Singapore Launches IoT Cybersecurity LabellingLabels Will Indicate What Security Standards Products Meet
Singapore has launched an IoT cybersecurity labelling program intended to improve the security of internet-connected consumer products.
The Cybersecurity Labelling Scheme will focus first on Wi-Fi routers and smart home hubs, according to the Cyber Security Agency of Singapore.
“Amid the growth in number of IoT products in the market, and in view of the short time-to-market and quick obsolescence, many consumer IoT products have been designed to optimize functionality and cost over security,” the Cyber Security Agency says. “As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built-in.”
Singapore is one of a number of countries spurring IoT manufacturers to improve their cybersecurity. For example, the IoT Alliance Australia trade group is developing a testing and certification regime while the government works on an IoT code of practice (see: Coming Soon: 'Trust Mark' Certification for IoT Devices).
The U.K. has developed a code of practice for consumer IoT and has also passed legislation that mixes a labelling program with minimum security requirements for IoT devices. In the U.S., pending legislation would establish minimum security requirements for IoT devices purchased by federal agencies (see: Federal IoT Guidelines Move Closer to Becoming Law).
Four Testing Levels
Singapore’s program is voluntary for manufacturers for now, but the nation intends eventually to make it mandatory.
The testing has four rating levels, and the CSA has offered detailed information for manufacturers. Developers can make declarations that their products conform with the first two levels.
The first level means a product meets basic security requirements, such as mandating the use of unique passwords and delivering software updates as dictated by the European Telecommunications Standards Institute’s EN 303 645 standard.
The second level encompasses the first level requirements plus following the IoT Cyber Security Guide developed by Singapore’s Infocomm Media Development Authority, or IMDA. That includes the use of "security by design" principles, including risk assessments, during development.
The third level requires the testing of software binaries, and the fourth level signifies a product has passed structured penetration tests and fulfilled all of the other levels. Once a product has passed a level, manufacturers can put a label on the product indicating which level of requirements it satisfies.
The label is valid for up to three years as long as a company continues to deliver security updates. If a manufacturer doesn’t meet the requirements, the Cyber Security Agency will ask it to remove the label or undertake remediation steps.
As an incentive to get manufacturers to participate in the program, the agency is waving the fees for the first two levels until October 2021. The third and fourth levels require independent testing by third parties, so fees will apply.
Home Router Guidelines
The labelling program comes as Singapore is also strengthening the security requirements for home routers. On Monday, the IMDA published new minimum security requirements for routers.
“Home routers are often the first entry point for cyberattacks targeting the public as they form the key bridge between the Internet and residents’ home networks,” the agency says. “This proactive move comes against the backdrop of continued proliferation of networked intelligent devices in homes, such as web cameras and baby monitors, which has translated into higher risks of cyberattacks that target such devices.”
Under the new requirements, routers must have passwords with a minimum of 10 characters, of which two must meet a rule such as using a capital letter or a digit. The requirement applies to routers sold starting April 13, 2021. Routers that meet the specification will qualify for a Level 1 label, IMDA says.