Transcript: UL CAP · UL’s Cybersecurity Assurance Program · Development Approach of UL Cybersecurity Assurance...
UL’s Cybersecurity Assurance Program Mitigating Safety and Performance Risks
Copyright© 2016 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written permission of UL LLC. or as otherwise provided in writing.
UL CAP
Introducing Ken Modeste, Principal Engineer & Cybersecurity Technical Lead
Background
• Bachelor’s in Computer Science with 15 years of working experience, including primary software architect for an enterprise-class security and access control system with embedded devices and sensors communicating in real time to manage large-scale software systems
At UL
• Global responsibilities for cybersecurity, interoperability and protocol compliance
Ken Modeste, Underwriters Laboratories
About UL
PROTECTING PEOPLE, PLACES, PRODUCTS
CUSTOMERS IN 113 COUNTRIES
10,842 EMPLOYEES
159 UL LABORATORY TESTING & CERTIFICATION FACILITIES
INTEGRITY · COLLABORATION · COMPETITIVENESS
WORKPLACE HEALTH & SAFETY · RESPONSIBLE SOURCING · FIRE SAFETY · LIFE & HEALTH SCIENCE · TRANSACTION SECURITY
Development Approach of UL Cybersecurity Assurance Program (UL CAP)

April – August 2015. Key Activities:
• May 22nd meeting with Interagency SSCA Pre-meeting on potential CAP
• CAP Proposal Discussion at the June 2 – 4 SSCA Working Group meeting
• Other interagency meetings
• Engaged the ICS and Medical Devices Industry vendors, government and other interested stakeholders.

September 2015 – February 2016. Key Activities:
• Leverage current industry best practices / requirements.
• 1st and 2nd Draft of Outlines for: UL 2900-1 – General Requirements for Connectable Devices; UL 2900-2-1 – Healthcare Devices & Systems; UL 2900-2-2 – Industrial Control Systems
• Pilot testing with Customers
• Established ANSI PINS

March 2016. Key Activities:
• Ongoing engagement with ICS & Medical Devices Industry on requirements and program
• Ongoing engagement with Interagency SSCA Collaboration
• Integrate feedback from pilots into CAP
• Publish the 3rd draft of UL 2900-1, 2-1, and 2-2 on March 30, 2016
• Launch CAP on April 5, 2016
• UL 2900-3 Organization & Process Testing – Under Development
UL’s Requirements Development Approach
Technical Requirements → Stakeholder Input → Pilot Program → Finalize and Publish 1st Edition of CAP Requirements → ANSI Standards Process (UL 2900) → Publish 2nd Edition Requirements
• Leverage Expert Input
• Integrate learnings from ongoing testing of products
Stakeholder Input:
• Government
• Industry
• Academia
Vet technical requirements with:
• U.S. Department of Veterans Affairs (VA)
• Idaho National Labs & DHS – ICS-CERT
Lessons Learned - Pilot Testing
• Pilot testing activities
  • Known Vulnerability testing
  • Static Analysis testing
  • Fuzz testing
• Key Observations
  • Compliance Criteria
  • Turn-around time
  • Tool Validation
  • Breadth of Service (Security & Quality)
  • Observations on Open Source
  • Harmonization of definitions
UL CAP: What is the need for a Cybersecurity Assurance Program?
Connected Technologies Growth Trends
As many as 50 Billion devices are expected to be connected by 2020.
Gartner estimates¹ that IoT product and service suppliers will generate incremental revenue exceeding $300 billion in 2020. IDC² forecasts that the worldwide market for IoT solutions will grow from $1.9 trillion in 2013 to $7.1 trillion in 2020.
¹ http://www.gartner.com/newsroom/id/2684616
² http://www.forbes.com/sites/gilpress/2014/08/22/internet-of-things-by-the-numbers-market-estimates-and-forecasts/#2c5d9c292dc9
Guidance Documents
• ISO/IEC TR 15443
• ITU-T CYBEX 1500 series
• CVE / NVD
• CWE (CWRAF/CWSS, SANS CWE Top 25 / OWASP Top 10) and CAPEC
• ISO/IEC 27000 series
• ISO/IEC 15408
• ISO/IEC DIS 20243 / O-TTPS
• FISMA
• HIPAA
• IEC 62443
• IEC 80001
• PCI
• SANS 20 CSC
• Cyber Essentials (UK)
• Top 35 mitigation strategies (AU)
• NIST Cybersecurity Framework & SP 800-53r4 security controls
• DHS C3 VP & CRR
• SAE AS5553 & 6174

Data Breaches: 66%
Research shows that 66% of networks will have an IoT security breach by 2018.
Consequences of a BREACH:
• Unplanned Downtime
• Loss of Production
• Harm to Assets
• Damage to Reputation
*Source: Industry Analyst Data
What Exists Today for Product Testing
Third-Party Programs:
• Cost
• Rigid Requirements
• Narrow Focus on Specific Industries
• Lack of Product-Specific Testing
• Slow Turnaround
UL’s Experience in Connected Technologies
Traditional Regulatory Safety Experience:
• 120+ Years
• Global Market Access
• Thousands of Standards Developed – Products & Systems
• Trusted Relationships: Consumers, Retailers, Government
• >8,000 Skilled Engineers
Connected Technologies Experience:
• Cybersecurity: 20+ Years
• Interoperability Testing: 20+ Years
• >400 Skilled Security Engineers
• >100 Skilled Interoperability Engineers
Connected Technologies Customers
Testable Technical Criteria
• Transparent, repeatable, reproducible testing across industry verticals
• Improve cyber hygiene across all industry verticals
Improved Testing → Better Security
UL CAP: Introducing the UL Cybersecurity Assurance Program
What is UL CAP?
UL 2900 Standards
General Product Requirements:
• UL 2900-1 – Software Cybersecurity
Industry Product Requirements:
• UL 2900-2-1 – Healthcare Systems
• UL 2900-2-2 – Industrial Control Systems
• UL 2900-2-X – TBD
General Process Requirements:
• UL 2900-3-1 – General Process Requirements
• UL 2900-3-2 – SDLC
UL 2900 covers:
• Vulnerabilities and Exploits
• Software Weaknesses
• Security Controls
UL CAP: UL Cybersecurity Assurance Program Benefits
UL CAP Helps Stakeholders
Product Manufacturers – Early adoption of the UL CAP provides a competitive advantage in the marketplace and can help with mitigating risk, including:
• Unplanned downtime and loss of production
• Costly harm to assets
• Reputational damage
• Validation of Security Claims
Government, NGOs, Asset Owners and Retailers –
Including UL 2900 as a procurement requirement can help:
• Provide transparency and validation
• Common set of technical criteria
Insurance Companies – UL CAP provides:
• Transparency to the security posture of products
• Easy to assess cyber risk
Q&A
Thank you