The proliferation of “smart” devices has resulted in increasing security concerns due to the lack of cybersecurity provisions. On the other hand, general consumers have no easy means to determine the security provisions of IoT devices and therefore manufacturers are not incentivised or motivated to invest in the security of such devices.

The Cybersecurity Labelling Scheme (CLS) is the world’s first multi-levelled rating scheme for consumer Internet-of-Things (IoT) Devices. By making cybersecurity provisions transparent and providing indication of the level of security in IoT devices, the CLS empowers consumers to make informed purchasing decisions while incentivising manufacturers with competitive branding to develop more secure products to differentiate themselves from competitors. The CLS also improves international market access and eliminate trade barriers by facilitating Mutual Recognition Arrangements (MRAs), thereby eradicating duplicated testing and reducing cost of compliance across national boundaries.

The CLS has received over 300 applications. Today, consumers have access to more than 200 CLS labelled products (across Wi-Fi Routers, Smart Home Hubs, Smart Lighting, Smart Home Appliances, IP Cameras, etc.) with better cybersecurity provisions, and more labelled products becoming available. The CLS is currently mutually recognised with Finland and Germany, and more MRAs discussions with other nations and organisations are on-going. These has enhanced the reach and richness of the IoT eco-system, and garnered global efforts to build a safer and more secure IoT eco-system.

Beyond raising the hygiene level of consumer IoT devices, CLS’ agile modality governance has been instrumental in transforming mindsets, steering industry towards being proactive and more sustainable, and getting consumer to be ready for our digital future.

Overall, CLS helps to raise cybersecurity, harmonise standards, and change mindset, to foster an enabling environment for our digital future.

https://www.csa.gov.sg/Programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme/about-cls

• International

The CLS helps to reduce the attack surfaces by eradicating common flaws and mistakes in IoT, raise cybersecurity hygiene, and create a safe and more secure cyberspace. It brings about the following benefits:
• Safeguarding Citizens: Providing transparency in consumer IoT’s cybersecurity provisions, transforming mindsets, and enabling consumers to make informed purchasing decisions.
• Fostering a Cybersecurity-conscious Industry: Incentivising manufacturers through branding to differentiate their product from competition, inculcating a more proactive attitude.
• Growing Digital Economy: Reduce cost of compliance and facilitate market access through MRAs.

The CLS is designed with internationally acceptable standards as a basis. CLS Level 1 and 2 leverage standards such as the ETSI EN 303645 and NIST 8259.

The set of CLS publication is available on the CSA website. The framework of the CLS itself is formalised into the Singapore Technical Reference 91 (TR 91). A Universal Cybersecurity Labelling Framework (UCLF) has also been approved for development under NP/ISO27404, agnostic of whether a binary or multi-level scheme, to serve as a common labelling requirement reference to integrate and harmonise standards, to facilitate interoperability and compatibility for mutual recognition globally.

Importantly, beyond raising the hygiene level of consumer IoT devices, CLS has been instrumental in changing mindsets both in the industry and for the consumer. In the industry, it moves away from the developer-centric, complained focus approach towards an inherently proactive and more sustainable ecosystem where developers are incentivised to develop more secure products. For the consumer, CLS is helping consumer to gain better awareness of cyber risks, and to imbue in themselves a cybersecurity consciousness upfront to be ready for our digital future.

The CLS and the supporting framework are regularly reviewed to ensure their relevance. As the CLS framework will be formalised into an ISO/IEC standard, it follows the periodic review cycle. Similarly, the international standards that support CLS, the EN 303 645 and NIST 8259, undergo periodic reviews.

Internally, CSA reviews and updates the baseline framework of CLS to ensure its relevance to technology development and threat landscape. For instance, the minimum test specifications are constantly updated by incorporating feedbacks from the approved testing laboratories to ensure the specifications remain relevant and adequate to test devices against prevalent threats.

The CLS’ sustainability is further accentuated by its following attributes:

Agile Governance for Emerging Technology. CLS modality of agile governance, enables it to be flexible and dynamic to set a low entry barrier while progressively nudge developers towards achieving higher security requirements. This is achieved through a sustainable approach by stimulating demand from consumers through awareness, education, and transparency (through CLS), which in turn incentivise developers to proactive develop more secure products, keeping in pace with advancement of technology, through competitive branding and market dynamics.

Facilitate International Mutual Recognition. The CLS actively seeks out like-minded partners for mutual recognition to improve market access and reduce cost of compliance and testing across national boundaries. These improvements will address key woes highlighted by the industry and help grow the digital economy.

Cultivate a Sustainable Industry. By empowering consumers to make more informed purchasing decisions to suit their cybersecurity needs, providing branding to incentivise manufacturers to develop more secure product, and facilitating mutual recognition to reduce cost of compliance and reducing barriers to market, CLS cultivates a proactive mindset in the industry for long term sustainability.

CLS endeavours to promote WSIS’ values of freedom, equality, solidarity, tolerance, and shared responsibility. CLS builds confidence and security in the use of technology devices, through shared responsibility between consumers and device manufacturers. CLS encourages businesses and device developers to consider security as part of their device design and encourages consumers to make informed decision when selecting a secure smart device for their daily needs. The collaborative approach enables the creation of an enabling environment for a thriving secure digital ecosystem. Strike balance between Innovation and Security. The CLS enables a delicate balance of raising cyber hygiene while continuing to encourage innovation and advent of new products. In this way, regulators need not stifle innovation; but over time, progressively nudge the market towards higher security requirements based on factors such as market demand, product readiness, and technology maturity. Cultivate a Proactive Industry. The scheme is flexible, combining the attributes of self-declaration and third-party independent assessment. It can be light weight, low cost and scalable for basic cyber hygiene to allow easy onboarding, while offering the opportunity to progress towards higher assurance for stronger branding. This design is a paradigm shift from the traditional developer-centric, compliant focused approach. Changing Consumer mindsets. With now a spectrum of labelled products in the markets, we are beginning to refocus our efforts on the consumer through a plethora of activities in the social media, campaigns and public roadshows, and news and media, to raise awareness and educate our consumers on the CLS and importance of cybersecurity. Unlike in the physical world, our populace has cultivated the safety habits like locking the house, zipping up the wallets, we cannot take for granted that the populace knows how to safeguard themselves in the digital world.