UL takes on cybersecurity testing and certification

Underwriters Laboratories (UL) today announced a new Cybersecurity Assurance Program (CAP) that uses a new set of standards to test network-connected products for software vulnerabilities.

The new UL certification will be for both vendors of Internet of Things (IoT) products and for buyers of products who want to mitigate risks.

The testing standards were developed as part of a voluntary program involving industry officials as well as academics and the U.S. government.

President Obama's broad Cybersecurity National Action Plan, released in February, details a long-term strategy to improve cybersecurity awareness and protections. Obama's plan specifically notes that UL worked with the Department of Homeland Security to develop CAP to test and certify networked devices "whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure it has been certified to meet security standards."

UL also noted that CAP will be used to test and certify IoT devices within critical infrastructure sectors such as energy and utilities, as well as healthcare.

UL CAP will evaluate both the security of network-connectable products and systems and the processes vendors use to develop and maintain that security.

Ken Modeste, leader of cybersecurity technical services at UL, said in an interview that the CAP standards have been tested in pilot programs with several vendors since last September to "make sure we have repeatable, reproducible criteria" for quality assurance.

"The challenge of solving cybersecurity is a long game and there's no silver bullet for it," Modeste said.

He said part of the value of CAP will be to help software and equipment makers include all the many patches and updates from third parties and open-source providers that are used in an application or software product used with a device.

One cause of security breaches is that patches don't always migrate to finished products, he added. The list of software elements used in finished products "hasn't advanced as much as it has with hardware, where you know where it is sourced and comes from and you can identify when a source has a flaw in it."

UL's CAP will rely on a publicly available government vulnerability database kept by the National Institute of Standards and Technology (NIST) that tracks and enumerates product vulnerabilities worldwide and is updated daily. It covers a multitude of products, including desktop and mobile platforms, lists flaws and patches, and identifies which version of software carries the patch for a specific security flaw.
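To show the cross-referencing Modeste describes, here is an added example (not UL's or NIST's code) that checks a constructed component inventory against NVD-style records and reports which bundled component is still on an affected version and which version carries the fix; the product names, version numbers and CVE-EXAMPLE ids are all constructed placeholders.

```python
# Added example (not UL's or NIST's code): check a device's bundled components
# against NVD-style records to find ones still on an affected version and the
# version that carries the fix. Records and inventory are constructed; real NVD
# entries bound the affected range with versionStartIncluding / versionEndExcluding.

# Placeholder IDs, not real CVEs. Range is start-inclusive, end-exclusive, so
# the end bound is the first fixed version.
VULN_RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "product": "libfoo",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.5"},
    {"id": "CVE-EXAMPLE-0002", "product": "libfoo",
     "versionStartIncluding": "1.0.5", "versionEndExcluding": "1.0.7"},
    {"id": "CVE-EXAMPLE-0003", "product": "netlib",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"},
]
# Constructed inventory: third-party components bundled into one firmware image.
COMPONENTS = {"libfoo": "1.0.2", "netlib": "2.4.1", "tlslib": "3.2.0"}

def parse_version(v):
    """Turn "1.0.5" into (1, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, record):
    """True when version lies in [versionStartIncluding, versionEndExcluding)."""
    ver = parse_version(version)
    return (parse_version(record["versionStartIncluding"]) <= ver
            < parse_version(record["versionEndExcluding"]))

def check_inventory(components, records):
    """Map each affected component to [(record id, first fixed version), ...]."""
    findings = {}
    for product, version in components.items():
        hits = [(r["id"], r["versionEndExcluding"]) for r in records
                if r["product"] == product and is_affected(version, r)]
        if hits:
            findings[product] = hits
    return findings

def lowest_clean_version(product, version, records):
    """Hop through fix versions until no record covers the result: the first
    patch can land inside another affected range, so one hop is not enough."""
    current = version
    while True:
        hits = [r for r in records if r["product"] == product and is_affected(current, r)]
        if not hits:
            return current
        current = max((r["versionEndExcluding"] for r in hits), key=parse_version)
```

In the constructed data, libfoo 1.0.2 is flagged against the first record, but moving to its fix version 1.0.5 lands inside the second affected range, so the version that actually clears both is 1.0.7.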

Using the NIST database will make the UL CAP program economically feasible to run, Modeste said.

Pricing for the UL testing is still being developed, but will vary depending on whether a product is a thermostat or an MRI machine, he added.

"It will be economically reasonable," he said. "The point is for the software vendor to go to the purchaser and say, 'I've done this due diligence from this trusted party.'"

UL, an independent company, has been providing safety-focused advice, including testing and certifications, in the sciences for more than 120 years; it has 67,000 clients.

IDG Insider

IDG News Service