Parliament: New cyber security label for smart devices

From robot vacuum cleaners to smart light bulbs, connected devices are poised to surge in popularity. PHOTO: ST FILE

SINGAPORE - A cyber security label similar to the energy efficiency labels on home appliances will be rolled out to help buyers of smart devices better judge how exposed they are to cyber risks.

This label will be stuck on Wi-Fi routers and smart home hubs, for starters, as part of Singapore's new Safer Cyberspace Masterplan designed to protect consumers and small firms.

The labelling scheme will be extended to more of these so-called Internet of Things (IoT) or connected devices to help users, who are often unaware of their security risks.

Announced by Singapore's Senior Minister of State for Communications and Information (MCI) Janil Puthucheary in Parliament on Tuesday (March 2), the initiative aims to address this "growing area of concern".

"The scheme will raise consumer awareness of more secure products and aims to encourage manufacturers to adopt additional cyber security safeguards," said Dr Janil during the debate on MCI's budget.

To be launched later this year, the scheme will initially be voluntary, administered by the Cyber Security Agency of Singapore.

Singapore's labelling scheme will follow the European Union's standard for IoT devices, which spells out the minimum standards for manufacturers, including having no default passwords and ensuring that there are regular software updates over the air without user supervision.

Singapore is among the first group of countries to adopt the standard.

CSA said that the labels will indicate the security provisions present in the smart devices. More details will be announced later.

From robot vacuum cleaners to smart light bulbs, IoT devices are poised to surge in popularity.

Market research firm Gartner has estimated that the number of IoT devices in use globally will grow from 8.4 billion in 2017 to 20.4 billion this year, with twice as many consumer installations as industrial ones.

But the rules surrounding how IoT devices are designed for cyber security are lax, raising concerns about major privacy and security risks as such IoT devices proliferate.

Dr Janil, who is also minister-in-charge of GovTech that is behind the Singapore public sector's technology transformation, said a public consultation is in the works to establish minimum IoT security standards.

Addressing questions about the Government's efforts on cybersecurity from Mr Cedric Foo (Pioneer), Mr Vikram Nair (Sembawang GRC) and Workers' Party chairman Sylvia Lim (Aljunied GRC), Dr Janil announced that Singapore's new Safer Cyberspace Masterplan will be launched later this year.

The masterplan will broadly contain measures to help consumers and small businesses stay cyber-safe, but its details are still being worked out.

It complements other plans launched previously for critical services sectors like energy, telecoms and banking.

These include the Operational Technology (OT) Cybersecurity Masterplan, launched last year. The plan addresses OT systems, including traffic light controls, train-signalling systems, sensors detecting the chemical content in drinking water and the electricity grid.

Consumers welcome the cyber-security labels. Technology consultant Larry Leong, 52, likened them to hawkers' hygiene labels, saying the scheme would raise cyber-security awareness among consumers.

"However, the devil is in the details, including manufacturers' willingness to have their product designs audited," said Mr Leong.

Security also comes at a cost, said Mr Aloysius Cheang, a board director at the International Information System Security Certification Consortium, a United States-based non-profit entity.

"Even if manufacturers choose to adopt the labels, the hassle and additional costs involved could make our market unattractive.

"Manufacturers could also pass the costs to consumers," he said.

Updating the House on efforts to protect Singapore's critical information infrastructures (CIIs), he said that all 11 of the CIIs are doubling down on new cyber security measures following the recommendations of the Committee of Inquiry into the cyber attack that hit SingHealth in 2018, Singapore's worst.

These measures include automating the rollout of software patches and conducting more drills to sharpen people's readiness to respond to cyber incidents.

To date, three sectors - energy, infocomm, and security and emergency - have fully implemented all the recommendations, said Dr Janil. The recommendations have been applied to at least 70 per cent of the critical systems in the other sectors.

Join ST's WhatsApp Channel and get the latest news and must-reads.