Genetec UL Cybersecurity Certificate (2900-2-3) Examined

By: Dan Gelinas, Published on Dec 19, 2018

Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates?

Earlier in 2018, a false Hikvision cybersecurity certification announcement caused controversy. And Genetec itself has cast aspersions on its Chinese rivals as being untrustworthy.

Now, Genetec has announced achieving UL's 2900-2-3 Level 3 (L3) certification that Genetec claims "validates its resilience against cyber-attack."


However, does it really? What does it consist of? How much validation does it provide?

In this note, based on our discussions with Genetec, JCI, and UL, we examine:

  • UL Overview
  • Cybersecurity certification process
  • Process for Genetec
  • Cost
  • Highest of 3 levels
  • Testing performed
  • UL's process
  • Others certificated


Executive *******

***** ** ************* *** guarantee * ******* ** 'invulnerable' *** '******** ****', the **** **** **** UL ************* ******** *********** source **** ******* ******** a ************* ****** ********** level **** ******* ************* certifications. 

*******, ** ** ****** expensive *** ****-********* ** many ************* *** *** find ** ***** *****. 

** ****, **** * video ************ ************* **** done ** (******* *** Tyco *** *********) ***** are **** *** *********. We ** *** **** how **** **** ***** work ** *** *** camera ************* **** ******** models.

UL ********

***** **** ****** *** 124 ******** ** ****** ****** as * ****** ** developing ********* *** ******* products ** **** **** they ******* ****** *** as ********. *******, ************ those ********* **** **** around ********** *** ********** elements, *** *************.

**’* ************* ********* ******* (UL ***),******** ** ****, ***** **-******* ******** against ******** **** ***** **** ****** ** cybersecurity *********. *** **** ****** ****** cybersecurity ** ********* ****** and *** ********* ********* including ***** ************ (****-*), healthcare ******* (****-*-*), *** industrial ******* ******* (****-*-*). UL ****-*-* ** **'* attempt ** "******* *****" for *** ********* ** security *********. 

Cybersecurity ************* *******

**********, *** ************* ******** of ******* ** *** product's ****** ********* '********** penetration *******', '****** **** analysis', *** '****** *** bytecode ********', ** *** excerpts **** ***** '******* of *************' ***** *****:

           

Process *** *******

 **** ***** **** ******* Lead ******** *********, ******* Chevalier [**** ** ****** available] ***** *** *******, what ** ******** *** what ** ***** *** Genetec's *********.

*******'* ********* **** *** process, ***** **** ****** 8 ******, *** *** easy, comparing ** ** "***** on *****." ** **** the ******* **** *** attention ** *** ****** cybersecurity **** ** *:

** *** * ******* process. *** ** ** trial *** **** ****** evidence *** **** **** that ********** ** **** for *** ***** *** then **** ********* ** in ***** ** *** people **** **. *** findings *** ******** ** that ****. ** *** a *** ** ********* information *** ****** **** everything *** ** ** should **. ** ******* lots ** **** *** my ***** ***** ****—** 5 ******.

***********, ********* **** **** UL ***** ********* ***************, they ********* *** ************ to Genetec for ******** *********** ** repair:

***** *** * ** employee *** *** *** advocate *** *** ******** to *** ****. ** presented **** ** ***** to ** *** ** needed ** ****** *** it ** ******* *** it ** **** ** is.

********* **** **** *** *** up ****** ** ****** some ******, ********* *********** in ******* ********* ******* operational **********:

**** **** ********* *** procedure, ** * *** to ********* ** ******* a ********* **** ** already ***, *** ****'* have ** ******* ****. They ****** *** *************. So: '**** *** **** vulnerabilities, *** *** *** going ** ******** **** and *** ****?'

********* ******* *** ******* helped ******* *******, ****** the *********** ** ********* and *** ********* ** new *****:

** ********** *** ****** exam **** ** **** using ****’* ******** **** problems. ********* ***** *** stronger ** ****** ** different ******. ** *** tried ***** ****—******************—******, *** **** *** improved **.

********* **** ****** *********** testing ****'* ****** *** that *** ** ************* means ******* **** ********** accountable:

**** **** *********** *******, you ***’* **** ** fix ********. **** **, we **** ** *** whatever ******** **** **** or ** ***’* *** the *************.

Cost *** *************

******* **** *** ***** certification ******* **** **** $50,000 ** *****, **** notable ********* ***** ** maintain ********** ** ** guidelines. ********* **** ***** that *** ************* ******* only ******* *** ******* version, ** **** ******* was ***** ** **** on ** ***** **** version—they *** ********* ********* version 6—they **** **** ** redo *** ************* ******* all **** *****.

