UL Launches Digital Security Platform for IoT Device Makers
UL has launched a digital security framework for IoT device makers. Its SafeCyber Digital Security Platform seeks to measure device makers' development processes against industry best practices.
It also encompasses a firmware check to probe for flaws, both before launch and once devices have been released into other IoT networks.
“The proliferation of connected devices has unlocked immense new economic potential, but it has also introduced a flurry of cybersecurity risks that can materially impact businesses,” said Jukka Makinen, managing director of the identity management and security division at UL.
“SafeCyber helps organizations holistically understand and assess risk, allowing both new and existing assets to be designed and maintained to conform with the latest cybersecurity legislation and best practices.”
Since its inception in 1894, Illinois-based UL has grown into a standards behemoth. In all, it has helped deliver some 1,600 benchmarks, each designed to level the playing field for product safety, security and sustainability.
Standards supported under UL’s IoT initiative include independent benchmarks from the European Telecommunications Standards Institute, International Organization for Standardization and International Electrotechnical Commission.
UL debuted its IoT Security Rating program early last year. By enrolling in the rating scheme, device makers can receive a UL security certificate for IoT products to show customers they’ve implemented basic protections, like prompts to change default passwords, or advanced security methods like machine learning.
Manufacturers can access guidance through the SafeCyber Digital Security Platform to help meet the criteria of UL’s security rating.
Into the Breach
With the Internet of Things maturing across industry verticals, security is a key concern as connected devices have extended the attack surface for cybercriminals to break into enterprise IT networks.
UL pointed to research published earlier this year by the nonprofit Identity Theft Resource Center, which suggested supply chain attacks rose by 42% in the first quarter of 2021.
Such breaches penetrate the software and hardware components used to make new IoT devices. This means each endpoint is only as good as the processes used throughout the vendor’s supply chain and software ecosystem.
Across the board, there has been a surge in cybersecurity attacks on IoT in the past year. Computer service provider Kaspersky estimated in September 2021 that 1.51 billion breaches of IoT devices occurred from January through June, up from 639 million last year over the same period.
The surge has decision makers concerned. Roughly a third (33%) believe attacks on IoT devices may impact critical operations, while 26% expect IoT-generated data will violate privacy policies, according to the 2020 Thales Data Threat report.
Greater enterprise adoption of IoT during the pandemic only increases the risks involved, and with certain attacks able to jump from one network to another, the attention has moved to legislating, mandating and implementing better security protocols.
Since early this year in the U.S., the IoT Cybersecurity Improvement Act has required government agency IoT suppliers to meet a mandatory level of device security in key areas: development processes, user identity management, issuing patch updates and managing device configurations.
The Department of State is scrambling to catch perpetrators of serious cybersecurity incursions. On Nov. 4, the department said it would pay up to $10 million for information that identifies leaders in the DarkSide group, which launched a ransomware attack on oil transit route Colonial Pipeline in April.
The hack at one stage took down 45% of U.S. East Coast fuel transit capacity, having reportedly stemmed from a single stolen password in Colonial’s remote working system.