UPDATE: UL responds to blogger's criticism


UPDATE: Underwriters Laboratory has requested comments, which are appended at the bottom.

Today, Underwriters Laboratory announced the UL CyberSecurity Assurance Program. I won’t call it an oxymoron, but I’m deeply worried about it. While I have faith in UL, I’m not sure if they realize the breadth and depth of what they’re getting into.

UL is the reason there are only small holes in appliances and CE gear. Why? So an average toddler can’t stick something inside and become electrocuted. UL helps product vendors have liability insurance within sane ranges. They promulgate standards that vendors are responsible to adhere to for insurance sake. Test labs do the rest, ensuring that First Article Samples (and then, perhaps, subsequent production samples) of products adhere to a bevy of standards, all designed to make products safer, or at least insurable.

Cybersecurity, however, is a different animal, and I have very mixed feelings about the UL CAP. Vendors must expose their design to UL to gain a UL 2900 Compliant rating. Design is a secret sauce. Product life cycles are short. Compliance will be expensive, and the expertise among UL Test Labs will have to be a mixture of CS visionaries and DEFCON anarchists.

I’ve taken Underwriter’s Laboratory to task before in these spaces at NetworkWorld. An additional caveat: I also dealt with UL in my role in QA/QC Management for major consumer electronics manufacturers, back in the 1970s. UL, consumer electronics, and I have all come a long way since then. CE and IoT software are merging. This is what makes me really scared: UL has taken a bull the size of the Rocky Mountains by the horns.

Today, we’re faced with connectivity in a staggering variety of devices, the kind that UL has tested for varying safety qualities. They have many standards. The US FCC also mandates emissions controls for CE objects, but the ceaseless onslaught of new devices, short production runs, and fickle consumers means that test labs are behind, enforcement is lax, and devices from tea kettles to implanted defibrillators have been found to be easily vulnerable to attacks and hijacks. Oh, hijack my heart, please.

UL says in its announcement this morning that its new UL 2900 series of testable standards will “offer testable cybersecurity criteria for network connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.”

It seems so very honorable to me. Yet the announcement didn’t involve Purdue, MIT, Carnegie Mellon, Stanford, USB, or even Wabash College. Missing were the IETF, the IEEE, DHS, NSA, CIA, FBI, or even the Kokomo Police Department. Glaringly also absent were Apple, Samsung, Microsoft, Huawei, Lenovo, HPAnything, or even Radio Shack.

There was no mention of allegiances, no presence at major security conferences, no all-star advisory board, no international consortium of cybercrime experts, no pilot user program results, not even a widget-maker from Poughkeepsie that said that they thought their new cyber-something would benefit from the UL 2900 Compliant moniker.

So I want to have more faith in the standard, and UL admits to having open ears and eyes. It all reminds me of announcing a standard and hoping everyone comes to the party. Thing is: they’re busy putting out fires, even volcanoes. The vendors are racing to keep ahead of the competition, who in turn are wielding pick axes at each other, making the most insanely secretive moves to both entice new customers and kill the competition.

Will UL 2900 entice them? Will they entice insurers? Will they entice me? Much remains to be seen, but I’m underwhelmed in terms of broad industrial energy in their initial announcements.

UPDATE: Underwriters Laboratory responds

Henderson: Yet the announcement didn’t involve Purdue, MIT, Carnegie Mellon, Stanford, USB, or even Wabash College. Missing were the IETF, the IEEE, DHS, NSA, CIA, FBI, or even the Kokomo Police Department. Glaringly also absent were Apple, Samsung, Microsoft, Huawei, Lenovo, HPAnything, or even Radio Shack.

UL: UL worked with DHS, NSA Idaho National Labs, GSA and FCC in the development of CAP. UL also incorporated industry representation in a pilot program before launch.

Henderson Response: The Idaho National Labs was mentioned in an interview. Note that salient non-governmental bodies mentioned above aren't represented, and although government helps set public policy, many organizations would rather not deal with government security agencies over agency past misdeeds, and a sentiment of over-arching missions.  

Henderson: “There was no mention of allegiances, no presence at major security conferences, no all-star advisory board, no international consortium of cybercrime experts, no pilot user program results, not even a widget-maker from Poughkeepsie that said that they thought their new cyber-something would benefit from the UL 2900 Compliant moniker.”

UL: UL has participated in numerous major security conferences including RSA and ICS West. Again, UL incorporated industry representation in a pilot program before launch.

Henderson Comments: A search on the world's leading search engine with the string "underwriters laboratories" and "rsac2016" yielded no results.  

Henderson: “Compliance will be expensive, and the expertise among UL Test Labs will have to be a mixture of CS visionaries, and DEFCON anarchists.”

UL: UL has acquired leading cyber expertise through the purchase of the following companies: Infoguard, Acquirer Systems, RFI Global, Witham Laboratories and Collis Holding B.V. UL also partnered for additional expertise with: First Data and Synopsys, whose testing tools were used for the CAP program. Additionally, UL has opened a cyber center in Atlanta.

Henderson Comments: None of these are the OS makers, the pen-testers, the IETF (upon whose standards the Internet is built), the major app builders, ISPs, or even Amazon AWS. Without such partners-- the infrastructure of communications-- the ability to have meaningful depth isn't strong, in my humble opinion.  

Henderson: “The ceaseless onslaught of new devices, short production runs, and fickle consumers means that test labs are behind, enforcement is lax, and devices from tea kettles to implanted defibrillators have been found to be easily vulnerable to attacks and hijacks.”

UL: UL’s certification only lasts 12 months, and companies are urged to seek regular recertification. UL will be consistently updating and adjusting the testing requirements to incorporate the latest threats. Every two to three years, the specifications will be completely revamped.

Henderson Comments: That the certification expires in 12 months becomes hazardous; a heart patient's implant doesn't/shouldn't need to be reimagined in 12 months, and the public has no idea to what 12-month period salient standards are applied. Twelve months, for some vendors, is four product life cycles, end-to-end.

Henderson: “Design is a secret sauce”,

UL: Manufacturers have trusted UL with their designs for over a century.

Henderson Comments: And we are the better for this. Yet trust in home devices like tea kettles, wireless access points, all the way to the hallowed halls of the US OPM, Anthem, Target, and a myriad others has demonstrated that even the small devices can be incredibly explosive-- in data breach terms. Would Apple submit to a laboratory whose design tenets were also fostered by the CIA, NSA, FBI-- even the FCC? It's my belief that such adoption, given design scrutiny inside a device, rather than the characteristics exhibited outside a device as is done with FCC type-acceptance, becomes a dicey game.
