Singapore announces IoT cybersecurity labeling scheme

The Cyber Security Agency of Singapore announced the official launching of the Cybersecurity Labeling Scheme (CLS). The scheme, which takes reference from ETSI 303 645, will provide cybersecurity rating levels for registered Internet of things (IoT) devices so that consumers will be able to choose products based on their security ratings. The label will be valid for the length of time for which the device will receive security updates, up to three years. For now, the CLS is a voluntary scheme, and it includes four rating levels. (a) Level 1: Product meets basic security requirements such as ensuring unique default passwords and providing software updates. (b) Level 2: Product has been developed based on the principles of security by design and fulfilled level 1 requirements. (c) Level 3: Product has gone through an assessment of software binaries by approved third party test labs and fulfilled level 2 requirements. (d) Level 4: Product has undergone structured penetration tests by approved third party test labs and fulfilled level 3 requirements. According to the scheme, manufacturers applying for the first two levels will need to submit a declaration of compliance with supporting evidence. Those applying for levels 3 and 4 will also be asked to submit the assessment report by an approved lab. To encourage manufacturers to apply for receiving the label, the agency will waive the application fees for the CLS for a year. The CLS initiative is part of the Singapore Safer Cyberspace Masterplan 2020.