For those industries covered, I’d advise that all three certifications be kept in place.
The gap in CAP
A lot of the products that go through testing like this are patchable, either in software or firmware. However, the one missing piece appears to be a rigorous auditing process, so that if an exposure is introduced post-certification, the certification can be revoked until the problem is corrected. Otherwise the owner of the product is likely to believe the product is still safe when it may not be.
That’s the problem with patchable products: any testing applies only to the product as it existed when it was tested. As soon as it is patched, the certification may no longer be valid, and entire classes of these products get patched often. On the other hand, things like sensors and cameras rarely get patched, so they should remain relatively consistent with the certification, and they likely represent the highest volume of devices expected to be deployed.
For complex products like cars, which can have in-line component swaps and manufacturing patches, a certification process like this may not even work reliably without aggressive spot audits. Recall that VW was able to get around the smog certification for their diesel engines and only got caught by accident.
CAP is a huge step in the right direction
Overall, this UL CAP program is a huge step in the right direction and the only process I’ve seen so far that even comes close to addressing the coming nightmare of IoT devices, which individually have to be made secure. Fortunately, the hub approach, which is becoming far more common, particularly with enterprises where the devices are maintained on an isolated network and only connect through a secure hub, does mitigate a lot of the problem, but only if you can be sure the isolated network doesn’t get breached. However, with wireless devices in particular, that often isn’t the case.
Personally, were it me, I’d make darn sure that IoT security landed on someone else’s desk and, if I couldn’t do that, I’d take a hard look at this UL certification process and make it a requirement. At least then, when you have a breach -- and you will have a breach -- you can argue you were prudent in your approach.
Something to noodle on this weekend.