Published on 16 Oct 2024
The Cyber Security Agency of Singapore (CSA) signed Mutual Recognition Arrangements (MRAs) for the recognition of cybersecurity labels with the Korea Internet & Security Agency (KISA) and Germany's Federal Office for Information Security (BSI) respectively at the International Internet of Things (IoT) Security Roundtable today. The event was held during the Singapore International Cyber Week 2024 at Sands Expo and Convention Centre.
Singapore – Republic of Korea (ROK) MRA
2. The MRA was signed by Mr David Koh, Chief Executive, CSA and Mr Lee Sang Joong, President, KISA, and it will take effect on 1 January 2025. Under the MRA, smart consumer products issued with KISA’s Certification of IoT Cybersecurity (CIC) and Singapore’s Cybersecurity Label will be mutually recognised in either country. The ROK’s CIC scheme consists of three levels: Lite, Basic, and Standard, with third party laboratory testing required at all levels. CSA will recognise products issued with CIC Basic Level and above to have fulfilled Cybersecurity Labelling Scheme (CLS)(IoT) Level 3 requirements. Similarly, KISA will recognise products labelled with CLS(IoT) Level 3 and above to have fulfilled CIC Basic Level.
3. The ROK is the first country in the Asia Pacific to formalise the mutual recognition of national cybersecurity labels with Singapore. This will apply to smart devices intended for use by consumers such as smart home assistants, home automation and alarm systems, IoT gateways and hubs that connect multiple devices.
Singapore – Germany MRA
4. The MRA was signed by Mr David Koh, Chief Executive, CSA and Ms Barbara Kluge, Deputy Head of the Directorate-General Cyber and Information Security, Federal Ministry of the Interior and Community (BMI). Under the MRA, smart consumer products issued with Germany’s IT Security Label and Singapore’s Cybersecurity Label will be mutually recognised in either country. CSA will recognise products issued with BSI’s label to have fulfilled CLS(IoT) Level 2 requirements, while BSI will recognise products with CLS(IoT) Levels 2 and above. The MRA builds upon the previous MRA signed in 2022, which expanded the scope of cybersecurity label recognition to include Home Gateways[1] and continues to cover smart devices such as smart cameras, smart speakers, hubs for home automation and health trackers.
5. Manufacturers of smart consumer devices will benefit from these mutual recognition agreements as they save costs and time on duplicated testing and gain improved access to new markets.
6. As of October 2024, CSA has received applications for over 650 products, with more than 500 – ranging from routers to smart lighting to smart cameras – awarded the CLS(IoT) label.
About the Cyber Security Agency of Singapore
CSA is part of the Prime Minister’s Office and is managed by the Ministry of Digital Development and Information. For more news and information, please visit www.csa.gov.sg.
About the Korea Internet & Security Agency (KISA)
KISA was established in 2009 and is a sub-organisation under Korea’s Ministry of Science and ICT (MSIT). Aiming to improve security for Korean citizens and to enhance the industry’s competitiveness, the CIC was launched as a security certification system for IoT devices to combat rising security threats triggered by growth in the size of the converged IoT market. KISA has set ‘Internet promotion’ for the future and ‘Information Security’ for safety as its primary tasks and is focusing on enhancing the information security capacity of Korea’s ICT industry and expanding global cooperative partnerships. For more information, please visit www.kisa.or.kr/EN.
About the Federal Office for Information Security (BSI)
The BSI, formed in 1991 as part of the Federal Ministry of the Interior, is the federal cyber security agency and the chief architect of secure digitalisation in Germany. Its objective is the secure use of information and communication technology in government, economy and civil society as well as the protection of critical infrastructure in particular. The IT Security Label is one of many means to improve IT security awareness within the German society. BSI meets the global challenge of information security by actively participating in international bodies and targeting bilateral and multilateral cooperations with other countries. For more information, please visit www.bsi.bund.de/EN.
About the Cybersecurity Labelling Scheme for IoT [CLS(IoT)]
The CLS(IoT) is a voluntary scheme except in the case of Wi-Fi routers, for which obtaining a CLS(IoT) Level 1 is mandatory[2]. It comprises four levels of rating, represented by one, two, three, or four asterisks. Each additional asterisk represents an additional tier of testing and assessment that the product has undergone. The general requirements for each level are as follows:
a. Level 1: Adherence to the top three security baseline requirements within the ETSI EN 303 645 standard such as ensuring unique default passwords, having a vulnerability disclosure policy, and providing software updates.
b. Level 2: Adherence to a set of international standards (currently based on all mandatory requirements within the ETSI EN 303 645).
c. Level 3: Ensuring that the product has been developed using the principles of Security-by-Design, has undergone assessment of the software binaries by approved third-party test labs, and has fulfilled Level 2 requirements.
d. Level 4: Ensuring that the product has undergone structured penetration tests by approved third-party test labs and has fulfilled Level 3 requirements.
For more information, please visit www.csa.gov.sg/cls.
[1] Home Gateways refers to devices (i.e. Wi-Fi routers).
[2] CLS(IoT) is made mandatory for Wi-Fi routers as part of the Telecommunication Act. All Wi-Fi routers sold for local use in Singapore would need to have CLS(IoT) Level 1.