Subscriber Discussion

UL Cybersecurity Assurance Program - Is This Good For Physec?

Josh Bylsma
Nov 30, 2017
BLUEmark Technologies

UL is now offering a Cybersecurity Assurance Program (CAP), also known as the UL 2900 Standard. While it appears to be more focused on consumer IoT products, do you think there would be value in a UL 2900 listing for the PhySec industry?

https://services.ul.com/service/ul-cybersecurity-assurance-program-ul-cap/?ind=Cybersecurity

Some PhySec news outlets are reporting this as a good thing. Manufacturers would be able to add UL 2900 as another certification. However, is UL the proper place to be testing against cyber security threats, specifically as it relates to the PhySec industry?


John Honovich
Nov 30, 2017
IPVM

Dahua would be the first company to get UL2900 certified, then bashis would find another backdoor a month later. I am kidding, maybe, I hope...

In terms of its value:

There is clearly some value for manufacturers with poor cyber security track records (e.g., Dahua, Hikvision). They can pay some money to get some 3rd party validation that they can wave.

One unknown is how much it costs, both in terms of time and money. It seems to be on a per-product basis, which for an industry that has dozens or hundreds of camera models could be very costly.

Related, I am curious how UL will verify / track firmware changes where new vulnerabilities may be introduced.

Also, what kind of liability does this pose for UL? Both financially and reputation wise? Seems risky to vouch for something so hard to verify / easy to miss vulnerabilities.

Overall, I am skeptical of adoption for this. Outside of UL's 'standardization' in electrical matters, their other standards tend to be ignored. Recall "UL Standard For Cameras? UL2802 Is Effectively Dead".

We have been tracking this for some time but, given those issues, have ignored it until and unless we see some manufacturer make a push around this.

Josh, what do you think?

Undisclosed End User #1
Dec 01, 2017

"Make software security measurable, comparable and transparent"

How will you manage that?

Note, I was planning to comment a lot from the URL given above, but it is mostly sales talk, so let's go into the few points of fact which I find relevant.

"Verify and validate the absence of known vulnerabilities, weaknesses, and known malware in products and the effective implementation of security controls"

Isn't the 'unknown' more interesting to know? (The known is simply known.)

"Coding flaws, defects, and bugs are a main cause for easily exploitable software vulnerabilities."

No shit?

"By identifying and exposing vulnerabilities, especially during development, this can significantly reduce or eliminate security risks in products' and systems' software, ideally before deployment."

Reverse engineering in R&D?

"The Product or System Assessment involves testing, including:"

.....

OK, so there is some reverse engineering after all, not bad.

"Therefore, and in addition, a Product or System Assessment verifies a product's software is in compliance with required security controls. These security controls may include but not be limited to role-based access control, secure data storage, cryptography, key management, authentication, integrity and confidentiality of all data received and transmitted."

Ah, you want to sell IDS/IPS (Intrusion Detection System/Intrusion Protection System) 

"The UL 2900 Standard contains minimum requirements on each of these controls. The Standard contains requirements for the vendor or manufacturer to design the security controls in such a way that they demonstrably satisfy the security needs of the product. Also, the Standard describes testing and verification requirements for collecting evidence that the designed security controls are implemented."

https://www.emergogroup.com/tags/ul-2900

Medical device and healthcare networking cybersecurity standard... And?
