Definition

UL 2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. The standards present general software cyber security requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).

Why is UL 2900 important?

UL 2900 is important because products are becoming more interconnected, and as they do, they become more exposed to cyber attack. Gartner forecasts that the number of connected “things” will reach 20.8 billion by 2020.

According to a 2018 report from Trustwave, “Sixty-one percent of [organizations] surveyed who have deployed some level of IoT [Internet of Things] technology have had to deal with a security incident related to IoT.”

Each device connected to the internet is a potential attack point for cyber criminals. Attacks are becoming more sophisticated, more difficult to protect against, and costlier than ever. Security precautions for IoT devices are critical for consumers and businesses alike.

What do the UL 2900 standards cover?

Scope of UL 2900-1

UL 2900-1, the UL Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, was published and adopted as an ANSI (American National Standards Institute) standard in July 2017.

The UL 2900-1 standard says it “applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware” and that it describes these requirements and methods:

  1. Requirements regarding the software developer (vendor or other supply chain member) risk management process for their product.
  2. Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.
  3. Requirements regarding the presence of security risk controls in the architecture and design of a product.

Scope of UL 2900-2-1

UL 2900-2-1, the UL Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, was published and adopted as an ANSI standard in September 2017.

The UL 2900-2-1 standard says it “applies to the testing of network connected components of healthcare systems,” including these:

  • Medical devices
  • Accessories to medical devices
  • Medical device data systems
  • In vitro diagnostic devices
  • Health information technology
  • Wellness devices

UL 2900-2-1 was officially recognized by the FDA in June 2018. Relevant FDA guidance includes:

  • Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2014)
  • Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (draft from October 2018, will supersede the October 2014 edition once finalized)
  • Postmarket Management of Cybersecurity in Medical Devices (December 2016)

Scope of UL 2900-2-2

UL 2900-2-2, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, was published in March 2016. It has not yet been developed into a published standard.

The outline for the future UL 2900-2-2 standard says it “applies to the evaluation of industrial control systems components,” including these:

  • Programmable logic controllers (PLC)
  • Distributed control systems (DCS)
  • Process control systems
  • Data acquisition systems
  • Historians, data loggers, and data storage systems
  • Control servers
  • SCADA servers
  • Remote terminal units (RTU)
  • Intelligent electronic devices (IED)
  • Human-machine interfaces (HMI)
  • Input/output (IO) servers
  • Fieldbuses
  • Networking equipment for ICS systems
  • Data radios
  • Smart sensors
  • Controllers and embedded system/controllers

Scope of UL 2900-2-3

UL 2900-2-3, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, was published in August 2017. It has not yet been developed into a published standard.

The outline for the future UL 2900-2-3 standard says it “applies to the evaluation of security and life safety signaling system components,” including these:

  • Alarm control units
  • Intrusion detection equipment
  • General purpose signaling units
  • Digital video equipment and systems
  • Mass notification and emergency communication / evacuation equipment and systems
  • Control servers
  • Alarm automation system software
  • Alarm receiving equipment
  • Anti-theft equipment
  • Automated teller machines
  • Fire alarm control systems
  • Network connected locking devices
  • PSIM systems
  • Smoke control systems
  • Smoke / gas / CO detection devices
  • Audible and visual signaling devices (fire and general signaling)
  • Access control equipment and systems

What is UL CAP?

The UL Cybersecurity Assurance Program (UL CAP) is a certification program for evaluating the IoT security of network-connectable products and systems. UL CAP uses the UL 2900 series of standards. The program, according to UL, “aims to minimize [IoT] risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses.” Furthermore, “UL CAP relies upon the UL 2900 set of standards, developed with input from major stakeholders representing government, academia and industry.”

What are the benefits of UL 2900 certification?

As UL notes, “By incorporating an IoT platform that is already UL certified with your products, you can … [streamline] your product’s UL certification with less cost and faster time to market. By maximizing your security rigor with vendors that are already UL certified, you are minimizing supply chain risk and increasing trust in your brand.”

UL also lists these benefits of UL CAP:

  • Competitive advantage. A commitment to security can set your brand apart. Independent testing and certification with UL means that your IoT device has undergone a rigorous process to mitigate security flaws.
  • Risk mitigation. Cyberattacks can expose your customers to unscrupulous hackers. Take proactive steps to protect your brand from security risks.
  • Innovation. Incorporate IoT security into quality assurance programs and establish baseline security standards for partners and suppliers to follow.
