energy & power technologies ul cybersecurity assurance ... · for industrial control systems...




For more information, call 1-877-UL-HELPS, e-mail: [email protected] or visit www.ul.com/cybersecurity

The Industrial Internet of Things (IIoT), Industry 4.0, is enabling more sophisticated capabilities through network-connected products and systems. As a result, industrial control systems are becoming more interconnected and connectable, including networkable. According to many recent industry reports and the U.S. government, there have been significant increases in attacks that penetrate industrial control systems. So, the cybersecurity of software is becoming critically important for the safety, privacy and performance of these systems. Verifying against known vulnerabilities and exploitable weaknesses in software can help prevent systems from becoming susceptible to cyber attacks.

UL Cybersecurity Assurance Program (UL CAP) for Industrial Control Systems (ICS)

UL CAP addresses ICS security concerns using testing, evaluation & certification

ENERGY & POWER TECHNOLOGIES

UL CAP uses the new UL 2900-2-2 Standard to offer testable cybersecurity criteria for Industrial Control Systems (ICS) to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.

Why evaluate your ICS for cybersecurity?

Not only is there a rise in the number of cyber attacks occurring, the sophistication of them has also advanced. With the imminent increase in connecting devices to networks, it is imperative that industrial control systems are evaluated for cybersecurity to help ensure reliability, decrease downtime, prevent damage to assets, mitigate risk, improve security, and maintain health and safety.

UL CAP for ICS

UL CAP offers trusted third party support with the ability to evaluate both the security of network-connectable products and systems as well as the vendor processes for developing and maintaining products and systems with a security focus. The program allows vendors to concentrate on product innovation with emerging technologies and capabilities to meet the ongoing needs of the marketplace. For increased flexibility, vendors can select the UL CAP services best suited for their current needs.

ICS products will be tested, evaluated and certified to UL 2900-2-2, Standard for Software Cybersecurity for Network-Connectable Devices. This standard describes Part 2-2 as: Particular Requirements for Industrial Control Systems (ICS) describes the method by which the security-related features of industrial control system components are evaluated at the product level and tested for known vulnerabilities while also establishing a minimum set of verification activities intended to reduce the likelihood of zero day vulnerabilities that may affect the component.


UL and the UL logo are trademarks of UL LLC © 2016


UL cybersecurity services for ICS include:

• Testing security criteria based on UL 2900-2-2 or specified requirements
• Certification to UL 2900-2-2 cybersecurity standards
• Evaluation and risk assessment of vendor processes for developing and maintaining security products and systems
• Training in security readiness for product design and sourcing third party components

UL 2900-2-2 Standard is intended, but not limited, to apply to the following components:

• Programmable Logic Controllers (PLC)
• PLC and DCS programming software/operator interfaces (HMI)
• Control Server
• Remote Terminal Unit (RTU)
• Human-Machine Interface (HMI)
• Input/Output (IO) Server
• Networking Equipment for ICS Systems
• Distributed Control Systems (DCS)
• Historian or Data Loggers
• The SCADA Server
• Intelligent Electronic Devices (IED)
• Data Historian
• Fieldbus
• Access Equipment for ICS Systems

Why Choose UL?

The UL CAP was developed with input from major stakeholders representing the U.S. Federal government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain. In fact, the UL CAP services and software security efforts are recognized within the U.S. White House Cybersecurity National Action Plan (CNAP) as a way to test and certify network-connectable devices within the IoT supply chain.

Early adoption of the UL CAP provides a competitive advantage by differentiation in the marketplace and can help with mitigating risk due to potential consequences of a cyber attack including:

• Unplanned downtime and loss of production
• Costly harm to assets
• Reputational damage

ICS Product Testing Deliverables

Meeting the requirements outlined in the UL 2900-2-2 series of standards enables a product or system to be certified by UL as “UL 2900 compliant” and to receive a certificate. Additionally, testing of security criteria based on requirements in UL 2900-2-2 or customer specified requirements receives a test report.

Service: Deliverable

Certification: Certificate of compliance to UL 2900-2-2 indicating UL 2900 compliant

Testing: Test report based on some or all of UL 2900-2-2 requirements or customer specified requirements

Training: UL 2900 Standard for industrial control systems; best practices for identifying and mitigating risk associated with software vulnerabilities in ICS

101.01.0416.EN.EPT