For every consumer electronic device I have, I wonder how effective its cybersecurity is, especially when I read news headlines such as "Amazon Ring hacker accesses camera in child's room." The hacker could see, hear and talk to a little girl. So, it's clear, a minimum amount of cybersecurity at home, as well as on the plant floor and in the control panel, is a requirement.
According to the news article, a "spokesperson" stated that Ring's overall security was not compromised. Really? I would have unplugged the camera, and the family did.
Clearly the best defense is to not become a target, and no one should have to worry about being attacked. Fortunately, it is possible to learn how not to become a target, and a great way to do that as a manufacturer or integrator is to get a UL IoT Security Rating. It's the minimum required.
Whether it's consumer tech products or industrial control systems, a reliable and secure IoT connection is required. I talked with Gonda Lamberink, cybersecurity senior business development manager at UL, about UL's newest safety baseline for manufacturers and retailers in the cybersecurity industry.
According to UL, it is the first organization to offer conformity assessment for all key security frameworks and a consumer labeling system to convey the level of security protection provided to connected products. UL’s new IoT Security Rating solution evaluates critical security features of connected products against common attack practices and known IoT vulnerabilities, to help make product security transparent and accessible to consumers through UL’s Verified Mark.
Lamberink focuses on identifying customer needs in IoT security and developing new opportunities for UL, providing IoT advisory, testing, compliance and solutions primarily in consumer, commercial and industrial IoT, but there are other verticals such as automotive or smart mobility and healthcare.
I used to work at a UL508 panel shop, and this UL mark is a great label to place on a control panel. It shows it's a quality and safe panel. What UL has seen over the past several years is an increasing interest in cybersecurity coming from manufacturers across the board, as any device with wireless connectivity is a potential target for cybersecurity hackers. Over the past couple of years there has been an increasing focus on preventing large-scale attacks, such as denial of service using botnets.
All manufacturing facilities and control system integrators must include at least a minimum amount of security. It's not just security for critical infrastructure in an industrial complex but across the board down to the device level, which is what UL has created with its new IoT Security Rating.
"This IoT Security Rating provides a suitable and purposeful solution that meets a baseline level of security," says Lamberink. "While it doesn't promise an exhaustive level of security on a product, it looks for must have minimum security features that any product should have."
UL initially focused its attention on the consumer products market as there are few alternatives to do a security assessment. However, the security priorities should be clear—all products or systems in the industrial control space must consider security in the design.
It's a vast marketplace in need of cybersecurity. "There are more and less mature manufacturers when it comes to security," says Lamberink. "Industry leaders have very well developed cybersecurity methods and have been doing it for years. There are those who are not even aware yet of cybersecurity or don't know where to begin. In many cases, there are many products where security is lacking—it's low-hanging fruit for hackers."
The UL IoT Security Rating is a leveled approach with five levels from absolute minimum baseline to increasing levels of requirements. "There is a need for an absolute floor and a need for manufacturers to start differentiating with UL labels for different levels," says Lamberink.
This UL rating can potentially apply to industrial control panels. However, some of the end customers in the industrial market may have security requirements that go beyond UL's highest ratings. Because of that, UL provides certification for other security solutions including IEC 62443, a series of standards to address and mitigate security vulnerabilities in industrial automation and control systems. It also works with OEMs to manage its supply chain complexity and security across the board.
The bottom line is control systems need cybersecurity. The IoT Security Rating requirements are published in UL MCV 1376, which documents the five tested and certified secure-by-design levels of security capabilities that can be applied to many applications. It documents the many baseline options for verification of security capabilities such as software updates, data and cryptography, logical security, system management, customer identifiable data, protocol security, and process and documentation.
"UL has also published a whitepaper titled IoT Security Top 20 Design Principles,” says Lamberink. "Most of these principles have been translated into the requirements for the formal IoT Security Rating assessment. It's a good source for a quick summary of must-have security practices and principles."
Transparent, measurable cybersecurity is the direction UL is pushing the market. Communicating that security capability in a seamless manner through a UL Security Rating label is a good way to convey security to the marketplace. It's also a good way to market the security capability of a product or control system and something to look for when specifying one.