If Underwriters Laboratories (UL) fills a security certification gap, will anyone care? This is often the problem for a product or service that has been well-established. If it branches out into a new area, people either won’t notice or they just won’t believe this is something the entity is capable of doing. It doesn’t have anything to do with facts; it has to do with perceptions. We have a strong idea of what UL does, and it isn’t security.
However, UL has actually put together a pretty decent validation program, which is the only program that even attempts to wrap around what could be an Internet of Things (IoT) nightmare for IT.
Let’s talk about UL’s Cybersecurity Assurance Program (CAP) to certify security products in an IoT world and help CIOs sleep at night.
IoT is a security nightmare
We talk quite a bit about how wonderful it will be to have everything connected, largely by completely ignoring what a security nightmare the result is likely to be. Sensors, cameras, equipment, HVAC systems, even elevators and cars are all supposed to be increasingly connected, and much of this stuff can’t run security software.
This means the data coming from these devices can be taken or corrupted, and the devices themselves can be remotely controlled and sometimes forced to fail catastrophically.
For instance, a few years back McAfee showed it could remotely take over an Android phone, causing it to overheat and cook itself to death. Chrysler was showcased badly as the firm that forgot to keep its infotainment and driving systems separate, resulting in a hacker showing they could remotely take over the car.
And with networked products, all it takes is for one of the thousands of connected devices to be breached to give an attacker access to the network. They can then use the one thing they hacked to take over a bunch of other stuff.
This means every single IoT device has to be certified, and when you’re talking small devices there really isn’t anyone better equipped to deal with the problem than UL.
UL security certification
Currently, UL CAP has three levels of certification.
Product Testing is UL 2900-1. It’s where they look at specific products and test them to make sure they can resist a set number and set types of attacks. Industry Product Testing, UL 2900-2x, is where they add on tests specific to healthcare and industrial controls, which need a greater depth of protection for compliance (additional industries will be added as this program expands). And Organizational Process Testing, UL 2900-3, is where they look at the process surrounding the products to make sure it is secure as well.