Genetec UL Cybersecurity Certificate (2900-2-3) Examined

By Dan Gelinas, Published Dec 19, 2018, 01:07pm EST

Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates?

Earlier in 2018, a false Hikvision cybersecurity certification announcement caused controversy. And Genetec itself has cast aspersions on its Chinese rivals as being untrustworthy.

Now, Genetec has announced achieving UL's 2900-2-3 [link no longer available] Level 3 (L3) certification that Genetec claims "validates its resilience against cyber-attack."


However, does it really? What does it consist of? How much validation does it provide?

In this note, based on our discussions with Genetec, JCI, and UL, we examine:

  • UL Overview
  • Cybersecurity certification process
  • Process for Genetec
  • Cost
  • Highest of 3 levels
  • Testing performed
  • UL's process
  • Others certificated

Executive Summary

While no certification can guarantee a product is 'invulnerable' nor 'backdoor free', the fact that this UL certification includes significant source code testing provides a significantly higher confidence level than generic cybersecurity certifications.


UL Overview


Cybersecurity certification process


Process for Genetec


Cost


Highest of 3 levels


Testing performed


Others certificated


JCI said the vetting process for 2900-2-3 L3 was thorough:

Being that we pursued UL2900-2-3 Level 3, it was a thorough review of product, process and policies. The arduous side of the endeavor is all the work needed to be prepared.

Furthermore, JCI said that the certification provided an assurance to customers that a certificated company was doing their part to be secure and that customers could trust them and their products:

It's an assurance. It assures that the manufacturer is doing their part to make sure products are developed thoughtfully and mitigates risks. To our industry, it offers a level playing field for end users and systems designers, who can now trust that a UL CAP certified product meets the requirements of robust cybersecurity standards. While other cybersecurity certifications are available, the UL 2900-2-3 compliance standard is specific to electronic physical security products.


Comments (14)

Please note: This story has been updated to include the following input from JCI, which was the first manufacturer to achieve the UL2900-2-3 L3 listing.

JCI said the vetting process for 2900-2-3 L3 was thorough:

Being that we pursued UL2900-2-3 Level 3, it was a thorough review of product, process and policies. The arduous side of the endeavor is all the work needed to be prepared.

Furthermore, JCI said that the certification provided an assurance to customers that a certificated company was doing their part to be secure and that customers could trust them and their products:

It’s an assurance. It assures that the manufacturer is doing their part to make sure products are developed thoughtfully and mitigates risks. To our industry, it offers a level playing field for end users and systems designers, who can now trust that a UL CAP certified product meets the requirements of robust cybersecurity standards. While other cybersecurity certifications are available, the UL 2900-2-3 compliance standard is specific to electronic physical security products.

Agree
Disagree
Informative: 2
Unhelpful
Funny

I think it is a good thing that at least someone is trying to implement a baseline standardization and processes for certifying a service/hardware from dev to production. However, there is no pre-coded software that will block an unknown attack; being unknown means it is unique, fresh and definitely not patched. This UL cert is only a launch pad; once you are up there outside of the atmosphere, where there are no updates to a static one-time certification, good luck. The false sense of security is not driven in layman's terms for the end user/corporation looking to hurry up and buy. This cert is a drop in the bucket; however, if they start advertising as if their platform is magically immune to the dynamic people that love to watch systems fail, well, they have another thing coming. As far as JCI, I just laughed; first of all, VE is already SUSE, perhaps some Perl, Mongo, Docker and Apache. All the nerds already know how to harden *nix systems. I can see the one standing in the back cubicle murmuring, "Hey boss, if we tweak this we can get this certification." Ezpz.

In a nutshell, let's pay more SSA, more IPC license, more UL cert costs and definitely inform our customers each year just how secure they are.

Security is a living breathing entity where the white hats are static and the black hats are dynamic. That is what makes it work.

Yours Truly,  UD1

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

This is great! If hikvision passed this, would they be as cyber secure as genetec?

Agree
Disagree
Informative
Unhelpful: 3
Funny: 6

I feel like some people are maybe reacting to you as if you were a troll, but technically speaking I believe you would be right.

