If Underwriters Laboratories (UL) fills a security certification gap, will anyone care? This is often the problem for a product or service that has been well-established. If it branches out into a new area people either won’t notice, or they just won’t believe this is something the entity is capable of doing. It doesn’t have anything to do with facts, it has to do with perceptions. We have a strong idea of what UL does, and it isn’t security.
However, UL has actually put together a pretty decent validation program, which is the only program that even attempts to wrap around what could be an Internet of Things (IoT) nightmare for IT.
Let’s talk about UL’s Cybersecurity Assurance Program (CAP) to certify security products in an IoT world and help CIOs sleep at night.
IoT is a security nightmare
We talk quite a bit about how wonderful it will be to have everything connected largely by completely ignoring what a security nightmare the result is likely to be. Sensors, cameras, equipment, HVAC systems, even elevators and cars are all supposed to be increasingly more connected and much of this stuff can’t run security software.
This means the data coming from these things can be taken or corrupted, they can be remote controlled and sometimes forced to catastrophically fail.
For instance a few years back McAfee showcased it could take an Android phone and remotely take it over causing it to overheat and cook itself to death. Chrysler was showcased badly as the firm that forgot to keep their infotainment and driving systems separate resulting in a hacker showcasing they could remotely take over the car.
And with networked products all it takes in one of the thousands of connected devices to be breached to give an attacker access to the network. They can then use the one thing they hacked to take over a bunch of other stuff.
This means every single IoT device has to be certified, and when you’re talking small devices there really isn’t anyone better equipped to deal with the problem than UL.
UL security certification
Currently, UL CAP has three levels of certification.
Product Testing is UL 28000-1. It’s where they look at specific products and test them to make sure they can resist a set number and types of attack. Industry Product Testing UL2900-2x is where they add on tests specific to healthcare and industrial controls, which need a greater depth of protection for compliance (additional industries will be added as this program expands). And Organizational Process Testing 29000-3 is where they look at the process surrounding the products to make sure it is secure as well.
For those industries covered, I’d advise that all three certifications be kept in place.
The gap in CAP
A lot of the products that go through testing like this are patchable either in software or firmware. However, the one missing piece appears to be a rigorous auditing process so that if an exposure is introduced post certification the certification can be removed until the problem is corrected. Otherwise the owner of the product is likely to believe the product is still safe when it may not be.
That’s the problem with patchable products, any testing applies only to the product as it existed when the product was tested, as soon as it is patched the certification may no longer be valid and entire classes of these products to get patched often. On the other hand, things like sensors and cameras rarely get patched so they should remain relatively consistent with the certification and they likely represent the highest volume of devices expected to be deployed.
For complex products like cars, which can have in-line component swaps and manufacturing patches, a certification process like this may not even work reliably without aggressive spot audits. Recall that VW was able to get around the smog certification for their diesel engines and only got caught by accident.
CAP is a huge step in the right direction
Overall this UL CAP program is a huge step in the right direction and the only process I’ve seen so far that even comes close to addressing the coming nightmare of IoT devices, which individually have to be made secure. Fortunately, the hub approach, which is becoming far more common particularly with enterprises where the devices are maintained on an isolated network and only connect through a secure hub, does mitigate a lot of the problem only if you can be sure the isolated network doesn’t get breached. However, with wireless devices in particular, that often isn’t the case.
Personally, were it me, I’d make darn sure that IoT security landed on someone else’s desk and, if I couldn’t do that, I’d take a hard look at this UL certification process and make it a requirement. At least then, when you have a breach -- and you will have a breach -- you can argue you were prudent in your approach.
Something to noodle on this weekend.