
4/5/2016
10:00 AM
CyberUL Launched For IoT, Critical Infrastructure Device Security

Much-anticipated UL (Underwriters Laboratories) cybersecurity certification program kicks off.

Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks now have an official UL (Underwriters Laboratories) certification program – for cybersecurity.

UL today rolled out its anticipated, voluntary Cybersecurity Assurance Program (UL CAP), built on a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. UL CAP was created in conjunction with the White House, the US Department of Homeland Security, industry, and academia, and falls under President Obama's recently unveiled Cybersecurity National Action Plan (CNAP) as a way of testing and certifying networked devices in IoT and critical infrastructure.

Akin to the vaunted UL seal affixed to consumer appliances and other electrical equipment, the UL CAP certification can be used as a procurement tool for critical infrastructure buyers as well as consumers and businesses buying IoT equipment. UL will test the products against its new 2900 series of IoT security standards.

But don't look for the UL seal on your car, home router, or industrial control system just yet. "What the vendor will get from us is a UL certification" if its products pass a series of vulnerability assessments and penetration tests by UL, says Ken Modeste, principal engineer of security and global communications at UL. "We're not providing a UL mark as yet on the products."

IoT and industrial security concerns have escalated in the wake of continuous discoveries of glaring vulnerabilities in both consumer and ICS/SCADA systems over the past few years, many with public safety ramifications. And with an estimated 21 billion to 50 billion connected devices expected to come online by 2020, according to Gartner and other industry analysts, the stakes are getting higher every day.

UL CAP certifications are good for 12 months and then the product must get recertified by UL, “unless you made changes in that product within that timeframe,” which also would require recertification, Modeste says.

“This [certification] will mitigate risks in these products, and [it’s] also helping [buyers] with guidance as they go out and source products. It shows vendors are doing due diligence for security” in their network-connected products, Modeste says.

Everything from smart TVs and home routers in the consumer product sector to HVAC and lighting systems and fire alarms in the building automation sector to medical devices in hospitals, as well as ICS/SCADA equipment in utility networks, now can be tested for the UL cybersecurity certification.

"This really started three to four years ago when appliance vendors started approaching us and saying you helped us a lot to mitigate risks from [physical] safety, we want you to do that from a security perspective" as well, Modeste recalls.

The White House, meanwhile, has been exploring a UL "seal" model for IoT security over the past year, culminating with the CNAP's call for a program to test and certify networked IoT devices. Michael Daniel, special assistant to the President and the nation's cybersecurity coordinator, said last year in an interview with Dark Reading that the Obama administration saw an Underwriters Laboratories-type certification model as a good fit for driving vendors to secure their increasingly Internet-connected consumer products.

"We are very much interested in voluntary models" for this, Daniel said in that interview. "A nonprofit consortium that would rate products … I find that model very intriguing and similar in the development" of IoT security and safety, he said.

UL's IoT certification isn't the only game in town, however: the Online Trust Alliance (OTA)'s IoT Trust Framework is a set of specifications for IoT manufacturers to help them build security and privacy into connected consumer devices, with the goal of becoming a global certification program. The OTA's framework for IoT security came out of an industry working group with members from Microsoft, Symantec, Target, and home security system vendor ADT, and calls for unique passwords, end-to-end encryption of personal and sensitive information, and patching and update mechanisms, among other things.

The supply chain is at the core of the issue of IoT security, according to Craig Spiezle, executive director and president of OTA, and that’s what his organization’s framework aims to remedy.

UL’s Modeste says supply chain security assurance is one of several elements in UL’s certification program.

UL CAP: Phase One

The UL program in its first phase focuses mainly on “core competencies” for secure devices, such as ensuring known vulnerabilities are found and patched in the devices, or if not, that they come with appropriate exploit mitigations, Modeste says.

Authentication, access, encryption, and software updates also are part of the criteria for certification in phase one. "We looked at what we thought were some of the major areas where security incidents occur, over consistent flaws in products that could easily be remediated. What we did avoid [in the first phase] are some of the more difficult security concepts that would entail cost-prohibitive efforts," he says.

There are specific standards for medical devices as well as for industrial control systems, he says.

“In future phases ... we will have more rigid and much more strenuous requirements,” he says, such as more secure code in the supply chain, for instance.

UL will issue its first cybersecurity certifications in the third quarter of this year.

“A comprehensive program that measures critical systems against a common set of reliable security criteria is helpful,” Terrell Garren, CSO at Duke Energy, said in a statement.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

hewenthatway, User Rank: Strategist, 8/11/2016 | 7:54:07 PM
Awesome
The average consumer has needed something like this for a long time. Static analysis, fuzzing, and algorithms open to the pub (hopefully); I'm just happy it seems to have a good direction at the helm (Mudge, etc.)