UL IoT Security Rating System Ranks IoT Devices Security from Bronze to Diamond

Underwriters Labs (UL) is better known for its electrical safety certification programs, but in 2016, the company introduced three UL 2900 IoT security standards that defined requirements of software cybersecurity for network-connectable products.

Four years later, you may not have heard many products adhering to UL 2900, and Laurens van Oijen, IoT security solution leader at UL, recognizes that ” the UL 2900 set the bar too high for most consumer electronics/IoT companies” according to a report on CE Pro. So instead the company has launched the UL IoT Security Rating System last May with 5 levels of “security capabilities” ranking IoT devices and products with either Bronze, Silver, Gold, Platinum, or Diamond.

UL IoT Security RatingThose certifications are aimed to help both manufacturers and developers to improve the security of their solutions, and help consumers make better purchase decisions by knowing the level of security of IoT products by just looking at a label on the product package.

The UL IoT Security Rating System relies on baseline criteria from seven categories:

  • Software Updates
  • Data & Cryptography
  • Logical Security
  • System Management
  • User Identifiable Data (Privacy Protection)
  • Protocol Security
  • Process and Document Requirement

which mostly align with existing regulatory frameworks’ requirements such as NISTIR 8259, ETSI TS 103 645 and CSDE C2.

UL IoT Security Rating - DCMS, NIST, ETSI, CSDE
Click to Enlarge

Such IoT Security Ranking will become important due to the sheer number of IoT devices expected to hit the market in the next few years, but also due to regulatory changes. For example, the US states of California (Senate Bill 327) and Oregon (House Bill 2395) have new state laws set to become effective on January 1, 2020 and holding manufacturers responsible to implement “reasonable security feature(s) … designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified” in devices connected to the Internet either directly or indirectly.

More details can be found on the product page. Note that you’ll need to register with your address and telephone number to download any document on the UL website. The levels of security are described as L1… L5 in UL NCV 1376 document instead of the Bronze… Diamond labels consumers would see.

Thanks to Jon for the tip.

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard
Notify of
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
4 years ago

My opinion of UL just tanked. UNIX philosophy: do 1 thing well is good advice.

Jon Smirl
4 years ago

UL is a collection of many different testing labs. Each UL lab can only do about 10% of all possible tests. There is a master lab for each standard which certifies the secondary labs. It is like a franchising model with regular recertification from the master lab to ensure the secondary labs are doing their jobs. In this case existing cyber security firms may become certified by the originating UL lab to do this testing. I would not dismiss this as useless, before this came out there weren’t very many accessible security standards. The purpose of UL testing and giving… Read more »

4 years ago

Is there a robustness rating or adversary model associated with each of the levels L1-L5?

Khadas VIM4 SBC