As most software applications available today are made up of open-source components, organizations must be especially vigilant in implementing rigorous software supply chain management systems and procedures to mitigate the risk introduced by third-party software. To that end, Underwriters Laboratories (UL) has developed a set of cybersecurity standards – UL 2900-2-2 – specifically designed for industrial control systems (ICS).
The standards were developed to offer testable cybersecurity criteria for third-party software and to validate the security claims of software vendors. The goal is to help mitigate cybersecurity concerns for manufacturers, vendors, and their customers through the UL Cybersecurity Assurance Program (UL CAP), which applies the new UL 2900-2-2 standard to ICS. In addition, UL has ongoing research partnerships with the Department of Homeland Security (DHS ICS-CERT) and the Defense Advanced Research Projects Agency (DARPA ICS) to help mitigate industrial IoT cyber risks.
UL has a long history of developing cybersecurity standards, so the latest efforts are a matter of identifying new needs in the ICS market. “We felt there was a need for UL to step into this space and address the risks of cybersecurity, since many of our clients are industry vendors,” Ken Modeste, global principal engineer for UL Cybersecurity, told Design News. “We’ve been involved in the space since the 1990s. In the last 10 years, it’s been growing into wireless security and IT security systems.”
The goal was to make the standards broad enough to address security in control systems across multiple industries. “One of the challenges is how to secure the supply chain – to provide a foundation of security across the board. We started looking at the fundamental problem. After polling agencies and experts, we recognized that software is the predominant cause of security,” said Modeste. “If we could address the security of software, it would be applicable to industrial systems. So, we started to build a foundation based on software and see how we can affect the software during the security design of software.”
The Continual Update Process
Cybersecurity is always a moving target. UL built this into the standards, so they will be updated as the security environment changes. “We’re in a continuous feedback mode for continuous improvement. There is no silver bullet or magic way to solve the problem,” said Modeste. “In the past, people have tried for gradual solutions, but that didn’t satisfy industry. We started adding and building on the foundation in order to make it harder and harder for a bad actor to circumvent control systems.”
UL created standards that are designed to adapt to developments in the security environment, mirroring the way software vendors keep revising and updating their own products. “The standards are continually updated. Vendors are producing products, but those products are not static. They make revisions and updates,” said Modeste. “The vendor adapts, so they roll out any new changes. We take that into consideration. We look at how to ensure your vendor is doing the due diligence.”
By adhering to the standards, users can be assured their vendors are providing ongoing