Using standardized assessment criteria, UL supports your company in identifying and evaluating software vulnerabilities and cybersecurity risks.
Cyber attacks with large-scale effects will soon become a regular part of business life. Within this environment, it is highly recommended to firmly entrench cybersecurity within the corporate culture and to establish continuous monitoring of the IoT landscape.
The successful hacking of a moving Jeep Cherokee is considered to have been the wake-up call for the entire automotive industry. In the summer of 2015, two security researchers took control of a moving Jeep by gaining access through a vulnerability in the vehicle’s infotainment system. They were able to control the door locking system, brakes and acceleration. The researchers then demonstrated this with a driver who had been made aware of the situation. The driver slowly lost control of the vehicle and ended up in a ditch on the side of the road. Fiat Chrysler had to recall 1.4 million vehicles to provide a software update.
This case made it evident: the widespread practice of first developing a solution and only afterwards implementing security concepts is risky business. With the sheer number of devices, their distribution and accessibility, the Internet of Things is placing entirely different requirements on IT security. Comprehensive networking and integrated, standardized applications make it easier for hackers to breach systems.
Cyber attacks with large-scale effects will soon become a regular part of business life. Some attacks and simulations performed today point in this direction and show that IoT devices can be networked in the same way as computers. Therefore, if millions of IoT devices, such as webcams, can be manipulated and interconnected into a platform, they can launch a DDoS (distributed denial-of-service) attack with a major potential for damage.
In this environment, a sound approach is critical: establishing security awareness throughout the company. All relevant stakeholders in the company must be involved to ensure a new cooperation between occupational safety (Safety), data privacy (Privacy) and information security (Cybersecurity).
To keep an overview, responsible IT managers already need to continuously monitor their IoT landscape and their processes so that they can react when either the IoT components or the security situation changes.
The UL Cybersecurity Assurance Program (UL CAP) was created in order to manage security risks. It operates on the basis of standardized criteria to discover and evaluate software vulnerabilities. This helps to reduce exploits, combat known malware, expand security controls and increase overall security awareness.
UL CAP is based on the UL 2900 Series of Standards, which were developed with the support of interest groups representing governments, universities and industry. Both UL CAP and the UL 2900 Series of Standards are based on UL's long-term expertise in safety science, standards development, audits and certifications. Our engineers continuously test new IoT products and systems and research processes in order to efficiently remove vulnerabilities.
UL offers cybersecurity solutions for the following areas:
Transparency is also decisive for creating new protective measures in a constantly changing threat landscape. An e-book published by UL demonstrates how transparency can be realized. The book discusses the Cybersecurity Assurance Program and the application of the UL 2900 standards to industrial control systems.
In addition, the e-book offers an overview of the general cyber risks to critical infrastructure and explains why it is important to validate the safety and integrity of the software supply chain. Furthermore, you will learn what steps are required in order to reduce potential software vulnerabilities.
On the one hand, we have industrial corporations and on the other we have the manufacturers of new IoT consumer products, which are now being used as a launching platform for cyber attacks. The UL White Paper is useful to both sides. It contains the “Top 20 Design Principles for IoT Security” (available in English). These should be considered if you build an IoT device.
It was originally intended for manufacturers of IoT products. However, companies that connect their production platforms to the Internet are, in principle, also building IoT devices that must be protected. This is not a comprehensive list: there are more than 20 starting points. Furthermore, the list is not a guarantee of security; you could implement every one of the 20 points listed and still have a security problem, because today cybersecurity must be viewed holistically and is best entrenched in the corporate culture.
UL supports companies in managing the challenges of Industry 4.0 by providing solutions that drive forward security, interoperability and efficiency.
Critical infrastructure industries are especially in focus when dealing with issues of security. A current UL research project with DARPA shows how the US Department of Defense wants to protect these kinds of infrastructures and what role open source software plays.