The UL 2900 series of standards, often referred to as the UL 2900 Framework, was developed by Underwriters Laboratories (UL) to provide a basis for evaluating and certifying the security of connected products. This series focuses on assessing the software vulnerabilities and weaknesses in network-connectable devices, considering both the product and the organizational environment.
Definition and purpose
The UL 2900 Framework's primary goal is to provide comprehensive and consistent criteria for evaluating the cybersecurity measures implemented in network-connectable products and systems. By offering a set of standardized criteria, the framework aids organizations in building security into their products from the outset and ensures that consumers and businesses can trust the connected products they use.
The governing body for the UL 2900 series is Underwriters Laboratories (UL), a global safety certification company.
The most recent edition was released in July 2017.
The UL 2900 Framework is designed to be applicable to all network-connectable devices across various industries. The series consists of a general-requirements part together with parts tailored to particular sectors:
- UL 2900-1: General requirements applicable to all network-connectable devices.
- UL 2900-2-1: Specific requirements for network-connectable components of healthcare and wellness systems.
- UL 2900-2-2: Specific requirements for industrial control systems.
Controls and requirements
The UL 2900 series typically covers areas like:
- Software Weakness Evaluation: Identification of known software vulnerabilities.
- Control System and Data Confidentiality: Protecting data integrity and confidentiality.
- Software and Firmware Updates: Ensuring security throughout the product's lifecycle.
- Authentication and Access Control: Restricting unauthorized access.
- Electronic Security Perimeter(s): Implementing security zones and conduits.
- Product Documentation: Providing necessary information to users for secure deployment.
The standard also involves evaluations like penetration testing, risk assessments, and analysis of potential security vulnerabilities.
Please refer to the official UL 2900 documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
Evaluation and testing against the UL 2900 series involve both assessment of the product's documentation and hands-on testing of the actual product to determine whether it meets the listed criteria.
Once a product achieves UL 2900 certification, there may be follow-up assessments to ensure continued compliance, especially if there are significant changes to the product. The exact frequency might be determined based on the agreement between UL and the product manufacturer.
The duration of the audit varies based on the complexity of the product, the extent of its network-connectable features, and the specific requirements of the UL 2900 edition being applied. The evaluation could range from weeks to months.