CSA Pushes Ahead with Efforts to Improve IOT Security

1              Globally, there has been an exponential increase in the number of connected smart devices, supported by ubiquitous connectivity, as nations embark on their transformation journeys into smart cities and digital economies. Studies have estimated that there will be some 50 billion Internet-of-Things (IoT) devices globally by 2030, compared to just 22 billion of them in 2018^[1]. In Singapore, such smart devices are gaining popularity in homes and workplaces as well. Poorly secured smart devices pose risks such as the compromise of consumers’ privacy and data. On a larger scale, these devices can be compromised and amassed by attackers to target internet infrastructure and critical information infrastructure, as in the case of the Mirai botnet which disrupted internet connections across the US in 2016.

2              The Cyber Security Agency of Singapore (CSA) has introduced the several initiatives to improve IoT security, allow Singaporeans to better reap the benefits of IoT devices and better secure Singapore’s cyberspace.

Update on the Cybersecurity Labelling Scheme (CLS)

3              In October 2020, CSA launched the world’s first multi-level labelling scheme which provides security ratings for consumer IoT devices. Since the launch, CSA has received more than 100 applications for the CLS, with labelled products now available in physical stores and popular online shops. Some examples of the manufacturers with labelled products are Signify (formerly known as Philips Lighting), BroadLink, PROLiNK, and local manufacturer Aztech. 

4              To reduce duplicated testing across different countries and improve the ease of doing business for manufacturers, Singapore has signed a Memorandum of Understanding (MoU) with Finland to mutually recognise the cybersecurity labels issued by both countries. Under the MoU, consumer IoT products that have met the requirements of Finland’s Cybersecurity Label will be recognised as having met CLS Level 3 requirements, and vice versa. The MOU was signed by David Koh, Chief Executive of CSA and Sauli Pahlman, Deputy Director-General of the Transport and Communications Agency of Finland. This MOU is the first of such mutual recognition, and CSA will continue to engage other like-minded partners to facilitate more of such recognitions. 

5              With the CLS garnering international interest, CSA and the Singapore Standards Council (SSC), which is overseen by Enterprise Singapore (ESG), have also launched the first national standard, Technical Reference (TR) 91, on Cybersecurity Labelling for Consumer IoT. The TR 91 aims to serve as a standard that can be adopted by manufacturers, developers, testing bodies and suppliers of consumer IoT devices globally, as well as a framework for the harmonisation and mutual recognition of cybersecurity labels across countries. 

6              To meet growing demand for CLS assessment, CSA is planning to increase the number of approved test labs for Levels 3 and 4 applications. CSA is also looking into extending the CLS to additional products and services beyond consumer IoT devices to further grow the scheme and champion a Security-by-Design approach.  More details will be shared in due course.

International Partnership on IoT Threat Sharing

7              Beyond protecting individual IoT devices with the CLS, CSA also proactively monitors global IoT threats and attack data, so that Singapore can be better prepared against potential botnet attacks. As announced during the launch of the Safer Cyberspace Masterplan in October 2020, CSA will work with stakeholders to develop IoT threat analytics capabilities. 

8              To this end, CSA will leverage its international partner Global Cyber Alliance (GCA)’s Automated IoT Defence Ecosystem (AIDE)^[2]  and homegrown cybersecurity specialist Ensign InfoSecurity (Ensign)’s advanced threat analytics capabilities. Insights from these collaborations will provide CSA with early warning and visibility of the latest IoT attacks, and allow Singapore to develop and put in place policies and technical measures to safeguard against threat vectors. 

^[1] https://www.statista.com/statistics/802690/worldwide-connected-devices-by-access-technology/

^[2] www.globalcyberalliance.org/AIDE

Annex: Quotes on the Partnership on IoT Threat Sharing

Quote by GCA:

This is a unique opportunity to increase GCA’s international collaboration and expand our network of partners, from cybersecurity agencies and large internet players to academia and research institutions. This project —and CSA’s support as a whole— is a crucial milestone in our roadmap for the AIDE ecosystem and in our long-term vision on IoT cybersecurity. The fact that this effort is happening in Singapore, a global flagship for technology, will pave the way to expand the initial scope of the project to other international smart cities.

Mr Philip Reitinger
President and CEO of GCA

Quote by Ensign InfoSecurity:

This initiative will play an integral role in securing our country’s digital landscape as it enables us to address threats targeting the fast-growing IoT space. By leveraging Ensign’s tradecraft expertise and analytics capabilities, we can generate highly contextualised, bespoke intelligence on potential IoT cyber threats. This raises our nation’s readiness to predict, respond to, and mitigate IoT cyber threats.

Ms Tammie Tham
Chief Executive Officer of Ensign InfoSecurity

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions, and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. 

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.