Cybersecurity is a growing concern for manufacturers of life safety and security products, and Underwriters Laboratories (UL) wants to help solve the problem. Specifically, UL seeks to work with manufacturers to up their game on cybersecurity and to certify compliance to a minimum level of cybersecurity “hygiene.”

UL cybersecurity certification

UL is a familiar brand in consumer goods and in the security and life safety markets. UL certification is sought by manufacturers in a range of product lines, from electrical goods and smoke alarms to access control and central monitoring stations. Approximately 22 billion UL marks appeared on products in 2016. In the physical security industry alone, products are certified to around 20 different standards covering access control, intrusion detection, locks, safes and vaults, software and other categories.

Now UL is working to increase the prominence of its brand in cybersecurity with the UL Cybersecurity Assurance Program (CAP). UL 2900-1, the standard that sets out General Requirements for Software Cybersecurity for Network-Connectable Products, was published in 2016 and was published as an ANSI (American National Standards Institute) standard in July 2017. The standard was developed with cooperation from end users such as the Department of Homeland Security (DHS), U.S. National Laboratories, and other industry stakeholders. UL 2900-2-3, the standard that focuses on the electronic physical security/Life Safety & Security industry, was published in September 2017.

Testing for cybersecurity weaknesses

The UL 2900 standard encompasses three main areas related to cybersecurity: software weaknesses, known vulnerabilities, and risk controls such as encryption, access control, passwords, remote communications, and software patches and updates. UL conducts structured penetration testing, fuzz testing and other tests to establish a reasonable level of confidence that a product or system has addressed cybersecurity concerns.

“Certification to the standard means that a product or system has been evaluated to a minimum level of cyber hygiene,” says Neil Lakomiak, Director of Business Development and Innovation, Building and Life Safety Technologies, for UL LLC. “It covers the ‘blocking and tackling’ that you would expect manufacturers to do. It doesn’t provide absolute assurance, but rather a level of confidence that a product has been vetted.” The certification is good for one year, and changes in products require recertification.

UL global network of scientific and advisory experts
UL has written more than 1,600 standards defining safety, security, quality and sustainability

Lakomiak says applying the standard will “create an environment where companies are starting to incorporate cybersecurity into their development processes; creating security by design. It will elevate the industry to consider cybersecurity earlier in the development process.” An overall goal of UL is to “give people peace of mind around the products and systems they use.”

Underwriters Laboratories at ASIS 2017

Companies that achieve certification can promote it as a point of differentiation in the market, although it is not a guarantee that a product is cybersecure. UL’s independent evaluations carry weight in the market, as reflected by the ubiquity of the UL brand, and Lakomiak contends the industry can benefit from applying the same level of testing and certification to the area of cybersecurity. He sees UL’s cybersecurity initiative as complementary to other cybersecurity measures, such as “white hat” hacking. From a standards perspective, UL’s efforts seek to complement industry efforts such as SIA, ASIS International, PSA and ONVIF.

Lakomiak was at the ASIS 2017 show in Dallas, where he met with existing manufacturer customers and potential future clients – including large and small companies in the industry – to discuss cybersecurity and the road to certification. He says many manufacturers are not yet ready for certification, in which case UL provides consultancy and advisory services to help them get there.

“A lot of companies just need help understanding what their current processes and cybersecurity posture are,” says Lakomiak. “They want help to create a roadmap to get certification. A variety of manufacturers are on the path to certification.”

Underwriters Laboratories security mission

The cybersecurity element is an extension of UL’s mission to help companies demonstrate safety, confirm compliance, deliver quality and performance, and build excellence. Lakomiak says many people mistakenly perceive UL as a quasi-governmental organisation, perhaps because UL standards are sometimes incorporated into regulations.

However, the organisation is a business and wants to operate like one by serving the needs of its manufacturer customers. “We want to have the service we provide be market-driven. We understand the pain points of manufacturers, integrators and others as they interface with technology. We want to devise programmes to help them be successful in the market. Our focus is to make our customers succeed by providing objective certification.”

To the extent that cybersecurity is a growing pain point for the physical security industry, there is a large potential role to be played by UL and many others.


Author Profile

Larry Anderson, Editor
