Singapore, Germany to mutually recognise IoT cybersecurity labels

The two countries have signed an agreement to recognise each other's security rating mechanisms for a range of consumer products, including smart televisions, smart speakers, health trackers, and home automation hubs.
Written by Eileen Yu, Senior Contributing Editor

Singapore and Germany have inked a pact to recognise each other's cybersecurity rating systems for smart consumer products, including smart speakers, household robots, and home automation hubs. The EU member is the second country to do so, following Finland.

Cyber Security Agency of Singapore (CSA) said Thursday it signed the agreement with Germany's Federal Office for Information Security (BSI) to mutually recognise cybersecurity labels issued by both countries. 

Under the pact, products issued with BSI's label would be deemed to have fulfilled Level 2 of CSA's cybersecurity labelling scheme.

Singapore's labelling model assesses and rates smart devices into four levels based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. Level one, for instance, indicates a product has met basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.

Products rated Level 2 and above would be recognised by Germany's BSI.

The mutual recognition would apply to consumer Internet of Things (IoT) devices that included smart televisions, smart toys, health trackers, smart lighting, and smart thermostats. 

The agreement initially would not cover some products, such as smart door locks; fire, gas, and water detectors; and general computing devices such as computers and smartphones, which were designed to run any applications without a predefined purpose, CSA said.

The Singapore government agency said it would work with BSI to add more product categories under the bilateral agreement.

The Asian nation had inked a similar pact with Finland in October 2021, with consumer IoT products carrying the latter's cybersecurity label deemed to have met Singapore's Level 3 requirements, and vice versa. 

Such agreements not only saved smart device manufacturers the cost and time they would otherwise have spent on duplicated testing, but also gave them access to new markets.

As of October 2022, more than 200 products had been issued Singapore's cybersecurity labels. CSA had received more than 300 applications for the labels.

Connected medical devices to be assessed for security hygiene

The country's labelling scheme was expanded on Thursday to include medical devices, an extension launched in collaboration with the Ministry of Health (MOH), Health Sciences Authority (HSA), and Integrated Health Information Systems (IHIS).

Such devices increasingly were connected to hospitals and home networks, but could cause physical harm should an IoT attack occur, said Singapore's Senior Minister of State, Ministry of Communications and Information, Janil Puthucheary.

Speaking Thursday at the Singapore International Cyber Week conference, the minister said medical devices such as ECG monitors and pacemakers were getting smarter as healthcare companies and professionals leveraged technology to improve their ability to collect patient data, deliver therapy, or customise therapy.

Increased connectivity, though, meant increased cybersecurity risks and could compromise patients' personal information, clinical data, or treatment protocols, ultimately affecting patient health outcomes.

Puthucheary said: "When we think about IoT devices, convenience and efficiency are top of mind, but not necessarily security and safety of the users. The lack of strong IoT security can pose serious risks. Many consumer IoT devices contain a cache of consumer data and information that, if leaked, could compromise consumer privacy.

"In more severe cases, IoT hacks can lead to serious physical harms, even risking lives," he said, pointing to a 2017 vulnerability the US Food and Drug Administration discovered in pacemakers, which made it possible to alter the device's functions and deplete its battery. 

Extending Singapore's cybersecurity labelling scheme to include medical devices would encourage manufacturers to design such products with cybersecurity in mind. 

The labelling scheme would apply to medical devices that handled health data or were able to connect to other devices, systems, and services. 

The scheme comprised four levels of rating, with each level indicating an additional level of testing and assessment that the product had undergone. Level 1 meant the medical device had achieved baseline regulatory requirements, currently aligned with registration requirements for medical devices approved by HSA.

Baseline cybersecurity requirements for Level 1 of the labelling scheme comprised requirements medical devices would have to meet to be registered with HSA. Hence, all HSA-registered medical products would be deemed to have complied with Level 1 of the cybersecurity labelling scheme. 

Products rated under Levels 2 through 4 would have to meet "enhanced" cybersecurity requirements, such as device and data requirements. Devices in these categories might have to pass independent third-party tests, according to CSA, which said further details would be provided at a later date.

The government agency said a formal consultation with the medical device industry as well as associations would be held within the next month, to gather feedback on the proposed requirements of Levels 2 to 4. These would include the timeline for implementation. 

