Underwriters Labs (UL) is better known for its electrical safety certification programs, but in 2016, the company introduced three UL 2900 IoT security standards that defined software cybersecurity requirements for network-connectable products.
Four years later, you may not have heard of many products adhering to UL 2900, and Laurens van Oijen, IoT security solution leader at UL, recognizes that “the UL 2900 set the bar too high for most consumer electronics/IoT companies”, according to a report on CE Pro. So instead, the company launched the UL IoT Security Rating System last May, with 5 levels of “security capabilities” ranking IoT devices and products as either Bronze, Silver, Gold, Platinum, or Diamond.
Those certifications are meant to help both manufacturers and developers improve the security of their solutions, and to help consumers make better purchase decisions by knowing the security level of an IoT product just by looking at a label on the product package.
The UL IoT Security Rating System relies on baseline criteria from seven categories:
- Software Updates
- Data & Cryptography
- Logical Security
- System Management
- User Identifiable Data (Privacy Protection)
- Protocol Security
- Process and Document Requirement
which mostly align with existing regulatory frameworks’ requirements such as NISTIR 8259, ETSI TS 103 645 and CSDE C2.
Such an IoT security rating will become important due to the sheer number of IoT devices expected to hit the market in the next few years, but also due to regulatory changes. For example, the US states of California (Senate Bill 327) and Oregon (House Bill 2395) have new state laws set to become effective on January 1, 2020, holding manufacturers responsible for implementing “reasonable security feature(s) … designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified” in devices connected to the Internet either directly or indirectly.
More details can be found on the product page. Note that you’ll need to register with your address and telephone number to download any document on the UL website. The levels of security are described as L1… L5 in the UL NCV 1376 document, instead of the Bronze… Diamond labels consumers would see.
Thanks to Jon for the tip.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
My opinion of UL just tanked. UNIX philosophy: do 1 thing well is good advice.
UL is a collection of many different testing labs. Each UL lab can only do about 10% of all possible tests. There is a master lab for each standard which certifies the secondary labs. It is like a franchising model with regular recertification from the master lab to ensure the secondary labs are doing their jobs. In this case existing cyber security firms may become certified by the originating UL lab to do this testing.
I would not dismiss this as useless; before this came out there weren’t very many accessible security standards. The purpose of UL testing and giving a classification like gold/silver is to enable the rates for cyber security insurance to be set more easily.
Say a company buys all bronze stuff or unrated stuff for their network. Their cyber insurance rates are going to be higher than someone who buys all Diamond rated.
Is there a robustness rating or adversary model associated with each of the levels L1-L5?