Cybersecurity Assurance Program From UL

Life safety and electronic physical security systems can now be assessed for cyber risk against industry-specific requirements.

The electronic physical security industry now has a dedicated Cybersecurity Assurance Program (UL CAP) from UL. Using the new UL 2900-2-3 Standard, UL CAP for electronic physical security systems offers testable cybersecurity criteria to help assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls, and increase security awareness. UL CAP is for manufacturers looking for trusted support in assessing security risks while they continue to focus on product innovation to help build safer, more secure products, as well as for owners, system integrators, and retrofitters who want to mitigate risks by sourcing products assessed by a trusted third party.

The Internet of Things (IoT) is enabling more sophisticated capabilities through network-connected products and systems. As a result, electronic physical security products are becoming more interconnected, connectable, and networkable. The security, performance, and financial risks affecting products and services for the public and private sectors and for consumers alike are the key drivers for developing new safeguards in an ever-changing threat landscape with growing risks.

“The electronic physical security market is the cornerstone of safety and security in facilities and organizations. Cyber risks in this space are an important factor to address in securing a facility,” said Rachna Stegall, global director of Connected Technologies at UL. “UL believes that our UL CAP services can provide specifications that are repeatable, reproducible, and measurable with objective evidence that can support a manufacturer’s claim of security assurance in such an important component of an owner’s facility.”

The new specifications were developed in collaboration with electronic physical security product manufacturers, asset owners, UL, and other stakeholders. For manufacturers, owners, and integrators, UL can now evaluate against these specifications, which are detailed in the new UL 2900-2-3 Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems. UL can help manufacturers identify security risks in a wide range of products, such as surveillance cameras, emergency communications systems, fire alarm systems, alarm receiving systems, intrusion detection systems, and access control systems. The output of UL’s work will allow the manufacturer to identify methods for mitigating those risks.

Meeting the technical requirements outlined in UL 2900-2-3 allows electronic physical security products and systems to be certified by UL. Additionally, since security is dynamic, UL 2900-2-3 can support the evaluation of a manufacturer’s process for design, development, and maintenance of secure products and systems. UL 2900-2-3 provides a tiered approach to the security requirements applicable to the product, with an increasing level of security for each tier. Specifics of the tests that can be performed can be found here.