What Singapore’s CCoP 2.0 Requires of Critical Infrastructure Owners

Picture Singapore’s largest telecommunications network. It carries the financial transactions, emergency communications, and government data of a city-state of nearly six million people. Now picture that infrastructure silently infiltrated for months by a state-linked espionage group, undetected until the telcos’ own security teams found it.

That is not a tabletop scenario. In July 2025, Singapore's critical infrastructure was under active attack by UNC3886, a China-linked APT group. All four of Singapore's largest telecommunications providers (Singtel, StarHub, M1, and Simba Telecom) had been targeted. The group operates through zero-day vulnerabilities in routers, firewalls, and virtualization platforms, precisely the layers where most security tooling has no visibility.

This is the threat environment facing Singapore’s Critical Information Infrastructure (CII) organizations today, and exactly what the Cybersecurity Code of Practice 2.0 (CCoP 2.0) was designed to address. Treating CCoP 2.0 as a periodic compliance formality is a risk no organization in Singapore’s critical sectors can afford.

What CCoP 2.0 Is

CCoP 2.0 is Singapore's legally binding minimum cybersecurity standard for CII owners, issued under the Cybersecurity Act 2018. It became fully enforceable in July 2023 and spans approximately 220 auditable security clauses across nine requirement sections. Audits are conducted by auditors approved by the Cyber Security Agency of Singapore (CSA), and the Commissioner of Cybersecurity sets their timing and scope. CSA has been direct: compliance is a continuous process of risk reduction, not a checkpoint exercise.

From Reactive to Proactive: What CCoP 2.0 Changed

CCoP 2.0 represents a fundamental shift in what Singapore defines as minimum cybersecurity practice for its critical sectors.

Dimension      CCoP 1.x posture        CCoP 2.0 requirement
Monitoring     Reactive, periodic      Continuous and proactive
Scope          IT-focused              IT and OT integrated
Detection      Signature-based         Behavior-aware, AI-ready
Audit cycle    Point-in-time           Continuous readiness

Organizations still operating under the posture the previous framework tolerated are materially non-compliant today.

Who Must Comply

CCoP 2.0 applies to designated CII owners across Singapore’s 11 critical sectors: Energy, Info-communications, Water, Healthcare, Banking and Finance, Security and Emergency Services, Aviation, Land Transport, Maritime, Government, and Media. The UNC3886 breach illustrates exactly what is at stake when critical sector organizations lack continuous detection capability.

The compliance obligation also extends beyond formally designated CIIOs. Singapore’s Cybersecurity (Amendment) Act 2024, effective October 2025, expanded CSA oversight to third-party-owned CII, cloud service providers, and data center operators. Supply chain participants need to formally assess their exposure.

Why IT Security Protocols Fail in OT Environments

The OT Security addendum is mandatory because IT security tools do not translate to OT environments. This is not a configuration problem. It is an architectural one.

OT devices, including programmable logic controllers (PLCs), remote terminal units (RTUs), and SCADA front ends, speak industrial protocols such as Modbus, DNP3, and IEC 61850 that general-purpose log parsers cannot interpret, and many of them emit no logs at all. They typically cannot host security agents, cannot be taken offline on a patch schedule, and may fault or drop process traffic when actively scanned. Effective OT detection therefore relies on passive network monitoring (a SPAN port or tap) with protocol-aware parsing, plus cross-boundary correlation between IT and OT systems. Deploying an IT-centric SIEM into an OT environment and calling it covered is not a solution. It is a gap disguised as one.
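
As an added illustration (not code from the original page or from Graylog), the following Python parses Modbus/TCP request frames the way a passive OT sensor would and applies a simple allow-list policy: writes and diagnostic requests from hosts that are not on the asset register raise alerts, and frames that break the MBAP header rules are flagged as malformed rather than silently dropped. The IP addresses, unit IDs, allow-list and frame bytes are all constructed for the example; in a real deployment the allow-list comes from the OT asset inventory or a learned baseline, and the bytes arrive from a SPAN port or tap rather than from a list in a script.

```python
"""Passive, protocol-aware parsing of Modbus/TCP with a write allow-list.

Added example, not Graylog code. Every address, unit ID and frame below is
constructed for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by their effect on the controller.
READ_FCS = {1, 2, 3, 4}             # read coils, discrete inputs, registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}  # write coils / registers (change process state)
DIAG_FCS = {8, 43}                  # diagnostics, encapsulated interface (device ID)


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # with the exception bit (0x80) stripped
    exception: bool      # True for an exception response
    data: bytes          # PDU payload after the function code


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header and the PDU that follows it."""
    if len(payload) < 8:
        raise ValueError("short frame: header plus function code need 8 bytes")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so a frame is 6 + length bytes.
    if len(payload) != 6 + length:
        raise ValueError(f"length field {length} disagrees with {len(payload)} bytes on the wire")
    fc = payload[7]
    return ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80), payload[8:])


# Hypothetical asset register: source host -> unit IDs it may write to.
ALLOWED_WRITERS = {"10.10.1.5": {1, 2}}   # engineering workstation


def check_request(src: str, dst: str, frame: ModbusFrame,
                  allowed_writers: dict[str, set[int]] = ALLOWED_WRITERS) -> list[str]:
    """Apply the allow-list to one decoded request; return alert strings."""
    alerts = []
    fc = frame.function_code
    if fc in WRITE_FCS and frame.unit_id not in allowed_writers.get(src, set()):
        alerts.append(f"unauthorised write: {src} -> {dst} unit {frame.unit_id} fc {fc}")
    if fc in DIAG_FCS:
        alerts.append(f"diagnostic request: {src} -> {dst} fc {fc}")
    if fc not in READ_FCS | WRITE_FCS | DIAG_FCS:
        alerts.append(f"unexpected function code: {src} -> {dst} fc {fc}")
    return alerts


def analyse_capture(records: list[tuple[str, str, bytes]]) -> list[str]:
    """Run every (src, dst, payload) request through the parser and the policy."""
    alerts = []
    for src, dst, payload in records:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"malformed frame: {src} -> {dst} ({err})")
            continue
        alerts.extend(check_request(src, dst, frame))
    return alerts


# Constructed request frames as a passive sensor would see them (TCP payload only).
CAPTURE = [
    # read 10 holding registers from unit 1: routine HMI polling
    ("10.10.1.5", "10.10.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # write single register from the engineering workstation: allowed
    ("10.10.1.5", "10.10.2.10", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),
    # the same write from a host that is not on the asset register
    ("10.10.1.200", "10.10.2.10", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # read device identification (fc 43): reconnaissance of the PLC
    ("10.10.1.200", "10.10.2.10", bytes.fromhex("0004 0000 0004 01 2b 0e 01")),
    # protocol id 1 is not Modbus: a malformed or non-Modbus frame on port 502
    ("10.10.1.77", "10.10.2.10", bytes.fromhex("0005 0001 0006 01 03 0000 000a")),
]

if __name__ == "__main__":
    for alert in analyse_capture(CAPTURE):
        print(alert)
```

The parser never sends anything to the controller, which is the point: it reads the bytes already on the wire, so it adds no latency to the process network. The three alerts it raises on the constructed capture (an unauthorised write, a device-identification query, and a malformed frame) are all invisible to a SIEM that only ingests syslog from IT hosts.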

Where the Detection Gap Consistently Appears

Storing logs is not detection. CCoP 2.0 requires continuous monitoring, behavioral anomaly detection covering lateral movement and credential misuse, coverage across both IT and OT environments, and retention policies that support investigation and audit verification on demand.

The threat data makes this urgent. The CSA’s Singapore Cyber Landscape 2024/2025 report found that APT attacks on Singapore have quadrupled since 2021, with infected infrastructure reaching approximately 117,300 systems, a 67 percent increase year over year. UNC3886 operates through exactly the techniques that signature-based detection misses: stealthy lateral movement, credential abuse in normal authentication patterns, and persistence in virtualization layers. Organizations that close the detection gap fastest have built continuous monitoring into daily operations, not assembled tooling ahead of an audit.

CCoP 2.0 Readiness: Six Indicators of a Detection Gap

Before your next audit cycle, assess your posture against these six indicators. If any apply, you have a documented gap under CCoP 2.0.

  1. Log retrieval: Does retrieving historical logs take more than one hour? CCoP 2.0 requires on-demand access for investigation and audit.
  2. Asset context: Can you identify the owner, criticality, and attack surface of any asset in under five minutes? Identification is foundational to every downstream domain.
  3. Lateral movement: Does your monitoring detect east-west traffic between internal systems? CCoP 2.0 explicitly requires detection of lateral movement and credential misuse.
  4. IT and OT integration: Are IT and OT environments monitored independently, with no cross-environment correlation? This fails the OT Security addendum by design.
  5. Audit readiness: Has your incident response plan been tested in the last 12 months? Response and Recovery requires demonstrated, exercised capability, not binders on a shelf.
  6. Anomaly detection scope: Are alerts based only on known bad IPs and file hashes? CCoP 2.0 requires detection of living-off-the-land techniques. Signature-only detection is insufficient. Graylog’s anomaly detection and AI-assisted investigation capabilities are built specifically for this gap.
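
To make indicators 3 and 6 concrete, and the lateral-movement and credential-abuse techniques described under the detection gap above, here is an added Python example, not Graylog's own detection logic, that runs two behavioural rules over normalised authentication events: one account successfully reaching several distinct hosts inside a short window, and one source failing against many accounts and then succeeding. The log lines, hostnames, addresses and thresholds are constructed assumptions for the example; none of the events carries a known-bad IP or hash, so a signature-only rule would see nothing.

```python
"""Behavioural rules for lateral movement and credential misuse.

Added example, not Graylog detection logic. The events, hosts, addresses and
thresholds are constructed assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events already normalised to key=value fields.
# A real pipeline maps Windows 4624/4625, sshd or RADIUS records onto the same
# fields before the rules run.
LOG_LINES = """\
ts=2025-07-01T02:00:05Z user=svc_backup src=10.20.0.14 dst=fs01 result=success
ts=2025-07-01T02:00:40Z user=svc_backup src=10.20.0.14 dst=fs02 result=success
ts=2025-07-01T02:01:12Z user=svc_backup src=10.20.0.14 dst=db03 result=success
ts=2025-07-01T02:01:50Z user=svc_backup src=10.20.0.14 dst=hmi01 result=success
ts=2025-07-01T02:03:00Z user=alice src=10.20.0.51 dst=mail01 result=success
ts=2025-07-01T02:05:00Z user=alice src=10.20.0.51 dst=mail01 result=success
ts=2025-07-01T02:10:00Z user=bob src=10.20.0.99 dst=dc01 result=failure
ts=2025-07-01T02:10:02Z user=carol src=10.20.0.99 dst=dc01 result=failure
ts=2025-07-01T02:10:04Z user=dave src=10.20.0.99 dst=dc01 result=failure
ts=2025-07-01T02:10:06Z user=erin src=10.20.0.99 dst=dc01 result=failure
ts=2025-07-01T02:10:08Z user=erin src=10.20.0.99 dst=dc01 result=success
"""


def parse_line(line: str) -> dict:
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text: str) -> list[dict]:
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events: list[dict], window=timedelta(minutes=10), min_hosts=3) -> list[dict]:
    """One account successfully reaching many distinct hosts inside the window.
    Every event is a valid logon, so nothing here matches a signature."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):          # slide the window over each start event
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_fan_out", "user": user,
                               "src": start["src"], "hosts": sorted(hosts)})
                break                              # one alert per account
    return alerts


def detect_spray(events: list[dict], window=timedelta(minutes=5), min_users=4) -> list[dict]:
    """One source failing against many accounts, optionally then succeeding."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            failed = {x["user"] for x in in_window if x["result"] == "failure"}
            if len(failed) >= min_users:
                succeeded = sorted({x["user"] for x in in_window if x["result"] == "success"})
                alerts.append({"rule": "password_spray", "src": src,
                               "failed_users": len(failed), "then_success": succeeded})
                break
    return alerts


def run_detections(text: str) -> list[dict]:
    events = parse_log(text)
    return detect_fan_out(events) + detect_spray(events)


if __name__ == "__main__":
    for alert in run_detections(LOG_LINES):
        print(alert)
```

The first rule fires on svc_backup touching four hosts in under two minutes, a service account behaving like an operator moving east-west; the second fires on 10.20.0.99 failing against four accounts and then succeeding as erin. Both rules need the raw events to be retrievable and time-ordered, which is why indicator 1 (log retrieval) and indicator 3 (east-west visibility) are preconditions for indicator 6 rather than separate concerns.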

For complete requirements and official guidance, refer to the Singapore Cybersecurity Act on the CSA website.

What Continuous CCoP 2.0 Compliance Looks Like

CCoP 2.0 audits are not fixed checkpoints. The Commissioner holds authority over timing and scope. Organizations that are prepared are not those that sprint to demonstrate compliance before an audit. They are those that have built CCoP 2.0 requirements into how security operations run every day.

In a threat environment where state-linked APT groups have operated inside Singapore’s critical sector infrastructure undetected for months, continuous monitoring is not a compliance differentiator. It is an operational necessity.

Graylog Security delivers the continuous monitoring and log retention CCoP 2.0 requires: coverage across IT and OT environments, behavioral anomaly detection, and audit-ready retention.

Follow Graylog on LinkedIn for practical guidance on SIEM, threat detection, and compliance for Singapore’s critical infrastructure sectors.
