The Industrial Internet of Things (IIoT), also known as Industry 4.0, is connecting modern manufacturing equipment and machinery across networks and the Internet. While the operational advantages of this digital awakening are clear to see, there are many unseen cybersecurity risks that now need to be addressed.

According to many recent reports and the U.S. government, cyber attacks are not only rising in number but also advancing in sophistication. It is imperative that industrial control systems are evaluated for cybersecurity to help ensure reliability, decrease downtime, prevent damage to assets, mitigate risk and improve security.

With our extensive expertise in software, hardware and interoperability, UL can help mitigate these concerns for manufacturers, vendors and their customers through our UL Cybersecurity Assurance Program (UL CAP) that utilizes the new UL 2900-2-2 standard for ICS.

UL CAP offers trusted third-party support with the ability to evaluate both the security of network-connectable products and systems and the vendor processes for developing and maintaining products and systems with a security focus. The program allows vendors to concentrate on product innovation with emerging technologies and capabilities to meet the ongoing needs of the marketplace.

For increased flexibility, vendors can select the UL CAP services for factory automation and industrial control systems best suited for their current needs:

  • Testing security criteria based on UL 2900-2-2 cybersecurity standard or specified requirements
  • Testing leading to certification based on UL 2900-2-2 cybersecurity standard
  • Evaluation and risk assessment of vendor processes for developing and maintaining security products and systems
  • Training in security readiness for product design and sourcing third-party components

Why Choose UL CAP for ICS

The UL CAP was developed with input from major stakeholders representing the U.S. Federal government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain. In fact, the UL CAP services and software security efforts are recognized within the U.S. White House Cybersecurity National Action Plan (CNAP) as a way to test and certify network-connectable devices within the IoT supply chain.

Early adoption of the UL CAP provides a competitive advantage by differentiation in the marketplace and can help to mitigate risk due to potential consequences of a cyberattack including:

  • Unplanned downtime and loss of production
  • Costly harm to assets
  • Reputational damage

As a third-party provider we reinforce a customer’s objective commitment to safety excellence, helping build buyer confidence through UL certification on products and systems.

Practical & Scalable Cybersecurity Solution

Manufacturers and system integrators can now earn customer confidence in the cyber readiness of both their organizational security practices and system security with a scalable option that fits their needs. To align with cybersecurity strategies, the IEC 62443 series provides criteria to develop the rigor around secure processes and product development. For product testing and validation, UL 2900-2-2 is designed to apply the aligned security criteria from IEC 62443 to products and systems. Manufacturers and system integrators can create brand differentiation and strengthen product preference with UL’s practical and scalable cybersecurity advisory, testing and certification solutions. Through the implementation of criteria within IEC 62443 or UL 2900-2-2, it is possible to reinforce brand trust through cybersecurity market leadership.

Take advantage of the flexibility of UL’s cybersecurity assurance solutions that align with organizational strategies and available resources.  Demonstrate organizational or system cybersecurity through one or more of the following:

  • Customized Product Testing
  • Organizational Process IEC 62443-2-4
  • System Development IEC 62443-3-3
  • Product Development IEC 62443-4-1
  • Product Testing & Validation UL 2900-2-2

Why UL?

The facts
  • Science and knowledge-based company
  • Offering transparency through measurements and standards
  • Independent and trusted entity
  • Inside-out and outside-in approach from security development to testing
  • Experience in embedded SW security
  • Providing a complete offering, focusing on both product security as well as secure software development processes

The benefits
  • Protecting your business based on science, technology and SW/application security expertise, with the basis of measurement founded on facts/science
  • Offering confidence regarding your efforts to manage cybersecurity risks, giving you a competitive advantage
  • Complete risk management, offering find, fix, and prevent services
  • Saving time and money by focusing on protecting the most critical parts of the business first

ICS Product Testing Deliverables

Meeting the requirements outlined in the UL 2900-2-2 series of standards enables a product or system to be certified by UL as “UL 2900 compliant” and to receive a certificate. Additionally, testing of security criteria based on requirements in UL 2900-2-2 or customer-specified requirements results in a test report.

| Service | Deliverable |
|---|---|
| Certification | Certificate of compliance to UL 2900-2-2 and/or IEC 62443 |
| Testing | Test report based on some or all of UL 2900-2-2, IEC 62443 or customer specified requirements |
| Advisory | For both UL 2900 Standard for industrial control systems and/or IEC 62443: understand UL 2900 and/or IEC 62443; understand best practices for identifying and mitigating risk associated with software vulnerabilities in ICS |

For questions please contact ULCyber@ul.com