Underwriters Laboratories launches cybersecurity program

May 18, 2016
Program offers testable cybersecurity criteria for network-connectable products and systems

Underwriters Laboratories announced on April 5 the launch of its new Cybersecurity Assurance Program (UL CAP), which uses its new UL 2900 standards. The program offers testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.

UL CAP is for vendors looking for support in assessing security risks, so they can focus on product innovations to build safer, more secure products. It's also for purchasers of products, who want to mitigate risks by sourcing products validated by a third party.

Asset owners of critical infrastructures see the benefits of UL CAP as way to evaluate the security of their supply chain. “The availability and integrity of critical infrastructure is crucial to the safety and well-being of society," adds Terrell Garren, CSO of Duke Energy. "A comprehensive program that measures critical systems against a common set of reliable security criteria is helpful.”

Meeting the requirements outlined in the UL 2900 series of standards allows a product or system to be certified by UL as “UL 2900 compliant.” Also, since security threats and solutions are dynamic, UL 2900 can support evaluation of a vendor’s processes for design, development and maintenance of secure products and systems. Building on the successful framework of the UL CAP pilot where initial vendors benefited from this innovative program, UL CAP can help vendors identify security risks in their products and systems and suggests methods for mitigating those risks in a wide range of industry functions, including: industrial control systems, medical devices, automotive, HVAC, lighting, smart home, appliances, alarm systems, fire systems, building automation, smart meters, network equipment, and consumer electronics.


“We’re aiming to support and underpin the innovative, rapidly iterating technologies that make up the Internet of Things (IoT) with a security program,” says Rachna Stegall, director of connected technologies at UL. “The more devices become interconnected, the greater the potential security risks to products and services across all sectors. UP CAP's purpose is to help manufacturers, purchasers and end-users, both public and private, mitigate those risks via methodical risk assessments and evaluations.”

UL CAP was developed with input from major stakeholders representing the U.S. government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain. The White House recently released the Cybersecurity National Action Plan (CNAP), designed to enhance cybersecurity capabilities within the U.S. government and nationwide. UL’s CAP services and software security efforts were recognized by CNAP as a way to test and certify network-connectable devices within IoT supply chains and ecosystems, especially in critical infrastructures such as energy, utilities and healthcare.

UL's evaluation of security products and systems uses UL 2900, which outlines technical criteria for testing and evaluating the security of products and systems that are network-connectable. These standards form a baseline set of technical requirements to measure, and then elevate, the security posture of products and systems. UL 2900 is designed to evolve and incorporate additional technical criteria as the security needs in the marketplace mature.