UL, a global safety science organization, has announced its Cybersecurity Assurance Program (UL CAP) for industrial control systems.
Using the UL 2900-2-2 Standard, UL CAP for industrial control systems offers testable cybersecurity criteria to help assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness. UL CAP is for control system manufacturers looking for support in assessing security risks while they continue to focus on product innovation to help build safer, more secure products, as well as for OEMs, machine tool builders, system integrators, and retrofitters who want to mitigate risks by sourcing products assessed by a third party.
The UL CAP was developed with input from major stakeholders representing the U.S. Federal government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain. The White House recently released the Cybersecurity National Action Plan (CNAP), designed to enhance cybersecurity capabilities within the US government and across the country. UL’s CAP services and software security efforts were recognized within the CNAP as a way to test and certify network-connectable devices within the Internet of Things supply chain and ecosystems especially relevant in critical infrastructures.
Asset owners from critical infrastructure can see the benefits of UL CAP as a means for evaluating the security posture of their supply chain. UL CAP offers third party support, with the UL 2900-2-2 Standard focusing on both the security of network-connectable products and systems and the vendor processes for developing and maintaining products and systems with a security focus.
UL’s evaluation of the security of industrial control systems uses UL 2900-2-2 which is within the UL 2900 series of standards that outline technical criteria for testing and evaluating the security of products and systems that are network-connectable. These standards form a baseline set of technical requirements to measure, and then elevate, the security posture of products and systems. UL 2900 is designed to evolve and incorporate additional technical criteria as the security needs in the marketplace mature.
UL 2900-2-2 Standard is intended, but not limited, to apply to the following components:
Programmable Logic Controllers (PLC)
PLC and DCS programming software/operator interfaces (HMI)
Control Server
Remote Terminal Unit (RTU)
Human-Machine Interface (HMI)
Input/Output (IO) Server
Networking Equipment for ICS Systems
Distributed Control Systems (DCS)
Historian or Data Loggers
The SCADA Server
Intelligent Electronic Devices (IED)
Data Historian
Fieldbus
Access Equipment for ICS Systems
Meeting the requirements outlined in UL 2900-2-2 Standard allows industrial control systems to be certified by UL as “UL 2900-2-2 compliant”. Additionally, since security is dynamic, UL 2900-2-2 can support the evaluation of a vendor’s processes for design, development and maintenance of secure products and systems.