Singapore and Finland have signed an agreement to mutually recognize each country’s cybersecurity labels for Internet of Things (IoT) devices, with the aim of helping consumers assess the security level of such products. Touting it as the first of such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicate testing.
The global pandemic has accelerated the pace of digitization and brought to light many uncertainties and challenges, prompting governments and businesses to push ahead with their digital transformation, said Minister of State at Singapore’s Ministry of Communications and Information Janil Puthucheary.
Reliance on IoT had grown as nations sought to transform into smart cities, driven by the need for connectivity and harnessing data, said Puthucheary, speaking Wednesday at the Singapore International Cyber Week conference. He noted that the number of connected devices worldwide is projected to double to 50 billion devices in 2030, compared to 2018.
This growing adoption brought with it security risks that need to be addressed, he said.
“Most consumer IoT devices are built and developed to optimize functionality and cost, often at the expense of device security. However, IoT security should not and cannot be an afterthought, but that should be a key consideration and a fundamental design.” He noted. “Without the necessary security, it leaves end users exposed to malicious cyber threats looking to compromise devices, resulting in data loss. More importantly, privacy and trust.”
Pointing to leaked footage from home cameras in Singapore last year, he stressed the need to drive consumer awareness and responsibility, upskill security professionals, and build partnerships with the international community and industry.
Last year, Singapore introduced its multi-tier cybersecurity labeling scheme (CLS) to enable consumers to make more informed decisions when purchasing IoT devices, Puthucheary said. The initiative also gave manufacturers a way to differentiate their products, he added.
Since launching in October 2020, CLS has bolstered more than 100 apps, with some labeled products available online and on physical store shelves. These included products from manufacturers Signify, BroadLink, Aztech.
The new agreement with Finland now extended the program internationally, where both countries would mutually recognize cyber security labels issued by the Singapore Cyber Security Agency (CSA) and the Finnish Transport and Communications Agency (Traficom).
According to CSA, the agreement was the first of its kind for bilateral recognition and Singapore hoped to attract more partners.
The pact with Finland was aimed at reducing the need for duplicate testing and facilitating market access for manufacturers, the CSA said. Under the agreement, consumer IoT products that met Finland’s Cyber Security Label requirements would be recognized as meeting CLS Level 3 requirements in Singapore, and vice versa.
The Singapore Standards Council, which is stationed under Enterprise Singapore, also released the country’s first national standard, Technical Reference (TR) 91 on Cybersecurity Labeling for Consumer IoT, on Wednesday. The move would provide a standard that could be adopted by manufacturers, developers, testing bodies and providers of consumer IoT devices around the world.
CSA added that TR 91 offered a framework for countries to align and mutually recognize their respective cyber security labels.
The Singapore government agency said it was also increasing the number of approved testing labs for Tier 3 and Tier 4 applications to meet growing demand for CSL testing. Additionally, the national labeling scheme would be further extended to include more products and services beyond consumer IoT devices, CSA said, adding that more details would be provided in the future.
In January 2021, several devices were added to the CSL, including smart lights, smart door locks, smart printers, and IP cameras. The scheme was initially applied only to Wi-Fi routers and smart home hubs.
Puthucheary noted that security measures were also needed for networks of IoT devices, particularly as the potential impact of Distributed Denial of Service (DDoS) botnets could go beyond individual users. He pointed to Mirai malware in 2016 that exploited insecure IoT devices to build a botnet that launched a DDoS attack, cutting off Internet access in the US.
“The work of building a safe, resilient and secure IoT ecosystem is therefore very important and spans multiple stakeholders,” he said.
In this regard, he noted that CSA had partnered with the Global Cyber Alliance to leverage the latter’s Automated IoT Defense Ecosystem (AIDE), which was a global network of partners sharing information on IoT threats.