SINGAPORE – 13 MAR 2020
The Infocomm Media Development Authority (“IMDA”) today launched a public consultation to specify security requirements for home routers sold in Singapore.
The increased proliferation of networked intelligent devices in homes such as web cameras and baby monitors has translated to higher risks of cyber-attacks that leverage such devices. Some of these devices have little or weak protection against cyber-attacks and are vulnerable to unauthorised access by malicious actors.
Residential Gateways (“RG”), commonly known as home routers, are often the first entry point as they form the key bridge between the Internet and residents’ home networks.
To provide a safer and more secure Internet experience for users, and to strengthen the resilience of Singapore’s telecommunications networks, the Infocomm Media Development Authority (“IMDA”) today launched a public consultation to seek views from the industry and public on a new Technical Specification (“IMDA TS RG-SEC”) that will set out the minimum requirements for RGs.
Together with CSA’s Cybersecurity Labelling Scheme (CLS), this effort will raise the cybersecurity standards of IoT devices in Singapore. This will improve baseline standards for such devices and will be a pre-requisite for CSA’s cybersecurity label. Other jurisdictions are also evaluating similar requirements. Japan will be imposing similar requirements from April 2020, and the United Kingdom has also recently begun evaluating such requirements.
Public Consultation
IMDA is inviting views on the following key requirements:
- Tightening password administration through mandating no default login passwords, and requiring minimum password strength for RG;
- Securing default settings to better manage and control access to the RG, such as switching off unsecured Wi-Fi Protected Setup (“WPS”), and switching on the firewall by default;
- Strengthening RG administration, in particular the applicability of maintaining secure communication protocols such as SSH or HTTPS for device management interfaces to the RG; and
- Updating RGs automatically with the latest firmware.
IMDA has also engaged key RG manufacturers including Linksys and TP-Link, and also telecommunication service providers, who have expressed support for IMDA’s initiative to strengthen the security of home routers. Through these industry engagements, IMDA notes that some equipment manufacturers have already incorporated similar requirements in newer models of home routers. IMDA expects mainstream models will continue to remain affordable as new equipment compliant with IMDA’s requirements is launched.
To allow time for the industry to comply with the new technical requirements, the proposed changes will be effective six months after the finalised standards come into effect. Additionally, previously-approved home routers can continue to be sold until one year after the finalised standards come into effect. IMDA expects TS RG-SEC compliant RGs to be available from as early as end 2020, and all RGs sold in Singapore will be compliant by Q3 2021.
Residents will not need to change their home routers. When residents next upgrade their RGs, they are advised to look for RGs compliant with IMDA’s cybersecurity requirements, which will be affixed with a compliance label, for better protection. A list of approved RGs will also be available on IMDA website for verification by consumers prior to purchase.
IMDA will take in industry and public comments before finalising the requirements.
More information is available on Security Requirements for Residential Gateways page. All submissions for the public consultation must reach IMDA by 12 noon on 10 April 2020.
.webp)