Singapore Enhances CII Cybersecurity Code of Practice — July 4, 2022
Singapore’s 2022 Code of Practice for Critical Information Infrastructure raises governance, OT resilience, and supply-chain security expectations, requiring boards to evidence outcome-based cyber controls and rapid incident reporting.
Executive briefing: On 4 July 2022 Singapore’s Cyber Security Agency (CSA) issued the Code of Practice for Cybersecurity of Critical Information Infrastructure (CII CoP), updating the 2018 baseline with expanded governance, operational technology (OT) resilience, and supply-chain security obligations for operators designated under the Cybersecurity Act. The refreshed code applies to 11 critical sectors, raising the bar for board accountability, control testing, third-party assurance, and incident reporting cadence. It also interlocks with the Safer Cyberspace Masterplan and the National Cybersecurity Strategy, signalling heightened regulatory scrutiny on how CII owners evidence resilience outcomes rather than merely documenting policies.
What changed and strategic context
The 2022 CII CoP introduces prescriptive requirements across governance, risk management, architecture, operations, and response domains. It requires CII owners to integrate cybersecurity into enterprise risk management, maintain auditable security-by-design practices for system changes, and implement continuous monitoring with defined metrics. The code also codifies obligations to secure OT environments, including segregated networks, whitelisting, and safety-system coordination. These updates respond to rising ransomware, supply-chain compromises, and geopolitical tensions affecting maritime, energy, healthcare, and telecommunications infrastructures in Southeast Asia.
The code complements legislative amendments that empower CSA to issue remediation directions, conduct inspections, and require audits. Non-compliance can lead to financial penalties, licence revocation, or criminal liability. CII owners must therefore translate the code into actionable programs encompassing governance, people, process, and technology controls, while capturing evidence that demonstrates outcomes such as reduced mean time to detect (MTTD) and recover (MTTR) from incidents, hardened OT perimeters, and validated supplier controls.
Governance, accountability, and oversight expectations
CSA requires each CII owner to designate a senior executive responsible for cybersecurity, ensure board oversight, and integrate cyber risk into enterprise reporting. Boards should receive quarterly metrics covering threat trends, control effectiveness, incident drills, and investment needs. The code mandates:
- Policy governance. Maintain a cybersecurity strategy approved by the board, reviewed at least annually, and aligned to sectoral risk scenarios defined by CSA and relevant Lead Government Agencies.
- Risk management integration. Embed cybersecurity risk assessments into the enterprise risk management framework, with defined risk appetite statements, risk treatment plans, and assurance mapping to internal audit, compliance, and technology functions.
- Independent assurance. Conduct annual audits covering governance, technical controls, and OT security, performed by qualified assessors independent of operations, and report findings to CSA.
- Training and competency. Implement role-based training programs, documenting completion rates, proficiency assessments, and tabletop exercises for management and operational teams.
Boards and senior management must maintain evidence that cybersecurity budgets, staffing levels, and technology investments align with threat intelligence. CSA encourages benchmarking against frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001, but insists on localisation to Singapore’s threat landscape. Outcome testing should demonstrate improvements in incident detection rates, vulnerability remediation timelines, and supplier compliance scores.
Architecture and network security controls
The CII CoP devotes significant attention to secure architecture, especially in converged IT-OT environments. Key requirements include:
- Network segmentation and zoning. Implement layered zones separating corporate IT, DMZ, control systems, and safety instrumented systems, with conduits governed by firewalls, data diodes, or secure gateways. Document data flows and enforce unidirectional controls where feasible.
- Secure configuration baselines. Maintain hardened baselines for servers, endpoints, programmable logic controllers, and network devices. Baselines must be reviewed quarterly, with drift detection and remediation playbooks.
- Change management. Apply security-by-design principles to new deployments, requiring threat modelling, secure coding reviews, penetration testing, and cyber-physical impact analysis before production release.
- Asset management. Maintain an accurate inventory of hardware, software, firmware, and virtual assets, updated within 24 hours of change, including criticality, ownership, and patch status.
CII owners should corroborate architectural controls through vulnerability assessments, red teaming, and OT-specific penetration testing. Evidence of success includes reduced attack surface (e.g., fewer exposed services), validated segmentation (e.g., blocked lateral movement attempts), and timely patch cycles for critical vulnerabilities, especially those disclosed in CSA’s weekly advisories.
Operational technology resilience requirements
Given Singapore’s heavy reliance on OT for energy, transport, and water, the code expands on OT-specific controls. It mandates:
- Development of OT cybersecurity plans incorporating safety-critical system dependencies, fail-safe modes, and recovery prioritisation.
