Scientific safety organization Underwriters Laboratories, whose trademark “UL” insignia can be found adorning the labels of most modern household appliances, launched a new set of standards to assess cybersecurity in connectable devices — with the particular goal of safeguarding critical infrastructure.
The announcement Tuesday comes as technology research firm Gartner has predicted that up to 50 billion connected devices will be in use by 2020. According to Anura Fernando, Global Principal Engineer at UL, this explosive growth of the Internet of Things underscores the need for a cybersecurity baseline — something he said UL’s new Cybersecurity Assurance Program will facilitate.
“Malicious users have become all too prominent across many industry sectors,” Fernando told FedScoop. “As we looked at places where, traditionally, UL products have found themselves, it has been close to critical national infrastructure. CAP is a response to the natural evolution of technology, the unfortunate evolution of people’s behavior as they interact with that technology, and a fundamental need across the nation to protect critical infrastructure.”
UL developed CAP in response to outreach from the White House, whose Cybersecurity National Action Plan calls for a proactive solution to critical infrastructure vulnerabilities. Through collaboration with government organizations like the National Institute of Standards and Technology, as well as public-private partnerships like the Software and Supply Chain Assurance Forum, UL identified the best practices and standards that emerged across industries and compiled them into a testable set of criteria for new technology.
Although UL is known primarily for its safety testing, Fernando said that the leap to security has been ongoing.
“Many people think of us as strictly a safety company, but for many decades we’ve been dealing with a variety of aspects of security, ranging from physical security — looking at things like safes — to ATMs and embedded card chips,” he said. “With an increasing prevalence of embedded software, we’ve seen that that software has to be very carefully scrutinized and evaluated.”
According to Fernando, the launch of CAP will encourage developers to bolster their cybersecurity efforts.
“There are products going off manufacturing lines with malware already in them, or malware vulnerabilities already in them — sometimes due to the use of open source software, sometimes due to the inexperience of developers in understanding secure development lifecycle,” said Fernando. “Identifying those critical issues, making sure we have this cybersecurity baseline established where products stop going off the line with malware and vulnerabilities — that is the goal of CAP: to ensure the low hanging fruit in some of the big problem areas is tackled.”