
Singapore Launches IoT Cybersecurity Labelling

Labels Will Indicate What Security Standards Products Meet

Singapore has launched an IoT cybersecurity labelling program intended to improve the security of internet-connected consumer products.


The Cybersecurity Labelling Scheme will focus first on Wi-Fi routers and smart home hubs, according to the Cyber Security Agency of Singapore.

“Amid the growth in number of IoT products in the market, and in view of the short time-to-market and quick obsolescence, many consumer IoT products have been designed to optimize functionality and cost over security,” the Cyber Security Agency says. “As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built-in.”

Examples of labels indicating what tiers an IoT product has satisfied (Source: Cyber Security Agency of Singapore)

Singapore is one of a number of countries spurring IoT manufacturers to improve their cybersecurity. For example, the IoT Alliance Australia trade group is developing a testing and certification regime while the government works on an IoT code of practice (see: Coming Soon: 'Trust Mark' Certification for IoT Devices).

The U.K. has developed a code of practice for consumer IoT and has also passed legislation that mixes a labelling program with minimum security requirements for IoT devices. In the U.S., pending legislation would establish minimum security requirements for IoT devices purchased by federal agencies (see: Federal IoT Guidelines Move Closer to Becoming Law).

Four Testing Levels

Singapore’s program is voluntary for manufacturers for now, but the nation intends eventually to make it mandatory.

The testing has four rating levels, and the CSA has offered detailed information for manufacturers. Developers can make declarations that their products conform with the first two levels.

The first level means a product meets basic security requirements, such as mandating the use of unique passwords and delivering software updates as dictated by the European Telecommunications Standards Institute’s EN 303 645 standard.

The second level encompasses the first level requirements plus following the IoT Cyber Security Guide developed by Singapore’s Infocomm Media Development Authority, or IMDA. That includes the use of "security by design" principles, including risk assessments, during development.

The third level requires the testing of software binaries, and the fourth level signifies a product has passed structured penetration tests and fulfilled all of the other levels. Once a product has passed a level, manufacturers can put a label on the product indicating which level of requirements it satisfies.

Products can meet four tiers, which are then displayed on a label. (Source: Cyber Security Agency of Singapore)

The label is valid for up to three years as long as a company continues to deliver security updates. If a manufacturer doesn’t meet the requirements, the Cyber Security Agency will ask it to remove the label or undertake remediation steps.

As an incentive to get manufacturers to participate in the program, the agency is waiving the fees for the first two levels until October 2021. The third and fourth levels require independent testing by third parties, so fees will apply.

The application fees for Singapore's IoT labelling program (Source: Cyber Security Agency of Singapore)

Home Router Guidelines

The labelling program comes as Singapore is also strengthening the security requirements for home routers. On Monday, the IMDA published new minimum security requirements for routers.

“Home routers are often the first entry point for cyberattacks targeting the public as they form the key bridge between the Internet and residents’ home networks,” the agency says. “This proactive move comes against the backdrop of continued proliferation of networked intelligent devices in homes, such as web cameras and baby monitors, which has translated into higher risks of cyberattacks that target such devices.”

Under the new requirements, routers must have passwords with a minimum of 10 characters, of which two must meet a rule such as using a capital letter or a digit. The requirement applies to routers sold starting April 13, 2021. Routers that meet the specification will qualify for a Level 1 label, IMDA says.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
