
Singapore and Germany Reach IoT Labeling Agreement

Updated on 2022-10-20: Singapore and Germany Reach IoT Labeling Agreement

Singapore and Germany have signed an agreement to recognize each other’s Internet of Things (IoT) security labels. Singapore’s Cyber Security Agency (CSA) reached a similar agreement with Finland last autumn. CSA has recently expanded its labeling scheme to include medical devices.

Note

  • As we know from nutritional labels and UL labels on electrical cords, such labels don’t by themselves make things safer but more information to consumers backed by government buying power requiring compliance in government procurements does work to raise the bar.
  • As more countries implement rating/labelling requirements for consumer devices, the question of competing requirements and repeated testing for each market entered arises. Agreements such as these hold the promise of reducing duplicative testing. Over time, expect more categories of devices to be added to the agreement. Note that Singapore has a four-tier rating system and is only recognizing Germany’s labels as meeting the first two tiers.


Updated on 2022-10-19: White House Convenes Meeting to Discuss IoT Security Standards

At a meeting earlier this week, the White House held a “workshop” to discuss how to move forward with establishing cybersecurity standards for Internet of Things (IoT) devices. The meeting included representatives from the tech industry, government leaders, policy experts, and Consumer Reports, the non-profit consumer advocacy organization. White House officials say they expect to release the first set of standards in spring 2023.

Note

  • Since the direction so far is in line with my comments in Newsbites 81, I have to say this is good to see. Similar past efforts (like in fire retardant materials) succeeded where the government worked with private industry standards efforts and then used its buying power to make those standards meaningful to producers.
  • Work is progressing to ensure the consumer product labelling is both current and relevant. For example, the label will include a barcode which allows the user to see the vendor’s security practices and current state, so you can ensure the label is current. The label also includes a rating or score. The rating is derived from components such as how easy the device is to patch, encryption, and interoperability. Initially, complying with the standards will be voluntary. Note that even with a rating, sufficient information has to be provided to ensure products are deployed securely.


Updated on 2022-10-17

The US is working on a cybersecurity labeling system, similar to what’s used for food. Participants are meeting on October 19th to discuss the plans. Read more: White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star

Updated on 2022-10-12

Later this month, the Biden administration “will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities.” The effort is listed in an October 11 White House fact sheet on the administration’s focus on strengthening the country’s cybersecurity. The White House will also be meeting with “international partners” at the end of this month “to accelerate and broaden this joint work” of the International Counter-Ransomware Initiative.

Note

  • Many good initiatives listed, but of course press releases are like sailboats – progress takes powerful wind to see actual progress. Two good things in there: (1) I would really like to see this statement lived up to by the US government: “Strengthening the Federal Government’s cybersecurity requirements, and raising the bar through the purchasing power of government.” The government demanding higher levels of security in the products and services they procure is the single most powerful way they can drive a major reduction in vulnerabilities; and (2) There is a long history around fire resistant material standards where independent organizations like UL Labs worked with government agencies like NIST and industry associations to make sure that a wide variety of flammable “things” were much safer. This all succeeded because the government didn’t try to dictate standards, it worked with private industry to make sure that procurements and use of flammable “things” had to include compliance with the industry standards. Today, in the Internet of Things, there are already some meaningful standards efforts, like Connectivity Standards Alliance-IoT which have some big names on board: Amazon, Apple, Google, Samsung, etc. If the US government put its buying power behind some consensus standards, the bar for IoT security will be raised.
  • My concern with the IoT label is that it may not remain compliant continuously; what’s needed is a code users can scan to verify current status online, as other countries have done.
  • Labeling will be a great help. One of the things that a label should include is the environment in which the device is intended to be used, and specifically whether it is intended to be attached to the public networks. Devices like cameras and some medical devices, that are intended to attach directly to the public networks have different requirements than those like baby monitors or smart TVs that are intended to be connected only to local area networks.


Overview

The White House said in a press release on Tuesday that it is working on a cybersecurity-themed label that would be applied to smart (IoT) devices and help inform Americans which devices “meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities.”

The Biden Administration said it plans to meet with vendors, industry groups, and government agencies later this month to discuss how this new labeling scheme should be done.

The announcement this week comes after the White House ordered NIST and the FTC last year to explore two labeling pilot programs on cybersecurity capabilities for IoT devices.

According to Cyberscoop, Deputy National Security Adviser for Cyber and Emerging Tech Anne Neuberger is spearheading the IoT cybersecurity labeling program, which is expected to launch next spring, in 2023.

The White House said the new cybersecurity labels will first be mandated for “the most common, and often most at-risk, technologies — routers and home cameras — to deliver the most impact, most quickly.”

Other device types will most likely be included in the program, which is the same approach that the German government took with its own IoT cybersecurity labeling scheme, which it initially launched last year with routers and email services, and then expanded to cameras, speakers, cleaning and gardening robots, smart toys, smart TVs, and then to all smart home consumer products starting this fall.

Currently, Germany and Singapore seem to have the most advanced cybersecurity labeling schemes for smart devices, even if similar labeling schemes also exist in the UK and Finland. Things are certainly moving quicker in the US than in the EU, where talks about an IoT cybersecurity labeling scheme have been taking place since the mid-2010s, but with few results as of yet. Several industry groups have also developed their own cybersecurity labeling schemes, but one sanctioned by either the US or the EU is most likely to get more traction internationally than anything else currently used anywhere else.
