Singapore Expands Consumer IoT Labelling

Now Included: IP Cameras, Smart Door Locks, Lights and Printers
Some consumer IoT devices in Singapore will bear a label indicating compliance with cybersecurity standards.

Singapore is expanding a labelling program that allows buyers to see at a glance the cybersecurity readiness of a consumer IoT device.

The program, called the Cybersecurity Labelling Scheme, was at first intended to only cover Wi-Fi routers and smart home hubs because of the ubiquity of those devices, according to the Cyber Security Agency of Singapore. The program launched last October (see: Singapore Launches IoT Cybersecurity Labelling).

Now, the CSA says it will expand the program to cover IP cameras as well as smart door locks, lights and printers.

Under the program, smart devices will be rated according to their levels of cybersecurity provisions. “This will enable consumers to identify products with better cybersecurity provisions and make informed decisions,” the CSA says.

Star Ratings

The program is voluntary for manufacturers, but the CSA is hoping that manufacturers will see that qualifying for a label will offer a competitive advantage. The government eventually plans to make the program mandatory.

“Currently, consumer smart devices are often designed to optimize functionality and cost,” the CSA says. “They also have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning.”

The labelling program encompasses four levels, based on the cybersecurity readiness of a device. The label will display stars based on the level attained.

The first level means a product meets basic security requirements, such as mandating the use of unique passwords and delivering software updates as dictated by the European Telecommunications Standards Institute's EN 303 645 standard.

The second level encompasses the first-level requirements plus following the IoT Cyber Security Guide developed by Singapore's Infocomm Media Development Authority. That includes the use of "security by design" principles, including risk assessments, during development.

The third level requires the testing of software binaries. And the fourth level signifies a product has passed structured penetration tests and fulfilled all of the other levels. Once a product has passed a level, manufacturers can put a label on the product indicating which level of requirements it satisfies.

Products can meet four tiers, which are then displayed on a label. (Source: Cyber Security Agency of Singapore)

Consumers will see a star rating on the label, which can be displayed when a device is on the market.

The label is valid for up to three years as long as a company continues to deliver security updates. If a manufacturer doesn't meet the requirements, the CSA will ask it to remove the label or undertake remediation steps.

As an incentive to get manufacturers to participate in the program, the agency is waiving the fees for the first two levels until October. Fees will still apply to the third and fourth levels because they require independent testing by third parties.

Labelling Gains Traction

Singapore says the program is the first of its kind in Asia, although other labelling initiatives are underway in other regions.

In late 2019, Finland launched its Information Security Mark program. The security labels designate that a particular device has met requirements set by the Finnish Transport and Communications Agency's Cyber Security Center.

The U.K. has developed a code of practice for consumer IoT security and has also passed legislation that includes a labelling program as well as minimum security requirements for IoT devices.

In Australia, the IoT Alliance Australia trade group is developing a testing and certification regime while the government works on an IoT code of practice (see: Coming Soon: 'Trust Mark' Certification for IoT Devices).

The U.S. hasn’t created an IoT labelling program, but two states already have IoT-specific security laws. California's law - SB-327 - which went into effect in January 2020, forbids the sale of devices that lack reasonable baseline security measures. Oregon's IoT law, which also became effective in January 2020, is similar to California's.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
