If there's consensus on anything regarding the Internet of Things, it's that the industry needs to settle on standards as quickly as possible. An emerging row between UL, the prominent safety standards organization, and a group of security researchers is an example of the opposite potentially happening, as Ars Technica reports:
UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification. But there's a problem: UL's refusal to freely share the text of the new standard with security researchers leaves some experts wondering if UL knows what they're doing.
When Ars requested a copy of the UL 2900 docs to take a closer look at the standard, UL (formerly known as Underwriters Laboratories) declined, indicating that if we wished to purchase a copy—retail price, around £600/$800 for the full set—we were welcome to do so. Independent security researchers are also, we must assume, welcome to become UL retail customers.
"It's very concerning," Brian Knopf of I Am The Cavalry, a group of security researchers focused on public safety issues, told Ars. "Without transparency, the research community cannot help improve or audit the standards."
Ken Modeste, UL's chief of cybersecurity technical services, defended the company's position. "Our whole mission is public safety," he told Ars. "We've been here since 1894. We want to help industry and the public to choose safe products."
Modeste also told Ars that "numerous" government and industry bodies have reviewed the standard and helped develop it, and the goal is to give vendors "some repeatable and reproducible way" to determine their products meet minimum requirements.
There's some reason to be concerned about UL's position, but it's not necessarily the end of the world, nor does it target the most important tasks for IoT moving forward, says Constellation Research VP and principal analyst Steve Wilson.
"On the one hand, confidential security standards are silly, and certification criteria must be open," Wilson says. "But on the other hand, people shouldn't put too much stock in certification. Most are box-ticking exercises. What the IoT really needs is high reliability compact embedded OSes and much, much more attention to software quality."