A recent cybersecurity incident involving Shanghai Tunnel Engineering Company Singapore (STECS) has raised concerns about risks linked to third-party contractors in critical infrastructure projects.
Cybersecurity expert Takanori Nishiyama from Keeper Security said the case highlights a common issue: when contractors are given access to sensitive systems, they effectively become part of the organization’s security risk. If their systems are breached, it can expose the larger network.
Singapore’s Land Transport Authority responded by suspending STECS’s access to its systems as a precaution. While this was appropriate, Nishiyama noted that such actions are often taken only after an incident occurs, rather than preventing one.
The incident also points to a lack of oversight. A recent study found that only 22 percent of organizations in Singapore have clear visibility into the cybersecurity readiness of their suppliers and partners.
Experts warn that with many infrastructure projects relying heavily on contractors, stronger safeguards are needed. These include limiting access to only what is necessary, regularly verifying user identities, enforcing strict password controls, and monitoring all system activity.
The key takeaway: better ongoing control of contractor access is essential to prevent similar incidents from spreading or causing greater damage.
