UL 2900-2-3 Helps Mitigate IoT Cybersecurity Risk
Smart electric meters, commercial security cameras, process sensors and ATMs make up a fraction of the devices connected to the internet of things (IoT).
According to Gartner, Inc., a business research and advisory organization, 8.4 billion connected “things” will be in use in 2017 with an expected 20.4 billion by 2020. The exponential growth of IoT devices, such as smart TVs, digital cable boxes, smart meters and security cameras, offers business to business (B2B) and business to consumer (B2C) users numerous opportunities such as responsive services, enhanced experiences and convenience, to name a few.
For electronic physical security systems, the IoT allows organizations to remotely monitor, identify and respond to safety and security issues. Digital keys can be quickly changed, for example, to limit or allow access, adding an extra layer of security to the system.
But with interconnected technology comes cyberthreats in the form of phishing, worms, bots, ransomware and malware techniques used by attackers who manipulate vulnerabilities within network administration software and operating systems.
What’s at stake?
Symantec, in its 2017 Internet Security Threat Report, offers these sobering statistics from its analysis of 2016 data:
- 1 in 2,596 emails contained phishing attempts
- 357 million new malware variants introduced
- 6 million bots
- 229 thousand web attacks blocked, on average, per day
- IoT devices were attacked on average once every two minutes
To put the numbers into context, an October 2016 attack made headlines when hacked cameras led to a massive distributed denial of service (DDOS) attack against websites like Amazon, Twitter, Spotify, Yelp, Netflix and Reddit. An army of botnets, known as Mirai, wreaked havoc by either knocking the targeted websites offline or severely decreasing a site’s operational bandwidth.
News articles reported that the traffic was drawn from multiple types of IoT devices, including unsecured routers, DVRs and cameras. Connected devices like these are used as a backdoor to hack into legitimate networks, acting as a ready platform for individuals, groups and even states, to launch large-scale, botnet/DDOS incidents.
Security by design
The Federal Communications Commission (FCC) warned IoT manufacturers in early 2017 to address cybersecurity risks soon or face more government oversight and mandatory regulations.
At the center of the issue are DDOS attacks by botnets such as Mirai and a growing scrutiny of unsecured channels that can be easily intercepted by hackers. Many manufacturers produce devices that are simple to “break” as shown by New York State’s investigation into the QuickLock Padlock and QuickLock Doorlock sold by SafeTech in Utah.
The FCC proposed in its Cybersecurity Risk Reduction White Paper (January 18, 2017) the implementation of intelligent cyber design practices, such as authentication safeguards and adherence to best practices, prior to a product’s release. The FCC prefers to utilize collaborative private/public partnerships, but adds that “the Commission has the tools available to make adjustments to restore the balance if necessary.”
The solution
To help improve the security of critically connected electronic physical security systems, UL 2900-2-3, the newest addition to the UL 2900 series of cybersecurity standards, developed with industry input, provides a foundational set of cybersecurity performance and evaluation requirements that manufacturers of network connectable products can use to establish a baseline of cyberprotection against known vulnerabilities, weaknesses and malware.
UL’s Cybersecurity Assurance Program (UL CAP) can now test and evaluate a product’s software for the presence of malware, vulnerabilities and weaknesses, and certify the product’s software architecture and design to the specifications enumerated in the Outline of Investigation.
Electronic physical security infrastructures include emergency communications systems, fire alarm systems, alarm receiving systems, automated teller machine systems, access control systems, surveillance cameras, DVRs, NVRs and the like.
For UL 2900-2-3, a three-tiered security approach was developed with an increasing level of security for each tier. Tests include fuzz testing, known vulnerability detection, code and binary analysis, risk control analysis, structured penetration testing and security risk controls assessment.
Level 1 (L1) includes the foundational cybersecurity testing requirements for security risk assessment of software in products covered in the Outline of Investigation. L1 is recommended as a minimum level of assessment.
Level 2 (L2) includes all of the L1 assessment and testing requirements and additional supplemental requirements for security risk assessment of software in products. L2 also provides an assessment of the security capabilities of a product with knowledge of internal security controls of the product.
Level 3 (L3) includes L1 and L2 assessment and testing requirements and additional supplemental requirements of the vendor process and management. It also provides an assessment of security capabilities of a product with knowledge of internal security controls of the product and knowledge of the business practices of the vendor to support the lifecycle of the product.
In today’s connected world, the variety of devices available offer numerous points of entry for cyberattacks. Now is the time for software developers and manufacturers to understand a system’s vulnerabilities and to harden their product against attack. UL 2900-2-3 can help ensure the performance and reliability of a product’s software to decrease downtime and mitigate cyber risks.
Originally published at https://www.ul.com/inside-ul/ul-2900-2-3-helps-mitigate-iot-cybersecurity-risk/
