What do the UL 2900 standards cover?
Scope of UL 2900-1
UL 2900-1, the UL Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, was published and adopted as an ANSI (American National Standards Institute) standard in July 2017.
The UL 2900-1 standard says it “applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware” and that it describes these requirements and methods:
- Requirements regarding the software developer (vendor or other supply chain member) risk management process for their product.
- Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.
- Requirements regarding the presence of security risk controls in the architecture and design of a product.
Scope of UL 2900-2-1
UL 2900-2-1, the UL Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, was published and adopted as an ANSI standard in September 2017.
The UL 2900-2-1 standard says it “applies to the testing of network connected components of healthcare systems,” including these:
- Medical devices
- Accessories to medical devices
- Medical device data systems
- In vitro diagnostic devices
- Health information technology
- Wellness devices
UL 2900-2-1 was officially recognized by the FDA in June 2018. Relevant FDA guidance includes:
Scope of UL 2900-2-2
UL 2900-2-2, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, was published in March 2016. It has not yet been developed into a published standard.
The outline for the future UL 2900-2-2 standard says it “applies to the evaluation of industrial control systems components,” including these:
- Programmable logic controllers (PLC)
- Distributed control systems (DCS)
- Process control systems
- Data acquisition systems
- Historians, data loggers, and data storage systems
- Control servers
- SCADA servers
- Remote terminal units (RTU)
- Intelligent electronic devices (IED)
- Human-machine interfaces (HMI)
- Input/output (IO) servers
- Networking equipment for ICS systems
- Data radios
- Smart sensors
- Controllers and embedded system/controllers