- Implementation of application whitelisting, multifactor authentication for remote access, and physical security controls for control rooms and engineering workstations.
- Monitoring of process variables, safety system alarms, and network traffic to detect anomalies, supported by security information and event management (SIEM) integration.
- Regular testing of backup and recovery capabilities, ensuring offline, immutable storage for critical configuration data and minimal downtime during restoration.
Outcome testing in OT environments should include scenario-based drills (e.g., ransomware affecting SCADA systems), review of recovery time objective (RTO) adherence, and validation of manual override procedures. CII owners must coordinate with safety, engineering, and operations teams to ensure cybersecurity actions do not compromise physical safety.
Supply chain and third-party management
The 2022 code recognises that third parties introduce significant risk. CII owners must establish supply-chain risk management programs covering vendors, integrators, and managed service providers. Obligations include:
- Conducting due diligence on suppliers’ cybersecurity practices, including review of certifications, secure development lifecycle processes, and incident histories.
- Embedding cybersecurity clauses in contracts to mandate notification timelines, cooperation during investigations, secure coding standards, and access control requirements.
- Monitoring supplier performance via periodic attestations, technical assessments, and outcome-based metrics such as vulnerability remediation times and adherence to patch windows.
- Maintaining an updated bill of materials for hardware and software components, tracking dependencies on global supply chains and potential exposure to sanctioned entities.
CSA expects CII owners to maintain evidence that suppliers participate in incident exercises, share threat intelligence, and implement secure update mechanisms. Organisations should cross-map supplier controls to standards like ISO/IEC 27036, NIST SP 800-161, and CSA’s own vendor risk advisories.
Incident response, reporting, and information sharing
CII owners must develop incident response plans aligned with CSA’s reporting requirements, which mandate notification of cybersecurity incidents within two hours of discovery and submission of incident reports within 14 days. The code requires:
- Designated incident response teams with defined roles, escalation paths, and contact lists for CSA, sector regulators, law enforcement, and supply-chain partners.
- Run-books covering containment, eradication, recovery, and post-incident reviews for scenarios such as ransomware, insider threats, supply-chain compromise, and denial-of-service attacks.
- Participation in national exercises, including the annual Exercise Cyber Star, to validate coordination with government agencies.
- Integration of threat intelligence feeds from CSA, SingCERT, and sector-specific sources into detection workflows.
Outcome testing should measure mean time to detect, escalate, and contain incidents, frequency of successful tabletop exercises, and closure of post-incident action items. Organisations should maintain evidence of lessons learned feeding into policy updates, technology enhancements, and staff training.
Metrics, monitoring, and continuous improvement
The code emphasises continuous monitoring through security operations centres (SOCs), vulnerability management programs, and analytics. CII owners should implement dashboards tracking:
- Patch compliance rates for critical vulnerabilities within sector-specific timelines (often 14 days for high severity).
- Configuration compliance against baselines, with drift remediation actions.
- Effectiveness of access controls, including privileged access reviews and multifactor authentication adoption.
- OT process integrity indicators, such as deviations in safety instrumented system triggers.
CSA encourages adoption of security orchestration, automation, and response (SOAR) tools to standardise incident handling, reduce manual errors, and generate audit trails. Internal audit, risk management, and compliance teams must coordinate to ensure metrics feed into enterprise dashboards and regulatory submissions.
Roadmap for the next 12 months
CII owners should adopt a phased roadmap:
- 0–90 days: Conduct gap assessments against the 2022 code, prioritise high-risk deficiencies (e.g., incomplete asset inventories, insufficient OT segmentation), and update board reporting templates.
- 90–180 days: Implement or enhance SOC capabilities, integrate OT telemetry, and formalise supplier assurance programs with outcome-based KPIs.
- 180–365 days: Execute red team and purple team exercises, align cyber resilience metrics with business continuity plans, and prepare for CSA audits by compiling evidence repositories.
Throughout the roadmap, organisations should maintain change management records, document control testing outcomes, and align investments with CSA’s cyber competency frameworks.
Sources
- CSA Code of Practice for Cybersecurity of Critical Information Infrastructure (2022)
- Singapore Cybersecurity Act
- CSA press release on enhanced CII Code of Practice
- CSA guidance on implementing the Code of Practice
- Singapore Safer Cyberspace Masterplan
Zeph Tech supports Singapore CII owners by mapping CSA control requirements to enterprise risk frameworks, orchestrating OT security monitoring, and generating evidence packages that demonstrate measurable resilience outcomes to regulators.