Highest ** * ******

******* ******** *** ******* of *** * ******, which ******** ********** **** levels * *** * as **** ** ** assessment ** ******** ************ of *** ******* **** knowledge ** ******** ******** controls *** ** ******** practices ** ******* *** lifecycle ** *** *******, as *** ********* ******* from **'* ******* ** Investigation *** *** *************:

Testing *********

******* ******** **** **** documentation ********* ******** *********** analysis ** *** ****, explaining:

**** ********* **** *** software *** *** ** determine ** ******** **** source ********** *** ****. If **** *** **** then ** ***** ** determine *** ******* *** then ***** ** *** if **** ******* *** known ***************.

*****, ** ***** *************** of ***** ******* *** previously *******:

*** ******** ****—***** ****—** *** **** ****** used ** *** ********. Their **** ** *** I **** ***** ***** of *****************. ** ***** ****** that ***** **** ****’* flag. *** ************ ******** of ****** ***** **** false ******** *** * small ****** **** **** positive.

*** ***** ** *** scan ** ********* ** reflected ** *** ******* graphic *****:

**** **'* ***** ********** potential ***************, *** ******* was ******* ** *******'* attention *** **** **** given * ****** ** respond, ** ** **** redacted *******:

Others ************

*** *** ******** ** ******* *** UL ****-*-* ****** **** **** ***** VideoEdge ******** **** ******** Dynamics.

*** **** *** ******* process *** ****-*-* ** was ********:

***** **** ** ******* UL2900-2-3 ***** * ** was * ******** ****** of *******, ******* *** policies. *** ******* **** of *** ******** ** all *** **** ****** to ** ********. 

***********, *** **** **** the ************* ******** ** assurance ** ********* **** a ************ ******* *** doing ***** **** ** secure *** **** ********* could ***** **** *** their ********:

**’* ** *********. ** assures **** *** ************ is ***** ***** **** to **** **** ******** are ********* ************ *** mitigates *****. ** *** industry, ** ****** * level ******* ***** *** end ***** *** ******* designers, *** *** *** trust **** * ** CAP ********* ******* ***** the ************ ** ****** cybersecurity *********. ***** ***** cybersecurity ************** *** *********, the ** ****-*-* ********** standard ** ******** ** electronic ******** ******** ********.

*** *** ******* *** currently *** **** ******** companies ** ** ******* 2900-2-3

***** ******** * ***** ****** (outside *** ******** ********) that have **** **** ****** certificated (*** **** ** ** logged **** ** ******* IQ ** *** *** list ** **** ****** certificated *********) ** **** level ***** **** ****-*-*.


Comments (14)

****** ****: **** ***** has **** ******* ** include *** ********* ***** from ***, ***** *** the ***** ************ ** achieve *** ******-*-* ** listing.

 

*** **** *** ******* process *** ****-*-* ** was ********:

***** **** ** ******* UL2900-2-3 ***** * ** was * ******** ****** of *******, ******* *** policies. *** ******* **** of *** ******** ** all *** **** ****** to ** ********. 

***********, *** **** **** the ************* ******** ** assurance ** ********* **** a ************ ******* *** doing ***** **** ** secure *** **** ********* could ***** **** *** their ********:

**’* ** *********. ** assures **** *** ************ is ***** ***** **** to **** **** ******** are ********* ************ *** mitigates *****. ** *** industry, ** ****** * level ******* ***** *** end ***** *** ******* designers, *** *** *** trust **** * ** CAP ********* ******* ***** the ************ ** ****** cybersecurity *********. ***** ***** cybersecurity ************** *** *********, the ** ****-*-* ********** standard ** ******** ** electronic ******** ******** ********.

* ***** ** ** a **** *****, **** at ***** ******* ** trying ** ********* * baseline *************** *** ********* for ********** * *******/******** from *** ** **********. However ***** ** ** pre ***** ******** **** will ***** ** ******* attack, ***** ******* ***** it ** ******, ***** and ********** *** *******. This ** **** ** only * ****** ***, once *** *** ** there ******* ** *** atmosphere ***** ***** ** no ******* ** * static *** **** *************, good ****. *** ***** sense ** ******** ** not ****** ** ******'* terms *** *** *** user/corporation ******* ** ***** up *** ***. **** cert ** * **** in *** ****** ******* if **** ***** *********** as ** ***** ******** is ********* ****** ** the ******* ****** **** love ** ***** ******* fail, **** **** **** another ***** ******. ** far ** ***, * just *******, ***** ** all ** ** ******* Suse, ******* **** ****, mongo, ****** *** ******. All *** ***** ******* know *** ** ******** *nix *******, * *** see *** *** ******** in *** **** ******* murmuring *** ****, ** we ***** **** ** can *** **** *************. Ezpz.

