UL, a global safety science organization, today announced its new
Cybersecurity Assurance Program (UL CAP). UL CAP uses the new UL 2900 series of
standards to offer testable cybersecurity criteria for network-connectable
products and systems to assess software vulnerabilities and weaknesses, minimize
exploitation, address known malware, review security controls and increase
security awareness. UL CAP is for vendors looking for trusted support in
assessing security risks while they continue to focus on product innovation to
help build safer, more secure products, as well as for purchasers of products
who want to mitigate risks by sourcing products validated by a trusted third
party.

As cyber-attacks become
more sophisticated, harder to protect against, and more costly than ever,
security precautions are critical. There will be 21-50 billion connected
devices by 2020, according to Gartner and other industry reports. By 2018, it
is predicted that 66% of networks will have an IoT security breach*. The
security and financial risks impacting products and services globally for
public and private sectors and consumers alike are the key drivers to develop
new safeguards in an ever-changing security threat landscape faced with growing
risks.

“We’re aiming to
support and underpin the innovative, rapidly iterating technologies that make
up the Internet of Things (IoT) with a security program,” said Rachna Stegall,
Director of Connected Technologies at UL. “The more devices become
interconnected, the greater the potential security risks to products and
services across all sectors. The Cybersecurity Assurance Program’s purpose is
to help manufacturers, purchasers and end-users, both public and private,
mitigate those risks via methodical risk assessments and evaluations.”

The new UL CAP was
developed with input from major stakeholders representing the U.S. Federal
government, academia and industry to elevate the security measures deployed in
the critical infrastructure supply chain. The White House recently released the Cybersecurity
National Action Plan (CNAP), designed to enhance cybersecurity capabilities within the US
government and across the country. UL’s CAP services and software security
efforts were recognized within the CNAP as a way to test and certify
network-connectable devices within the Internet of Things supply chain and
ecosystems especially relevant in critical infrastructures, such as energy,
utilities and healthcare.

Asset owners from critical
infrastructure can see the benefits of UL CAP as a means for evaluating the
security posture of their supply chain. “The availability and integrity
of critical infrastructure is crucial to the safety and well-being of society.
A comprehensive program that measures critical systems against a common set of
reliable security criteria is helpful,” states Terrell Garren, CSO, Duke
Energy. UL CAP offers trusted third party support with the ability to
evaluate both the security of network-connectable products and systems and the
vendor processes for developing and maintaining products and systems with a
security focus.

Asset
owners know the significance of UL CAP being developed with Open Source
technologies in mind as it aligns and simplifies their network-connectable
products and systems, architectures, and cyber security strategies. “In the
coming years, UL's role will be transformative in that it will provide cyber insurers
with a common approach to evaluate and more efficiently price cyber risk for
companies that adopt and promote the UL certified technologies and processes.
In the short term, we expect the UL 2900 to become central to businesses
delivering a more secure Internet of Things and government a more secure U.S.
critical infrastructure. We believe that UL certification will carry
significant weight, and differentiate our offering in the marketplace,”
states David Wallace Cox, President, Developer and Chief Architect at
Reprivata, Corp.

UL's evaluation of
security products and systems uses the UL 2900 series of
standards, which outline technical
criteria for testing and evaluating the security of products and systems that
are network-connectable. These standards form a baseline set of technical
requirements to measure, and then elevate, the security posture of products and
systems. UL 2900 is designed to evolve and incorporate additional technical
criteria as the security needs in the marketplace mature.

Building on the successful
framework of the UL CAP pilot where initial vendors benefited from this
innovative program, UL CAP can help vendors identify security risks in their
products and systems and suggest methods for mitigating those risks in a wide
range of industry functions, including: industrial control systems, medical
devices, automotive, HVAC, lighting, smart home, appliances, alarm systems,
fire systems, building automation, smart meters, network equipment, and
consumer electronics. For increased flexibility for specific market
requirements, vendors can select the UL CAP services best suited for their
current needs.