UL weighs in on cybersecurity standards for IoT

Article By : Junko Yoshida

As Underwriters Laboratories' cybersecurity standards is still in its early days, it remains to be seen how the company's Cyber Assurance Program will define commonality among cybersecurity practises.

Reactions from the Internet of Things (IoT) market were split at the wake of the launch of UL's (Underwriters Laboratories) cybersecurity standard – named 'UL 2900,' for the testing and certification of connected devices a couple of months ago.

On one hand, cybersecurity experts surmised that UL was in over its head.

After all, the safety organisation, founded 122 years ago, was originally built on safety standards for the public adoption of electricity. People worried about safety of electrical wiring.

However, plenty of people thought it high time for the well-respected organisation — a guardian of safety standards for a host of products — to weigh in on cybersecurity issues for emerging connected devices. UL proponents are hoping it can bring “adult supervision” to a deeply fragmented Internet of Things (IoT) market – where too many connected devices are designed with too little security.

Three months after the UL announcement, EE Times talked to some IoT technologists. How is UL 2900 being viewed and accepted? We also asked more about the UL 2900 standard from Ken Modeste, principal engineer of security and global communications at UL.

Despite lagging public perceptions and a discrepancy between UL’s cybersecurity goals and what UL offers today, UL intends to play an important role in the IoT community. The industry should benefit from “scientific, repeatable and reproducible criteria" for assuring quality of their products – whether applied to software, chips, components or end systems, as UL’s Modeste pointed out.

A big unknown, however, is how UL’s Cyber Assurance Program will define commonality among cybersecurity practises, at a time when device vendors are already burdened with myriad compliance requirements set forth by each vertical IoT segment.

Market traction
Right now, the UL 2900 standard is still in early days.

Daniel Cooley, senior vice president and general manager of IoT products at Silicon Labs, told us that he’s aware of the UL 2900 standard but “I haven’t dug into it yet.” His customers so far haven’t asked for UL2900 certification on Silicon Labs’ IoT processors, he explained.

However, Cooley observed, “The pendulum is swinging back.” Some customers are now “going hardcore” with security, he said, as they look for ways to build into their specs things such as encryption, cipher core and secure debugging, while others ask for code review.

Sami Nassar, vice president of cyber security solutions at NXP Semiconductors, told EE Times, “As a technology vendor, we find getting a third-party certification is always a good thing. It helps to differentiate good products from bad.”

Security by design
But Nassar provided a few cautions. Whether a connected vehicle or a smart home solution such as that of Apple’s HomeKit or Google’s Weave, “Each vertical [IoT] segment already has its own set of compliance requirements for interoperability and security.”

He stressed, “We want to encourage UL to get into security certifications.” But it won’t be easy for the group to “uniformalise” a cybersecurity standard to cut across the industries, he added. UL 2900, for now, might be useful only for products in industry pockets where compliance requirements don’t exist, he suspected.

UL relies on a publicly-available government vulnerability database – put together by NIST – to identify risks. UL helps IoT designers build secure products by avoiding the use of software or components with known vulnerabilities.

However, NXP’s Nassar stressed, “It’s more important to build security in from the get-go.” Stressing “security by design,” he added, “If you have to improve your security after a new vulnerability is exposed, you are already falling behind.”

Making any security standards genuinely effective and trusted takes time. UL 2900 is no exception.

Take the Common Criteria, for example, Nassar said. Its genesis lies in efforts that began in the 1980s, initiated by credit card companies. Its stringent security requirements became a standard to protect consumers’ secret data in ICs, explained Nassar.

It now offers a framework in which computer system users can specify their security requirements through Protection Profiles. “Some IoT vendors are aware of Common Criteria, and I know of a door-lock company who asked for an IC that’s Common Criteria certified,” Nassar said.

Building a security standard doesn’t always have to start from scratch, he noted. “You can build on what’s already proven, take it to new industries and spread it.”

EE Times spent some time with UL’s Ken Modeste so that we get to know UL and more about UL 2900. Continue here to read the interview..