The Cyber Security Agency of Singapore (CSA) has launched a voluntary cyber security labelling scheme for consumer smart devices to improve IoT security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace.
Under the scheme, the first of its kind in Asia-Pacific according to CSA, smart devices will be rated according to their level of cyber security, enabling consumers to identify products with better cyber security provisions and make informed decisions.
The scheme is based on the ETSI Standard EN 303 645 ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’. It is an initiative under the Safer Cyberspace Masterplan 2020, a blueprint for the creation of a safer and more secure cyberspace in Singapore.
The Singapore and UK governments announced in October 2019 that they would co-operate on security for consumer IoT devices. That move followed the CSA releasing an Operational Technology Cybersecurity Masterplan as part of efforts to enhance the security and resilience of Singapore’s critical information infrastructure.
The UK, meanwhile, has decided to move towards mandating a similar scheme, also based on EN 303 645. And in August the UK-based IoT Security Foundation (IoTSF) launched three guides on consumer IoT security based on EN 303 645 and designed to help industry comply with voluntary guidelines and legislation being developed by governments.
The CSA hopes the scheme will incentivise manufacturers to develop more secure products to differentiate themselves from competitors.
The scheme will be applied initially to Wi-Fi routers and smart home hubs, “because of their wider usage, as well as the impact that a compromise of the products could have on users,” CSA says.
To encourage adoption of the scheme, CSA is waiving application fees for certification until 6 October 2021.
The scheme has four levels of security, represented by asterisks, reflecting the extent of testing and assessment a product has undergone.
Level 1: The product meets basic security requirements such as ensuring unique default passwords and providing software updates.
Level 2: The product has been developed using the principles of security-by-design such as conducting threat risk assessment, critical design review and acceptance tests.
Level 3: The product has undergone assessment of software binaries by approved third-party test labs.
Level 4: The product has undergone structured penetration tests by approved third-party test labs.
Manufacturers applying for the first two levels will need to submit a declaration of compliance with supporting evidence, while those applying for Levels 3 and 4 will also be required to submit the assessment report by an approved lab. The cybersecurity label will be valid for the length of time for which the device will be supported with security updates, up to a maximum of three years.