Cybersecurity is a growing concern for manufacturers of life safety and security products, and Underwriters Laboratories (UL) wants to help solve the problem. Specifically, UL seeks to work with manufacturers to up their game on cybersecurity and to certify compliance to a minimum level of cybersecurity “hygiene.”

UL Cybersecurity Certification

UL is a familiar brand in consumer goods and in the security and life safety markets. UL certification is sought by manufacturers in a range of product lines, from electrical goods and smoke alarms to access control and central monitoring stations. Approximately 22 billion UL marks appeared on products in 2016. In the physical security industry alone, products are certified to around 20 different standards covering access control, intrusion detection, locks, safes and vaults, software and other categories.

Now UL is working to increase the prominence of their brand in cybersecurity with the UL Cybersecurity Assurance Program (CAP). The UL 2900-1 standard, the standard that offers General Requirements for Software Cybersecurity for Network-Connectable Products, was published in 2016 and in July 2017 was published as an ANSI (American National Standards Institute) standard. The standard was developed with cooperation from end users such as the Department of Homeland Security (DHS), U.S. National Laboratories, and other industry stakeholders. UL 2900-2-3 – the standard that focuses on electronic physical security/Life Safety & Security industry, was published in September 2017.

Testing For Cybersecurity Weaknesses

The UL 2900 standard encompasses three main areas related to cybersecurity – software weaknesses, known vulnerabilities and risk control such as encryption, access control, passwords, remote communications, and software patches and updates. UL conducts structured penetration, fuzz testing and other tests to establish a reasonable level of confidence that a product or system has addressed cybersecurity concerns.

“Certification to the standard means that a product or system has been evaluated to a minimum level of cyber hygiene,” says Neil Lakomiak, Director of Business Development and Innovation, Building and Life Safety Technologies, for UL LLC. “It covers the ‘blocking and tackling’ that you would expect manufacturers to do. It doesn’t provide absolute assurance, but rather a level of confidence that a product has been vetted.” The certification is good for one year, and changes in products require recertification.

UL global network of scientific and advisory experts
UL has written more than 1,600 standards defining safety, security, quality and sustainability

Lakomiak says applying the standard will: “create an environment where companies are starting to incorporate cybersecurity into their development processes; creating security by design. It will elevate the industry to consider cybersecurity earlier in the development process.” An overall goal of UL is to “give people peace of mind around the products and systems they use.”

Underwriters Laboratories At ASIS 2017

Companies that achieve certification can promote it as a point of differentiation in the market, although not a guarantee that a product is cybersecure. UL’s independent evaluations carry weight in the market, as reflected by the ubiquity of the UL brand, and Lakomiak contends the industry can benefit from applying the same level of testing and certification to the area of cybersecurity. He sees UL’s cybersecurity initiative as complementary to other cybersecurity measures, such as “white hat” hacking. From a standards perspective, UL’s efforts seek to complement industry efforts such as SIA, ASIS International, PSA and ONVIF.

Lakomiak was at the ASIS 2017 show in Dallas, where he met with existing manufacturer customers and potential future clients – including large and small companies in the industry – to discuss cybersecurity and the road to certification. He says many manufacturers are not yet ready for certification, in which case UL provides consultancy and advisory services to help them get there.

“A lot of companies just need help understanding what their current processes and cybersecurity posture are,” says Lakomiak. “They want help to create a roadmap to get certification. A variety of manufacturers are on the path to certification.”

Underwriters Laboratories Security Mission

The cybersecurity element is an extension of UL’s mission to help companies demonstrate safety, confirm compliance, deliver quality and performance, and build excellence. Lakomiak says many people mistakenly perceive UL as a quasi-governmental organization, perhaps because UL standards are sometimes incorporated into regulations.

However, the organization is a business and wants to operate like one by serving the needs of its manufacturer customers. “We want to have the service we provide be market-driven. We understand the pain points of manufacturers, integrators and others as they interface with technology. We want to devise programs to help them be successful in the market. Our focus is to make our customers succeed by providing objective certification.”

To the extent that cybersecurity is a growing pain point for the physical security industry, there is a large potential role to be played by UL and many others.

Download PDF version

Author Profile

Larry Anderson Editor, SecurityInformed.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

Has The Gap Closed Between Security Fiction And Security Reality?
Has The Gap Closed Between Security Fiction And Security Reality?

Among its many uses and benefits, technology is a handy tool in the fantasy world of movie and television thrillers. We all know the scene: a vital plot point depends on having just the right super-duper gadget to locate a suspect or to get past a locked door. In movies and TV, face recognition is more a super power than a technical function. Video footage can be magically enhanced to provide a perfect image of a license plate number. We have all shaken our heads in disbelief, and yet, our industry’s technical capabilities are improving every day. Are we approaching a day when the “enhanced” view of technology in movies and TV is closer to the truth? We asked this week’s Expert Panel Roundtable: How much has the gap closed between the reality of security system capabilities and what you see on TV (or at the movies)?