Is that not the point of UL? Meeting the certification criteria means you should be at least as good as the others who've met the criteria.

But I don't believe HIK Vision would go through with this.

Agree
Disagree
Informative
Unhelpful
Funny

They should. It would be a slap in the face "ish". One could take it 2 ways:

- Hikvision is just as cyber secure as Genetec
- Genetec is just as cyber secure as Hikvision (possibly less because Hikvision is not only UL certified, but they also have a road show)

Agree
Disagree
Informative
Unhelpful
Funny: 1

- Genetec is just as cyber secure as Hikvision (possibly less because Hikvision is not only UL certified, but they also have a road show)

Oh, Sean, you're the best!

Since Hikvision seemingly aims to have every cybersecurity certificate, sure, let them do it. At least, this one comes with some form of actual product testing.

The UL certification, though, only looks for common flaws / issues, so while it's good for 'coding errors' as Hikvision like to say, it would be very unlikely to find any deliberate backdoors that they may place for their owner, the Chinese government.

What do you think about a certification for being 'free of authoritarian government control'?

Agree
Disagree
Informative
Unhelpful
Funny: 1

Sounds like the response one would get from a Hik-hater.


If Genetec gets the certification, they are brilliant, locked down, the fort knox of cyber security.

If Hikvision gets the certification, they still possibly theoretically have super secret back doors put there by xi himself, that aim to abuse the rights of humans and spy on booger picking americans. Not to mention their machine learning equipment is probably going to spawn the Matrix.

Agree
Disagree
Informative
Unhelpful
Funny

If Genetec gets the certification, they are brilliant, locked down, the fort knox of cyber security.

Lol, do you even read the article or just come here to troll for your partner Hikvision?

Contrary to your accusation, here is what we said about Genetec's certification:

While no certification can guarantee a product is 'invulnerable' nor 'backdoor free', the fact that this UL certification includes significant source code testing provides a significantly higher confidence level than generic cybersecurity certifications.

Your claim then is silly, at best:

If Hikvision gets the certification, they still possibly theoretically have super secret back doors put there by xi himself

UL cannot and does not vouch for products being back door free. If Genetec wanted to put in a backdoor that UL could not find, they could. If Hikvision wanted to put in a backdoor that UL could not find, they could. 

The difference is - one is a private Canadian company who supports democracy and the free world and the other is controlled by an authoritarian government who simultaneously conducts cyberespionage and runs concentration camps. The latter is your business partner.

Agree: 4
Disagree
Informative
Unhelpful
Funny

Genetec wanted to put in a backdoor that UL could not find, they could. If Hikvision wanted to put in a backdoor that UL could not find, they could.

I totally agree with you that, Cyber-Security speaking, theoretically Hikvision and Genetec are the same strength wise.

Agree
Disagree
Informative
Unhelpful
Funny

I totally agree with you that, Cyber-Security speaking, theoretically Hikvision and Genetec are the same strength wise.

Wow, that is some fine trolling. For the record, that is clearly not my position.

Let's be more productive:

  • I've emailed Hikvision asking them if they are in process of getting this UL certification. If or when they respond I will update here.
  • If Hikvision gains this certification, we will post a positive article about / on Hikvision as it speaks to some clear level of cybersecurity work.
  • It will not eliminate the ownership / control problem but it will certainly be helpful especially in ensuring that last year's backdoor does not happen again.
Agree: 1
Disagree
Informative
Unhelpful
Funny

Genetec is indeed serious about cybersecurity, as seen in the process they have undergone to achieve this level. This is encouraging.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Soon all manufacturers, and even integrators with their internal business processes as well as their installations in the field, are going to be required to meet a level of auditable cyber security standards to do business with certain customers... nice to see UL bring credibility to the cyber security compliance opportunity.

Agree
Disagree
Informative
Unhelpful
Funny

We have tried to contact UL via their form with no response... any suggestions?

Agree
Disagree
Informative
Unhelpful
Funny

I've reached out to my contact at UL and will get back to you soon, UM#3.

Agree
Disagree
Informative
Unhelpful
Funny