
4/5/2016, 10:00 AM

‘CyberUL’ Launched For IoT, Critical Infrastructure Device Security

Much-anticipated UL (Underwriters Laboratories) cybersecurity certification program kicks off.

Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks now have an official UL (Underwriters Laboratories) certification program – for cybersecurity.

UL today rolled out its anticipated, and voluntary, Cybersecurity Assurance Program (UL CAP), which uses a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. The UL CAP was created in conjunction with the White House, the US Department of Homeland Security, industry, and academia, and falls under President Obama's recently unveiled Cybersecurity National Action Plan (CNAP) as a way of testing and certifying networked devices in IoT and critical infrastructure.

Akin to the vaunted UL seal affixed to consumer appliances and other electrical equipment, the UL CAP certification can be used as a procurement tool for critical infrastructure buyers as well as consumers and businesses buying IoT equipment. UL will test the products against its new 2900 series of IoT security standards.

But don't look for the UL seal on your car, home router or industrial control system just yet. "What the vendor will get from us is a UL certification" if its products pass a series of vulnerability assessments and penetration tests by UL, says Ken Modeste, principal engineer of security and global communications at UL. "We're not providing a UL mark as yet on the products."

IoT and industrial security concerns have escalated in the wake of continuous discoveries of glaring vulnerabilities in both consumer and ICS/SCADA systems over the past few years, many with public safety ramifications. And with an estimated 21 billion to 50 billion connected devices expected to come online by 2020, according to Gartner and other industry analysts, the stakes are getting higher every day.

UL CAP certifications are good for 12 months and then the product must get recertified by UL, “unless you made changes in that product within that timeframe,” which also would require recertification, Modeste says.

“This [certification] will mitigate risks in these products, and [it’s] also helping [buyers] with guidance as they go out and source products. It shows vendors are doing due diligence for security” in their network-connected products, Modeste says.

Everything from smart TVs and home routers in the consumer product sector to HVAC and lighting systems and fire alarms in the building automation sector to medical devices in hospitals, as well as ICS/SCADA equipment in utility networks, now can be tested for the UL cybersecurity certification.

"This really started three to four years ago when appliance vendors started approaching us and saying you helped us a lot to mitigate risks from [physical] safety, we want you to do that from a security perspective" as well, Modeste recalls.

The White House, meanwhile, has been exploring a UL "seal" model for IoT security over the past year, culminating with the CNAP's call for a program to test and certify networked IoT devices. Michael Daniel, special assistant to the President and the nation's cybersecurity coordinator, said in an interview with Dark Reading last year that the Obama administration saw an Underwriters Laboratories-type certification model as a good fit for driving vendors to secure their increasingly Internet-connected consumer products.

"We are very much interested in voluntary models" for this, Daniel said in that interview. "A nonprofit consortium that would rate products … I find that model very intriguing and similar in the development" of IoT security and safety, he said.

UL's IoT certification isn't the only game in town, however: the Online Trust Alliance's (OTA) IoT Trust Framework is a set of specifications for IoT manufacturers to help them build security and privacy into connected consumer devices, with the goal of becoming a global certification program. The OTA's framework for IoT security came out of an industry working group with members from Microsoft, Symantec, Target, and home security system vendor ADT, and calls for unique passwords, end-to-end encryption of personal and sensitive information, and patching and update mechanisms, among other things.

The supply chain is at the core of the issue of IoT security, according to Craig Spiezle, executive director and president of OTA, and that’s what his organization’s framework aims to remedy.

UL’s Modeste says supply chain security assurance is one of several elements in UL’s certification program.

UL CAP: Phase One

The UL program in its first phase focuses mainly on “core competencies” for secure devices, such as ensuring known vulnerabilities are found and patched in the devices, or if not, that they come with appropriate exploit mitigations, Modeste says.

Authentication, access, encryption, and software updates also are part of the criteria for certification in phase one. "We looked at what we thought were some of the major areas where security incidents occur, over consistent flaws in products that could easily be remediated. What we did avoid [in the first phase] are some of the more difficult security concepts that would entail cost-prohibitive efforts," he says.

There are specific standards for medical devices as well as for industrial control systems, he says.

“In future phases ... we will have more rigid and much more strenuous requirements,” he says, such as more secure code in the supply chain, for instance.

UL will issue its first cybersecurity certifications in the third quarter of 2016.

“A comprehensive program that measures critical systems against a common set of reliable security criteria is helpful,” Terrell Garren, CSO at Duke Energy, said in a statement.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
hewenthatway (User Rank: Strategist), 8/11/2016, 7:54:07 PM
Awesome
The average consumer has needed something like this for a long time. Static analysis, fuzzing, and algorithms open to the public (hopefully); I'm just happy it seems to have a good direction at the helm (Mudge, etc.)