internet website at https://www.csa.gov.sg.(2) The Commissioner may by notice under section 10(1) of the Act require the owner of the critical information infrastructure to provide to the Commissioner —| (a) | the following information on the design, configuration and security of the critical information infrastructure:| (i) | a network diagram depicting every key component and interconnection in the critical information infrastructure, and any external connection and dependency that the critical information infrastructure may have; | | (ii) | for every key component in the critical information infrastructure, the following details:| (A) | its name and description; | | (B) | its physical location; | | (C) | any operating system and version; | | (D) | any key software and version; | | (E) | its internet protocol address and any open port, if the component is internet facing; | | (F) | the name and address of the operator, if the owner is not the operator; |
| | (iii) | the types of data processed on or stored in the critical information infrastructure; | | (iv) | the name and contact of every individual having overall responsibility for the cybersecurity of the critical information infrastructure; |
| | (b) | the following information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure:| (i) | the name and description of that other computer or computer system; | | (ii) | the physical location of that other computer or computer system; | | (iii) | the name and address of its operator, if the owner is not the operator; | | (iv) | a description of any function provided by that other computer or computer system; | | (v) | the types of data exchanged with the critical information infrastructure; | | (vi) | the operating system and version; | | (vii) | the key software and version; | | (viii) | how that other computer or computer system is interconnected with or communicates with the critical information infrastructure, including the communication protocol of that other computer or computer system with the critical information infrastructure; |
| | (c) | the name of any outsourced service provider supporting the critical information infrastructure, and the nature of the outsourced service; and | | (d) | such other information as the Commissioner may require in order to ascertain the level of cybersecurity of the critical information infrastructure. |
|
|
| Report of cybersecurity incident in respect of critical information infrastructure, etc. |
5.—(1) For the purposes of section 14(1) of the Act, where a cybersecurity incident mentioned in section 14(1)(a), (b) or (c) of the Act occurs, the owner of a critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident in the following form and manner:| (a) | by submitting the following details in the manner specified in paragraph (2), within 2 hours after becoming aware of the occurrence:| (i) | the critical information infrastructure affected; | | (ii) | the name and contact number of the owner of the critical information infrastructure; | | (iii) | the nature of the cybersecurity incident, whether it was in respect of the critical information infrastructure or an interconnected computer or computer system, and when and how it occurred; | | (iv) | the resulting effect that has been observed, including how the critical information infrastructure or any interconnected computer or computer system has been affected; | | (v) | the name, designation, organisation and contact number of the individual submitting the notification; |
| | (b) | by providing to the fullest extent practicable the following supplementary details in writing in the form set out on the Internet website at https://www.csa.gov.sg within 14 days after the submission mentioned in sub‑paragraph (a):| (i) | the cause of the cybersecurity incident; | | (ii) | its impact on the critical information infrastructure, or any interconnected computer or computer system; | | (iii) | what remedial measures have been taken. |
|
(2) The details mentioned in paragraph (1)(a) must be submitted —| (a) | by calling the telephone number specified by the Commissioner; or | | (b) | if the owner is unable to submit the details in the manner set out in sub‑paragraph (a) within a reasonable time —| (i) | by text message to the telephone number specified by the Commissioner; or | | (ii) | in writing, in the form set out on the Internet website at https://www.csa.gov.sg, to the electronic address specified by the Commissioner. |
|
|
(3) For the purposes of section 14(1)(a) and (b) of the Act, the following are prescribed cybersecurity incidents in respect of a critical information infrastructure or an interconnected computer or computer system:| (a) | any unauthorised hacking of the critical information infrastructure or the interconnected computer or computer system to gain unauthorised access to or control of the critical information infrastructure or interconnected computer or computer system; | | (b) | any installation or execution of unauthorised software, or computer code, of a malicious nature on the critical information infrastructure or the interconnected computer or computer system; | | (c) | any man‑in‑the‑middle attack, session hijack or other unauthorised interception by means of a computer or computer system of communication between the critical information infrastructure or the interconnected computer or computer system, and an authorised user of the critical information infrastructure or the interconnected computer or computer system, as the case may be; | | (d) | any denial of service attack or other unauthorised act or acts carried out through a computer or computer system that adversely affects the availability or operability of the critical information infrastructure or the interconnected computer or computer system. |
|
(4) In paragraph (3) —“interception”, in relation to a communication to or from a critical information infrastructure or an interconnected computer or computer system, includes —| (a) | listening to or recording of the communication; and | | (b) | acquiring the substance, meaning or purport of that communication; |
|
| “interconnected computer or computer system” means any computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure. |
|
|
| Cybersecurity risk assessment |
6.—(1) For the purposes of section 15(1)(b) of the Act, a cybersecurity risk assessment of a critical information infrastructure must be conducted in the following form and manner:| (a) | the assessment must —| (i) | identify, as far as is reasonably practicable, every cybersecurity risk to the critical information infrastructure; | | (ii) | evaluate the likelihood of the occurrence, and the possible consequences, of the materialisation of each identified cybersecurity risk; and | | (iii) | identify the action that the owner of the critical information infrastructure will take in respect of each identified cybersecurity risk; |
| | (b) | the report of the assessment must cover the following:| (i) | the methodology used in the cybersecurity risk assessment; | | (ii) | a description of every identified cybersecurity risk to the critical information infrastructure; | | (iii) | the evaluated likelihood and possible consequences of the materialisation of each identified cybersecurity risk; | | (iv) | the identified action that the owner of the critical information infrastructure will take in respect of each identified cybersecurity risk. |
|
| (2) The first cybersecurity risk assessment of a critical information infrastructure must be completed within 6 months after the date of the notice issued under section 7(1) of the Act or, subject to section 15(1)(b) of the Act, such longer period as the Commissioner may allow in a particular case. |
| (3) In this regulation, “cybersecurity risk”, in relation to a critical information infrastructure, means the risk that a vulnerability in the cybersecurity of the critical information infrastructure may be exploited by a cybersecurity threat or incident. |
|
|
