New cyber security label for smart home devices launched; plans to have standards adopted overseas

From smart speakers to high-tech light bulbs, Internet of Things devices are expected to surge in popularity. PHOTO: JBL

SINGAPORE - A new labelling scheme to indicate the cyber security levels of home appliances has been launched in Singapore, with plans to have the standards adopted at an international level.

The Cybersecurity Labelling Scheme (CLS) will be similar to energy labels, with a tiered reference to security levels that can guide consumers into making informed decisions.

The voluntary scheme was launched on Wednesday (Oct 7) at the fifth Asean Ministerial Conference on Cybersecurity at Marina Bay Sands.

At the event, Communications and Information Minister S. Iswaran said that the scheme would strengthen cyber security around Singapore's Internet of Things (IoT), and could raise the global security standards of IoT devices.

IoT refers to physical devices that are linked to each other and the Internet.

"The scheme is the first of its kind in the Asia-Pacific. It establishes cyber security rating levels for registered smart devices, such as home routers and smart home hubs.

"Manufacturers of IoT devices can voluntarily apply for the CLS," said Mr Iswaran, who is also Minister-in-charge of Cybersecurity.

The Cyber Security Agency of Singapore (CSA) will be administering the label, which was first introduced earlier this year.

The agency is waiving application fees for the first year to encourage adoption.

Mr Iswaran said that the Government intends to use the label to uplift the security standards of products not only in Singapore, but also internationally.

"With the labels, consumers can easily assess the level of security of each device and make informed purchasing choices," he said.

"CSA plans to work with Asean member states and other international partners to establish mutual recognition arrangements for the CLS, to enhance security standards of the global IoT device market."

From smart speakers to high-tech light bulbs and robot vacuum cleaners, IoT devices are expected to surge in popularity.

Market research firm Gartner had estimated that IoT devices in use will grow from 8.4 billion globally in 2017 to 20.4 billion this year, with twice as many consumer installations as industrial ones.

But the rules surrounding how IoT devices are designed with cyber security in mind are lax, raising concerns about major privacy and security risks as such IoT devices proliferate.

Singapore's cyber security labelling scheme follows the European Union's standard for IoT devices, which spells out the minimum standards for manufacturers, including having no default passwords and ensuring that there are regular software updates over the air without user supervision.

The Republic is among the first group of countries to adopt such a standard.

The labelling scheme was launched during the fifth Singapore International Cyber Week.

There are four levels, each represented by an asterisk. In order to pass the standards for the first two levels, manufacturers need to submit a declaration of compliance with supporting evidence.

For the two higher levels, they will need to submit an assessment report by a lab approved by the CSA.

The agency started accepting applications for the label from Wednesday.

The CLS will be valid for the length of time in which the device is supported with security updates, up to a maximum of 3 years.

"For a start, CSA will introduce the CLS to Wi-Fi routers and smart home hubs. These products are prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users," said the CSA.

Join ST's WhatsApp Channel and get the latest news and must-reads.