Underwriters Laboratories (UL) today announced a new Cybersecurity Assurance Program (CAP) that uses a new set of standards to test network-connected products for software vulnerabilities.
The new UL certification will be for both vendors of Internet of Things (IoT) products and for buyers of products who want to mitigate risks.
The testing standards were developed as part of a voluntary program involving industry officials as well as academics and the U.S. government.
President Obama's broad Cybersecurity National Action Plan, released in February, details a long-term strategy to improve cybersecurity awareness and protections. Obama's plan specifically notes that UL worked with the Department of Homeland Security to develop CAP to test and certify networked devices "whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure it has been certified to meet security standards."
UL also noted that CAP will also be used to test and certify IoT devices within critical infrastructures such as energy and utilities, as well as healthcare.
UL CAP will evaluate both the security of network-connectable product and sytems as well as the processes used by vendors for developing and maintaining the security of products and systems.
Ken Modeste, leader of cybersecurity technical services at UL, said in an interview that the CAP standards have been tested in pilot programs with several vendors since last September to "make sure we have repeatable, reproducible criteria" for quality assurance.
"The challenge of solving cybersecurity is a long game and there's no silver bullet for it," Modeste said.
He said part of the value of CAP will be to help software and equipment makers include all the many patches and updates from third parties and open-source providers that are used in an application or software product used with a device.
One cause of security breaches is that patches don't always migrate to finished products, he added. The list of software elements used in finished products "hasn't advanced as much as it has with hardware, where you know where it is sourced and comes from and you can identify when a source has a flaw in it."
UL's CAP will rely on a publicly-available government vulnerability database kept by the National Institutes of Standards and Technology that tracks and enumerates product vulnerability worldwide and is updated daily. It has a multitude of product lists, including desktop and mobile platforms. It also lists flaws and patches and identifies which version of software has a patch to address a specific security flaw.
Using the NIST database will make the UL CAP program economically feasible to run, Modeste said.
Pricing for the UL testing is still being developed, but will vary depending on whether a product is a thermostat or an MRI machine, he added.
"It will be economically reasonable," he said. "The point is for the software vendor to go to the purchaser and say, 'I've done this due diligence from this trusted party.'"
UL, an independent company, has been providing safety-focused advice, including testing and certifications, in the sciences for more than 120 years; it has 67,000 clients.