26 February 2019
The Info-communications Media Development Authority (“IMDA”) is conducting a public consultation from 25 January 2019 to 8 March 2019 on the content of IMDA’s new guide (“Guide”), which provides recommendations and guidance to Internet of Things (“IoT”) users and vendors in securing their IoT devices and networks. The Guide aims to promote best practices in implementing security for IoT devices and networks, and to cultivate awareness that security should not be an afterthought but needs to be built in during the design stage.
IMDA is seeking views on the usefulness and clarity of the Guide, and whether the coverage of the Guide is sufficient, in particular:
- Baseline Recommendations: The Baseline Recommendations section lists a set of proposed essential steps that could be taken by various parties at the deployment and operating phases to ensure a core level of security in IoT devices and networks. IMDA is seeking feedback on the usefulness of the security measures given in the Baseline Recommendations section of the Guide, and whether they are adequate and relevant.
- Threat modelling checklist: Threat modelling is a systematic approach to identify and understand potential vulnerabilities and threats in a system, prioritise them, and thereafter identify suitable risk-mitigation techniques to address them. The approach to threat modelling in the Guide is structured in the form of a checklist, which offers an organised way for system developers to examine if they have been following essential steps. IMDA is inviting comments on the usefulness, clarity and adequacy of the threat modelling checklist proposed in the Guide.
- Vendor disclosure checklist: IoT is used across almost all sectors today, and many IoT users are traditionally not well versed in cybersecurity matters. It is therefore assessed to be beneficial to provide these users with a checklist that they can use as a guide for the procurement of IoT systems, i.e. by scoping the vendor disclosure checklist as part of the tender submission requirement. IMDA would like feedback on the usefulness and adequacy of the proposed vendor disclosure checklist in the Guide and the items listed within.
- Informative annexes: Annex A to the Guide introduces the security concepts used in the Guide for a holistic approach to identifying and mitigating the threats and vulnerabilities of IoT systems. Annex B to the Guide provides a case study on a Home Control System that demonstrates the application of the recommendations in the Guide. IMDA would like views on the usefulness of these informative annexes.
- Certification scheme: IMDA seeks feedback on the proposed introduction of a certification scheme for IoT devices to be deployed in Singapore and whether the certification should be voluntary or mandatory.
Given the rapid evolution of technologies and threats, the Guide will be updated in response to changes.
The following materials are available on the IMDA website www.imda.gov.sg:
- IMDA media release
- Consultation paper on IoT Cyber Security Guide
- IoT Cyber Security Guide
- Annex A to IoT Cyber Security Guide
- Annex B to IoT Cyber Security Guide