Cybersecurity Labelling Scheme (CLS)

Introduction

In recent years, there has been an exponential increase in the number of connected Internet of Things (IoT) devices in the world. It is estimated that there will be some 50 billion IoT devices in use around the world by 2030[1].

Amid the growth in the number of IoT products on the market, and in view of the short time-to-market and quick obsolescence, many consumer IoT products have been designed to optimise functionality and cost over security. As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built in.

This poses cybersecurity risks, such as the compromise of consumers’ privacy and data, because hackers generally look for the easiest systems to attack that will net the most damage and returns.

Compromised IoT devices can also be used by threat actors to form a botnet to launch Distributed Denial of Service (DDoS) attacks, which could bring down Internet services. One example of this is the Mirai botnet attack in 2016, which was carried out via innocuous IoT devices such as home routers and IP cameras. The attack left much of the internet inaccessible on the US East Coast.

Currently, information on the amount of security that is built into these devices is not made readily available by the manufacturers. Thus, consumers are unable to make informed decisions towards purchasing more secure devices.

About the Cybersecurity Labelling Scheme

The Cyber Security Agency of Singapore (CSA) has launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices, as part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore's cyberspace.

The CLS is the first of its kind in the Asia-Pacific region. Under the scheme, smart devices will be rated according to their levels of cybersecurity provisions. This will enable consumers to identify products with better cybersecurity provisions and make informed decisions.

The CLS also aims to help manufacturers stand out from their competitors and be incentivised to develop more secure products. Currently, consumer smart devices are often designed to optimise functionality and cost. They also have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning.

The CLS was first introduced to cover Wi-Fi routers and smart home hubs. These products were prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users. It has since been extended to include all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers. 

Mutual Recognition

Finland
In 2021, Singapore and Finland signed a Memorandum of Understanding (MoU) to mutually recognise the Cybersecurity Labels issued by CSA and the Transport and Communications Agency of Finland (Traficom). Under the MoU, consumer IoT products that have met the requirements of Finland’s Cybersecurity Label are recognised as having met the requirements of Level 3 of Singapore’s Cybersecurity Labelling Scheme, and products with CLS Level 3 and above are recognised by Finland as having met its requirements.

Level 3 and Level 4 applications for consumer connected products may be granted both Singapore’s Cybersecurity Labelling Scheme label and the Finnish Cybersecurity Label at once, with a single application process.

Germany
In 2022, Singapore and Germany signed a Mutual Recognition Arrangement (MRA) to mutually recognise the cybersecurity labels issued by CSA and the Federal Office for Information Security of Germany (BSI). Under the MRA, smart consumer products issued with Germany’s IT Security Label will be recognised by CSA as having fulfilled Level 2 of Singapore’s Cybersecurity Labelling Scheme, and products with CLS Level 2 and above are recognised by Germany as having met its requirements.

The mutual recognition of cybersecurity labels will apply to devices intended for use by consumers such as Smart Cameras, Smart TVs, Smart Speakers, Smart Toys, Smart Garden and Household Robots, Gateways and Hubs for Home Automation, Health Trackers, Smart Lighting, Smart Plug (Smart Power Socket), and Smart Thermostats.

Country/Organisation | Level of Mutual Recognition
Finland | Finland’s Cybersecurity Label with CLS Level 3 and above
Germany | Germany’s IT Security Label with CLS Level 2 and above


Please send any enquiries on the Cybersecurity Labelling Scheme to cls_iot@csa.gov.sg.

For more details on the different certification schemes for cybersecurity products by CSA, download:


[1] IoT connected devices worldwide 2030, Statista Research Department, 22 January 2021, https://www.statista.com/statistics/802690/worldwide-connected-devices-by-access-technology/