We’re all familiar with Underwriters Lab, and we’re used to seeing the UL symbol on the cord tag of our electrical appliances. But things electrical – which were just being introduced when UL was founded in 1894 – have given way to things electronic. And (depending on who you’re listening to) sooner or later, everything electronic (including all those UL-labeled appliances) will end up as part of the Internet of Things (IoT).
Earlier in the year, UL published a cybersecurity standard “for the testing and certification of connection devices.” UL 2900 aims to address what has been one of the more significant barriers to more widespread IoT adoption: security.
While some have welcomed UL jumping in with their Cyber Assurance Program – they believe that it’s useful to have a third party certification available in this arena – there’s concern that there are already so many security requirements established by vertical industry segment, that there’s really no room to adopt a truly common set of standards.
EE Times last week published an interesting article on this, including a Q&A session they had with UL, and I thought it would be interesting to pull out some of the highlights. (All material in quotes in this post comes from the EE Times article, which can be found here.)
- UL has been in the security space for more than two decades, and has been dealing with cybersecurity for the past decade, so they have some experience and credibility in the area. (UL was the organization that developed FIPS 140, the Federal Information Processing Standards used by the US Government.)
- They decided to create their Cyber Assurance Program (CAP) once they saw that security problems were emerging in areas beyond traditional IT. They saw that “risks are spreading out into HVAC, automotive, lighting, factory automation and medical fields” – i.e., the IoT world. CAP was in response to this, and – more directly – to a request from the Department of Homeland Security to “develop testable security criteria, through which UL can test, validate, authenticate and certify networked devices.”
- This is the testing they do: “Software used within products – ranging from chips to components and systems. We look at existing vulnerabilities, defects and patches known to third-party vendors. We test to discover coding errors and security loopholes in software, operating systems or networks. We see how a system accesses remote devices and do software updates. We offer structured penetration testing regimen, and see if we can plug those holes. We define flaws and weaknesses and provide scientific repeatable and reproducible testing criteria.”
- Of interest: they’ll test automotive components, but not vehicles themselves. Too much of the data they’d need belongs to the automotive industry, and is not available through NIST, which is the database they use for information on vulnerabilities.
Those are some of the highlights. If you’re building an IoT application (other than a connected vehicle) and you think UL certification might be useful, check out the full article, or take a look at UL.com.