UL now wants to be ubiquitous in cybersecurity, including medical devices and industrial controls
The company that pioneered safety certification for electrical devices at the end of the 19th century and went on to represent a reassuring stamp of approval in the 20th century has quietly begun to issue cybersecurity certifications for networked software.
Underwriters Laboratories, or UL as most people know it from its ubiquitous logo, launched its Cybersecurity Assurance Program last year, publishing its 2900 standard that covers the security of software for network-connectable devices and special supplements with additional requirements particular to medical devices and industrial control systems.
The requirements were drafted with the help of academics, industry experts and government officials — including federal “three-letter agencies” — UL Principal Engineer for Medical Software and Systems Anura S. Fernando told CyberScoop. The feds “provided us with some direction on what they’d like to see improved from a cybersecurity national posture point of view,” he said.
According to a UL factsheet, its 2900 series of standards tests and evaluates products based on the following criteria:
- Fuzz testing of products to identify zero day vulnerabilities over all interfaces.
- Evaluation of known vulnerabilities on products that have not been patched using the Common Vulnerability Enumerations (CVE) schema.
- Identification of the effects of known malware on products.
- Static source code analysis for software weaknesses identified by Common Weakness Enumerations, or CWE.
- Static binary analysis for software weaknesses identified by CWE, open source software and third party libraries.
- Specific security controls identified for use in products that reduce the security risk associated with:
  • Access control and authentication on products.
  • Cryptography used in products.
  • Remote communications to products.
  • Software updates on products.
  • Decommissioning of products.
- Structured penetration testing of products based on flaws identified in other tests.
- Risk assessment of product security mitigation designed into products.
Only a handful of products have been certified so far — among them, an ICS component, a smart TV and an encrypted information-sharing program. But Fernando said UL has recently been tweaking the CAP.
“This year we’ve had to get much more tactical about it …. what is it that the manufacturers need? What is it that the hospitals need? What is it that the component vendors need, who are selling products that might end up in medical devices? … How do we deal with [these different requirements] across multiple sectors?” he said.
Also in the mix: A Cooperative Research and Development Agreement, or CRADA, signed with the U.S. Department of Veterans Affairs last year.
VA will give UL’s researchers the chance to observe digitally connected medical devices in use, and the data will help the 122-year-old standards-setting for-profit develop an “end-to-end” picture of how best to manage the cybersecurity risks inherent in the coming internet of medical things.
As part of their work, Fernando says, UL engineers have been comparing some existing VA cybersecurity acquisition requirements to the 2900 requirements, and to the requirements laid down for vendors by the Defense Department — and other parts of the government.
One constant complaint from vendors trying to sell to the federal government, Fernando notes, is that “It’s difficult to deal with multiple sets of requirements.”
“There’s some alignment” between agencies, “but also some divergence.” The UL study will identify how the various requirements differ from each other — a precursor to ensuring that they line up better in future.