UL Charges for Cyber Standards, Draws Scrutiny

A lab at Underwriters Laboratories, circa 1946. The group is coming under fire for refusing to publish the details of its new cyber security testing standards. (Image courtesy of The Library of Congress.)

In-brief: Product testing firm Underwriters Laboratories drew scrutiny by charging for copies of new standards for connected devices. But security experts say the new UL standards are poised to have a big impact – especially in industries like medicine and critical infrastructure. 

Experts from Underwriters Laboratories (UL) defended the organization’s practice of charging companies several hundred dollars to obtain new quality testing standards for connected devices, saying that the fees are necessary to recoup the costs of developing the standards.

In an interview with The Security Ledger, UL officials said that the fees were needed to defray the cost of researching and developing the new Cybersecurity Assurance Program (CAP) standards and challenged the idea that charging for the standards made them less transparent.

The for-profit testing firm announced a new Cybersecurity Assurance Program (CAP) for “network-connectable products and systems” on April 5. The new standards, UL 2900-1, are widely seen as applying to the vast numbers of Internet of Things devices that will be coming to market. However, Underwriters Lab said it will only make the specifications available to those willing to pay the $402 to $500 fee.

That decision drew criticism from security experts. Brian Knopf of the group I Am The Cavalry told the online publication Ars Technica that the lack of transparency will prevent the security and research communities from being able to vet, audit and improve the UL standards.

Speaking to The Security Ledger on Wednesday, John Drengenberg, Consumer Safety Director at UL, said that the standards are open to anyone willing to pay. “Clients who have access to our portal have access to the technical specifications,” he said. “These are foundational standards. We will entertain input from anyone with ideas on how to improve or change them.”

In a document on its web site, Underwriters Lab did provide some details on the UL 2900 standards, which have been under development for years. UL said that the product assessment for UL 2900 compliance will involve testing of various types, including scanning software executables and libraries for known vulnerabilities, static analysis of source code, fuzzing and penetration testing, and testing of external interfaces.

UL’s assessment verifies whether a product’s software uses required security controls like role-based access control, secure storage of data, use of cryptography, key management and authentication to ensure the integrity and confidentiality of all data received and transmitted, and so on.

The standard is intended for a wide range of products including industrial applications and many so-called “Internet of Things” systems. Ken Modeste, the Leader for Cybersecurity Technical Services, says that the 2900 standard forms a “foundation” and that two complementary standards, 2900-2-1 and 2900-2-2, address specific use cases for medical and industrial control systems, respectively.

UL 2900 compliant devices will meet “minimum requirements for each of these controls,” the organization said in a statement. Modeste and Drengenberg defended the UL process as an open one, saying that Underwriters Lab worked with more than 30 security experts to develop the standards, including staff at the Department of Homeland Security, the FTC, the FDA, and private sector experts like Mike Ahmadi, an expert on critical systems security who works for the firm Synopsys Software Integrity Group.

“Cyber is a serious problem,” said Modeste. “Our goal, over time, is to help people who buy products have a choice of more security. We definitely want to reach out to security researchers – and ask them to reach out to us.”

Joshua Corman, founder of the group I Am The Cavalry and an advocate for better cyber security standards, said that the tension around the fee to obtain the UL-2900 standards may be a case of mismanaged expectations on the part of the security researcher community. Corman gave UL credit for being collaborative with industry and said it has been sharing progress on the UL 2900 standards for more than a year.

He said the existence of the standards is bound to set changes in motion, especially among UL’s primary market: insurance underwriters.

“Just the presence of these standards will start the bees buzzing within the insurance industry,” Corman said. In markets like healthcare, insurers and their customers may start to use the UL certification – or the lack of it – to influence buying decisions for equipment and software. Even a small shift like that could have profound effects on the willingness of medical device makers to start taking software security seriously, he said.

“We need to nudge people from no security culture to having some controls in place, even as we’re building out something better,” Corman said. “I see these standards as a pathway out of our current state.”

2 Comments

  1. Can’t tell without actually being able to see the document(s), but the description above sure reads like IT security for devices with human operators, and NOT the Internet of Things. Where’s Immutable Identity? Where’s application whitelisting? Where is comms security? Where do you check that it all gets monitored and managed? Doesn’t seem like it even measures up to Common Criteria and EAL4. And since the IoT takes you into the control domain, where is the actual Safety evaluation that a Safety Agency — *cough* UL — should be covering?

    • Hey – good comments. I think the answer for some of this is “it’s in there!” But you’re right: these are more high-level standards for connected devices than IoT specific, so it’s more “use strong authentication” than “have a hardware-based root of trust.” Also: I think there’s a reluctance to be too prescriptive (i.e. calling out particular technologies like app whitelisting) lest we end up with a UL equivalent of the PCI DSS.