Cybersecurity is a growing concern for manufacturers of life safety and security products, and Underwriters Laboratories (UL) wants to help solve the problem. Specifically, UL seeks to work with manufacturers to up their game on cybersecurity and to certify compliance to a minimum level of cybersecurity “hygiene.”
UL cybersecurity certification
UL is a familiar brand in consumer goods and in the security and life safety markets. UL certification is sought by manufacturers in a range of product lines, from electrical goods and smoke alarms to access control and central monitoring stations. Approximately 22 billion UL marks appeared on products in 2016. In the physical security industry alone, products are certified to around 20 different standards covering access control, intrusion detection, locks, safes and vaults, software and other categories.
Now UL is working to increase the prominence of their brand in cybersecurity with the UL Cybersecurity Assurance Program (CAP). The UL 2900-1 standard, the standard that offers General Requirements for Software Cybersecurity for Network-Connectable Products, was published in 2016 and in July 2017 was published as an ANSI (American National Standards Institute) standard. The standard was developed with cooperation from end users such as the Department of Homeland Security (DHS), U.S. National Laboratories, and other industry stakeholders. UL 2900-2-3 – the standard that focuses on electronic physical security/Life Safety & Security industry, was published in September 2017.
Testing for cybersecurity weaknesses
The UL 2900 standard encompasses three main areas related to cybersecurity – software weaknesses, known vulnerabilities and risk control such as encryption, access control, passwords, remote communications, and software patches and updates. UL conducts structured penetration, fuzz testing and other tests to establish a reasonable level of confidence that a product or system has addressed cybersecurity concerns.
“Certification to the standard means that a product or system has been evaluated to a minimum level of cyber hygiene,” says Neil Lakomiak, Director of Business Development and Innovation, Building and Life Safety Technologies, for UL LLC. “It covers the ‘blocking and tackling’ that you would expect manufacturers to do. It doesn’t provide absolute assurance, but rather a level of confidence that a product has been vetted.” The certification is good for one year, and changes in products require recertification.
| UL has written more than 1,600 standards defining safety, security, quality and sustainability |
Lakomiak says applying the standard will: “create an environment where companies are starting to incorporate cybersecurity into their development processes; creating security by design. It will elevate the industry to consider cybersecurity earlier in the development process.” An overall goal of UL is to “give people peace of mind around the products and systems they use.”
Underwriters Laboratories at ASIS 2017
Companies that achieve certification can promote it as a point of differentiation in the market, although not a guarantee that a product is cybersecure. UL’s independent evaluations carry weight in the market, as reflected by the ubiquity of the UL brand, and Lakomiak contends the industry can benefit from applying the same level of testing and certification to the area of cybersecurity. He sees UL’s cybersecurity initiative as complementary to other cybersecurity measures, such as “white hat” hacking. From a standards perspective, UL’s efforts seek to complement industry efforts such as SIA, ASIS International, PSA and ONVIF.
Lakomiak was at the ASIS 2017 show in Dallas, where he met with existing manufacturer customers and potential future clients – including large and small companies in the industry – to discuss cybersecurity and the road to certification. He says many manufacturers are not yet ready for certification, in which case UL provides consultancy and advisory services to help them get there.
“A lot of companies just need help understanding what their current processes and cybersecurity posture are,” says Lakomiak. “They want help to create a roadmap to get certification. A variety of manufacturers are on the path to certification.”
Underwriters Laboratories security mission
The cybersecurity element is an extension of UL’s mission to help companies demonstrate safety, confirm compliance, deliver quality and performance, and build excellence. Lakomiak says many people mistakenly perceive UL as a quasi-governmental organisation, perhaps because UL standards are sometimes incorporated into regulations.
However, the organisation is a business and wants to operate like one by serving the needs of its manufacturer customers. “We want to have the service we provide be market-driven. We understand the pain points of manufacturers, integrators and others as they interface with technology. We want to devise programmes to help them be successful in the market. Our focus is to make our customers succeed by providing objective certification.”
To the extent that cybersecurity is a growing pain point for the physical security industry, there is a large potential role to be played by UL and many others.