UL 2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. The standards present general software cyber security requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).
UL 2900 is important because products are becoming more interconnected. And as they become more interconnected, they become more vulnerable to cyber attack. Gartner forecasts that the number of connected “things” will reach 20.8 billion by 2020.
According to a 2018 report from Trustwave, “Sixty-one percent of [organizations] surveyed who have deployed some level of IoT [Internet of Things] technology have had to deal with a security incident related to IoT.”
Each device connected to the internet is a potential attack point for cyber criminals. Attacks are becoming more sophisticated, more difficult to protect against, and costlier than ever. Security precautions for IoT devices are critical for consumers and businesses alike.
UL 2900-1, the UL Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, was published and adopted as an ANSI (American National Standards Institute) standard in July 2017.
The UL 2900-1 standard says it “applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware” and that it describes these requirements and methods:
UL 2900-2-1, the UL Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, was published and adopted as an ANSI standard in September 2017.
The UL 2900-2-1 standard says it “applies to the testing of network connected components of healthcare systems,” including these:
UL 2900-2-1 was officially recognized by the FDA in June 2018. Relevant FDA guidance includes:
UL 2900-2-2, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, was published in March 2016. It has not been developed into a standard and published.
The outline for the future UL 2900-2-2 standard says it “applies to the evaluation of industrial control systems components,” including these:
UL 2900-2-3, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, was published in August 2017. It has not been developed into a standard and published.
The outline for the future UL 2900-2-3 standard says it “applies to the evaluation of security and life safety signaling system components,” including these:
The UL Cybersecurity Assurance Program (UL CAP) is a certification program for evaluating the IoT security of network-connectable products and systems. UL CAP uses the UL 2900 series of standards. The program, according to UL, “aims to minimize [IoT] risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses.” Furthermore, “UL CAP relies upon the UL 2900 set of standards, developed with input from major stakeholders representing government, academia and industry.”
As UL notes, “By incorporating an IoT platform that is already UL certified with your products, you can … [streamline] your product’s UL certification with less cost and faster time to market. By maximizing your security rigor with vendors that are already UL certified, you are minimizing supply chain risk and increasing trust in your brand.”
UL also lists these benefits of UL CAP: