Singapore Expands Consumer IoT Labelling
Now Included: IP Cameras, Smart Door Locks, Lights and Printers
Singapore is expanding a labelling program that allows buyers to see at a glance the cybersecurity readiness of a consumer IoT device.
The program, called the Cybersecurity Labelling Scheme, was at first intended to only cover Wi-Fi routers and smart home hubs because of the ubiquity of those devices, according to the Cyber Security Agency of Singapore. The program launched last October (see: Singapore Launches IoT Cybersecurity Labelling).
Now, the CSA says it will expand the program to cover IP cameras as well as smart door locks, lights and printers.
Under the program, smart devices will be rated according to their levels of cybersecurity provisions. “This will enable consumers to identify products with better cybersecurity provisions and make informed decisions,” the CSA says.
The program is voluntary for manufacturers, but the CSA is hoping that manufacturers will see that qualifying for a label will offer a competitive advantage. The government eventually plans to make the program mandatory.
“Currently, consumer smart devices are often designed to optimize functionality and cost,” the CSA says. “They also have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning.”
The labelling program encompasses four levels, based on the cybersecurity readiness of a device. The label will display stars based on the level attained.
The first level means a product meets basic security requirements, such as mandating the use of unique passwords and delivering software updates as dictated by the European Telecommunications Standards Institute's EN 303 645 standard.
The second level encompasses the first-level requirements plus following the IoT Cyber Security Guide developed by Singapore's Infocomm Media Development Authority. That includes the use of "security by design" principles, including risk assessments, during development.
The third level requires the testing of software binaries. And the fourth level signifies a product has passed structured penetration tests and fulfilled all of the other levels. Once a product has passed a level, manufacturers can put a label on the product indicating which level of requirements it satisfies.
Consumers will see a star rating on the label, which can be displayed when a device is on the market.
The label is valid for up to three years as long as a company continues to deliver security updates. If a manufacturer doesn't meet the requirements, the CSA will ask it to remove the label or undertake remediation steps.
As an incentive to get manufacturers to participate in the program, the agency is waiving the fees for the first two levels until October. Fees will still apply to the third and fourth levels because they require independent testing by third parties.
Labelling Gains Traction
Singapore says the program is the first of its kind in Asia, although other labelling initiatives are underway in other regions.
In late 2019, Finland launched its Information Security Mark program. The security labels designate that a particular device has met requirements set by the Finnish Transport and Communications Agency's Cyber Security Center.
In Australia, the IoT Alliance Australia trade group is developing a testing and certification regime while the government works on an IoT code of practice (see: Coming Soon: 'Trust Mark' Certification for IoT Devices).
The U.S. hasn’t created an IoT labelling program, but two states already have IoT-specific security laws. California's law - SB-327 - which went into effect in January 2020, forbids the sale of devices that lack reasonable baseline security measures. Oregon's IoT law, which also became effective in January 2020, is similar to California's.