UL develops cybersecurity standard

20 February 2018

Managing the cybersecurity of industrial plants and infrastructure has never been more challenging. Targeted attacks by nation states and cyber-criminals are on the rise.

Sophisticated attack methods and malware are overcoming perimeter defences, giving attackers wide access to controllers and sensors. Plants cannot trust that their safety systems are protected from cyber-attacks. Companies need to take proactive precautions to mitigate cyber risk within industrial control systems. Preparedness can limit the likelihood of an attack by identifying and addressing vulnerabilities before they can be exploited.

The industrial internet of things (IIoT) adds fuel to this fire. Companies are deploying new devices throughout their plants to improve asset maintenance and optimise operational performance. However, any malware or flawed security mechanisms that may be present in these devices represent a potential threat to plant security. Connecting devices to cloud-based analytics programs opens additional pathways for external attacks. Companies need to take steps to secure IIoT devices from latent malware and use robust security controls that align with industry best practices.

Recently, the ARC Advisory Group discussed these challenges with executives from UL, a well-known global safety science organisation that provides advisory, testing, and certification services. UL, which has been active in the industrial space for over 120 years, recently published the UL 2900 Series of Standards that offers testable cybersecurity criteria for IIoT devices. These incorporate guidelines from a variety of well-known standards. UL 2900-2-2, specifically designed for industrial control systems, aligns with IEC 62443 criteria.

Experts from UL have developed the UL 2900 standard with input from major government, academic, and industry stakeholders. Their goal was to create a standard with broad-based coverage of security issues and support for many different industrial sectors. A key challenge was to ensure that it reflected the requirements of many different industrial cybersecurity standards and guidance documents in use today. For example, UL 2900-2-2 applies some security criteria from IEC 62443 for product testing and process validation.