IoT cybersecurity labels will be mutually recognised by Singapore and Germany

A cybersecurity grading system for smart consumer devices such as smart speakers, domestic robots, and home automation hubs has been agreed upon between Singapore and Germany. This makes Germany, an EU member, just the second nation to reach such an agreement with Singapore, after Finland.

As of Thursday, the Cyber Security Agency of Singapore (CSA) has reached an agreement with the German Federal Office for Information Security (BSI) to recognise each other’s cybersecurity certifications.

All items with the BSI label will be considered to have met the requirements of CSA’s Level 2 cybersecurity labelling system under the terms of the agreement.

The number of asterisks next to a product’s rating on Singapore’s labelling system indicates the depth of testing and evaluation the product has undergone. Examples of level one criteria include providing unique default passwords and making software upgrades available, while level four requirements include submitting the product to systematic penetration testing by authorised third-party test laboratories.

Products with a Level 2 or above rating would be accepted by the German BSI.

Smart TVs, smart toys, health trackers, smart lighting, and smart thermostats are all examples of consumer IoT devices that might benefit from mutual recognition under this proposal.

Smart door locks, fire, gas, and water detectors, and general computing devices like PCs and smartphones that are intended to run any apps without a predetermined function will not be covered by the agreement from the outset, according to CSA.

Singapore’s government agency has committed to collaborating with BSI to expand the scope of the bilateral agreement to include more product categories.

In October of 2021, Singapore and Finland signed an agreement identical to this one, which recognises consumer IoT items bearing Finland’s cybersecurity badge as having satisfied Singapore’s Level 3 criteria.

By avoiding the need for costly and time-consuming duplicate testing, smart device makers benefited financially and gained access to previously untapped markets via such partnerships.

Over 200 items had received Singapore’s cybersecurity labels by the end of October 2022. More than three hundred label applications had been submitted to CSA.

Connected medical equipment will be evaluated for hygiene in protecting patient data.

On Thursday, the Ministry of Health (MOH), the Health Sciences Authority (HSA), and the Integrated Health Information Systems (IHIS) inaugurated an expansion of the country’s labelling policy to cover medical equipment.

The Senior Minister of State for Singapore’s Ministry of Communications and Information, Janil Puthucheary, warned that Internet of Things (IoT) attacks might have dangerous consequences due to the growing number of linked medical and household equipment.

At a conference in Singapore on Thursday, the minister stated that medical gadgets like ECG monitors and pacemakers were becoming more sophisticated as a result of the increased use of technology in the healthcare industry.

However, with this newfound interconnectivity came new cybersecurity threats that might jeopardise patients’ private information, medical records, and treatment plans, and hence negatively impact health results.

Puthucheary stated, “When we think about Internet of Things devices, convenience and efficiency are front of mind, but not necessarily security and safety of the consumers. IoT devices with inadequate security measures present real dangers. The privacy of users is at risk since many consumer IoT devices store sensitive information.”

As an example of how Internet of Things hacks may cause bodily effects, even threatening lives, he cited a 2017 FDA discovery of a weakness in pacemakers that allowed for the modification of the device’s functionality and the depletion of its battery.

Medical device makers may be incentivized to create safer goods if Singapore’s cybersecurity labelling policy were to be applied to the industry as a whole.

All medical equipment with health data storage or connectivity capabilities would be required to carry the label.

The four-tiered scale would reflect the increasing rigour of the testing and evaluation that went into creating the product. For a medical device to be considered “Level 1,” it must have met minimum regulatory criteria that are in accordance with HSA registration standards.

Level 1 of the labelling system includes baseline cybersecurity standards that medical devices must fulfil in order to be registered with HSA. As a result, medical items that have been approved by the HSA would be assumed to meet the requirements of the cybersecurity labelling system at the Level 1 status.

Level 2 through 4 products would need to fulfil “enhanced” cybersecurity criteria such as device and data requirements. CSA has indicated that further information on whether or not devices in these classes would be required to pass third-party testing will be made available in the future.

The government agency said that during the next month, a formal consultation with the medical device sector and groups will be launched to seek comment on the proposed standards for Levels 2 to 4 and, for example, on plans for when the change will take effect.