UL and Cybersecurity – Who Knew?

It’s very possible that you have spent your entire career in the building electronic security business and never associated UL with anything other than that little UL-in-a-circle sticker that shows up on electronic system components.  Or, you may have spent your entire career in the IT security world and have never given UL a second thought.  Well, that may very likely change in the near future – for both groups.  Systems today are powered by software and software introduces security concerns that UL is addressing in an ever-growing way.

UL’s stated purpose is to “help companies demonstrate safety, confirm compliance, enhance sustainability, manage transparency, deliver quality and performance, strengthen security, protect brand reputation, build workplace excellence, and advance societal wellbeing.”  In today’s world, that statement necessarily includes cybersecurity protection, so that’s what they are doing.

Brilliance Security Magazine had the distinct pleasure of sitting down with Ken Modeste, Director of Connected Technologies at UL, and Todd Lira, Application and Project Resource Manager at UL, to discuss UL and cybersecurity.  They explained that “The concept of safety in the 1950s was that you didn’t want something to catch fire and electrocute you.  Now it has expanded significantly.  Safety now is about your personal data and IP systems in that you don’t want a bunch of cameras that can be used to attack another system.”  We learned that UL has a whole new set of standards being developed to address cybersecurity threats.

Ken and Todd bristle a little at the idea that this is a new area for UL because, well, they know better.  Ken explained that “UL has been doing cybersecurity since the 1990s.  We started getting into cybersecurity at the same time we started getting heavily into wireless and interoperability.  We started acquiring companies that have these capabilities in the mid-2000s, but these companies had been involved in the Payment Card Industry (PCI) world since 1994 or 1995.”

The platform on which UL’s cybersecurity efforts and standards are built is called the UL Cybersecurity Assurance Program.  “The UL Cybersecurity Assurance Program (UL CAP) aims to minimize risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses. This, in turn, helps reduce exploitation, address known malware, enhance security controls and expand security awareness,” their website explains.

The series of standards applicable to cybersecurity is the UL2900 Cybersecurity for Network-Connectable Products series.

UL2900-1 was published as an ANSI (American National Standards Institute) standard in July 2017.  It applies to network-connectable products that are to be evaluated and tested for vulnerabilities, software weaknesses, and malware.  It describes the requirements regarding the software developer risk management process for their product.  It also covers methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.  Finally, it lists requirements regarding the presence of security risk controls in the architecture and design of a product.

Realizing that some industries have nuances that won’t adapt well to the generalized 2900-1 standard, UL has started creating 2900-2-X standards that are industry specific.  For example, 2900-2-1 covers healthcare and wellness systems.  2900-2-2 is for industrial control systems and 2900-2-3 is for building electronic security systems.

UL 2900-2-3, the most applicable to this article, is not yet an ANSI standard.  It is currently moving through the consensus process.  The standards development process can be quite arduous.  If you are interested in learning more, see the video below.

Even the challenges of the standards consensus process are not enough to stymie some manufacturers.  On March 27, 2018, Johnson Controls’ American Dynamics brand announced that their VideoEdge Network Video Recorder was the first product to attain UL2900-2-3 cybersecurity readiness certification.  Once the “big boys” start to lay claim to this UL certification, the race will be on and most of the industry will clamor to make the same claims.

But what about the well-known UL-in-a-circle sticker?  Ken says, “we don’t have a physical mark on the product.”  He went on to explain that in the fast-moving world of cybersecurity it is anticipated that certified products will require re-certification, or at least a quick check, to make sure they are not vulnerable to new threats.  Device-level pen-testing is part of the certification process.  Ken postulated that “I would think that five years from now things would have evolved to a system level certification.”

“In the industrial controls space, the idea of certifying installers is starting to get some traction,” Ken said.  Only time will tell whether or not the building electronic security market will want to adopt that model as well.

Steven Bowcut, CPP, PSP, is the Editor-in-Chief for Brilliance Security Magazine.