Security best practices urged amid cyber threats

Given the rampant cyberattacks against IoT devices, including IP cameras and NVRs, stakeholders across the supply chain should become more knowledgeable about the threats facing them and act accordingly to reduce these risks. One way to do this is to follow established security best practices, including product testing and certification.
 
That’s the main point raised by UL. The organization is known as a leader in developing standards and certifying products used in fire extinguishing, detection and annunciation systems. But it has also entered into the area of cybersecurity.
 
“For the last several years, UL has been helping to mitigate cybersecurity risk through the UL Cybersecurity Assurance Program (UL CAP). This program aims to minimize risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses. This in turn helps reduce exploitation, address known malware, enhance security controls and expand security awareness,” said Neil Lakomiak, Director of Business Development and Innovation at UL. “Our entry into cybersecurity was a result of requests from our clients and recognition of this growing risk. UL’s mission is to promote safe living and working environments for people, and we believe mitigating cybersecurity risk aligns well with our mission.”
 
More and more, cyberattacks have become real dangers that can affect everyday life. The recent Devil’s Ivy scare as well as last year’s DDoS attacks are vivid examples of this. Against this backdrop, stringent security requirements are urged by the private and public sectors alike. The US Federal Communications Commission, for example, is now proposing that IoT equipment suppliers implement “security by design” practices to build cybersecurity into their products before marketing them.
 
“The FCC advocating for cyber accountability sends a strong signal to the marketplace that there is a growing expectation that a minimum standard of care has been exercised for products and systems to address cyber hygiene. Cybersecurity is a shared responsibility, and a breach can be the result of the technology, the people using the technology or the processes an organization has in place (or lack thereof) to mitigate this risk,” Lakomiak said. “End-users, specifiers, integrators and those purchasing network connected products should have a reasonable level of confidence that the products are absent of known vulnerabilities and software weaknesses and present of risk controls such as encryption, user authentication and robust software update process.”
 
According to Lakomiak, UL can play a significant role in this regard. “UL CAP relies upon the UL 2900 set of standards, developed with input from major stakeholders representing government, academia and industry. In August of 2017, the UL 2900-2-3 standard for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems was published. UL 2900-2-3 offers testable cybersecurity criteria to help assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness to help mitigate risk,” he said. “In conjunction with publishing these new cybersecurity standards, UL provides training, advisory services, testing and certification for cybersecurity.”
 
Lakomiak also provided the following tips for vendors and SIs. “Vendors would be advised to enable authentication, use proper encryption algorithms, implement proper security configuration/risk controls, limit the type of access that is permitted (e.g. physical, remote, closed network, etc.), implement robust password requirements (including requiring the user to change the default password), incorporate specific protection against dictionary/brute force attacks and consider having their products evaluated by third parties to industry standards,” he said. “Systems integrators/users would be advised to follow the guidelines provided through the NIST and OWASP websites in conjunction with looking for products and systems that have been evaluated to the UL 2900-2-3 standard.”