BCDVideo Signs OEM Deal With Dell EMC: Positive Impact For Surveillance Storage
BCDVideo Signs OEM Deal With Dell EMC: Positive Impact For Surveillance Storage

In a significant move for the video security market, BCDVideo has announced that it is set to become Dell EMC’s OEM partner in the video surveillance space. For nearly a decade, the Chicago-based company has been known as a key OEM partner of Hewlett Packard Enterprise (HPE), providing storage and networking technology to security integrators on a global scale. This latest partnership will allow BCDVideo to take their offerings to the next level. BCDVideo Vice President Tom Larson spoke to SecurityInformed.com to discuss the reasoning behind the deal, and how the program will benefit partners, integrators, and end-users alike. Expanding BCDVideo's Product Offering For BCDVideo, the HPE OEM program has been widely acknowledged as a success, allowing the company to leverage a globally recognized brand and provide high-quality, reliable solutions across video networking and access control. Nevertheless, explains Larson, HPE server solutions are primarily suited to large-scale enterprise projects, and are therefore unable to accommodate for the growth in small- and medium-sized surveillance applications. The global collaboration with Dell EMC will allow BCDVideo to open up a broader product offering, building on success in the larger enterprise market to offer tailored solutions to SMEs. Our aim is to look at all best of breed technology to serve the video surveillance marketplace, and that means multiple partnerships” Support For Integrators By leveraging Dell EMC’s sophisticated digital storage platforms, BCDVideo will now be able to offer a more cost-effective solution to integrators, without sacrificing the resilience and IT-level service that BCDVideo is known for. With access to Dell EMC’s expansive global sales and technical teams, the company hopes to expand its reach, all-the-while providing partners with around-the-clock technical support and a five-year on-site warranty. Customers should be reassured that BCDVideo will continue to offer HPE platforms, service, and support. “Our aim is to look at all best-of-breed technology to serve the video surveillance marketplace, and that means multiple partnerships,” says Larson.  “The addition of Dell EMC to our portfolio is a major win for BCDVideo, for Dell EMC, and for our integrators.” The global collaboration with Dell EMC will allow BCDVideo to open up a broader product offering Meeting Surveillance Market Demands At the technology level, assures Larson, Dell EMC’s server offering is well suited to handle the increasing video resolution and growing camera count demanded by the surveillance industry. At the larger end of the spectrum, the company’s Isilon Scale-Out NAS solution can handle tens of petabytes of data, making it ideal for large-scale security applications such as city-wide surveillance and airport security. Dell EMC storage solutions are already proving successful at major international airports including Dubai and Abu Dhabi, each with a camera count in the 1000s.Dell EMC and BCDVideo together are ensuring our customers get the right solutions designed for the surveillance market” For Dell EMC, the new partnership means the ability to expand on this success in the enterprise market, leveraging BCDVideo’s surveillance expertise and high-level customer service to offer tailored solutions for lower-volume applications. Since its inception, BCDVideo has differentiated itself in the security space by providing a high level of IT service to integrators making the transition to IP systems. By combining resources, the partners will be able to service VMS and analytics companies, software vendors, and access control providers, as well as traditional business integrators. Ken Mills, General Manager Dell EMC Surveillance, explains: “Surveillance storage is not just about capacity, it is also about performance and reliability. Dell EMC and BCDVideo together are ensuring our customers get the right solutions designed for the surveillance market.” Accomodating For Growth BCDVideo is well placed to accommodate this anticipated growth. Last year, the company opened a new 51,000-square-foot global headquarters in Illinois, home to 90 separate stations within their Innovation Center where each system is customised according to integrator needs. The new facility allows for expanding business with new and existing partners in the security market.

How To Prepare For Active Shooter Incidents | Infographic
How To Prepare For Active Shooter Incidents | Infographic

This Active Shooter infographic summarises information about trends among active shooter incidents, and outlines how an organization can develop a plan before tragedy occurs, including:   Statistics on the numbers and types of recent active shooter incidents. A profile of common traits among active shooters. How to prepare beforehand, and what to do when the police arrive. How organizational planning ensures maximum preparedness. Pre-attack indicators to look for. Be sure to share this information with coworkers and managers. Awareness is key to preventing active shooter incidents, and to minimising their tragic consequences. When sharing this infographic on your website, please include attribution to  SecurityInformed.com More resources for active shooter preparedness: How hospitals can prepare for active shooter attacks Six steps to survive a mass shooting Technologies to manage emergency lockdowns  How robots can check for active shooters  Background checks to minimise insider threats Gunfire detection technologies for hospitals, retail and office buildings 21 ways to prevent workplace violence in your organisation Non-invasive security strategies for public spaces