UL panel upholds ISA appeal of UL cybersecurity standard

April 25, 2019
Appeal prevents UL 2900-2-2 status as an American National Standard

An appeals panel formed by Underwriters Laboratories (UL) has ruled in favor of the International Society of Automation (ISA) in an appeal against UL 2900-2-2, Standard for Software Cybersecurity for Network-Connectable Devices, Part 2-2: Particular Requirements for Industrial Control Systems. UL was seeking approval of the document as an American National Standard, but ISA’s successful appeal prevents that status at this time.

ISA’s appeal was driven by an underlying goal in standards development—to avoid burdening users with overlapping and duplicating standards. ISA was specifically concerned about overlap with the widely used ISA/IEC 62443 series of standards on industrial automation and control systems security. The ISA/IEC standards are developed by the ISA99 standards committee as American National Standards with simultaneous review and adoption by the Geneva-based International Electrotechnical Commission through IEC partner committee TC65. With more than 900 members, ISA99 draws on the input of cybersecurity experts across the globe in developing the standards, which are applicable to all industry sectors and critical infrastructure.

ISA’s successful appeal asserted that UL failed to follow a key clause in its procedures as accredited by the American National Standards Institute (ANSI), intended to prevent duplication and overlap. ISA’s concern was shared by many, including leaders within IEC TC65 and by NEMA, the largest trade association of electrical equipment manufacturers in the United States. A NEMA letter to UL in December 2017 had formally requested that “UL withdraw UL 2900-2-2 and … focus on the adoption of the relevant parts of the ISA/IEC 62443 series of standards.”

Prior to the appeal, "UL acknowledged that it had missed earlier opportunities to identify potential overlap and duplication," said Charley Robinson, Director of ISA Standards. “However, UL declined an offer from ISA to drop the appeal if UL would agree to work with ISA99 to conduct a detailed gap analysis and comparison in order to revise UL 2900-2-2 to remove overlaps and make it truly complementary to the ISA/IEC 62443 series.” Had UL accepted the invitation, he added, it could have avoided a finding that the Appeals Panel failed “to find strong evidence of a good faith effort made by UL to collaborate and resolve duplication as required by ANSI once potential duplication was identified.”

“ISA continues to be willing to work with UL to make the UL document complementary to the ISA/IEC 62443 series,” said long-time ISA99 co-chair Eric Cosman, an industrial cybersecurity consultant and retired Dow Chemical Engineering Fellow. “To that end, we invited UL once again to work with us as soon as the appeal decision was announced.”

Without approval as an American National Standard, the UL document is unlikely to achieve international standard status through the IEC. IEC TC65 leaders had previously made clear that the UL document would have little chance of achieving that status in any event, as in their view it would violate a long-standing IEC principle of “one standard, one test -- accepted everywhere.” That principle is vitally important to both end-user and supplier companies that sell and operate in multiple countries.

In contrast, the ISA/IEC 62443 standards are recognized and applied by companies and organizations across the globe. The standards are cited throughout the US NIST Cybersecurity Framework, and are being integrated into the Common Regulatory Framework on Cybersecurity of the United Nations Economic Commission for Europe, which will establish a common legislative basis for cybersecurity practices within the massive EU trade markets.