As most software applications available today are built from open-source components, organizations must be especially vigilant in implementing rigorous software supply chain management systems and procedures to mitigate the potential risk from third-party applications. Thus, Underwriters Laboratories (UL) has developed a set of cybersecurity standards – UL 2900-2-2 – specifically designed for industrial control systems (ICS).
The standards were developed to offer testable cybersecurity criteria for third-party software and to validate the security claims of software vendors. The goal is to help mitigate cybersecurity concerns for manufacturers, vendors, and their customers through the UL Cybersecurity Assurance Program (UL CAP) that utilizes the new UL 2900-2-2 standard for ICS. In addition, UL has ongoing research partnerships with the Department of Homeland Security (DHS ICS-CERT) and the Defense Advanced Research Projects Agency (DARPA ICS) to help mitigate industrial IoT cyber risks.
UL has a long history of developing cybersecurity standards, so the latest efforts are a matter of identifying new needs in the ICS market. “We felt there was a need for UL to step into this space and address the risks of cybersecurity, since many of our clients are industry vendors,” Ken Modeste, global principal engineer for UL Cybersecurity, told Design News. “We’ve been involved in the space since the 1990s. In the last 10 years, it’s been growing into wireless security and IT security systems.”
The goal was to make the standards broad enough to address security in control systems across multiple industries. “One of the challenges is how to secure the supply chain – to provide a foundation of security across the board. We started looking at the fundamental problem. After polling agencies and experts, we recognized that software is the predominant cause of security,” said Modeste. “If we could address the security of software, it would be applicable to industrial systems. So, we started to build a foundation based on software and see how we can affect the software during the security design of software.”
The Continual Update Process
Cybersecurity is always a moving target. UL built this into the standards, so they will be updated as the security environment changes. “We’re in a continuous feedback mode for continuous improvement. There is no silver bullet or magic way to solve the problem,” said Modeste. “In the past, people have tried for gradual solutions, but that didn’t satisfy industry. We started adding and building on the foundation in order to make it harder and harder for a bad actor to circumvent control systems.”
UL created standards that are designed to adapt to developments in the security environment, a function that is consistent with updates that software vendors provide. “The standards are continually updated. Vendors are producing products, but those products are not static. They make revisions and updates,” said Modeste. “The vendor adapts, so they roll out any new changes. We take that into consideration. We look at how to ensure your vendor is doing the due diligence.”
By adhering to the standards, users can be assured their vendors are providing ongoing updates to security. “In practice, what we’ve seen is that if the vendor adopts these standards, it becomes part of their independent best practices and shows they’re doing the right thing,” said Modeste. “The adoption of these standards demonstrates to their clients that they’re adapting and they have third-party validation of that adapting.”
Ongoing UL Cybersecurity Standards
UL began publishing standards for ICS providers last year. “We published a series of standards in 2016. We published more this past summer. We started three years ago as we worked as an adviser to the Obama Administration,” said Modeste. “We met with several agencies with the government, DHS being the biggest one. We partnered with various agencies, including DARPA. We also include several consultants and utilities.”
The standards come out of UL’s Cybersecurity Assurance Program (UL CAP), which offers third-party support that allows users to evaluate both the security of network-connectable products and systems and the vendor processes for developing and maintaining those products and systems securely.
While the standards apply to a wide swath of industries, including medical and buildings, the core work was done for manufacturing. “The standards are focused on the manufacturing community, to help them build good design into their products,” said Modeste. “That means the vendor takes into consideration the flaws and weaknesses that a hacker may use to attack. The standards don’t specifically say they should identify and notify the user. Instead, it makes the product robust enough to protect itself. The software in the products will be trained to detect and take action.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.
Image courtesy of Underwriters Laboratories.