Published on 18 Oct 2023
Shifting the Balance: Striving towards global IoT standards for a digitally safer world
1. Thank you for joining us at the International IoT Security Roundtable event of the 8th Singapore International Cyber Week (SICW).
Importance of IoT Security
2. The rapid proliferation of IoT devices worldwide has brought about unprecedented connectivity and convenience. At workplaces, IoT solutions improve productivity and drive efficiency gains. In homes, these devices automate menial tasks, and change the way we engage with leisure and our lifestyles. It is perhaps unsurprising then, that the popularity of these devices has continued to increase worldwide.
3. Yet, these opportunities bring about risks. As the number of IoT devices increases, so too do our exposure and vulnerability to cybersecurity risks.
4. To an individual, having more IoT devices connected to our networks means that there are more potential entryways or “backdoors” that threat actors could use to compromise our home network and steal personal data, which may increase our risk to cyber-attacks.
5. These infected IoT devices could also be used for malicious purposes. They can form botnets which can in turn be used to launch distributed denial-of-service (DDoS) attacks against other victims, disrupting their operations and services. One notorious example of this is the Mirai botnet, which has infected millions of vulnerable IoT devices worldwide, and been used to launch multiple large-scale DDoS attacks over the years.
6. These risks are further compounded by the fact that most IoT devices have been designed with a focus on lower costs and more user convenience, with security as an afterthought. This was expected since speed-to-market and profitability would likely be the key considerations.
7. Against this backdrop, tackling security risks in IoT has never been more critical. We should not be satisfied with IoT devices that are just cheap and easy to use – they need to be secure as well. As an international community, we need to work together to shift the balance towards better security.
Shifting the Balance – Update on Cybersecurity Labelling Scheme for IoT
8. How do we shift the balance towards security? I would like to offer the Cyber Security Agency’s (CSA) Cybersecurity Labelling Scheme (CLS) for IoT devices as an example. CSA launched the CLS for IoT in 2020, as part of efforts to improve IoT security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace. Since its launch 3 years ago, the CLS has received applications for more than 550 devices, of which more than 350 have received a label, covering a wide range of devices from Wi-Fi routers, Smart Home devices as well as home appliances.
9. Through the CLS, we had hoped to shift the balance in two ways.
10. First, by placing a label on a product, it reminds consumers about the importance of IoT security, and that it should be a consideration when buying an IoT device. Consumers can then make better informed decisions, considering the security of the device, at the point of purchase.
11. Second, the CLS also encourages manufacturers to take security more seriously. Now that security is another consideration for the consumers, a manufacturer can compete on who can provide more secure products, and seek to differentiate their products from that of their competitors.
12. We are thrilled to see that many devices now come with a cybersecurity label, and we hope more manufacturers will follow suit to apply. However, we recognise that implementing cybersecurity measures can still be challenging for many manufacturers, especially for those which may not have the necessary cybersecurity expertise and resources to do so.
13. CSA will therefore be working closely with the industry to develop a Cybersecurity Implementation Toolkit that manufacturers can use to build devices that are secure-by-design. By doing so, we hope to empower manufacturers to enhance their products' security and contribute to a safer and more secure digital environment for all.
14. Last year at SICW, I introduced the development of a new Cybersecurity Labelling Scheme for Medical Devices (“CLS(MD)”), a collaboration between CSA, the Ministry of Health (MOH), the Health Sciences Authority (HSA), and Synapxe [1]. The CLS(MD) scheme is targeted at helping consumers and healthcare providers to identify and select medical devices with better in-built cybersecurity.
15. Earlier this year, we held an industry consultation exercise on the CLS(MD) scheme. The industry has expressed strong support for this initiative as it suggests that they too understand the need to tilt the balance towards security. I thank all participants and contributors for your valuable input. Your feedback has continued to shape our cybersecurity labelling scheme.
16. The next step we are taking is to launch a sandbox programme for the CLS(MD). This sandbox will run for nine months, and participating medical device manufacturers will get a first-mover advantage to apply for the CLS(MD). CSA will also gain valuable insights and feedback into how the requirements and operational workflow of the scheme can be further refined when the CLS(MD) is eventually scaled up for wider adoption. We look forward to working closely with the industry on this sandbox. More details on the Sandbox will be announced at the Elevating Medical Device Security event later.
Working Together – Need for International Cooperation
17. Even as each country works to address pressing IoT security challenges within our domestic contexts, our efforts will be even more effective if we work together as an international community – whether it is in harmonising rules and regulations to reduce the cost of adopting security standards, or in collectively nudging industry players to shift the balance towards security.
18. Singapore is committed to working with like-minded nations and partners to harmonise efforts in improving IoT security and establishing mutual recognition efforts. Finland and Germany now mutually recognise the CLS, which allows consumers to enjoy a wider range of labelled IoT products from these countries.
19. We hope that more countries will join us. In this regard, CSA is developing an international standard, ISO 27404, which defines a Cybersecurity Labelling Framework. This standard will serve as a guide for countries looking to set up their own labelling schemes for consumer IoT and facilitate mutual recognition in the future.
20. To conclude, we need to continue working together to push boundaries and shift the balance towards security for IoT devices. Platforms like the International IoT Security Roundtable today are therefore crucial as they provide a space for members of the international community to share ideas, communicate and collaborate, so that we can more effectively tackle the challenges of IoT security together.
21. I wish all of you a fruitful and meaningful conversation today. Thank you.
[1] Formerly known as Integrated Health Information Systems (IHiS).