Page 1: UL CAP UL’s Cybersecurity Assurance Program · Development Approach of UL Cybersecurity Assurance Program (UL CAP) April - August 2015 September 2015 – February 2016 March 2016

UL’s Cybersecurity Assurance Program Mitigating Safety and Performance Risks

Copyright© 2016 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written permission of UL LLC. or as otherwise provided in writing.

UL CAP

Page 2: Introducing Ken Modeste, Principal Engineer & Cybersecurity Technical Lead

Background

• Bachelor's in Computer Science with 15 years of working experience, including primary software architect for an enterprise-class security and access control system with embedded devices and sensors communicating in real time to manage large-scale software systems

At UL

• Global responsibilities for cybersecurity, interoperability and protocol compliance

Ken Modeste, Underwriters Laboratories

Page 3: About UL

Protecting people, places and products

• Customers in 113 countries
• 10,842 employees
• 159 UL laboratory, testing & certification facilities

Values and areas of activity: Integrity, Collaboration, Competitiveness, Workplace Health & Safety, Responsible Sourcing, Fire Safety, Life & Health Science, Transaction Security

Page 4: Development Approach of UL Cybersecurity Assurance Program (UL CAP)

April - August 2015 – Key Activities:

• May 22nd meeting with Interagency SSCA: pre-meeting on potential CAP
• CAP proposal discussion at the June 2 – 4 SSCA Working Group meeting
• Other interagency meetings
• Engaged the ICS and Medical Devices industry vendors, government and other interested stakeholders

September 2015 – February 2016 – Key Activities:

• Leverage current industry best practices / requirements
• 1st and 2nd draft of outlines for: UL 2900-1 – General Requirements for Connectable Devices; UL 2900-2-1 – Healthcare Devices & Systems; UL 2900-2-2 – Industrial Control Systems
• Pilot testing with customers
• Established ANSI PINS

March 2016 – Key Activities:

• Ongoing engagement with ICS & Medical Devices industry on requirements and program
• Ongoing engagement with Interagency SSCA collaboration
• Integrate feedback from pilots into CAP
• Publish the 3rd draft of UL 2900-1, 2-1 and 2-2 on March 30, 2016
• Launch CAP on April 5, 2016
• UL 2900-3 Organization & Process Testing – under development

Page 5: Technical Requirements – UL’s Requirements Development Approach

Stages:

• Stakeholder Input
• Pilot Program
• Finalize and Publish 1st Edition of CAP Requirements
• ANSI Standards Process (UL 2900)
• Publish 2nd Edition Requirements

• Leverage expert input from Government, Industry and Academia
• Integrate learnings from ongoing testing of products
• Vet technical requirements with the U.S. Department of Veterans Affairs (VA) and Idaho National Labs & DHS – ICS-CERT

Page 6: Lessons Learned - Pilot Testing

• Pilot testing activities
  • Known Vulnerability testing
  • Static Analysis testing
  • Fuzz testing
• Key Observations
  • Compliance Criteria
  • Turn-around time
  • Tool Validation
  • Breadth of Service (Security & Quality)
  • Observations on Open Source
  • Harmonization of definitions

Page 7: What is the need for a Cybersecurity Assurance Program?

Page 8: Connected Technologies Growth Trends

As many as 50 billion devices are expected to be connected by 2020.

Gartner estimates¹ that IoT product and service suppliers will generate incremental revenue exceeding $300 billion in 2020. IDC² forecasts that the worldwide market for IoT solutions will grow from $1.9 trillion in 2013 to $7.1 trillion in 2020.

¹ http://www.gartner.com/newsroom/id/2684616
² http://www.forbes.com/sites/gilpress/2014/08/22/internet-of-things-by-the-numbers-market-estimates-and-forecasts/#2c5d9c292dc9

Page 9: Data Breaches

Guidance Documents

• ISO/IEC TR 15443
• ITU-T CYBEX 1500 series
• CVE / NVD
• CWE (CWRAF/CWSS, SANS CWE Top 25 / OWASP Top 10) and CAPEC
• ISO/IEC 27000 series
• ISO/IEC 15408
• ISO/IEC DIS 20243 / O-TTPS
• FISMA
• HIPAA
• IEC 62443
• IEC 80001
• PCI
• SANS 20 CSC
• Cyber Essentials (UK)
• Top 35 mitigation strategies (AU)
• NIST Cybersecurity Framework & SP 800-53r4 security controls
• DHS C3 VP & CRR
• SAE AS5553 & 6174

Data Breaches: 66%

Research shows that 66% of networks will have an IoT security breach by 2018.*

Consequences of a breach: unplanned downtime, loss of production, harm to assets, damage to reputation

*Source: Industry Analyst Data

Page 10: What Exists Today for Product Testing

Third-Party Programs:

• Cost
• Rigid Requirements
• Narrow Focus on Specific Industries
• Lack of Product-Specific Testing
• Slow Turnaround

Page 11: UL’s Experience in Connected Technologies

• Global Market Access
• Thousands of Standards Developed – Products & Systems
• Trusted Relationships: Consumers, Retailers, Government
• >8,000 Skilled Engineers
• >100 Skilled Interoperability Engineers
• >400 Skilled Security Engineers

Traditional Regulatory Safety Experience: 120+ Years
Cybersecurity: 20+ Years
Interoperability Testing: 20+ Years

Connected Technologies Experience
Connected Technologies Customers

Page 12: Testable Technical Criteria

• Transparent, repeatable, reproducible testing across industry verticals
• Improve cyber hygiene across all industry verticals

Improved Testing → Better Security

Page 13: Introducing the UL Cybersecurity Assurance Program

Page 14: What is UL CAP?

Page 15: UL 2900 Standards

General Product Requirements:

• UL 2900-1 – Software Cybersecurity

Industry Product Requirements:

• UL 2900-2-1 – Healthcare Systems
• UL 2900-2-2 – Industrial Control Systems
• UL 2900-2-X – TBD

General Process Requirements:

• UL 2900-3-1 – General Process Requirements
• UL 2900-3-2 – SDLC

Page 16: UL 2900

UL 2900 addresses:

• Vulnerabilities and Exploits
• Software Weaknesses
• Security Controls

Page 17: UL Cybersecurity Assurance Program Benefits

Page 18: UL CAP Helps Stakeholders

Product Manufacturers – Early adoption of the UL CAP provides a competitive advantage in the marketplace and can help with mitigating risk, including:

• Unplanned downtime and loss of production
• Costly harm to assets
• Reputational damage
• Validation of security claims

Government, NGOs, Asset Owners and Retailers – Including UL 2900 as a procurement requirement can help:

• Provide transparency and validation
• Provide a common set of technical criteria

Insurance Companies – UL CAP provides:

• Transparency to the security posture of products
• Easier assessment of cyber risk

Page 19: Q&A

Page 20: Thank you