Setting the standards for cybersecurity

Due to the current state of cybersecurity hygiene across multiple industry sectors, manufacturers often inadvertently allow for critical vulnerabilities and weaknesses in product software to go unaddressed.

By CFE Media, Anura Fernando May 6, 2016

Underwriters Laboratories (UL) is helping manufacturers assess cybersecurity risks through the launch of the UL Cybersecurity Assurance Program (UL CAP). Based on the new UL 2900 series of standards to offer testable cybersecurity criteria for network-connectable products, UL said in a press release that UL CAP will help companies "Assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls, and increase security awareness."

CFE Media discussed the new standards and the current status of cybersecurity in manufacturing, with Anura Fernando, principal engineer of medical software and systems interoperability at UL.

CFE Media: Describe the UL Cybersecurity Assurance Program. What are your primary goals in launching the program?

Fernando: UL CAP is a UL certification program, based on the UL 2900 series of standards, which allow manufacturers to demonstrate that they have met a baseline of cybersecurity hygiene by satisfying the repeatable, testable requirements of:

  • UL 2900-1 (Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements)
  • UL 2900-2-1 (Outline for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems), and
  • UL 2900-2-2 (Outline for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Industrial Control Systems).

CFE Media: How serious is the issue of cybersecurity in manufacturing? And where are the threats coming from?

Fernando: The cybersecurity threats are very serious in manufacturing. The products being addressed in the first published parts of UL 2900 include key areas of our nation’s critical infrastructure such as energy production and healthcare. The threats come from both those seeking to gain personal economic gains as well as nation states seeking to gain geopolitical advantage.

CFE Media: What do manufacturers in particular and network managers in general overlook when it comes to cybersecurity?

Fernando: Due to the current state of cybersecurity hygiene across multiple industry sectors, manufacturers often inadvertently allow for critical vulnerabilities and weaknesses in product software to go unaddressed. In some cases, they may even allow malware to exist in products coming off of production lines, unbeknownst to them. When such products are integrated into larger systems, the integrators and network managers are often unaware of these vulnerabilities within their systems until it is too late.

CFE Media: Are there some best practices manufacturers should adopt when explaining these threats to employees and outside vendors?

Fernando: There are many good practices for cybersecurity hygiene that can be found in a variety of standards and guidance documents such as the National Institute of Standards and Technology (NIST), Cybersecurity Framework, the FDA guidance documents on both pre- and post-market cybersecurity, and the UL 2900 standards, to name a few.

CFE Media: Moore’s Law talks about the exponential growth of computing power. Are we facing a similar growth in dealing with cybersecurity?

Fernando: Computer security (i.e. cybersecurity) is clearly a function of the capabilities afforded to products by virtue of the cost-effective availability of computing power. Therefore, as computing power continues to grow, product capabilities will be increasingly enhanced by software, and unless good cybersecurity hygiene practices start to be "baked in" to all of the software-dependent products and processes now, may very well lead to commensurate increases in vulnerabilities and attack vectors.