How UL IoT Safety Rating Helps Manufacturers Demonstrate Cybersecurity Responsibility
Since the official launch in 2019, UL has tested a variety of IoT products, including kitchen appliances, smart bulbs, smart TVs and security cameras.
Demand for connected IoT products is expected to exceed $10B by 2024, and the global smart home market is expected to be valued at $138B by 2023. But if the smart home is deemed as vulnerable to hacking, will it stunt that predicted growth?
The government aren’t sitting around waiting to find out. Indeed, both California (Senate Bill 327) and Oregon (House Bill 2395) have instituted new state laws effective as of Jan. 1, 2020 that hold U.S. manufacturers responsible for adding “reasonable security features” in devices or physical objects that are able to connect to the internet directly or indirectly.
UL’s IoT Security Rating aims to help manufacturers demonstrate cybersecurity posture in preparation for upcoming regulations.
The rating system sets some baseline criteria in seven categories:
- Software updates
- Data protection
- Communication Security
- Privacy Protection
- Logical Security (the composition of the software)
- System Management
- Processes (how the manufacturer identifies potential new vulnerabilities)
At 125 years old, UL has historically been a fire and electrical safety rating organization, but that changed in 2012 when UL acquired some testing companies rooted in the automatic payments industry. That acquisition led to the creation of UL 2900, the group’s cybersecurity assurance program.
“But we found that the UL 2900 set the bar too high for most consumer electronics/IoT companies,” admits Laurens van Oijen, IoT security solution leader at UL. “Most IoT products are built around network connectivity and not security-related issues, especially from a design perspective. In fact, we have discovered that the majority of IoT manufacturers have a lot to learn in terms of cybersecurity.”
Van Oijen says those manufacturers need guidance on core security principles and the “must-have security features” that should be built into products. UL’s new IoT Security Rating solution evaluates critical security features of connected products against common attack practices and known IoT vulnerabilities.
“It is ironic that consumers assume any products they buy are safe and secure, but that is often not the case. We want to make security more transparent to consumers,” he adds.
Since the official launch in May 2019, UL has tested a variety of products to the IoT Safety Rating System, including kitchen appliances, smart bulbs, smart TVs, and security cameras. The company is in the midst of testing its first wearables IoT product now.
Companies can earn one of five designations that each have a fixed set of requirements: Bronze, silver, gold, platinum or diamond. The company can place a UL Verified Mark on the product to show its designation.
Van Oijen says typically a manufacturer will aim for a certain designation level to achieve and that is the criteria that UL test against. Others will just submit the product and see where it rates. If a product fails, UL lets manufacturers take it back, upgrade it and resubmit if they wish.
“We tested one product that you could literally tell the manufacturer had never considered cybersecurity in the design and development of the product. Other products do well,” he commented.
Overall, the UL IoT Safety Rating can help manufacturers differentiate themselves in the crowded IoT/consumer electronics world.
Editor’s Note: This story first ran on Security Sales & Integration’s sister publication CE Pro.