4/5/2016
10:00 AM

CyberUL Launched For IoT, Critical Infrastructure Device Security

Much-anticipated UL (Underwriters Laboratories) cybersecurity certification program kicks off.

Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks now have an official UL (Underwriters Laboratories) certification program – for cybersecurity.

UL today rolled out its anticipated, and voluntary, Cybersecurity Assurance Program (UL CAP), which uses a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. The UL CAP was created in conjunction with the White House, the US Department of Homeland Security, industry, and academia, and falls under President Obama’s recently unveiled Cybersecurity National Action Plan (CNAP) as a way of testing and certifying networked devices in IoT and critical infrastructure.

Akin to the vaunted UL seal affixed to consumer appliances and other electrical equipment, the UL CAP certification can be used as a procurement tool for critical infrastructure buyers as well as consumers and businesses buying IoT equipment. UL will test the products against its new 2900 series of IoT security standards.

But don’t look for the UL seal on your car, home router or ICS system just yet. “What the vendor will get from us is a UL certification” if its products pass a series of vulnerability assessments and penetration tests by UL, says Ken Modeste, principal engineer of security and global communications at UL. “We’re not providing a UL mark as yet on the products.”

IoT and industrial security concerns have escalated in the wake of continuous discoveries of glaring vulnerabilities in both consumer and ICS/SCADA systems over the past few years, many with public safety ramifications. And with an estimated 21 billion to 50 billion connected devices expected to come online by 2020, according to Gartner and other industry analysts, the stakes are getting higher every day.

UL CAP certifications are good for 12 months and then the product must get recertified by UL, “unless you made changes in that product within that timeframe,” which also would require recertification, Modeste says.

“This [certification] will mitigate risks in these products, and [it’s] also helping [buyers] with guidance as they go out and source products. It shows vendors are doing due diligence for security” in their network-connected products, Modeste says.

Everything from smart TVs and home routers in the consumer product sector to HVAC and lighting systems and fire alarms in the building automation sector to medical devices in hospitals, as well as ICS/SCADA equipment in utility networks, now can be tested for the UL cybersecurity certification.

“This really started three to four years ago when appliance vendors started approaching us and saying you helped us a lot to mitigate risks from [physical] safety, we want you to do that from a security perspective” as well, Modeste recalls.

The White House, meanwhile, has been exploring a UL "seal" model for IoT security over the past year, culminating with the CNAP’s call for a program to test and certify networked IoT devices. Michael Daniel, special assistant to the President and the nation's cybersecurity coordinator, said in an interview with Dark Reading last year that the Obama administration saw an Underwriters Laboratories-type certification model as a good fit for driving vendors to secure their increasingly Internet-connected consumer products.

"We are very much interested in voluntary models" for this, Daniel said in that interview. "A nonprofit consortium that would rate products … I find that model very intriguing and similar in the development" of IoT security and safety, he said.

UL’s IoT certification isn’t the only game in town, however: the Online Trust Alliance (OTA)’s IoT Trust Framework is a set of specifications for IoT manufacturers to help them build security and privacy into connected consumer devices, with the goal of becoming a global certification program. The OTA’s framework for IoT security came out of an industry working group with members from Microsoft, Symantec, Target, and home security system vendor ADT, and calls for unique passwords, end-to-end encryption of personal and sensitive information, and patching and update mechanisms, among other things.

The supply chain is at the core of the issue of IoT security, according to Craig Spiezle, executive director and president of OTA, and that’s what his organization’s framework aims to remedy.

UL’s Modeste says supply chain security assurance is one of several elements in UL’s certification program.

UL CAP: Phase One

The UL program in its first phase focuses mainly on “core competencies” for secure devices, such as ensuring known vulnerabilities are found and patched in the devices, or if not, that they come with appropriate exploit mitigations, Modeste says.

Authentication, access, encryption, and software updates also are part of the criteria for certification in phase one. “We looked at what we thought were some of the major areas where security incidents occur, over consistent flaws in products that could easily be remediated. What we did avoid [in the first phase] are some of the more difficult security concepts that would entail cost-prohibitive efforts,” he says.
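As an added illustration, not part of the original article and not UL’s actual test procedure or the content of the 2900 series, here is the kind of self-assessment pass a vendor could run over a firmware component manifest before submitting a device: it flags components whose version sits below the fixed version in a known advisory, credits an exploit mitigation where one compensates for an unpatched flaw (the “patched, or if not, mitigated” criterion above), and flags accounts that ship with shared default credentials (the “unique passwords” item in the OTA framework). The component names, version numbers, advisory identifiers and credential lists are all constructed for the example.

```python
"""Pre-certification self-check over a device firmware manifest.

Added example for illustration only. The manifest, the advisory list and
the default-credential list below are constructed; the advisory IDs are
not real CVEs and nothing here reproduces UL 2900 test content.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# One dotted piece of a version string: leading digits, then any suffix
# ("1e" -> (1, "e")), so that 1.0.1e sorts before 1.0.1g.
_PIECE = re.compile(r"^(\d*)(.*)$")


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.1e' or '3.0' into a comparable tuple.

    Trailing '.0' fields are dropped so '3.0' and '3.0.0' compare equal;
    a non-numeric suffix within a field is kept and compared as text.
    """
    parts = []
    for piece in v.strip().split("."):
        num, suffix = _PIECE.match(piece).groups()
        parts.append((int(num) if num else 0, suffix))
    while len(parts) > 1 and parts[-1] == (0, ""):
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    mitigations: Tuple[str, ...] = ()   # e.g. ("stack-protector",)


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str        # first version carrying the fix
    advisory_id: str     # constructed identifier for the example
    mitigated_by: str = ""  # a build-time mitigation that compensates, if any


def is_affected(c: Component, a: Advisory) -> bool:
    """A component is affected when it is the named one and older than the fix."""
    return c.name == a.component and parse_version(c.version) < parse_version(a.fixed_in)


def find_unpatched(manifest: Sequence[Component],
                   advisories: Sequence[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (component, advisory_id, status) for every matching advisory.

    status is 'mitigated' when the advisory names a mitigation the component
    was built with, otherwise 'unpatched'.
    """
    findings = []
    for c in manifest:
        for a in advisories:
            if not is_affected(c, a):
                continue
            status = "mitigated" if a.mitigated_by and a.mitigated_by in c.mitigations else "unpatched"
            findings.append((c.name, a.advisory_id, status))
    return findings


# Constructed list of shared factory defaults; a real check would use a
# far larger list and also reject empty passwords.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}


def find_default_accounts(accounts: Sequence[Tuple[str, str]]) -> List[str]:
    """Return usernames whose shipped password is a known shared default."""
    return [user for user, pw in accounts if (user, pw) in DEFAULT_CREDENTIALS]


# Constructed sample device: three components, two shipped accounts.
MANIFEST = [
    Component("tlslib", "1.0.1e"),                                # below fix, no mitigation
    Component("webui", "2.4", mitigations=("stack-protector",)),  # below fix, but mitigated
    Component("netd", "3.0.0"),                                   # equals fix version
]
ADVISORIES = [
    Advisory("tlslib", "1.0.1g", "ADV-0001"),
    Advisory("webui", "2.5", "ADV-0002", mitigated_by="stack-protector"),
    Advisory("netd", "3.0", "ADV-0003"),
]
ACCOUNTS = [("admin", "admin"), ("service", "Xq7!v2Lp")]


if __name__ == "__main__":
    for name, adv, status in find_unpatched(MANIFEST, ADVISORIES):
        print(f"{name}: {adv} {status}")
    for user in find_default_accounts(ACCOUNTS):
        print(f"account '{user}' ships with a shared default password")
```

The version parser is deliberately simple: it handles numeric fields, letter suffixes and trailing-zero normalization, which covers most embedded component version strings, but it does not understand pre-release tags such as `-rc1`, so a real assessment should canonicalize versions from the package manager rather than from free-form strings.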

There are specific standards for medical devices as well as for industrial control systems, he says.

“In future phases ... we will have more rigid and much more strenuous requirements,” he says, such as more secure code in the supply chain, for instance.

UL will issue its first cybersecurity certifications in the third quarter of this year.

“A comprehensive program that measures critical systems against a common set of reliable security criteria is helpful,” Terrell Garren, CSO at Duke Energy, said in a statement.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comments
hewenthatway, User Rank: Strategist, 8/11/2016 | 7:54:07 PM
Awesome
The average consumer has needed something like this for a long time. Static analysis, fuzzing, and algorithms open to the pub (hopefully); I'm just happy it seems to have a good direction at the helm (Mudge, etc.)