UL Develops Standard for ICS Cybersecurity Assurance

By Sid Snitkin


Summary - Industrial Cybersecurity

Managing the cybersecurity of industrial plants and infrastructure has never been more challenging. Targeted attacks by nation states and cyber sscs1.JPGcriminals are on the rise. Sophisticated attack methods and malware are overcoming perimeter defenses, giving attackers wide access to controllers and sensors. As TRISIS[1] illustrates, plants cannot even trust that their safety systems are protected from cyber-attacks. Companies need to take proactive precautions to mitigate cyber risk within industrial control systems.   Preparedness can limit the likelihood of an attack by identifying and addressing vulnerabilities before they can be exploited.

Thw industrial internet of things (IIoT) adds fuel to this fire. Companies are deploying new devices throughout their plants to improve asset maintenance and optimize operational performance. However, any malware or flawed security mechanisms that may be present in these devices represents a potential threat to plant security. Connecting devices to cloud-based analytics programs opens additional pathways for external attacks. Companies need to take steps to secure IIoT devices from latent malware and use robust security controls that align with industry best practices.

Recently, ARC Advisory Group discussed these challenges with executives from UL, a well-known global safety science organization that provides advisory, testing, and certification services. UL, which has been active in the industrial space for over 120 years, recently published the UL 2900 Series of Standards that offers testable cybersecurity criteria for IIoT devices. These incorporate guidelines from a variety of well-known standards. UL 2900-2-2, specifically designed for industrial control systems, aligns with IEC 62443 criteria.

End Users Rely on Third-party Review to Help Ensure Secure Operations

Most industrial organizations recognize their security-related risks and the associated threats to process safety and productivity. have also accepted the need to invest in a comprehensive cybersecurity strategy encompassing the essential elements of people, processes, and technology. But confusion over the expectations and requirements of shareholders, industry associations, and regulatory bodies can stall these efforts.

Many owner/operators rely largely on third parties to address their cybersecurity concerns. While this helps address resource and expertise gaps, it is essential that the chosen service providers understand and apply the most appropriate industry and regional requirements.

Assessing the security of new system components and IIoT devices is an additional challenge. Companies currently trust that the manufacturers have development processes that help ensure security in all hardware and software. Independent third-party testing and/or auditing can help validate this trust. Purchasing products from companies that have certified compliance to industry-developed and recognized industrial cybersecurity standards is both prudent and a recommended best practice.

UL 2900 Series of Standards

UL is well known and has well-established expertise and advisory capabilities in safety science, standards development, testing, and certification. UL 2900, a series of standards for cybersecurity, addresses the testing and certification requirements for products and processes as well as specific industry systems.

According to UL, the organization’s subject matter experts developed the UL 2900 standard with input from major government, academic, and industry stakeholders. Their goal was to create a standard with broad-based coverage of security issues and support for many different industrial sectors. A key challenge was to ensure that it reflected the requirements of many different industrial cybersecurity standards and guidance documents in use today. For example, UL 2900-2-2 applies some security criteria from IEC 62443 for product testing and process validation. UL 2900 sections were published as national standards in both the US and Canada (ANSI/SCC) in July 2017.

UL 2900 Spans Broad Range of Industrial Cybersecurity Requirements and Products sscs2.JPG

UL 2900 covers product security with general and industry-specific software cybersecurity requirements. Current coverage includes industrial control systems, healthcare systems, and building security controls. Work continues to expand the standard for building automation and energy management.

Manufacturers can use UL 2900 cybersecurity certifications to validate internal processes and products as well as manage the supply chain security of components they integrate into their products. Supply chain risks are a particularly daunting challenge for manufacturers today as they increasingly leverage third-party software components. These companies need a way to identify, assess, and correct vulnerabilities in all product components before they are integrated into systems. They also need a means to stay abreast of any new threats that emerge.

UL Cybersecurity Assurance Program

The UL Cybersecurity Assurance Program (UL CAP) was created to help industrial end users and product manufacturers minimize cybersecurity risks through standardized, testable criteria for assessing software vulnerabilities and weaknesses. UL CAP was launched in June 2015, when the company established a task group to evaluate the complexities and challenges associated with cyber risks. This group developed the specifications which have since become the testable technical criteria of the UL 2900 Series of Standards.

Programs such as the UL Cybersecurity Assurance Program (UL CAP) minimize risk for manufacturers by helping ensure that software is secure and remains secure throughout its use. By deploying consistent testable criteria, companies can begin to reduce exploitation, address known malware, enhance security controls and expand security awareness; all essential steps for conducting business in today’s connected world.

UL CAP Includes Broad Range of Testing and Certification Services for Industrial Cybersecurity sscs3.JPG


UL CAP includes a range of services to help manufacturers stay abreast of industrial cybersecurity developments and sustain the security of their products and systems. UL provides advisory, testing and certification services for UL 2900 as well as IEC 62443.


Control system cybersecurity is a key concern for managers in every industrial organization. While cybersecurity is an ever-moving target, requiring suppliers to certify the security of their products and development practices can help alleviate many concerns. Engaging with an experienced third party for these evaluations can help manufacturers save time and resources.

Procurement security requirements based on balanced criteria, like UL 2900, can help owner/operators ease the burden on suppliers in meeting these demands and expand the purchasing pool. Finally, cybersecurity guidelines provided to vendors can help to streamline the process of establishing a reliable supply chain.

ARC Advisory Group clients can view the complete report at ARC Main Client Portal or at ARC Office 365 Client Portal

If you would like to buy this report or obtain information about how to become a client, please Contact Us

Keywords: Industrial Cybersecurity, IIoT, Cybersecurity Compliance, UL 2900, ARC Advisory Group.

Engage with ARC Advisory Group