Underwriters Laboratories has launched a Cybersecurity Assurance Program (UL CAP), which uses the organization’s UL 2900 series of standards as testable cybersecurity criteria. The goal is to assess software vulnerabilities for network-connectable products and systems. UL CAP was designed to detect weaknesses, minimize exploitation, address known malware, review security controls, and increase security awareness.
UL CAP was created for vendors seeking trusted support in assessing security risks as they build connected products, as well as for purchasers who want to mitigate risk by sourcing products validated by a trusted third party. UL CAP is also designed to help insurance companies determine cybersecurity risk. UL launched the certification program during the first week of April.
Cyber attacks can pop up from anywhere.
The certification was originally prompted by vendors who wanted a blessing for their connected products and systems. Other entities such as insurance companies soon followed.
“When we started looking at this and how we would do cybersecurity evaluation, we started out working with manufacturers. They asked us to look at their challenges, which is similar to their safety evaluations,” Ken Modeste, principal engineer at UL, told Design News. “As we started engaging more and more stakeholders, insurance companies started reaching out with the same concerns. They wanted a third-party organization to determine their risk. They were looking for ways to vet the standards.”
To determine effective cybersecurity protection, UL runs the companies’ products through a number of tests. “In working with the vendor or the manufacturer, we identified about 8 or 9 testing assurances around software products,” said Modeste. “The vendor or manufacturer can have an assessment done that includes penetration testing to evaluate vulnerability to hacking. UL offers them repeatable criteria to make adjudications.”
To obtain certification, the vendor or manufacturer has to pass all of the testing. “We look at how the vendor or manufacturer lives up to all of the criteria in order to obtain certification,” said Modeste. “We assess the requirements and we produce the results. If they meet all of the criteria, then we issue them a certificate.”
Certification for 12 Months Only
As cyber attacks become more sophisticated, harder to protect against, and more costly, security precautions become critical. The tech industry predicts there will be 21-50 billion connected devices by 2020. Gartner predicts that 66% of networks will have an IoT security breach by 2018.
UL limits the certification to 12 months. UL believes that after 12 months, a software product will have morphed into something new that requires further testing. “The certificate has a length of 12 months. Most software has a lifespan of 6 to 18 months. So we chose 12 months, knowing that after that the software would need to add new attributes. After 12 months, we would assess any new vulnerabilities,” said Modeste. “At the end of the year, the vendor comes back for a new evaluation. If in the process the vendor experienced multiple vulnerabilities and they introduced new items into their software, then we do a full re-evaluation.”
UL sees cybersecurity as a more difficult assessment than product safety. The problem with cybersecurity is that the attacker works to cloak the attack. “With safety, you can see what would make a product unsafe. With cybersecurity, you have actors who attack from hiding. We look at the software to see where all of the software is routed from and track how they avoid vulnerabilities,” said Modeste. “If new vulnerabilities are introduced, we look at how the vendor addresses that new threat. That’s part of the process. We look at their patch process and see how they monitor and assess new vulnerabilities and how they would resolve them.”
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.