The Internet of Things (IoT) is enabling more sophisticated capabilities through network-connected products and systems. As a result, electronic physical security products and systems are becoming more interconnected, connectable, and networkable. The security, performance and financial risks impacting products and services for public and private sectors and consumers alike are the key drivers to develop new safeguards in an ever-changing security threat landscape faced with growing risks.
According to many recent reports and the U.S. government, not only is there a rise in the number of cyber attacks occurring – the sophistication of them has also advanced. It is imperative that electronic physical security systems be evaluated for cybersecurity to help ensure reliability, decrease downtime, prevent damage to assets, mitigate risk, improve security, and maintain health and safety.
UL CAP is for manufacturers looking for trusted support in assessing security risks while they continue to focus on product innovation to help build safer, more secure products, as well as for owners, system integrators, and retrofitters who want to mitigate risks by sourcing products assessed by a trusted third party. The program allows vendors to concentrate on product innovation with emerging technologies and capabilities to meet the ongoing needs of the marketplace.
For increased flexibility, vendors can select the UL CAP services for electronic physical security systems best suited for their current needs:
- Testing security criteria based on UL 2900-2-3 cybersecurity standard or specified requirements
- Testing leading to certification based on UL 2900-2-3 cybersecurity standard
- Evaluation and risk assessment of vendor processes for developing and maintaining security products and systems
- Training in security readiness for product design and sourcing third-party components
Why Choose UL CAP for Life Safety and Physical Security
The UL CAP was developed with input from major stakeholders representing the U.S. Federal government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain. In fact, the UL CAP services and software security efforts are recognized within the U.S. White House Cybersecurity National Action Plan (CNAP) as a way to test and certify network-connectable devices within the IoT supply chain.
Early adoption of the UL CAP provides a competitive advantage in the marketplace and can help with mitigating risk including:
- Unplanned downtime and loss of production
- Costly harm to assets
- Reputational damage
As a third-party provider, we reinforce a customer’s objective commitment to safety excellence, helping build buyer confidence through UL certification on products and systems.
Practical & Scalable Cybersecurity Solution
UL can help manufacturers identify security risks in a wide range of products, such as surveillance cameras, emergency communications systems, fire alarm systems, alarm receiving systems, intrusion detection systems and access control systems. The new UL 2900-2-3 specifications were developed in collaboration with the electronic physical security product manufacturers, asset owners, UL and other stakeholders. UL can now evaluate to these specifications as detailed in the new UL 2900-2-3 Outline of Investigation for Software Cybersecurity for Network-Connectable Products, part 2-3: Particular Requirements for Security and Life Safety Signaling Systems for manufacturers, owners, and integrators.
UL 2900-2-3 provides a standardized approach to testing, evaluation, or certification methods by which the data security-related features of electronic physical security systems are evaluated at the product level and tested for known vulnerabilities, aiming to provide a reasonable level of confidence in the absence of known vulnerabilities and software weaknesses and the presence of appropriate risk controls. The output of UL’s work will allow the manufacturer to identify methods for mitigating those risks.
UL 2900-2-3 describes a three-tiered approach to the security requirements applicable to the product with an increasing level of security for each tier.
- Level 1 (L1) includes the foundational cybersecurity testing requirements for security risk assessment of software in products covered in the Outline of Investigation. L1 is recommended as a minimum level of assessment.
- Level 2 (L2) includes all of the L1 assessment and testing requirements and additional supplemental requirements for security risk assessment of software in products. L2 also provides an assessment of the security capabilities of a product with knowledge of internal security controls of the product.
- Level 3 (L3) includes L1 and L2 assessment and testing requirements and additional supplemental requirements of the vendor process and management. It also provides an assessment of security capabilities of a product with knowledge of internal security controls of the product and knowledge of the business practices of the vendor to support the lifecycle of the product.
- Fuzz Testing – A technique used to discover coding errors and security loopholes in software, operating systems, or networks by inputting massive amounts of random data, called fuzz, in an attempt to make the device operate in an unintended fashion.
- Known Vulnerability – Detecting the presence of vulnerabilities described in the National Vulnerability Database (NVD).
- Code and Binary Analysis – source code, bytecode or binary code is analyzed without executing the code to tests for known software weaknesses
- Risk Controls
- Access Control and Authentication – Confirmation that user credential techniques do not provide security holes
- Cryptography – The product shall ensure the confidentiality of all sensitive data and personally identifiable data generated, stored, used or communicated by the product, including confirmation cryptographic algorithms are certified and up to date
- Remote Communication – ensure the integrity and authenticity of all data communicated over any remote interface
- Software Updates – ensure SW update authenticity, SW update authorization, SW roll-back, security logging, and management of configuration data (zeroization)
- Structured Penetration Testing – Customized penetration tests structured to the specific product being tested as it is dependent on all the previous testing (CWE’s and CVEs) and the risk assessment
- Risk Assessment – Security risk management shall be established and documented during product design. This allows for an intermediate approach to apply the cybersecurity issues found to the specific product and how it is intended to be implemented and used. Vulnerabilities present, but not posing a cyber-risk, may be found acceptable without the need for corrections.
Electronic Physical Security System Product Evaluation Deliverables
|Training||UL 2900-2-3 Standard for Life Safety and Physical Security Systems. Best practices for identifying and mitigating risk associated with software vulnerabilities in life safety and physical security systems|
|Advisory||Summary of UL meeting and action items|
|Gap Analysis||Assessment of the current product specifications to the UL 2900-2-3 criteria|
|Testing||Test report based on some or all of UL 2900-2-3 requirements or customer specified requirements|
|Certification||“UL 2900-2-3 compliant” meeting all requirements|
For questions and to get started with a quote, please contact ULCyber@ul.com.