20 November, 2018
As a vital system in modern society, energy infrastructure is a prime target for adversaries and represents a critical vulnerability deserving of special attention. Energy infrastructure and supply chain often feature prominently as targets to be disrupted or defended in a military campaign, or as a priority for restoration in disaster relief.
During times of economic growth, there is constant work to, at the minimum, build up and maintain infrastructure, and where possible innovate and improve infrastructure to enhance security and resiliency. There are competing tensions in promoting innovation while ensuring that the infrastructure remains secure.
In Singapore, the Smart Nation push, together with the recent rollout of the Open Electricity Market, is expected to spur innovations benefitting consumers, service providers and other market players. Concepts that have been proposed include real-time tracking of energy prices and corresponding re-scheduling of energy intensive operations to manage energy costs, and predictive technologies and energy storage solutions to improve energy supply and management.
One key element across these developments and concepts is the need for access to data and infrastructure, and the capability to process the data to generate and test meaningful solutions. It comes as no surprise that access to this data and the underlying infrastructure is not and cannot be unfettered.
As threats to energy infrastructure escalate in the modern world, regulators are working hard to strike a delicate balance between transparency, privacy and security.
In Singapore, the energy sector is designated as 1 of 11 Critical Information Infrastructure ("CII") sectors under the Cybersecurity Act 2018 (partially in force on 31 August 2018, expected to be in full effect by end 2018 or early 2019). Owners of systems which have been designated as a CII have specific duties under the Cybersecurity Act including reporting requirements in the event of prescribed cybersecurity incidents, conducting regular cybersecurity audits and risk assessments, and compliance with codes of practice, standards of performance or written directions in relation to the CII. Understandably, the list of CII and CII owners is kept secret for national security reasons.
This presents several challenges for product or solution providers that may require access to data from or an interface with a CII including but not limited to (i) the CII designation may only cover some but not all systems (only systems"necessary for the continuous delivery of an essential service"), (ii) product or solution providers may not officially know and may have to infer from obligations imposed upon them whether or what systems of their counterparty is designated as a CII, (iii) codes of practice may not be publicly available and it may take time for appropriate protocols to be established in order to enable product or solution providers to securely obtain data or develop alternatives to accessing such data or interfacing with the CII.
Currently, only two types of cybersecurity service providers will be subject to licensing under the Cybersecurity Act:
(i) penetration testing and
(ii) managed security operations centre monitoring.
For the time being, apart from the two specified cybersecurity services, CIIs and product or solution providers will have to rely on other means to assess their proposed arrangements to ensure that they are fully aware of their risks and obligations, and appropriate levels of protection are put in place.
While there are existing independent standards and certification bodies for consideration, parties should keep in mind that the implementation of the Cybersecurity Act is still being refined and further review may need to be undertaken when the Cybersecurity Act is in full effect.
For further information, please contact:
Sandra Seah, Partner, Bird & Bird
sandra.seah@twobirds.com