UL expands from electronics tester to security certifier

You know it's a good thing when you see UL on a wall wart, but does it matter on your next firewall? Here's what we know about UL's new Cybersecurity Assurance Program.

Underwriters Laboratories, known for the UL logo that appears on consumer electronics, is expanding its IT services to include security certification for networking and telecommunication gear.

The idea didn't come from thin air. For the past decade, UL quietly offered security evaluation services to industries such as banking, with about 500 employees who provide everything from risk analysis to penetration testing, explained Ken Modeste, leader for cybersecurity technical services.

"What we're doing now is expanding that presence to several other verticals," such as healthcare and industrial controls, Modeste said.

UL, in Northbrook, Ill., published three standards called the UL-2900 series on March 30, 2016. The standards' tables of contents are online, while purchasing the full documents costs $225-$250 each.

Modeste explained how the certification process will work. Security vendors that seek certification will have to send their products to UL testers, which costs anywhere from $50,000 to $150,000. If a certification is granted, it is valid for 12 months. However, the process doesn't end there.

"Penetration testing is a big part of it," Modeste said. "The vendor has to have a process to patch their product... we actually have a requirement that in the event of finding a vulnerability they have to contact us immediately," he said. If flaws are patched expeditiously, then UL will revoke the certification, he added.

Sean Martin, a consultant with IT security expertise, said he's skeptical that enterprise purchasers will be interested in whether a product has UL certification.

"Generally, I don't think people care, the same way they don't go buy a light at Home Depot and check to make sure the label on there says UL listed," he said, in Los Angeles. Government standards such as the Evaluation Assurance Level are already established and widely respected, he added.

Modeste acknowledged that it could be challenging for IT vendors to explain the certification's value to their own customers. "It's a tough thing to start off. We also expect that our adoption will take some time," he noted.

UL is planning to talk more about the new service, which it's calling the Cybersecurity Assurance Program, on April 26, 2016, in an online presentation.

By Evan Koblentz

Evan became a technology reporter during the dot-com boom of the late 1990s. He published a book, "Abacus to smartphone: The evolution of mobile and portable computers" in 2015 and is executive director of Vintage Computer Federation, a 501(c)3 non-p...