What is UL 2900?
UL 2900 is a series of standards developed as part of UL’s Cybersecurity Assurance Program for assessing product weaknesses, vulnerabilities, and security risk controls. The standards set out general software cybersecurity requirements for network-connectable products (UL 2900-1), as well as particular requirements for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).
Why is UL 2900 Important?
According to a 2018 report from Trustwave, “Sixty-one percent of [organizations] surveyed who have deployed some level of IoT [Internet of Things] technology have had to deal with a security incident related to IoT.”
Every connected device is a potential target for cyber criminals. Attacks are becoming more sophisticated and harder to defend against, and once regulatory and compliance consequences are added in, they are costlier than ever. Taking a proactive approach to IoT security is critical for consumers and businesses alike.
What do the UL 2900 standards cover?
UL 2900-1, the UL Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, was published and adopted as an ANSI (American National Standards Institute) standard in July 2017. While not a lengthy document, it is used to evaluate and test network-connected devices for security vulnerabilities, software weaknesses, and malware. The document describes the following requirements and methods:
- Requirements regarding the software developer's (vendor's or other supply chain member's) risk management process for their product.
- Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.
- Requirements regarding the presence of security risk controls in the architecture and design of a product.
UL 2900-2-1, the UL Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, was published and adopted as an ANSI standard in September 2017.
The standard applies to the testing of network-connected components of healthcare systems, including:
- Medical devices
- Accessories to medical devices
- Medical device data systems
- In vitro diagnostic devices
- Health information technology
- Wellness devices
UL 2900-2-1 was officially recognized by the FDA in June 2018.
UL 2900-2-2, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, was published in March 2016. It has not been developed into a published standard.
The outline applies to the evaluation of industrial control system components, including:
- Programmable logic controllers (PLC)
- Distributed control systems (DCS)
- Process control systems
- Data acquisition systems
- Historians, data loggers, and data storage systems
- Control servers
- SCADA servers
- Remote terminal units (RTU)
- Intelligent electronic devices (IED)
- Human-machine interfaces (HMI)
- Input/output (IO) servers
- Networking equipment for ICS systems
- Data radios
- Smart sensors
- Controllers and embedded systems/controllers
UL 2900-2-3, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, was published in August 2017. It has not been developed into a published standard.
The UL 2900-2-3 outline states that it applies to the evaluation of security and life safety signaling system components, including:
- Alarm control units
- Intrusion detection equipment
- General purpose signaling units
- Digital video equipment and systems
- Mass notification and emergency communication / evacuation equipment and systems
- Control servers
- Alarm automation system software
- Alarm receiving equipment
- Anti-theft equipment
- Automated teller machines
- Fire alarm control systems
- Network connected locking devices
- PSIM systems
- Smoke control systems
- Smoke / gas / CO detection devices
- Audible and visual signaling devices (fire and general signaling)
- Access control equipment and systems