30 May 2022

On 29 April 2022, the Cyber Security Agency of Singapore (“CSA”) issued the “Guidelines for CII Owners to Enhance Cyber Security for 5G Use Cases” (“Guidelines”), which are available on its website, www.csa.gov.sg.

The purpose of the Guidelines is to suggest measures that help Critical Information Infrastructure Owners (“CIIOs”) identify the threats that can be introduced to systems when they are connected to 5G services, and to provide recommendations for mitigating cybersecurity risks. The intended audience of the Guidelines includes:

  • CIIOs (e.g. senior management, communication network planners and their cybersecurity teams)
  • CIIOs’ service and equipment providers (e.g. outsourced ICT teams / managed security service providers / ICT equipment vendors)

The Guidelines cover some possible threats that can be introduced when systems are connected to 5G services, using Microsoft’s STRIDE threat model:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of privilege

After identifying the possible 5G security threats and their impact on confidentiality (i.e. keeping data secure), integrity (i.e. maintaining system integrity) and availability (i.e. preserving system services and network availability), the Guidelines provide recommendations on how to mitigate these threats. Set out below is a summary of the recommendations:

  • Assurance of user equipment
  • Segregation of traffic
  • Data protection
  • System hardening
  • Physical security
  • Business continuity planning
  • Awareness of 5G threats
  • Support requirements from 5G service providers
  • Configuration management
  • Access control / management
  • Overload controls
  • Resilience against downgrade attack
  • Monitoring of devices over the 5G network

The Guidelines also provide two case studies in the maritime and healthcare sectors to demonstrate how the recommendations can be applied for different use cases.