How UL IoT Safety Rating Helps Manufacturers Demonstrate Cybersecurity Responsibility

Since the official launch in 2019, UL has tested a variety of IoT products, including kitchen appliances, smart bulbs, smart TVs and security cameras.

How UL IoT Safety Rating Helps Manufacturers Demonstrate Cybersecurity Responsibility

As the demand for smart home equipment continues to grow, it will be vital for manufacturers to make sure their particular device is not the weak link in terms of cybersecurity. But how will integrators and their clients know which devices are secure and which are not? That question is why Underwriters Labs (UL) launched its IoT Safety Rating System back in May of this year.

Demand for connected IoT products is expected to exceed $10B by 2024, and the global smart home market is expected to be valued at $138B by 2023. But if the smart home is deemed as vulnerable to hacking, will it stunt that predicted growth?

The government aren’t sitting around waiting to find out. Indeed, both California (Senate Bill 327) and Oregon (House Bill 2395) have instituted new state laws effective as of Jan. 1, 2020 that hold U.S. manufacturers responsible for adding “reasonable security features” in devices or physical objects that are able to connect to the internet directly or indirectly.

UL’s IoT Security Rating aims to help manufacturers demonstrate cybersecurity posture in preparation for upcoming regulations.

The rating system sets some baseline criteria in seven categories:

  • Software updates
  • Data protection
  • Communication Security
  • Privacy Protection
  • Logical Security (the composition of the software)
  • System Management
  • Processes (how the manufacturer identifies potential new vulnerabilities)

At 125 years old, UL has historically been a fire and electrical safety rating organization, but that changed in 2012 when UL acquired some testing companies rooted in the automatic payments industry. That acquisition led to the creation of UL 2900, the group’s cybersecurity assurance program.

“But we found that the UL 2900 set the bar too high for most consumer electronics/IoT companies,” admits Laurens van Oijen, IoT security solution leader at UL. “Most IoT products are built around network connectivity and not security-related issues, especially from a design perspective. In fact, we have discovered that the majority of IoT manufacturers have a lot to learn in terms of cybersecurity.”

Van Oijen says those manufacturers need guidance on core security principles and the “must-have security features” that should be built into products. UL’s new IoT Security Rating solution evaluates critical security features of connected products against common attack practices and known IoT vulnerabilities.

“It is ironic that consumers assume any products they buy are safe and secure, but that is often not the case. We want to make security more transparent to consumers,” he adds.

Since the official launch in May 2019, UL has tested a variety of products to the IoT Safety Rating System, including kitchen appliances, smart bulbs, smart TVs, and security cameras. The company is in the midst of testing its first wearables IoT product now.

Companies can earn one of five designations that each have a fixed set of requirements: Bronze, silver, gold, platinum or diamond. The company can place a UL Verified Mark on the product to show its designation.

Van Oijen says typically a manufacturer will aim for a certain designation level to achieve and that is the criteria that UL test against. Others will just submit the product and see where it rates. If a product fails, UL lets manufacturers take it back, upgrade it and resubmit if they wish.

“We tested one product that you could literally tell the manufacturer had never considered cybersecurity in the design and development of the product. Other products do well,” he commented.

Overall, the UL IoT Safety Rating can help manufacturers differentiate themselves in the crowded IoT/consumer electronics world.


Editor’s Note: This story first ran on Security Sales & Integration’s sister publication CE Pro.

About the Author

Contact:

Jason Knott is Chief Content Officer for Emerald Expositions Connected Brands. Jason has covered low-voltage electronics as an editor since 1990, serving as editor and publisher of Security Sales & Integration. He joined CE Pro in 2000 and serves as Editor-in-Chief of that brand. He served as chairman of the Security Industry Association’s Education Committee from 2000-2004 and sat on the board of that association from 1998-2002. He is also a former board member of the Alarm Industry Research and Educational Foundation. He has been a member of the CEDIA Business Working Group since 2010. Jason graduated from the University of Southern California. Have a suggestion or a topic you want to read more about? Email Jason at jason.knott@emeraldexpo.com

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.

A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!

Subscribe Today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters