Pumping Gas

New standard provides objective approval on products’ cybersecurity
Spencer Ives

Tuesday, April 5, 2016
NORTHBROOK, Ill.—UL today announced its new Cybersecurity Assurance Program, a standard by which companies can have their products tested and verified by UL for guard against well-known cyber risks.

“[UL customers] were asking for a lot of support—as we do today from a safety perspective—in helping them address the risks associated with security,” Ken Modeste, UL’s principal engineer, security and global communications, told Security Systems News. “The program really looks at some areas where products today, and vendors today, have flaws … that are economically feasible to address [and] that cause the majority of security incidents out there.”

Modeste stressed that the program is voluntary, a way for companies to differentiate themselves with a new “CAP” designation from UL. Through UL, “You have a third-party providing some industry-accepted and validated technical criteria on how to evaluate the security of your product,” Modeste said.

UL worked with the Department of Homeland Security and the White House to develop the standard for the Cybersecurity Assurance Program.

Some of the requirements for the CAP—to become UL 2900 compliant—include testing for known vulnerabilities, malware and software weaknesses. UL also conducts penetration testing on the product—“ethical hacking,” as Modeste called it.

The standards were published March 31 and vendors can start working with UL through this program today. “Any time in Q2/Q3, we should see products coming out that are tested and certified [to this standard],” Modeste said.

UL will be discussing and promoting the program at ISC West 2016.

Another goal for UL is to “help the industry build more security awareness in its products,” Modeste said. “Our objective is really working with vendors and helping them identify the risk and the return-on-investment for these efforts. So, we expect a slow ramp up as we do that.”

UL will stay current on cyberrisks through several methods. The certification will only be valid for 12 months or as soon as the product is changed. Second, the standard limited the number of prescriptive requirements. UL also references outside sources for top cybersecurity concerns, lists which are independently kept current.