UL 2900-2-3
Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems
Issue Number: 1
August 11, 2017

UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL

Summary of Topics

With the increasing threat of cyber-attacks affecting security- and life-safety-critical products and service infrastructure, the proposed UL 2900 series of Outlines of Investigation aims to provide a foundational set of requirements that manufacturers of network-connectable products used in security and life safety signaling systems can pursue to establish a baseline of protection against known vulnerabilities, together with a foundational set of cybersecurity risk controls to consider relative to their existing overall product risk assessments. The objective is to provide an Outline of Investigation for testing products that builds established security design principles into the testing regimen.

The proposed first edition of the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, UL 2900-2-3, describes requirements regarding the vendor's risk management process for products used in security and life safety signaling systems; methods by which a product's software shall be evaluated and tested for the presence of vulnerabilities, software weaknesses and malware; and requirements regarding the establishment and testing of security risk controls in the architecture and design of a product. The requirements leverage the requirements of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, with additional requirements that take into consideration the security and life safety signaling systems context, environment, reliability, and safety concerns.

UL's Outlines of Investigation are copyrighted by UL LLC. Neither a printed nor an electronic copy of an Outline of Investigation should be altered in any way. All of UL's Outlines of Investigation and all copyrights, ownerships, and rights regarding those Outlines of Investigation shall remain the sole and exclusive property of UL LLC.

COPYRIGHT 2017 UL LLC

CONTENTS

INTRODUCTION
1 Scope
2 Normative References
3 Glossary
4 General

DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE
5 Product Documentation
6 Product Design Documentation
7 Documentation for Product Use

RISK CONTROLS
8 General
9 Access Control, User Authentication and User Authorization
10 Remote Communication
11 Sensitive Data
12 Product Management

RISK MANAGEMENT
13 Vendor Product Risk Management Process

VULNERABILITIES AND EXPLOITS
14 Known Vulnerability Testing
15 Malware Testing
16 Malformed Input Protocol Testing (also reference Appendix D)
17 Structured Penetration Testing

SOFTWARE WEAKNESS ANALYSIS
18 Software Weakness Analysis
19 Static Code Analysis
20 Static Binary and Bytecode Analysis
21 Organizational Assessment

APPENDIX A
A1 Sources for Software Weaknesses

APPENDIX B
B1 Requirements for Secure Mechanisms for Storing Sensitive Data and Personally Identifiable Information

APPENDIX C
C1 Requirements for Security Functions

APPENDIX D
D1 Level 1 Malformed Input Protocol List

INTRODUCTION

Note: This Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems refers to the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.

1 Scope

1.1 This security evaluation Outline of Investigation applies to the evaluation of security and life safety signaling system components. It applies to, but is not limited to, the following products:

a) Alarm Control Units
b) Intrusion Detection Equipment
c) General Purpose Signaling Units
d) Digital Video Equipment and Systems
e) Mass Notification and Emergency Communication / Evacuation Equipment and Systems
f) Control Servers
g) Alarm Automation System Software
h) Alarm Receiving Equipment
i) Anti-theft Equipment
j) Automated Teller Machines
k) Fire Alarm Control Systems
l) Network Connected Locking Devices
m) PSIM Systems
n) Smoke Control Systems
o) Smoke / Gas / CO Detection Devices
p) Audible and Visual Signaling Devices (fire and general signaling)
q) Access Control Equipment and Systems

1.2 This Outline of Investigation does not contain general requirements that are intended to address functional testing of the product unless expressly specified.

1.3 This Outline of Investigation also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.

2 Normative References

2.1 All references are to the current published version of the document unless stated otherwise. Normative References are included in Section 2 of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.

3 Glossary

Glossary Terms are included in Section 3 of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.

4 General

4.1 This Outline of Investigation comprises levels of security requirements that are applicable to the product, with an increasing level of security at higher levels. The levels and their descriptions are defined in Table 4.1.

Table 4.1

Level  Description

L1  Includes foundational cybersecurity testing requirements for security risk assessment of software in products covered in this Outline of Investigation. Provides assessment of general security capabilities of a product with limited knowledge of the internal security controls of the product. L1 is recommended as a minimum level of assessment.

L2  Includes L1 assessment and testing requirements and additional supplemental requirements for security risk assessment of software in products. Provides assessment of security capabilities of a product with knowledge of internal security controls of the product.

