New IoT security certification aims to make the world safer

Underwriters Laboratories new Cybersecurity Assurance Program (CAP) looks to certify Internet of Things products. Columnist Rob Enderle writes that these CAP certification will improve IoT security and help CIOs sleep better at night.

If Underwriters Laboratories (UL) fills a security certification gap, will anyone care? This is often the problem for a product or service that has been well-established. If it branches out into a new area people either won’t notice, or they just won’t believe this is something the entity is capable of doing. It doesn’t have anything to do with facts, it has to do with perceptions. We have a strong idea of what UL does, and it isn’t security.

However, UL has actually put together a pretty decent validation program, which is the only program that even attempts to wrap around what could be an Internet of Things (IoT) nightmare for IT.

Let’s talk about UL’s Cybersecurity Assurance Program (CAP) to certify security products in an IoT world and help CIOs sleep at night.

IoT is a security nightmare

We talk quite a bit about how wonderful it will be to have everything connected largely by completely ignoring what a security nightmare the result is likely to be. Sensors, cameras, equipment, HVAC systems, even elevators and cars are all supposed to be increasingly more connected and much of this stuff can’t run security software.

This means the data coming from these things can be taken or corrupted, they can be remote controlled and sometimes forced to catastrophically fail.

For instance a few years back McAfee showcased it could take an Android phone and remotely take it over causing it to overheat and cook itself to death. Chrysler was showcased badly as the firm that forgot to keep their infotainment and driving systems separate resulting in a hacker showcasing they could remotely take over the car.

[ Related: Chrysler recalls 1.4M cars that were vulnerable to remote hacking; Corvette hack is one more reason to be wary of connected cars ]

And with networked products all it takes in one of the thousands of connected devices to be breached to give an attacker access to the network. They can then use the one thing they hacked to take over a bunch of other stuff.

This means every single IoT device has to be certified, and when you’re talking small devices there really isn’t anyone better equipped to deal with the problem than UL.

UL security certification

Currently, UL CAP has three levels of certification.

Product Testing is UL 28000-1. It’s where they look at specific products and test them to make sure they can resist a set number and types of attack. Industry Product Testing UL2900-2x is where they add on tests specific to healthcare and industrial controls, which need a greater depth of protection for compliance (additional industries will be added as this program expands). And Organizational Process Testing 29000-3 is where they look at the process surrounding the products to make sure it is secure as well.

For those industries covered, I’d advise that all three certifications be kept in place.

The gap in CAP

A lot of the products that go through testing like this are patchable either in software or firmware. However, the one missing piece appears to be a rigorous auditing process so that if an exposure is introduced post certification the certification can be removed until the problem is corrected. Otherwise the owner of the product is likely to believe the product is still safe when it may not be.

That’s the problem with patchable products, any testing applies only to the product as it existed when the product was tested, as soon as it is patched the certification may no longer be valid and entire classes of these products to get patched often. On the other hand, things like sensors and cameras rarely get patched so they should remain relatively consistent with the certification and they likely represent the highest volume of devices expected to be deployed.

For complex products like cars, which can have in-line component swaps and manufacturing patches, a certification process like this may not even work reliably without aggressive spot audits. Recall that VW was able to get around the smog certification for their diesel engines and only got caught by accident.

[ Related: Nearly a million illegal tons of smog resulted from VW's diesel cars ]

CAP is a huge step in the right direction

Overall this UL CAP program is a huge step in the right direction and the only process I’ve seen so far that even comes close to addressing the coming nightmare of IoT devices, which individually have to be made secure. Fortunately, the hub approach, which is becoming far more common particularly with enterprises where the devices are maintained on an isolated network and only connect through a secure hub, does mitigate a lot of the problem only if you can be sure the isolated network doesn’t get breached. However, with wireless devices in particular, that often isn’t the case.

Personally, were it me, I’d make darn sure that IoT security landed on someone else’s desk and, if I couldn’t do that, I’d take a hard look at this UL certification process and make it a requirement. At least then, when you have a breach -- and you will have a breach -- you can argue you were prudent in your approach.

Something to noodle on this weekend.

Join the CSO newsletter!

Error: Please check your email address.

More about AssuranceRecall

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Rob Enderle

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts