Singapore has launched a scheme to label smart devices with their cybersecurity ratings. Launched by the Cyber Security Agency (CSA) of Singapore, the Cybersecurity Labelling Scheme is currently voluntary and is initially available for Wi-Fi routers and smart home hubs. Depending on the response, the CSA will make it mandatory for all internet of things (IoT) devices. The Straits Times first reported on it.

The CSA will waive the application fees for the labels for one year (until October 6, 2021) to encourage adoption.

Ratings standards

  • Level 1: Basic security requirements such as ensuring unique default passwords and providing software updates
  • Level 2: Level 1 + developed using security-by-design principles such as conducting threat risk assessment, critical design review and acceptance tests
  • Level 3: Level 2 + assessment of software binaries by approved third-party test labs
  • Level 4: Level 3 + structured penetration testing by approved third-party test labs

*Applications for Levels 1 and 2 will be processed in 5 working days while applications for Levels 3 and 4 will be processed in 3 weeks.
*While the application fee has been waived until October 6, 2021, testing fees charged by the third-party labs will still apply for Levels 3 and 4.

What the labels would look like. Source: Singapore Cyber Security Agency

These labels will be valid as long as manufacturers support the product with security updates, up to a maximum period of three years. CSA will host a list of approved applications. If a product ceases to meet the label requirement, CSA “will request” the manufacturer to either rectify the situation or get the label removed or reviewed.

Singaporean Communications Minister S. Iswaran launched the scheme on October 7 at the fifth ASEAN Ministerial Conference on Cybersecurity and called it the first of its kind in Asia-Pacific. The labelling scheme draws reference from a similar European standard which is recognised by Australia and the US as well.

How the labels work. Source: Singapore Cyber Security Agency

The scheme is supposed to help consumers “make informed purchasing choices”. “This takes on added significance when we consider the potential of 5G and the proliferation of IoT devices,” Iswaran said. Singapore’s aim is to take this standard across ASEAN nations and other international partners.

At the meeting, Iswaran also announced that the CSA will establish an Operational Technology Cybersecurity Expert Panel (OTCEP) that would advise the government and stakeholders on how to improve cyber resilience of operational technology (OT) systems.

He also stressed the importance of safeguarding critical information infrastructures (CII) and building “regional cyber resilience” of CII, such as common cloud and banking systems, that have cross-border impact.