Singapore and Finland have inked an agreement to mutually recognise each country's cybersecurity labels for Internet of Things (IoT) devices, aimed at helping consumers assess the level of security in such products. Touting it as the first of such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicated testing.
The global pandemic had accelerated the pace of digitalisation as well as surfaced many uncertainties and challenges, driving governments and businesses to drive their digital transformation, said Singapore's Senior Minister of State for the Ministry of Communications and Information, Janil Puthucheary.
Dependence on IoT had increased as nations looked to transform into smart cities, fuelled by the need for connectivity and to tap data, said Puthucheary, who was speaking Wednesday at the Singapore International Cyber Week conference. He noted that the number of connected devices worldwide was projected to double to 50 billion devices in 2030, compared to 2018.
This growing adoption brought with it security risks that must be addressed, he said.
"Majority of consumer IoT devices are built and developed to optimise functionality and cost, usually at the expense of the security of the device. However, IoT security should not and cannot be an afterthought, but should be a key consideration and a design fundamental," he noted. "Without the requisite security in place, it leaves end users exposed to malicious cyber threat actors seeking to compromise the devices and this results in the loss of data. More importantly, privacy and trust."
Pointing to leaked footage of home cameras in Singapore last year, he stressed the need to drive consumer awareness and responsibility, enhance the skills of security professionals, and build partnerships with the international community and industry.
Singapore last year introduced its multi-tiered Cybersecurity Labelling Scheme (CLS) to enable consumers to make more informed decisions when buying IoT devices, said Puthucheary. The initiative also gave manufacturers a way to differentiate their products, he added.
Since its launch in October 2020, CLS had shored up more than 100 applications, with some labelled products available online and on the shelves of physical stores. These included products from manufacturers Signify, BroadLink, Aztech.
The new agreement with Finland now extended the programme internationally, where both countries would mutually recognise cybersecurity labels issued by the Cyber Security Agency of Singapore (CSA) and Transport and Communications Agency of Finland (Traficom).
According to CSA, the agreement was the first of such bilateral recognition and Singapore hoped to rope in more partners.
The pact with Finland aimed to reduce the need for duplicated testing and ease market access for manufacturers, said CSA. Under the agreement, consumer IoT products that met the requirements of Finland's cybersecurity label would be recognised as having met CLS Level 3 requirements in Singapore, and vice versa.
The Singapore Standards Council, which is parked under Enterprise Singapore, on Wednesday also launched the country's first national standard, Technical Reference (TR) 91 on Cybersecurity Labelling for Consumer IoT. The move would provide a standard that could be adopted by manufacturers, developers, testing bodies, and suppliers of consumer IoT devices across the globe.
CSA added that TR 91 offered a framework for countries to align and mutually recognise their respective cybersecurity labels.
The Singapore government agency said it also was increasing the number of approved test labs for Levels 3 and 4 applications to meet growing demand for CSL assessment. In addition, the national labelling scheme would be further extended to include more products and services beyond consumer IoT devices, CSA said, adding that more details on this would be provided in future.
In January 2021, several devices were added to the CSL including smart lights, smart door locks, smart printers, and IP cameras. The scheme initially applied only to Wi-Fi routers and smart home hubs.
Puthucheary noted that security measures also were needed for the networks of IoT devices, particularly since the potential impact of Distributed Denial of Service (DDoS) botnets could go beyond individual users. He pointed to the Mirai malware in 2016 that exploited insecure IoT devices to build a botnet that launched a DDoS attack, bringing down internet access in the US.
"The work of building a safe, resilient, and secure IoT ecosystem is, thus, very important and spans across various stakeholders," he said.
In this aspect, he noted that CSA had partnered with the Global Cyber Alliance to leverage the latter's Automated IoT Defence Ecosystem (AIDE), which was a global network of partners that shared IoT threat information.