Underwriters Labs (UL) is better known for its electrical safety certification programs, but in 2016, the company introduced three UL 2900 IoT security standards that defined requirements of software cybersecurity for network-connectable products.
Four years later, you may not have heard many products adhering to UL 2900, and Laurens van Oijen, IoT security solution leader at UL, recognizes that ” the UL 2900 set the bar too high for most consumer electronics/IoT companies” according to a report on CE Pro. So instead the company has launched the UL IoT Security Rating System last May with 5 levels of “security capabilities” ranking IoT devices and products with either Bronze, Silver, Gold, Platinum, or Diamond.
Those certifications are aimed to help both manufacturers and developers to improve the security of their solutions, and help consumers make better purchase decisions by knowing the level of security of IoT products by just looking at a label on the product package.
The UL IoT Security Rating System relies on baseline criteria from seven categories:
- Software Updates
- Data & Cryptography
- Logical Security
- System Management
- User Identifiable Data (Privacy Protection)
- Protocol Security
- Process and Document Requirement
which mostly align with existing regulatory frameworks’ requirements such as NISTIR 8259, ETSI TS 103 645 and CSDE C2.
Such IoT Security Ranking will become important due to the sheer number of IoT devices expected to hit the market in the next few years, but also due to regulatory changes. For example, the US states of California (Senate Bill 327) and Oregon (House Bill 2395) have new state laws set to become effective on January 1, 2020 and holding manufacturers responsible to implement “reasonable security feature(s) … designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified” in devices connected to the Internet either directly or indirectly.
More details can be found on the product page. Note that you’ll need to register with your address and telephone number to download any document on the UL website. The levels of security are described as L1… L5 in UL NCV 1376 document instead of the Bronze… Diamond labels consumers would see.
Thanks to Jon for the tip.