Singapore and Germany have agreed to recognise each other’s cybersecurity rating systems for smart consumer items such as smart speakers, domestic robots, and home automation hubs. Following Finland, the EU member is the second to do so.
The Singapore Cyber Security Agency (CSA) said Thursday that it has reached an agreement with Germany’s Federal Office for Information Security (BSI) to mutually recognise cybersecurity labels issued by both nations.
Products with the BSI label would be judged to have met Level 2 of the CSA’s cybersecurity labelling standard under the agreement.
Singapore’s labelling scheme evaluates and grades smart gadgets into four categories depending on the number of asterisks, with each reflecting an extra degree of testing and assessment that the product has undergone. A level one product, for example, has satisfied basic security standards such as assuring unique default passwords and providing software updates, whereas a level four product has completed systematic penetration testing by recognised third-party test laboratories and met level three requirements.
The German BSI would recognise products graded Level 2 and higher.
Consumer Internet of Things (IoT) gadgets such as smart televisions, smart toys, health trackers, smart lighting, and smart thermostats would be eligible for mutual recognition.
Initially, the agreement would not include items such as smart door locks; fire, gas, and water detectors; and general computing devices such as PCs and smartphones that were meant to run any programme without a predetermined function, according to CSA.
The Singapore government agency stated that it will collaborate with BSI to expand the scope of the bilateral agreement.
In October 2021, Singapore signed a similar agreement with Finland, under which consumer IoT items carrying the latter’s cybersecurity badge are judged to have satisfied Singapore’s Level 3 criteria, and vice versa.
Such agreements not only saved smart device makers money and time spent on repetitive testing, but also allowed them access to new markets.
More than 200 goods had received Singapore’s cybersecurity labels as of October 2022. More than 300 applications for the labels have been submitted by the CSA.
Connected medical equipment will be evaluated for security hygiene.
The country’s labelling programme, which was introduced in partnership with the Ministry of Health (MOH), Health Sciences Authority (HSA), and Integrated Health Information Systems (IHIS), was expanded to cover medical devices on Thursday.
Such gadgets were increasingly connected to hospital and residential networks, but could inflict bodily injury if an IoT attack occurred, according to Singapore’s Senior Minister of State for Communications and Information, Janil Puthucheary.
Speaking at the Singapore International Cyber Week conference on Thursday, the minister stated that medical devices such as ECG monitors and pacemakers were becoming smarter as healthcare companies and professionals used technology to improve their ability to collect patient data, deliver therapy, and customise therapy.
However, greater connectivity means increased cybersecurity risks, which might expose patients’ personal information, clinical data, or treatment procedures, compromising patient health outcomes.
Puthucheary stated, “When we think about IoT devices, we think of convenience and efficiency, but not always security and user safety. A lack of adequate IoT security might offer significant hazards. Many consumer IoT devices store a cache of user data and information that, if compromised, might jeopardise consumer privacy.
“In more extreme circumstances, IoT hacks may cause substantial physical injury, potentially putting lives in danger,” he warned, citing a 2017 vulnerability uncovered by the US Food and Drug Administration in pacemakers that allowed hackers to change the device’s functionality and drain its battery.
Extending Singapore’s cybersecurity labelling regime to medical devices will encourage manufacturers to design such items with security in mind.
The labelling scheme would apply to medical equipment that processed health data or could communicate with other devices, systems, and services.
Each of the four rating levels would represent an extra degree of testing and assessment that the product has completed. Level 1 signified that the medical equipment met the basic regulatory criteria, which are presently linked with HSA registration requirements for medical devices.
The baseline cybersecurity standards for Level 1 of the labelling scheme included the requirements that medical devices must fulfil in order to be registered with HSA. As a result, all HSA-registered medical items would be considered to have met Level 1 of the cybersecurity labelling scheme.
Levels 2 through 4 products would have to fulfil “enhanced” cybersecurity criteria, such as device and data requirements. According to CSA, devices in these categories may be required to undergo independent third-party tests, and more information will be supplied at a later date.
The government agency stated that a formal consultation with the medical device sector and associations will be undertaken within the next month to gather feedback on the proposed Levels 2–4 standards. These would include the implementation timetable.