The Singapore authorities announced the next stage in the implementation of the state information security strategy. Let’s figure out what their proposals are, where they are still concerned about the security of the home Internet and what we would like to do to protect citizens from the actions of intruders.
PS The other day we talked about the interest of the Romanian Internet provider market.
Singapore’s information security strategy was presented back in 2016, but it was only now that certain measures were introduced, at a time when the risks associated with the massive proliferation of new types of IoT devices became too difficult to ignore, and the overall level of cybercrime doubled and passed 50% growth rate threshold.
An additional stimulus was the epidemiological situation, provoking crossing about sixty percent organizations on remote control. According to this indicator, Singapore even became one of the leaders among the countries of the Asia-Pacific Region (APR).
How did you decide to act
Based on the national strategy, a roadmap was developed to protect the network infrastructure and ensure the information security interests of the country’s citizens. In the first direction, Singapore plans to establish cooperation with colleagues in the Asia-Pacific region, and in the second, it has begun independent work. Line ministry (CSA) has already presented a standardized device labeling scheme (Cybersecurity Labeling Scheme, CLS) – smart gadgets, routers and “smart home systems” – level of security:
Level 1 – product meets requirements to regular updates (IB-patches) and default protection measures (passphrases);
Level 2 – for the design process, assembly and the entire product life cycle, the developers modeled, assessed and minimized threats (Security-by-Design), brought the product into compliance IMDA IoT Cyber Security Guide;
Level 3 – the software stuffing of the device has passed laboratory automated testing for the presence of “binary” vulnerabilities, malware and backdoors;
Level 4 – product passed pentests and meets the requirements of the third level.
CSA decided to launch this “labeling” first for home routers and smart home systems. Starting April 13, 2021, the sale of such devices in Singapore without the appropriate labeling may be prohibited (manufacturers are expected to comply with at least the first level of security), but the purchased devices will not need to be changed.
Until October 6, 2021, marking will be free, but then it will require payment. Until they got it only two products brand Kyla. But CSA stressed that their methodology is based on international standards, so there should be no problems with duplication of certification, and the list of devices will expand rapidly.
First-level marking for home Wi-Fi and smart devices implies the installation of randomized passphrases by default, their strength, disabling potentially vulnerable interfaces, automatic downloading of information security patches, secure login to the device management system and checking for unauthorized remote access.
Where else do they introduce something like this
Similar frameworks discuss in the EU since 2016. So, one of them – The EU cybersecurity certification framework – was previously presented by the European Cybersecurity Agency (ENISA) and came into force this summer along with a general package of measures incorporated into a general code of practice called EU Cybersecurity Act…
An information security framework involves evaluating a whole range of devices. Requirements should be developed by a special certification group ECCG… Similar regulation of this market segment preparing to implement and the British authorities.
So far, such measures have not met with harsh criticism. On the background the scandal over the discussed proposals to regulate end-to-end encryption they look like a more adequate attempt to protect the interests of citizens. But how the labeling and certification requirements will affect the smart home gadget market in these countries remains to be seen.
Additional reading on the topic:
What is interesting about the Romanian Internet providers market
Work of Internet providers and development of communication systems