‘CyberUL’ Launched For IoT, Critical Infrastructure Device Security

Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks now have an official UL (Underwriters Laboratories) certification program – for cybersecurity.

UL today rolled out its anticipated—and voluntary--Cybersecurity Assurance Program (UL CAP), which uses a newly created set of standards for IoT and critical infrastructure vendors to use for assessing security vulnerably and weaknesses in their products. The UL CAP was created in conjunction with the White House, the US Department of Homeland Security, industry, and academia, and falls under President Obama’s recently unveiled Cybersecurity National Action Plan (CNAP) as a way of testing and certifying networked devices in IoT and critical infrastructure.

Akin to the vaunted UL seal affixed to consumer appliances and other electrical equipment, the UL CAP certification can be used as a procurement tool for critical infrastructure buyers as well as consumers and businesses buying IoT equipment. UL will test the products against its new 2900 series of IoT security standards.

But don’t look for the UL seal on your car, home router or ICS system just yet. “What the vendor will get from us is a UL certification” if its products pass a series of vulnerability assessments and penetration tests by UL, says Ken Modeste, principal engineer of security and global communications at UL. “We’re not providing a UL mark as yet on the products.”

IoT and industrial security concerns have escalated in the wake of continuous discoveries of glaring vulnerabilities in both consumer and ICS/SCADA systems over the past few years, many with public safety ramifications. And with an estimated 21- to 50 billion connected devices to come online by 2020, according to Gartner and other industry analysis, the stakes are getting higher every day.

UL CAP certifications are good for 12 months and then the product must get recertified by UL, “unless you made changes in that product within that timeframe,” which also would require recertification, Modeste says.

“This [certification] will mitigate risks in these products, and [it’s] also helping [buyers] with guidance as they go out and source products. It shows vendors are doing due diligence for security” in their network-connected products, Modeste says.

Everything from smart TVs and home routers in the consumer product sector to HVAC and lighting systems and fire alarms in the building automation sector to medical devices in hospitals, as well as ICS/SCADA equipment in utility networks, now can be tested for the UL cybersecurity certification.

“This really started three- to four years ago when appliance vendors started approaching us and saying you helped us a lot mitigate risks from [physical] safety, we want you to do that from a security perspective” as well, Modeste recalls.

The White House, meanwhile, has been exploring a UL "seal" model for IoT security over the past year, culminating with the CNAP’s call for a program to test and certify networked IoT devices. Michael Daniel, special assistant to the President and the nation's cybersecurity coordinator, last year in an interview with Dark Reading, said the Obama administration saw an Underwriters Laboratories-type certification model a good fit for driving vendors to secure their increasingly Internet-connected consumer products.

"We are very much interested in voluntary models" for this, Daniel said in that interview. "A nonprofit consortium that would rate products … I find that model very intriguing and similar in the development" of IoT security and safety, he said.

UL’s IoT certification isn’t the only game in town, however: the Online Trust Alliance (OTA)’s IoT Trust Framework is set of specifications for IoT manufacturers to help them build security and privacy into connected consumer devices, with the goal of becoming a global certification program. The OTA’s framework for IoT security came out of an industry working group with members from Microsoft, Symantec, Target, and home security system vendor ADT, and calls for unique passwords, end-to-end encryption of personal and sensitive information, and patching and update mechanisms, among other things.

The supply chain is at the core of the issue of IoT security, according to Craig Spiezle, executive director and president of OTA, and that’s what his organization’s framework aims to remedy.

UL’s Modeste says supply chain security assurance is one of several elements in UL’s certification program.

UL CAP: Phase One

The UL program in its first phase focuses mainly on “core competencies” for secure devices, such as ensuring known vulnerabilities are found and patched in the devices, or if not, that they come with appropriate exploit mitigations, Modeste says.

Authentication, access, encryption, and software updates also are part of the criteria for certification in phase one. “We looked at what we thought were some of the major areas where security incidents occur, over consistent flaws in a products that could easily be remediated. What we did avoid [in the first phase] are some of the more difficult security concepts that would entail cost-prohibitive efforts,”  he says.

There are specific standards for medical devices as well as for industrial control systems, he says.

“In future phases ... we will have more rigid and much more strenuous requirements,” he says, such as more secure code in the supply chain, for instance.

UL will issue its first cybersecurity certifications in the third quarter of this year.

“A comprehensive program that measures critical systems against a common set of reliable security criteria is helpful,” Terrell Garren, CSO at Duke Energy, said in a statement.

Related Content:

Find out more about IoT security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.