The Internet of Things (IoT) is enabling more sophisticated capabilities through network-connected products and systems. As a result, electronic physical security products and systems are becoming more interconnected, connectable, and networkable. The security, performance and financial risks impacting products and services for public and private sectors and consumers alike are the key drivers to develop new safeguards in an ever-changing security threat landscape faced with growing risks.

According to many recent reports and the U.S. government, not only is there a rise in the number of cyber attacks occurring – the sophistication of them has also advanced. It is imperative that electronic physical security systems be evaluated for cybersecurity to help ensure reliability, decrease downtime, prevent damage to assets, mitigate risk, improve security, and maintain health and safety.

UL CAP is for manufacturers looking for trusted support in assessing security risks while they continue to focus on product innovation to help build safer, more secure products, as well as for owners, system integrators, and retrofitters who want to mitigate risks by sourcing products assessed by a trusted third party. The program allows vendors to concentrate on product innovation with emerging technologies and capabilities to meet the ongoing needs of the marketplace.

Practical & Scalable Cybersecurity Solution

UL can help manufacturers identify security risks in a wide range of products, such as surveillance cameras, emergency communications systems, fire alarm systems, alarm receiving systems, intrusion detection systems and access control systems.  The new UL 2900-2-3 specifications were developed in collaboration with the electronic physical security product manufacturers, asset owners, UL and other stakeholders. UL can now evaluate to these specifications as detailed in the new UL 2900-2-3 Outline of Investigation for Software Cybersecurity for Network-Connectable Products, part 2-3: Particular Requirements for Security and Life Safety Signaling Systems for manufacturers, owners, and integrators.

UL 2900-2-3 provides a standardized approach to testing, evaluation, or certification methods by which the data security-related features of electronic physical security systems are evaluated at the product level and tested for known vulnerabilities, aiming to provide a reasonable level of confidence in the absence of known vulnerabilities and software weaknesses and the presence of appropriate risk controls. The output of UL’s work will allow the manufacturer to identify methods for mitigating those risks.

UL 2900-2-3 describes a three-tiered approach to the security requirements applicable to the product with an increasing level of security for each tier.

  • Level 1 (L1) includes the foundational cybersecurity testing requirements for security risk assessment of software in products covered in the Outline of Investigation. L1 is recommended as a minimum level of assessment.
  • Level 2 (L2) includes all of the L1 assessment and testing requirements and additional supplemental requirements for security risk assessment of software in products. L2 also provides an assessment of the security capabilities of a product with knowledge of internal security controls of the product.
  • Level 3 (L3) includes L1 and L2 assessment and testing requirements and additional supplemental requirements of the vendor process and management. It also provides an assessment of security capabilities of a product with knowledge of internal security controls of the product and knowledge of the business practices of the vendor to support the lifecycle of the product.

Tests include:

  • Fuzz Testing – A technique used to discover coding errors and security loopholes in software, operating systems, or networks by inputting massive amounts of random data, called fuzz, in an attempt to make the device operate in an unintended fashion.
  • Known Vulnerability – Detecting the presence of vulnerabilities described in the National Vulnerability Database (NVD).
  • Code and Binary Analysis – source code, bytecode or binary code is analyzed without executing the code to tests for known software weaknesses
  • Risk Controls
    • Access Control and Authentication – Confirmation that user credential techniques do not provide security holes
    • Cryptography – The product shall ensure the confidentiality of all sensitive data and personally identifiable data generated, stored, used or communicated by the product, including confirmation cryptographic algorithms are certified and up to date
    • Remote Communication – ensure the integrity and authenticity of all data communicated over any remote interface
    • Software Updates – ensure SW update authenticity, SW update authorization, SW roll-back, security logging, and management of configuration data (zeroization)
  • Structured Penetration Testing – Customized penetration tests structured to the specific product being tested as it is dependent on all the previous testing (CWE’s and CVEs) and the risk assessment
  • Risk Assessment – Security risk management shall be established and documented during product design. This allows for an intermediate approach to apply the cybersecurity issues found to the specific product and how it is intended to be implemented and used. Vulnerabilities present, but not posing a cyber-risk, may be found acceptable without the need for corrections.

UL cybersecurity experts will be at ASIS 2017 (September 26-28 in Dallas, Texas) and welcome the opportunity to consult with industry stakeholders to learn about their growing cybersecurity needs and challenges and to discuss details of the program. Click HERE for more information or to schedule a conversation.

For questions, or to begin a quote, please email ULCyber@ul.com.