Setting the standards for cybersecurity

Due to the current state of cybersecurity hygiene across multiple industry sectors, manufacturers often inadvertently allow for critical vulnerabilities and weaknesses in product software to go unaddressed.

05/06/2016


Underwriters Laboratories (UL) is helping manufacturers assess cybersecurity risks through the launch of the UL Cybersecurity Assurance Program (UL CAP). UL CAP is based on the new UL 2900 series of standards, which offer testable cybersecurity criteria for network-connectable products. UL said in a press release that UL CAP will help companies "Assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls, and increase security awareness."

CFE Media discussed the new standards and the current status of cybersecurity in manufacturing with Anura Fernando, principal engineer of medical software and systems interoperability at UL.

CFE Media: Describe the UL Cybersecurity Assurance Program. What are your primary goals in launching the program?

Fernando: UL CAP is a UL certification program, based on the UL 2900 series of standards, which allow manufacturers to demonstrate that they have met a baseline of cybersecurity hygiene by satisfying the repeatable, testable requirements of:

  • UL 2900-1 (Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements)
  • UL 2900-2-1 (Outline for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems), and
  • UL 2900-2-2 (Outline for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Industrial Control Systems).

CFE Media: How serious is the issue of cybersecurity in manufacturing? And where are the threats coming from?

Fernando: The cybersecurity threats are very serious in manufacturing. The products being addressed in the first published parts of UL 2900 include key areas of our nation's critical infrastructure such as energy production and healthcare. The threats come from both those seeking to gain personal economic gains as well as nation states seeking to gain geopolitical advantage.

CFE Media: What do manufacturers in particular and network managers in general overlook when it comes to cybersecurity?

Fernando: Due to the current state of cybersecurity hygiene across multiple industry sectors, manufacturers often inadvertently allow for critical vulnerabilities and weaknesses in product software to go unaddressed. In some cases, they may even allow malware to exist in products coming off of production lines, unbeknownst to them. When such products are integrated into larger systems, the integrators and network managers are often unaware of these vulnerabilities within their systems until it is too late.

CFE Media: Are there some best practices manufacturers should adopt when explaining these threats to employees and outside vendors?

Fernando: There are many good practices for cybersecurity hygiene that can be found in a variety of standards and guidance documents such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the FDA guidance documents on both pre- and post-market cybersecurity, and the UL 2900 standards, to name a few.

CFE Media: Moore's Law talks about the exponential growth of computing power. Are we facing a similar growth in dealing with cybersecurity?

Fernando: Computer security (i.e. cybersecurity) is clearly a function of the capabilities afforded to products by virtue of the cost-effective availability of computing power. Therefore, as computing power continues to grow, product capabilities will be increasingly enhanced by software, and unless good cybersecurity hygiene practices start to be "baked in" to all of the software-dependent products and processes now, may very well lead to commensurate increases in vulnerabilities and attack vectors.


