A simple plan for smart security

UPDATED Singapore is launching a cybersecurity labeling initiative designed to give consumers an understanding of the security protections built into Internet of Things (IoT) devices.

Under the new Cybersecurity Labeling Scheme (CLS), security ratings will be assigned based on the devices’ adherence to secure-by-design principles, resistance to independent testing, and the absence of common software vulnerabilities.

Baseline security requirements, such as the the use of unique default passwords, will also factor into the IoT security rating.

In a website post, the Cyber Security Agency of Singapore (CSA) said “many consumer IoT products have been designed to optimise functionality and cost over security. As a result, many of them have little to no security features built in.”

An accompanying factsheet (PDF) also noted that secure-by-design principles were not widely adopted because IoT products typically had a “short time-to-market cycle”.

Such oversights put consumer privacy and data at risk, noted the CSA, and made IoT devices susceptible to being corralled into botnets that can be used to launch distributed denial-of-service (DDoS) attacks.

The agency said also that manufacturers seldom disclose to consumers what security features are included in their devices, leaving buyers in the dark.

Announcing the CLS, Dr Janil Puthucheary, Senior Minister of State in the Ministry of Communications and Information, said: “The scheme will raise consumer awareness on more secure products and aims to encourage manufacturers to adopt additional cybersecurity safeguards.”

Securing home networks

As part of Singapore’s Safer Cyberspace Masterplan, the CLS scheme will initially apply to consumer grade WiFi routers and smart home hubs, on the basis that these devices act as gateways into the rest of the home network.

However, the CSA said the scheme would eventually be broadened out to apply to other types of consumer IoT products.

The scheme will be aligned with the draft European standard for IoT security (EN 303 645), it further added.

Dr Puthucheary said the CSA and the Infocomm Media Development Authority (IMDA) would open a joint public consultation on the scheme, and that IMDA plans to publish an IoT cybersecurity guide aimed at enterprise users and their vendors.

Consumer protection

With the number of IoT-connected devices in use globally projected to nearly triple to 43 billion by 2023, various countries are scrambling to establish their own IoT security regulations.

Finland launched a similar labeling system in November 2019, and comparable plans are under consideration in the UK, following the publication of an IoT security code of practice in 2018.

The CLS will initially be voluntary to give IoT developers time to become familiarized with the scheme. The CSA said it will issue further details on the initiative and how to register “in due course”.


This article was updated to incorporate comments from Dr Janil Puthucheary. 


RECOMMENDED Knowledge transfer: Casey Ellis on IoT bug bounties and live hacking events