L3  Includes L1 and L2 assessment and testing requirements and additional supplemental requirements of the vendor process and management. Provides assessment of security capabilities of a product with knowledge of internal security controls of the product and knowledge of the business practices of the vendor to support the lifecycle of the product.

4.2 The product shall comply with the clauses identified in the tables of each section of this Outline of Investigation per the Level intended. The level intended will be marked with an X per the applicable clause. Where an X is not applied, the clause is not mandatory for the Level.

DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE

In Tables 5.1 through 12.1, each clause requires compliance with the cited section of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1. Each clause carries a single X; the X is shown at the end of the clause, since the level column (L1, L2 or L3) in which it appears is not recoverable from this copy.

5 Product Documentation

Table 5.1
Clause  L1 L2 L3
5.1 The product shall comply with: Product Documentation, Section 4.1(e), of UL 2900-1.  X
5.2 The product shall comply with: Product Documentation, Section 4.1 of UL 2900-1.  X

6 Product Design Documentation

Table 6.1
Clause  L1 L2 L3
6.1 The product shall comply with: Product Design Documentation, Section 5.1 of UL 2900-1.  X

7 Documentation for Product Use

Table 7.1
Clause  L1 L2 L3
7.1 The product shall comply with: Documentation for Product Use, Section 6.1 of UL 2900-1.  X
7.2 The product shall comply with: Documentation for Product Use, Section 6.2 of UL 2900-1.  X
7.3 The product shall comply with: Documentation for Product Use, Section 6.3 of UL 2900-1.  X
7.4 The product shall comply with: Documentation for Product Use, Section 6.4 of UL 2900-1.  X
7.5 The product shall comply with: Documentation for Product Use, Section 6.5 of UL 2900-1.  X
7.6 The product shall comply with: Documentation for Product Use, Section 6.6 of UL 2900-1.  X
7.7 The product shall comply with: Documentation for Product Use, Section 6.7 of UL 2900-1.  X
7.8 The product shall comply with: Documentation for Product Use, Section 6.8 of UL 2900-1.  X
7.9 The product shall comply with: Documentation for Product Use, Section 6.9 of UL 2900-1.  X
7.10 The product shall comply with: Documentation for Product Use, Section 6.10 of UL 2900-1.  X

RISK CONTROLS

8 General

Table 8.1
Clause  L1 L2 L3
8.1 The product shall comply with: Risk Controls - General, Section 7.1.1 of UL 2900-1.  X
8.2 The product shall comply with: Risk Controls - General, Section 7.1.2 of UL 2900-1.  X
8.3 The product shall comply with: Risk Controls - General, Section 7.1.3 of UL 2900-1.  X

9 Access Control, User Authentication and User Authorization

Table 9.1
Clause  L1 L2 L3
9.1 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.1 of UL 2900-1.  X
9.2 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.2 of UL 2900-1.  X
9.3 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.3 of UL 2900-1.  X
9.4 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.4 of UL 2900-1.  X
9.5 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.5 of UL 2900-1.  X
9.6 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.6 of UL 2900-1.  X
9.7 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.7 of UL 2900-1.  X
9.8 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.8 of UL 2900-1.  X
9.9 The product shall comply with: Access Control, User Authentication and User Authorization, Section 8.9 of UL 2900-1.  X

10 Remote Communication

Table 10.1
Clause  L1 L2 L3
10.1 The product shall comply with: Remote Communication, Section 9.1 of UL 2900-1.  X

11 Sensitive Data

Table 11.1
Clause  L1 L2 L3
11.1 The product shall comply with: Sensitive Data, Section 10.1 of UL 2900-1. (Possibly split apart by storage (L1) versus everything else.)  X
11.2 The product shall comply with: Sensitive Data, Section 10.2 of UL 2900-1.  X
11.3 The product shall comply with: Sensitive Data, Section 10.3 of UL 2900-1.  X
11.4 The product shall comply with: Sensitive Data, Section 10.4 of UL 2900-1.  X

12 Product Management

Table 12.1
Clause  L1 L2 L3
12.1 The product shall comply with: Product Management, Section 11.1 of UL 2900-1.  X
12.2 The product shall comply with: Product Management, Section 11.2 of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements
