Singapore―SICW 2024―The Cybersecurity Labelling Scheme (CLS), launched by Singapore’s Cyber Security Agency (CSA) as a voluntary program to rate commercial products based on their cybersecurity standards, has gained international momentum with South Korea joining its proactive efforts to protect the digital ecosystem.
By signing a mutual recognition arrangement (MRA) with Singapore on October 16, South Korea became the first country in the Asia-Pacific region to join the ambitious cybersecurity scheme. On the same day, Germany also updated its existing CLS agreement with Singapore.
The MRAs with South Korea and Germany were signed during the International Internet of Things (IoT) Security Roundtable, part of Singapore International Cyber Week (SICW). Lee Sang-joong, President of Korea Internet & Security Agency (KISA), and Barbara Kluge, Deputy Head of the Directorate-General Cyber and Information Security at Germany’s Federal Ministry of the Interior and Community (BMI), representing the Federal Office for Information Security (BSI), appeared on stage with David Koh, Commissioner of Cybersecurity & Chief Executive at CSA.
The MRAs will cover smart devices intended for consumer use, including smart home assistants, home automation and alarm systems, and IoT gateways and hubs that connect multiple devices.
The MRA between South Korea and Singapore will take effect on January 1, 2025. Under the agreement, smart consumer products certified with KISA’s Certification of IoT Cybersecurity (CIC) and Singapore’s Cybersecurity Label will be mutually recognized in both countries. South Korea’s CIC scheme has three levels: Lite, Basic, and Standard, all requiring third-party laboratory testing. CSA will accept products with CIC Basic Level and above as meeting CLS for IoT Level 3 standards. Similarly, KISA will recognize products labeled with CLS for IoT Level 3 and above as fulfilling CIC Basic Level requirements.
Germany, which signed its first MRA with Singapore in 2022, has expanded the agreement to include cybersecurity label recognition for Home Gateways, such as Wi-Fi routers. The MRA continues to cover smart devices, including smart cameras, smart speakers, home automation hubs, and health trackers. Under the agreement, smart consumer products certified with Germany’s IT Security Label and Singapore’s Cybersecurity Label will be mutually recognized. CSA will accept products with Germany’s IT Security Label as meeting CLS for IoT Level 2 requirements, while BSI will recognize products labeled with CLS for IoT Level 2 and above.
The CLS for IoT consists of four rating levels, represented by one to four asterisks. Each additional asterisk indicates a higher tier of testing and assessment the product has passed. Level 4, the highest, is awarded to products that have undergone structured penetration tests by approved third-party labs. As of October 2024, CSA has received applications for over 650 products, with more than 500 – ranging from routers to smart lighting and smart cameras – receiving the CLS for IoT label.
CSA expects that manufacturers of smart consumer devices will benefit from these MRAs by saving on costs and time associated with duplicated testing, while also gaining improved access to new markets.
“The CLS is to help consumers and providers identify secure products. It seeks to improve products by incentivizing manufacturers to see cybersecurity as a competitive advantage,” said Janil Puthucheary, Senior Minister of State, Ministry of Digital Development and Information & Ministry of Health of Singapore, during his speech before the signing ceremony. “We have a collective journey towards a more secure, a more interconnected future. We have to engage in open dialogue, share knowledge, forge partnerships to secure our IoT and a safer digital world for all,” the minister added.
Separately from the MRAs, Singapore launched the CLS for Medical Devices (CLS for MD) on the same day. To address growing threats to medical devices and enhance cybersecurity for this equipment, the nation developed this “first-in-the-world” multi-level scheme. From October 2023 to July 2024, the government conducted a sandbox phase in which medical device manufacturers were invited to test their devices and provide feedback on the scheme. Based on the feedback collected, the requirements and processes of the scheme have been refined, including greater clarity on the application process and assessment methodology, along with clearer templates to guide the industry in meeting the minimum requirements.