Boosting IoT protection: An enterprise risk imperative

Panel:
Christian Beckner, Senior Director, Retail Technology, National Retail Federation (Moderator)
Neil Lakomiak, Business Development Director, Underwriters Laboratories Inc.
Steve Welk, Senior Director, Loss Prevention, Barnes & Noble College Bookstores Inc.
Bernell Zorn, Manager of Program Management, Nordstrom
The Problem

Nearly 70% of every application is comprised of reusable software components, resulting in “inherited vulnerabilities”. 85% of mobile apps violated one or more of the OWASP Mobile Top 10. (*Source: WhiteHat Security 2018 Application Security Statistics Report)

As more organizations embrace agile DevOps processes, more applications are being released faster than ever. The quicker applications are released, particularly those comprised of reusable components, the faster new vulnerabilities are introduced. Software development is as much about developing new code as it is about embedding third-party components and leveraging existing APIs.
The Risks
• Cybersecurity
• Interoperability
• Performance
• Privacy
• Safety
How an Attack Works

Diagram relating RISK to THREAT, VULNERABILITY and OPPORTUNITY:

The Attacker (Threat): Nation States; Professional Activity; Hobbyists; Insiders/Employees
A Flaw (Vulnerability): Inadequate Security Attributes; Hard Coded Passwords; Improper Installation; Poorly Written Code
The Asset to be Appropriated (Opportunity): Building Access Control; Control Center Control
UL 2900 Scope

1 Scope
1.1 This standard applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses, and malware.
1.2 This standard describes:
a) Requirements regarding the vendor's risk management process for their product.
b) Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.
c) Requirements regarding the presence of security risk controls in the architecture and design of a product.
UL 2900 Contents
INTRODUCTION
1. Scope
2. Normative References
3. Glossary
DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE
4. Product Documentation
5. Product Design Documentation
6. Documentation for Product Use
RISK CONTROLS & RISK MANAGEMENT
7. General
8. Access Control, User Authentication and User Authorization
9. Remote Communication
10. Cryptography
11. Product Management
12. Vendor Product Risk Management Process
VULNERABILITIES AND EXPLOITS
13. Known Vulnerability Testing
14. Malware Testing
15. Malformed Input Testing (Fuzz Testing)
16. Structured Penetration Testing
SOFTWARE WEAKNESSES
17. Software Weakness Analysis
18. Static Source Code Analysis
19. Static Binary and Byte Code Analysis
APPENDICES
A1. Sources for Software Weaknesses
B1. Requirements for Secure Mechanisms for Storing Sensitive Data and Personally Identifiable Data
C1. Requirements for Security Functions
Physical Security & Life Safety Industry Landscape: Who’s Accountable?

Everyone & No One

Vendors
• Cybersecurity is a significant investment – how will costs be offset – are customers willing to pay higher prices?
• How are you managing cyber risk while using open source code?
• Vendors don’t control the whole ecosystem in which their products are deployed. Where does accountability start and stop?
• What do vendors have to lose? Brand reputation, credibility, financial loss from potential recalls/penalties, C-level positions.
• What do vendors have to gain? Differentiation, brand value, risk mitigation, avoiding overly-burdensome regulation being forced on the industry, ability to benefit from emerging business models.
Resellers/Integrators
• Need to seek out, understand and be educated on cybersecurity, and be responsible to the end-user
• Avoid integrating/selling technology that has not been vetted
End User
• Needs to be educated
• Know what questions to ask of vendors and integrators
• Be prepared to pay for cybersecurity
• Develop and follow a robust security maintenance process
Some Questions Integrators, Installers and End-Users Should Be Asking About IoT Security:

1.) Are penetration tests performed by a third party? How often? When was the most recent one?
2.) Is a formal security program in place? How is security addressed as part of the product development lifecycle?
3.) How are access control, authentication and authorization handled?
4.) How is data protected at rest and in transit?
5.) Are there suggested prevention measures for the end-user? What are the expectations of the integrator and end-user for security?
6.) What is your process for addressing discovered vulnerabilities?