In 2017, UL published the Cybersecurity Assurance Program (CAP) standards series, UL 2900, specifically for network-connected physical security products. The standard assesses a product’s software vulnerabilities and weaknesses and reviews its exposure to exploitation and known malware.
UL Technology & Security Director Andrew Jamieson joins the conversation to discuss UL’s cybersecurity efforts, among other topics relevant to the channel.
The interview first appeared in CE Pro's sister publication Security Sales & Integration.
For readers who may not be familiar with the CAP standards, can you explain why UL’s focus is on product certification as opposed to standards that help enterprises protect their data and IT systems from cyber breaches?
UL helps innovators create safer, more secure products and technologies to enable their safe adoption by partnering with industry/manufacturers to navigate the growing complexities across the supply chain — from compliance and regulatory issues to trade challenges and market access.
UL enables trust and vital end-to-end security designed for our interconnected world. We possess a unique expertise in developing security frameworks, structuring security programs for IT and interconnected ecosystems, through to security evaluations and verification.
We enable businesses to implement innovations without compromising on security, which will maintain customer trust whilst increasing market access.
UL already works with various standards, such as ISO27001 and PCI DSS, that are designed to assist and assess companies’ overall security posture with regard to IT security. The Cybersecurity Assurance Program, and the UL2900 standards that underpin it, have been more specifically designed to address a market need for increased security in IoT systems, and allow for vendors of these systems to demonstrate the value they have put into securing their products and services.
Put more simply, UL does not believe that the world needs another IT security standard or security assessment process; however, it is our firm belief that the world does indeed need an increased focus on IoT security.
What is UL’s position in terms of the potential for systems integrators to share liability with manufacturers and end users when IoT systems are hacked?
Certainly integration of IoT systems can be an important part of either securing, or rendering insecure, IoT systems. We’ve seen in the past that providing for insecure remote access to IoT systems can leave companies open for attack and compromise, and as UL we would strongly suggest that companies do their research and due diligence on any third parties they are using to install or maintain IoT systems.
However, the issue of liability is a complex one. Where the installer has been clearly negligent with regard to security there is a case to be made around liability, but that also requires the installer to understand the security needs of a product or system during the install, and for the system to support such secure install options.
This is why vendors of systems should ensure they have sufficient documentation and guidance to assist the installer in their process, and the installer should ensure they obtain and follow this guidance.
Ultimately, it’s hard to point to any one party and say that security is entirely their responsibility or in reverse say that any party involved does not have some role to play in ensuring the secure installation and use of IoT systems.
Can you identify a top challenge or two that both integrators and end users face with the convergence of cyber and physical security?
The primary challenge that is faced at the moment by integrators and end users is identifying the security level and maturity of systems they are installing or using. At this point in time there is little to differentiate a secure system from an insecure system, or to assist purchasers in understanding how long a system may be maintained after purchase.
The industry needs to get to a point where purchase decisions can be made inclusive of the relevant information about the security of a product or service, in the same way safety is used in vehicles, electrical power consumption, etc.
This is not to say that there should not also be a minimum baseline for security that all products must meet as well. These are the two challenges — setting that minimum bar and allowing for differentiation of products and services that choose to invest in exceeding that bar.
In 2017, the FCC called for manufacturers to include cybersecurity in the initial design of all products. Where are we today regarding regulatory concerns generally in the security industry?
There is actually a lot of movement worldwide with governments looking at ways they can help drive an increase in the security of the products and services provided to their constituents. The EU has a framework for introducing various requirements for IoT security assessment, and the U.K. recently released a set of security baselines for these systems.
The U.S. is also looking at how it can meet these needs, with legislation in California being the first to pass mandating minimum levels of security for IoT systems, and the Cybersecurity Improvement Act that has been proposed at the federal level.
I’ll give you some key factors for industry success:
- Reliance on market driven mechanisms, risk management-based framework, internationally aligned
- Rooted in public-private collaboration to encourage economic activity while ensuring security
- Flexible and adaptable to encourage innovation
- Aim to alleviate regulatory uncertainties by aggregating industry regulatory standards and guidance documents, and best practices
How is UL collaborating with the Department of Homeland Security to manage cyber risks across the software supply chain? What fruits is this collaboration bearing?
UL aims to identify and manage risk associated with the global ICT supply chain and related third-party risk. Public-private partnership is the underlying foundation of successful critical infrastructure protection.
Both government and industry partners possess unique core competencies that add value to the partnership. Successful prevention, response, mitigation, and recovery efforts are severely degraded without the full participation of government and industry partners.
UL has a long history of collaborating with the U.S. Federal government, including the Department of Homeland Security and other government agencies and officials on critical infrastructure protection.