** * ******** **** pay **** ***, **** ipc *******, **** ** cert ***** *** ********** inform *** ********* **** year **** *** ****** they ***.

******** ** * ****** breathing ****** ***** *** white **** *** ****** and *** ***** **** are *******. **** ** what ***** ** ****.

***** *****,  ***

**** ** *****! ** hikvision ****** ****, ***** they ** ** ***** secure ** *******?

* **** **** **** people *** ***** **-****** to *** ** ** you **** * *****, but *********** ******** * believe *** ***** ** right.

** **** *** *** point ** **? ******* the ************* ******** ***** you ****** ** ** least ** **** ** the ****** ***'** *** the ********.

*** * ***'* ******* HIK ****** ***** ** through **** ****.

**** ******. ***** ** slap ** *** **** "ish". *** ***** **** it * ****:

- ********* ** **** as ***** ****** ** Genetec
- ******* ** **** as ***** ****** ** Hikvision (******** **** ******* Hikvision ** *** **** UL *********, *** **** also **** * **** show)

- ******* ** **** as ***** ****** ** Hikvision (******** **** ******* Hikvision ** *** **** UL *********, *** **** also **** * **** show)

**, ****, ***'** *** best!

***** ********* ********* **** to **** ***** ************* certificate, ****, *** **** do **. ** *****, this *** ***** **** some **** ** ****** product *******.

*** ** *************, ******, only ***** *** ****** flaws / ******, ** while **'* **** *** 'coding ******' ** ********* like ** ***, ** would ** **** ******** to **** *** ********** backdoors **** **** *** place *** ***** *****, the ******* **********.

**** ** *** ***** about * ************* *** being '**** ** ************* government *******'?

****** **** *** ******** one ***** *** **** a ***-*****.

 

** ******* **** *** certification, **** *** *********, locked ****, *** **** knox ** ***** ********.

** ********* **** *** certification, **** ***** ******** theoretically **** ***** ****** back ***** *** ***** by ** *******, **** aim ** ***** *** rights ** ****** *** spy ** ****** ******* americans. *** ** ******* their ******* ******** ********* is ******** ***** ** spawn *** ******.

** ******* **** *** certification, **** *** *********, locked ****, *** **** knox ** ***** ********.

***, ** *** **** read *** ******* ** just **** **** ** troll *** **** ******* Hikvision?

******** ** **** **********, here ** **** ** said ***** *******'* *************:

***** ** ************* *** guarantee * ******* ** 'invulnerable' *** '******** ****', the **** **** **** UL ************* ******** *********** source **** ******* ******** a ************* ****** ********** level **** ******* ************* certifications.

**** ***** **** ** silly, ** ****:

** ********* **** *** certification, **** ***** ******** theoretically **** ***** ****** back ***** *** ***** by ** *******

** ****** *** **** not ***** *** ******** being **** **** ****. If ******* ****** ** put ** * ******** that ** ***** *** find, **** *****. ** ********* wanted ** *** ** a ******** **** ** could *** ****, **** could. 

*** ********** ** - one ** * ******* Canadian ******* *** ******** democracy *** *** **** world *** *** ***** is ********** ** ** authoritarian ********** *** ************** conducts ************** *** **** concentration *****. *** ***** is **** ******** *******.

******* ****** ** *** in * ******** **** UL ***** *** ****, they *****. ** ********* wanted ** *** ** a ******** **** ** could *** ****, **** could.

* ******* ***** **** you **** *****-******** ********, theoretically ********* *** ******* are *** **** ******** wise.

* ******* ***** **** you **** *****-******** ********, theoretically ********* *** ******* are *** **** ******** wise.

***, **** ** **** fine ********. *** *** record, **** ** ******* not ** ********.

***'* ** **** **********:

  • *'** ******* ********* ****** them ** **** *** in ******* ** ******* this ** *************. ** or **** **** ******* I **** ****** ****.
  • ** ********* ***** **** certification, ** **** **** a ******** ******* ***** / ** ********* ** it ****** ** **** clear ***** ** ************* work.
  • ** **** *** ********* the ********* / ******* problem *** ** **** certainly ** ******* ********** in ******** **** **** year's ******** **** *** happen *****.

******* ** ****** ******* with ************* ** **** in ******* **** **** undergone ** ******* **** level. **** ** ***********. 

**** *** *********** *** even ** *********** **** thier ******** ******** ******* as **** ** **** thier ************ ** *** field *** ***** ** be ******** ** **** a ***** ** ********* cyber ******** ********* ** do ******** **** ******* customers...............nice ** *** ** bring ************* ** *** cyber ******** ********** *********** 

** **** ***** ** contact ** *** ************* ** ********... *** suggestions?

*'** ******* *** ** my ******* ** ** and **** *** **** to *** ****, **#*.
