Skip to main content
Welcome to the cutting edge of safety science—Learn more about our rebrand.
  • Feature Story

Improving Interoperability, Quality and Security for Industrial Control Systems


January 25, 2017

Remember the 1990 “Die Hard” movie where the air traffic control tower at Washington’s Dulles International Airport was hacked? At the time it seemed far-fetched. However with the emergence of the Internet of Things (IoT), this scenario could happen today. The more devices and systems connect through the Internet, the greater the chances cybercriminals can find vulnerabilities to infiltrate systems such as these and cause major havoc. In fact, Symantec reports that in 2015 there were one million web attacks each day.

These vulnerabilities occur because system administrators focus on function rather than security. In fact, Symantec claims that nearly 75 percent of all legitimate websites have unpatched vulnerabilities, putting everyone at risk. Technology is more susceptible to security flaws and it goes beyond websites. It affects infrastructure via network-connected products – most notably industrial control systems (ICS).This means it is possible for critical infrastructure, including electricity, water treatment, natural gas, food manufacturing, and air traffic, to be compromised.

According to the National Institute of Standards and Technology, most ICS began as proprietary, stand-alone collections of hardware and software that were protected from external threats. Now they are made up of widely available software applications and internet-enabled devices that increase vulnerability, posing threats to human health and safety, the environment, and business and government operations.

“Many of these vulnerabilities exist when organizations focus more on product features and functionality over security. Security needs to be built in from the very beginning of product development,” says Radhika Chaturvedi, UL Business Development Manager, UL Energy & Power Technologies. “These systems need to be more secure and tailored to a company’s individual needs. Software developers also need to be trained in secure coding practices.”

Cybersecurity is a critical issue in the United States and standards are needed to help mitigate risk. This is why UL created the ICS Cybersecurity Assurance Program (CAP). It allows engineers to identify vulnerabilities and make necessary security adjustments to the code. UL’s ICS CAP provides an organization with the ability to evaluate a network’s connectable products and systems, along with vendor processes.

The U.S. White House Cybersecurity National Action Plan (CNAP) is implementing a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, and maintain public safety, and (safeguard) economic and national security. It also empowers Americans to take better control of their digital security. CNAP recognizes UL’s CAP services and software security efforts as a way to test and certify network-connectable devices within the IoT supply chain and ecosystems, something relevant in critical infrastructures such as energy, utilities and healthcare.

UL 2900: Software Cybersecurity for Network-Connectable Products is a series of cybersecurity standards covering products including ICS, which provides a foundational set of requirements so manufacturers can establish baseline protections with a minimum set of security risk controls and documentation. This program helps to reduce overall product risk.

“We need to do a better job of improving the cyber-hygiene of products and raise the bar on security to minimize the risk of security breaches. Once we have this understanding, we can build this into the lifecycle of the product,” says Chaturvedi.

Chaturvedi says there is need to improve communication and education when it comes to ICS systems. UL’s ICS CAP and the UL 2900 series of standards allow flexibility across the spectrum; so identifying the vulnerabilities will help to mitigate cyberattacks and limit unplanned downtime and loss of production, costly harm to assets, and reputational damage.