UL IoT Security Rating System Ranks IoT Device Security from Bronze to Diamond

Underwriters Laboratories (UL) is better known for its electrical safety certification programs, but in 2016 the company introduced three UL 2900 IoT security standards that define software cybersecurity requirements for network-connectable products.

Four years later, you may not have heard of many products adhering to UL 2900, and Laurens van Oijen, IoT security solution leader at UL, acknowledges that “the UL 2900 set the bar too high for most consumer electronics/IoT companies”, according to a report on CE Pro. So instead, last May the company launched the UL IoT Security Rating System, with five levels of “security capabilities” that rank IoT devices and products as Bronze, Silver, Gold, Platinum, or Diamond.

UL IoT Security Rating

Those certifications are intended to help manufacturers and developers improve the security of their solutions, and to help consumers make better purchase decisions by showing the security level of an IoT product on a label on its packaging.

The UL IoT Security Rating System relies on baseline criteria from seven categories:

  • Software Updates
  • Data & Cryptography
  • Logical Security
  • System Management
  • User Identifiable Data (Privacy Protection)
  • Protocol Security
  • Process and Document Requirement

which mostly align with the requirements of existing frameworks and guidelines such as NISTIR 8259, ETSI TS 103 645 and the CSDE C2 Consensus.

UL IoT Security Rating - DCMS, NIST, ETSI, CSDE

Such an IoT security rating will become important due to the sheer number of IoT devices expected to hit the market in the next few years, but also due to regulatory changes. For example, the US states of California (Senate Bill 327) and Oregon (House Bill 2395) have new state laws that take effect on January 1, 2020, holding manufacturers responsible for implementing “reasonable security feature(s) … designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified” in devices connected to the Internet either directly or indirectly.

More details can be found on the product page. Note that you’ll need to register with your address and telephone number to download any document from the UL website. The security levels are described as L1 to L5 in the UL MCV 1376 document, rather than the Bronze to Diamond labels consumers would see.

Thanks to Jon for the tip.

Jay (Guest):

My opinion of UL just tanked. UNIX philosophy: do 1 thing well is good advice.

Jon Smirl (Member):

UL is a collection of many different testing labs. Each UL lab can only do about 10% of all possible tests. There is a master lab for each standard which certifies the secondary labs. It is like a franchising model with regular recertification from the master lab to ensure the secondary labs are doing their jobs. In this case existing cyber security firms may become certified by the originating UL lab to do this testing.

I would not dismiss this as useless, before this came out there weren’t very many accessible security standards. The purpose of UL testing and giving a classification like gold/silver is to enable the rates for cyber security insurance to be set more easily.

Say a company buys all bronze stuff or unrated stuff for their network. Their cyber insurance rates are going to be higher than someone who buys all Diamond rated.

Suresh (Guest):

Is there a robustness rating or adversary model associated with each of the levels L1-L5?
