New IoT security certification aims to make the world safer

May 20, 2016 | 5 min read
Cybercrime, Internet of Things, Security

Underwriters Laboratories' new Cybersecurity Assurance Program (CAP) looks to certify Internet of Things products. Columnist Rob Enderle writes that CAP certification will improve IoT security and help CIOs sleep better at night.


If Underwriters Laboratories (UL) fills a security certification gap, will anyone care? This is often the problem for a product or service that has been well established. If it branches out into a new area, people either won't notice, or they just won't believe this is something the entity is capable of doing. It doesn't have anything to do with facts; it has to do with perceptions. We have a strong idea of what UL does, and it isn't security.

However, UL has actually put together a pretty decent validation program, and it is the only program that even attempts to address what could be an Internet of Things (IoT) nightmare for IT.

Let’s talk about UL’s Cybersecurity Assurance Program (CAP) to certify security products in an IoT world and help CIOs sleep at night.

IoT is a security nightmare

We talk quite a bit about how wonderful it will be to have everything connected, largely by completely ignoring what a security nightmare the result is likely to be. Sensors, cameras, equipment, HVAC systems, even elevators and cars are all supposed to become increasingly connected, and much of this stuff can't run security software.

This means the data coming from these things can be stolen or corrupted, the devices themselves can be remotely controlled, and sometimes they can be forced to fail catastrophically.


For instance, a few years back McAfee showed it could remotely take over an Android phone, causing it to overheat and cook itself to death. Chrysler was badly showcased as the firm that forgot to keep its infotainment and driving systems separate, resulting in a hacker demonstrating that they could remotely take over the car.

And with networked products, all it takes is for one of the thousands of connected devices to be breached to give an attacker access to the network. They can then use the one thing they hacked to take over a bunch of other stuff.

This means every single IoT device has to be certified, and when you're talking about small devices there really isn't anyone better equipped to deal with the problem than UL.

UL security certification

Currently, UL CAP has three levels of certification.

Product Testing is UL 28000-1. It's where they look at specific products and test them to make sure they can resist a set number and set of types of attack. Industry Product Testing, UL2900-2x, is where they add on tests specific to healthcare and industrial controls, which need a greater depth of protection for compliance (additional industries will be added as this program expands). And Organizational Process Testing, 29000-3, is where they look at the process surrounding the products to make sure that process is secure as well.

For those industries covered, I’d advise that all three certifications be kept in place.

The gap in CAP

A lot of the products that go through testing like this are patchable, either in software or firmware. However, the one missing piece appears to be a rigorous auditing process so that, if an exposure is introduced after certification, the certification can be withdrawn until the problem is corrected. Otherwise the owner of the product is likely to believe the product is still safe when it may not be.

That's the problem with patchable products: any testing applies only to the product as it existed when it was tested, so as soon as it is patched the certification may no longer be valid, and entire classes of these products get patched often. On the other hand, things like sensors and cameras rarely get patched, so they should remain relatively consistent with the certification, and they likely represent the highest volume of devices expected to be deployed.

For complex products like cars, which can have in-line component swaps and manufacturing patches, a certification process like this may not even work reliably without aggressive spot audits. Recall that VW was able to get around the smog certification for its diesel engines and only got caught by accident.


CAP is a huge step in the right direction

Overall, this UL CAP program is a huge step in the right direction and the only process I've seen so far that even comes close to addressing the coming nightmare of IoT devices, which individually have to be made secure. Fortunately, the hub approach, which is becoming far more common, particularly with enterprises, where the devices are maintained on an isolated network and only connect through a secure hub, does mitigate a lot of the problem, but only if you can be sure the isolated network doesn't get breached. However, with wireless devices in particular, that often isn't the case.

Personally, were it me, I’d make darn sure that IoT security landed on someone else’s desk and, if I couldn’t do that, I’d take a hard look at this UL certification process and make it a requirement. At least then, when you have a breach — and you will have a breach — you can argue you were prudent in your approach.

Something to noodle on this weekend.  


Rob Enderle is president and principal analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With more than 25 years' experience in emerging technologies, he provides regional and global companies with guidance on how to better target customer needs with new and existing products; create new business opportunities; anticipate technology changes; select vendors and products; and identify the best marketing strategies and tactics.

In addition to IDG, Rob currently writes for USA Herald, TechNewsWorld, IT Business Edge, TechSpective, TMCnet and TGdaily. Rob trained as a TV anchor and appears regularly on Compass Radio Networks, WOC, CNBC, NPR, and Fox Business.

Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group. While there he worked for and with companies like Microsoft, HP, IBM, Dell, Toshiba, Gateway, Sony, USAA, Texas Instruments, AMD, Intel, Credit Suisse First Boston, GM, Ford, and Siemens.

Before Giga, Rob was with Dataquest covering client/server software, where he became one of the most widely publicized technology analysts in the world and was an anchor for CNET. Before Dataquest, Rob worked in IBM’s executive resource program, where he managed or reviewed projects and people in Finance, Internal Audit, Competitive Analysis, Marketing, Security, and Planning.

Rob holds an AA in Merchandising, a BS in Business, and an MBA, and he sits on the advisory councils for a variety of technology companies.

Rob’s hobbies include sporting clays, PC modding, science fiction, home automation, and computer gaming.

The opinions expressed in this blog are those of Rob Enderle and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
