Certified Cyber-Secure

May 17, 2018
The first UL 2900-certified security product may signal the beginning of a new era for the industry

The news may have come and gone without a ton of fanfare, but March 27, 2018, might be the day the security industry looks back on as the watershed moment when the cybersecurity of the products that dealers and integrators install every day could actually be measured and certified.

On March 27, Johnson Controls announced that its American Dynamics VideoEdge NVR became the first product to be officially certified as meeting the Underwriters Laboratories (UL) 2900 standard for cybersecurity. The NVR platform underwent a series of evaluations based on UL 2900-2-3, a new standard developed specifically for the electronic physical security industry that assesses a product’s software vulnerabilities and weaknesses and reviews its exposure to exploitation and known malware.

“UL is filling a gap by providing third-party validation of the cybersecurity claims made on various product types,” says William Brown, senior engineering manager, Cyber Protection Program, Building Technologies & Solutions, Johnson Controls. “As organizations take cybersecurity more seriously, they often find themselves without the expertise or tools to truly validate manufacturer claims. This certification from UL provides independent evidence that our commitment to product cybersecurity, guided by our Cyber Protection program, is real and that we are serious about providing secure solutions.”

The road to the first UL 2900-certified security product is not as long as you might think; in fact, the first edition of the UL Standard for Software Cybersecurity for Network-Connectable Products (UL 2900-1) was published as an American National Standards Institute (ANSI) standard in early July 2017 – just 10 months ago. Odds are that many more products are coming down the pipeline, as vendors work to assure both channel partners and their end-customers that IP products are indeed cyber-secure.

The Need for Trust

Security vendors are fooling themselves if they think IP product security is not an issue among their integrator and other channel partners; in fact, many of them are clamoring for something they can “hang their hats on” when it comes to assurance of a product’s cybersecurity. After all, integrators may be just as liable for a data breach stemming from a vulnerable product as the end-user whose network it resides on.

“The recent influx of high-profile data breaches has led our executive team to really evaluate our manufacturing partners to ensure their philosophies match our internal ideas on securing hardware,” says Tim Cook, Managing Partner of Security 101 – Ohio, a 2018 SD&I Fast50 company. “This obviously led to us declining to work with certain manufacturers and strengthening our relationship with others.”

“Cybersecurity has been the main driver of major change decisions in 2017, and this applies to vendors, manufacturers and even clients,” says Armando Perez, President of Hoosier Security. “We have evaluated a dozen solutions for one of our verticals and have narrowed it down to two simply on the cybersecurity requirements.”

Many vendors have taken internal steps to improve and publicize their products’ cybersecurity assurance – there are too many to list – however, Johnson Controls Security Products is the first to back its claims with third-party certification to a published standard. “The development of standardized, testable cybersecurity criteria by an organization such as UL, the preeminent security and life safety certification organization, provides a level playing field for end-users and systems designers, who can now trust that a UL CAP certified product meets robust cybersecurity standards,” Brown says.

“Clients we are working with right now see this as a differentiator,” explains Neil Lakomiak, Business Development Director for UL’s Building & Life Safety Technologies division. “These companies are really invested in cybersecurity – they are going out and either acquiring companies or investing in lots of talent in this area, and are really investing to get their products up to snuff with some of the established standards that are out there.”

Having an independent trusted third party perform assessments on connected products and on the vendors that manufacture, install, operate and maintain those products is obviously something that integrators can use.

“We are providing a variety of different services,” Lakomiak explains. “We brought this to market thinking that certification would be the big drive, but we are learning that very few companies are ready or even prepared for the certification process. Believe it or not, right now most of what we provide is advisory services and testing.”

Because IP technologies are still relatively young in the security industry – analog is still a thing on the ISC West show floor, for example – cybersecurity has not been much of a concern until now, Lakomiak says. “We are learning that this industry is way behind on cybersecurity, which, of course, is ironic,” he says. “But with so many more products being integrated together via IP connection, it raises the cyber risk even more.”

What is UL 2900?

UL 2900 – which includes three different versions covering different types of products, both in the security industry and outside of it – is the basis for UL’s Cybersecurity Assurance Program (UL CAP), a suite of solutions that assess software vulnerabilities and weaknesses, reduce exploitation, address known malware, review security controls and enhance security awareness.

UL CAP was developed in 2016 with input from stakeholders representing the U.S. federal government, academia and various industries to elevate the security measures deployed in the critical infrastructure supply chain.

As part of UL CAP, UL provides audits and guidance for cybersecurity compliance and support, as well as planning and design services to companies looking to protect their brand and business operations. Additionally, UL CAP includes security readiness training for product design and sourcing third-party components; product and network testing, including fuzz testing, vulnerability assessment, code analysis, penetration testing and malware testing; and of course, product and process certification to the UL 2900 Standard.

“The program allows vendors to concentrate on product innovation with emerging technologies and capabilities to meet the ongoing needs of the marketplace,” UL says on its website.

The standard is broken into three categories. UL 2900-1 applies to “network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware.” It covers both the vendor’s risk management of the product’s development and the testing procedures themselves.

UL 2900-2-2 applies to the evaluation of industrial control systems components, including Programmable Logic Controllers (PLCs); SCADA servers; data storage systems; networking equipment for ICS systems; smart sensors and more. In February 2018, Eaton’s Power Xpert Dashboard became the first power management product certified to the UL 2900-2-2 standard.

While industrial control systems are actually a specialty for some security integrators, UL 2900-2-3 is the standard most applicable to the greater security industry; in fact, UL 2900-2-3 covers virtually every IP-based security product you could have found on the ISC West show floor, including:

  • Alarm control units;
  • Intrusion detection equipment;
  • General purpose signaling units;
  • Digital video equipment and systems;
  • Mass notification and emergency communications/evacuation equipment;
  • Control servers;
  • Alarm automation system software;
  • Alarm receiving equipment;
  • Anti-theft equipment;
  • Fire alarm control systems;
  • Network-connected locking devices;
  • PSIMs;
  • Smoke control systems;
  • Smoke, gas and CO detection devices;
  • Audible and visual signaling devices (fire and general); and
  • Access control equipment and systems.

UL 2900 will continue to evolve to incorporate additional technical criteria as the security needs in the marketplace mature.

How Testing and Certification Works

UL developed its testing and certification process with help from a variety of stakeholders that included Andrew Lanning, Chair of PSA Security Network’s Cyber Committee; Joe Gittens, Director of Standards for the Security Industry Association (SIA); and members of ASIS.

According to Lakomiak, UL looks at products and software for known vulnerabilities, using the wide variety of available vulnerability databases. In addition, experts looking at products and software “get down to the code level to see if there are weaknesses that somebody could exploit,” Lakomiak explains.

There are structured penetration tests, where experts use software and other tools to do their best to hack into a product. Products are also evaluated on how credentials are handled – making sure the product has a secure way to verify and authenticate a user. “We look at things like forcing the user to reset the default password and how the data is protected,” Lakomiak adds. “We want to see if the data is encrypted when it is stored on the device and/or if it is encrypted when it sends the data somewhere else.”
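To make the credential-handling criteria above concrete, here is an added illustration (constructed for this article, not UL test code and not code from any certified product) of the two things an assessor would look for in a device’s login path: the factory credential is accepted only until it is changed, and stored passwords are salted, iterated hashes rather than plaintext. The `weak_login` function shows the anti-pattern; `DeviceAccount` shows the corrected design. The factory password, the minimum length and the PBKDF2 iteration count are assumptions for the example.

```python
"""Constructed example: default-credential reset and hashed password storage."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

FACTORY_PASSWORD = "admin"   # assumed factory credential for the example
MIN_PASSWORD_LENGTH = 12     # assumed policy
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def weak_login(password: str) -> bool:
    """Anti-pattern the assessment looks for: a hard-coded factory password that
    is accepted forever, compared in plaintext (and not in constant time)."""
    return password == FACTORY_PASSWORD


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class DeviceAccount:
    """Login state for one account on a network-connected device."""

    def __init__(self, username: str, factory_password: str = FACTORY_PASSWORD):
        self.username = username
        self.salt, self.digest = hash_password(factory_password)
        # The factory credential is flagged so it cannot be used for a real session.
        self.must_change_password = True

    def login(self, password: str) -> str:
        """Return 'denied', 'password_change_required' or 'session'."""
        if not verify_password(password, self.salt, self.digest):
            return "denied"
        if self.must_change_password:
            # Correct factory credential: only a password change is allowed.
            return "password_change_required"
        return "session"

    def change_password(self, old: str, new: str) -> bool:
        """Replace the stored credential; rejects wrong old password, short or unchanged new one."""
        if not verify_password(old, self.salt, self.digest):
            return False
        if len(new) < MIN_PASSWORD_LENGTH or verify_password(new, self.salt, self.digest):
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change_password = False
        return True


if __name__ == "__main__":
    acct = DeviceAccount("admin")
    print(acct.login("admin"))                                   # password_change_required
    print(acct.change_password("admin", "correct horse battery"))  # True
    print(acct.login("admin"))                                   # denied
    print(acct.login("correct horse battery"))                   # session
```

The point of the design is that a correct factory password never yields a working session, only the opportunity to replace it, and that a dump of the device’s credential store reveals salted hashes rather than reusable secrets.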

Malware is also a major aspect of the testing. “A lot of manufacturers, because of the pressures of getting to market quickly, use open source code,” Lakomiak says. “That is fine, but sometimes open source code has malware or it might be changed over time. If manufacturers don’t have a mechanism to track that, there may be some vulnerability created.”

Additionally, the process evaluates the vendor’s software updates and patches and how they are pushed out in an easy way for end-users (or integrators) to perform those updates.

The Roadmap

Obviously, with just one UL 2900-2-3 product officially certified, the industry still has a long way to go. “I feel like we are just getting started,” Lakomiak admits. “I am surprised that so few companies were really ready for certification, so I think there will need to be a lot of training and education, and a lot of baseline testing to get products up to speed to meet some of these basic cybersecurity protections.”

Lakomiak says that the road to certification begins with helping clients understand the gaps in the products they have, and then those vendors will go back and work with consultants or other experts to address those gaps. Then, they come back and have it reassessed.

“The path to certification for some of these companies is probably a year or less, but many have a longer path,” Lakomiak says. “We are talking about rethinking huge blocks of firmware and code.

“What we have done that is different (than ISO in Europe or the NIST Cybersecurity Framework) is to provide a platform that is a repeatable and reproducible way to evaluate a product,” Lakomiak adds. “It is rigorous, but not impossible. If someone were to go through the standard, I think they would probably realize that these are all reasonable things that we need to be doing as an industry. It is going to be a couple years for a lot of this to congeal.”

To learn more about the UL Cybersecurity Assurance Program and 2900 standards, please visit https://industries.ul.com/cybersecurity

Paul Rothman is Editor in Chief of Security Dealer & Integrator (SD&I) magazine. Access the current issue, full archives and subscribe at www.secdealer.com.