#WorkinginCSA: Pioneering Internet of Things Cybersecurity Certification Scheme

24 Jun 2022

Edwin Sin is an officer with CSA’s Cybersecurity Engineering Centre (CSEC), where he is a certifier at the Cybersecurity Certification Centre (CCC). He helped to establish the Cybersecurity Labelling Scheme (CLS) and now leads the operations and enhancement of this scheme.

1. What sparked your interest in cybersecurity?

This goes quite a while back to my university days at the Singapore Institute of Technology. My curiosity in cybersecurity was first sparked when I was working on my final year project as a computing science major, which involved developing an Android mobile application that communicated with a backend hosted on the cloud. The web server and database were hosted on Amazon Web Services, but I quickly discovered that the implementation had a wide variety of cybersecurity risks, and that the server and database could be compromised. I knew I had to secure the project, so I researched solutions and techniques. It was astonishing to not only read about the ways in which we could have been compromised, but also the possible solutions to address the risks. It was a story of “how can I make this less breakable”.

After I graduated, my first job was with Underwriter Laboratories. There, I was responsible for performing certification testing on MasterCard/Visa payment terminals and mobile payment solutions, and it was intriguing to see the level of cybersecurity provisions that was engineered into payment solutions to safeguard against payment fraud and financial losses.

2. Can you share more about how you helped to establish CSA’s Cybersecurity Labelling Scheme (CLS)?

The idea of establishing the Cybersecurity Labelling Scheme was mooted back in 2018, in response to growing concerns of the threat that the increased adoption of Internet of Things (IoT) devices globally could pose.

Back then, there was no certification scheme that looked into the security of IoT devices (or other emerging technologies). Many IoT devices were sold with poor cybersecurity provisions and with little to no security features built in, while at the same time, consumers were increasingly starting to adopt Smart Home devices.

As such, the team believed it was critical that consumers should not only have access to more secure IoT devices, but also to tools to help them to make informed decisions when purchasing an IoT device.

Although we had great ambitions, it was not easy creating a new scheme from scratch, since Singapore was one of the first nations in the world to think about implementing such a scheme. We had no references to model our scheme after, and other existing schemes were not compatible with IoT devices. Moreover, as Singapore is a small nation commanding a small percentage of the global market, there were considerations as to whether Singapore could attract multinational companies to participate, being that they could always withdraw from the Singapore market. Hence, a huge hurdle we faced was in designing and implementing a scheme that would be a win-win situation for all stakeholders. Management was supportive of this initiative and pushed us to try and venture into the unknown – on our end, we were glad to have been given the opportunity to set up the CLS.

It was an uphill task, tackling the multi-faceted aspects of establishing a new scheme, but it made for a very fulfilling journey for the team. At the start, we conducted a lot of research into technical requirements, tools, and test methodologies for the various categories of IoT devices (i.e., Wi-Fi Routers, Smart Home Hubs, IP Cameras, Smart Home Sensors). We then went on to conduct pilot projects to test and refine the technical requirements against actual devices, and worked on garnering support from manufacturers and test laboratories to encourage adoption of and participation in the scheme. We also worked together with colleagues from the Infocomm Media Development Authority to mandate Level 1 for home Wi-Fi routers, as we thought it was important for such devices to be secure. And finally, we had to come up with the marketing materials and, more importantly, the design of the Cybersecurity Label.

While the technical aspect is central to the creation of the scheme, there were also other aspects that were critical to our success. I was glad to have had the opportunity to collaborate closely with my colleagues from the Communications and Engagement Office (C&EO) and the International Cyber Policy Office (ICPO). For instance, together with C&EO, we were able to work with the media and other public communications channels who expressed interest in running news of the CLS.

ICPO also provided a bridge for us to engage with several nations and share our idea of the CLS, with the hope that mutual recognition could be broached if they were also interested. At the same time, as part of efforts to raise awareness of the CLS in the global community, we participated in many international forums, conferences and events, as well as engaged with organisations such as the World Economic Forum, the United Nations, ISO, ETSI, and many others.

I cannot remember how many events we attended, but we were fortunate that with accelerated digitalisation, most of them were held virtually due to the COVID-19 pandemic. This allowed us greater access to foreign conferences without the need for physical travel. In different circumstances, it would have been impossible to reach out so extensively.

The launch of the scheme was challenging, but the work doesn’t stop here. The team’s focus is on keeping the scheme running smoothly, and also to broach the idea of mutual recognition with other nations, to list the labelling framework as an ISO/IEC standard, and possibly establish Cybersecurity Labelling Schemes for other types of devices.

3. Tell us something interesting about your job that not many people know about?

Being a certifier at the Cybersecurity Certification Centre, I get to work with a wide variety of IoT and IT security products through the certification schemes that we operate, namely the Cybersecurity Labelling Scheme (CLS), Singapore Common Criteria Scheme (SCCS), and the National IT Evaluation Scheme (NITES). Our work is akin to network penetration testing on a system or a web application, only we focus on the IT product, assessing its security through insights gained from the product’s implementation. Through this process, I also got to pick up various bits of technical knowledge.

Some interesting things I learned include – how an IoT device can be hacked through its universal asynchronous receiver-transmitter (UART) interface to obtain root shell access (by modifying the U-boot environment parameters to boot into single user mode of Linux), and how a Smart Digital Lock can be bypassed even without the password (by recording and replaying the 433 MHZ radio frequency, a signal that has no encryption or authentication). In the case of the Smart Digital Lock, it is truly frightening that the attack can take place without the user even realising it, especially considering that digital locks supposedly offer better security than traditional key locks.

Aside from the technical knowledge that I get to pick up, it is also very rewarding to see that the level of cybersecurity of such IT products has improved through the various schemes (CLS, SCCS, NITES), which has further motivated me to do better. I would like to see more products being securely designed and implemented, and which are capable of mitigating the specified security threats.

The internet, and cybersecurity, touches almost all aspects of daily life in the digital age and through these schemes, I hope to make a difference so that consumers and enterprises can have better and more secure devices. This will lead to a safer and more secure cyberspace, not just for my friends and family, but also for everyone.

Most people tend to think that my job involves sitting in front of a computer screen for a large proportion of the day, which is not quite true. I do spend a significant amount of time interacting with, learning from, and exchanging ideas on securing the cyberspace with experts from all over the world, from manufacturers specialising in IT security products, to international cybersecurity counterparts, to organisations such as the World Economic Forum, United Nations, ISO, ETSI, etc. I also get to play a part in defining standards and requirements through participation in the various technical working groups, and I greatly appreciate the opportunities this role has given me, to be able to do all these things.

4. What is your advice to those looking to work in the cybersecurity industry?

Give the cybersecurity industry a go if you have an interest in this field. Cybersecurity is always evolving, and the technology and cyber landscape are fast moving – you will never have a dull day! Working in cyber is an exciting ride with many different potential domains to specialise in, endless opportunities to work on exciting and challenging projects, and new technologies, techniques, and tools to pick up. This is what makes this field continually interesting and enriching.

5. How do you unwind from work?

As much as I like staying indoors, watching Netflix or hanging out with my friends, I also enjoy being outdoors – you can find me hiking or swimming on the weekends, as well as jogging in the wee hours of the night when it is quieter and less warm.