What is UL 2900?

UL 2900 is important because products are becoming more interconnected. And as they become more interconnected, they become more vulnerable to cyber attack. Statista forecasts that the number of connected “things” will reach 31 billion by 2025.

According to a 2024 report, “22% of organizations have had a serious or business-disrupting IoT security incident in the past 12 months”

Each device connected to the internet is a potential attack point for cyber criminals. Attacks are becoming more sophisticated, more difficult to protect against, and costlier than ever. Security precautions for IoT devices are critical for consumers and businesses alike.

Scope of UL 2900-1

UL 2900-1, the UL Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, was published and adopted as an ANSI (American National Standards Institute) standard in July 2017.

The UL 2900-1 standard says it “applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware” and that it describes these requirements and methods:

1. Requirements regarding the software developer (vendor or other supply chain member) risk management process for their product.
2. Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.
3. Requirements regarding the presence of security risk controls in the architecture and design of a product.

UL 2900-2-1, the UL Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, was published and adopted as an ANSI standard in September 2017.

The UL 2900-2-1 standard says it “applies to the testing of network connected components of healthcare systems,” including these:

• Medical devices
• Accessories to medical devices
• Medical device data systems
• In vitro diagnostic devices
• Health information technology
• Wellness devices

UL 2900-2-1 was officially recognized by the FDA in June 2018. Relevant FDA guidance includes:

• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2014)
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (draft from October 2018, will supersede the October 2014 edition once finalized)
• Postmarket Management of Cybersecurity in Medical Devices (December 2016)

UL 2900-2-2, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, was published in March 2016. It has not been developed into a standard and published.

The outline for the future UL 2900-2-2 standard says it “applies to the evaluation of industrial control systems components,” including these:

• Programmable logic controllers (PLC)
• Distributed control systems (DCS)
• Process control systems
• Data acquisition systems
• Historians, data loggers, and data storage systems
• Control servers
• SCADA servers
• Remote terminal units (RTU)
• Intelligent electronic devices (IED)
• Human-machine interfaces (HMI)
• Input/output (IO) servers
• Fieldbuses
• Networking equipment for ICS systems
• Data radios
• Smart sensors
• Controllers and embedded system/controllers

UL 2900-2-3, the UL Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, was published in August 2017. It has not been developed into a standard and published.

The outline for the future UL 2900-2-3 standard says it “applies to the evaluation of security and life safety signaling system components,” including these:

• Alarm control units
• Intrusion detection equipment
• General purpose signaling units
• Digital video equipment and systems
• Mass notification and emergency communication / evacuation equipment and systems
• Control servers
• Alarm automation system software
• Alarm receiving equipment
• Anti-theft equipment
• Automated teller machines
•  Fire alarm control systems
• Network connected locking devices
• PSIM systems
• Smoke control systems
• Smoke / gas / CO detection devices
• Audible and visual signaling devices (fire and general signaling)
• Access control equipment and systems

The UL Cybersecurity Assurance Program (UL CAP) is a certification program for evaluating the IoT security of network-connectable products and systems. UL CAP uses the UL 2900 series of standards. The program, according to UL, “aims to minimize [IoT] risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses.” Furthermore, “UL CAP relies upon the UL 2900 set of standards, developed with input from major stakeholders representing government, academia and industry.”

As UL notes, “By incorporating an IoT platform that is already UL certified with your products, you can … [streamline] your product’s UL certification with less cost and faster time to market. By maximizing your security rigor with vendors that are already UL certified, you are minimizing supply chain risk and increasing trust in your brand.”

UL also lists these benefits of UL CAP:

• Competitive advantage. A commitment to security can set your brand apart. Independent testing and certification with UL means that your IoT device has undergone a rigorous process to mitigate security flaws.
• Risk mitigation. Cyberattacks can expose your customers to unscrupulous hackers. Take proactive steps to protect your brand from security risks.
• Innovation. Incorporate IoT security into quality assurance programs and establish baseline security standards for partners and suppliers to follow.