Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/5/2016
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

‘CyberUL’ Launched For IoT, Critical Infrastructure Device Security

Much-anticipated UL (Underwriters Laboratories) cybersecurity certification program kicks off.

Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks now have an official UL (Underwriters Laboratories) certification program – for cybersecurity.

UL today rolled out its anticipated—and voluntary--Cybersecurity Assurance Program (UL CAP), which uses a newly created set of standards for IoT and critical infrastructure vendors to use for assessing security vulnerably and weaknesses in their products. The UL CAP was created in conjunction with the White House, the US Department of Homeland Security, industry, and academia, and falls under President Obama’s recently unveiled Cybersecurity National Action Plan (CNAP) as a way of testing and certifying networked devices in IoT and critical infrastructure.

Akin to the vaunted UL seal affixed to consumer appliances and other electrical equipment, the UL CAP certification can be used as a procurement tool for critical infrastructure buyers as well as consumers and businesses buying IoT equipment. UL will test the products against its new 2900 series of IoT security standards.

But don’t look for the UL seal on your car, home router or ICS system just yet. “What the vendor will get from us is a UL certification” if its products pass a series of vulnerability assessments and penetration tests by UL, says Ken Modeste, principal engineer of security and global communications at UL. “We’re not providing a UL mark as yet on the products.”

IoT and industrial security concerns have escalated in the wake of continuous discoveries of glaring vulnerabilities in both consumer and ICS/SCADA systems over the past few years, many with public safety ramifications. And with an estimated 21- to 50 billion connected devices to come online by 2020, according to Gartner and other industry analysis, the stakes are getting higher every day.

UL CAP certifications are good for 12 months and then the product must get recertified by UL, “unless you made changes in that product within that timeframe,” which also would require recertification, Modeste says.

“This [certification] will mitigate risks in these products, and [it’s] also helping [buyers] with guidance as they go out and source products. It shows vendors are doing due diligence for security” in their network-connected products, Modeste says.

Everything from smart TVs and home routers in the consumer product sector to HVAC and lighting systems and fire alarms in the building automation sector to medical devices in hospitals, as well as ICS/SCADA equipment in utility networks, now can be tested for the UL cybersecurity certification.

“This really started three- to four years ago when appliance vendors started approaching us and saying you helped us a lot mitigate risks from [physical] safety, we want you to do that from a security perspective” as well, Modeste recalls.

The White House, meanwhile, has been exploring a UL "seal" model for IoT security over the past year, culminating with the CNAP’s call for a program to test and certify networked IoT devices. Michael Daniel, special assistant to the President and the nation's cybersecurity coordinator, last year in an interview with Dark Reading, said the Obama administration saw an Underwriters Laboratories-type certification model a good fit for driving vendors to secure their increasingly Internet-connected consumer products.

"We are very much interested in voluntary models" for this, Daniel said in that interview. "A nonprofit consortium that would rate products … I find that model very intriguing and similar in the development" of IoT security and safety, he said.

UL’s IoT certification isn’t the only game in town, however: the Online Trust Alliance (OTA)’s IoT Trust Framework is set of specifications for IoT manufacturers to help them build security and privacy into connected consumer devices, with the goal of becoming a global certification program. The OTA’s framework for IoT security came out of an industry working group with members from Microsoft, Symantec, Target, and home security system vendor ADT, and calls for unique passwords, end-to-end encryption of personal and sensitive information, and patching and update mechanisms, among other things.

The supply chain is at the core of the issue of IoT security, according to Craig Spiezle, executive director and president of OTA, and that’s what his organization’s framework aims to remedy.

UL’s Modeste says supply chain security assurance is one of several elements in UL’s certification program.

UL CAP: Phase One

The UL program in its first phase focuses mainly on “core competencies” for secure devices, such as ensuring known vulnerabilities are found and patched in the devices, or if not, that they come with appropriate exploit mitigations, Modeste says.

Authentication, access, encryption, and software updates also are part of the criteria for certification in phase one. “We looked at what we thought were some of the major areas where security incidents occur, over consistent flaws in a products that could easily be remediated. What we did avoid [in the first phase] are some of the more difficult security concepts that would entail cost-prohibitive efforts,”  he says.

There are specific standards for medical devices as well as for industrial control systems, he says.

“In future phases ... we will have more rigid and much more strenuous requirements,” he says, such as more secure code in the supply chain, for instance.

UL will issue its first cybersecurity certifications in the third quarter of this year.

“A comprehensive program that measures critical systems against a common set of reliable security criteria is helpful,” Terrell Garren, CSO at Duke Energy, said in a statement.

Related Content:

 

Interop 2016 Las VegasFind out more about IoT security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hewenthatway
50%
50%
hewenthatway,
User Rank: Strategist
8/11/2016 | 7:54:07 PM
Awesome
the average consumer has needed something like this for a long time. static analysis, fuzzing, and algorithms open to the pub (hopefully); I'm just happy it seems to have a good direction at the helm (Mudge, etc.)
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.