UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL

MARCH 30, 2016
UL 2900-2-1

Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems

Issue Number: 1
March 30, 2016

Summary of Topics

With the increasing threat of cyber-attacks affecting safety-critical products and service infrastructure, the UL 2900 outlines aim to provide a minimum set of requirements that developers of network connected products can pursue to establish a baseline of protection against known vulnerabilities and a minimum set of security risk controls to consider relative to their existing overall product risk assessments.

This outline describes the method by which the security risk controls of healthcare system components shall be evaluated and tested for known vulnerabilities, software weaknesses and malware while also establishing a minimum set of verification activities intended to reduce the likelihood of exploitable weaknesses that could be vectors of zero day vulnerabilities that may affect the component.

The product shall be subjected to:
- Vulnerability and exploitation assessment;
- Software Weakness Testing (e.g. via Malformed Input Testing, weakness evaluation, etc.);
- Targeted exploits to compromise risk control functionality (e.g. via Structured Penetration Testing); and
- Targeted exploits for privilege escalation (e.g. via Structured Penetration Testing).

Thus the requirements of this outline focus on promoting a “defense-in-depth” strategy aimed at reducing the likelihood of a malicious user finding vulnerabilities at communication interfaces, reducing the likelihood of a malicious user accessing critical aspects of the product when a vulnerability is found, and reducing the likelihood of a malicious user increasing their level of access to other products or system assets in case of a successful breach.

UL's Outlines of Investigation are copyrighted by UL. Neither a printed nor electronic copy of an Outline of Investigation should be altered in any way. All of UL's Outlines of Investigation and all copyrights, ownerships, and rights regarding those Outlines of Investigation shall remain the sole and exclusive property of UL.

COPYRIGHT 2016
UNDERWRITERS LABORATORIES INC.

CONTENTS

INTRODUCTION
1 Scope ........................................................... 4
2 Normative References ............................................ 4
3 Glossary ........................................................ 5

DOCUMENTATION FOR PRODUCT, PROCESSES, AND USE
4 Product Documentation ........................................... 7
5 Process Documentation ........................................... 7
6 Documentation for Product Use ................................... 7
6.1 Safety-related security considerations for product use ........ 7
6.2 Instructions .................................................. 7

SECURITY CONTROLS
7 General ......................................................... 8
8 Access Control, User Authentication, and User Authorization ..... 8
9 Remote Communication ............................................ 8
10 Cryptography ................................................... 8
11 Product Management ............................................. 8

PRODUCT ASSESSMENT
12 Safety-Related Security Risk Management ........................ 8
12.1 Risk analysis ................................................ 8
12.2 Risk evaluation .............................................. 10
12.3 Risk control ................................................. 10
12.4 Coverage of Security Analysis and Testing .................... 11
13 Vulnerability and Exploitation Assessment ...................... 14
14 Software Weakness Analysis ..................................... 14
15 Targeted Exploits and Structured Penetration Testing ........... 15

ORGANIZATIONAL ASSESSMENT
16 Lifecycle Security Processes ................................... 16
16.1 Quality management processes ................................. 16
16.2 Procurement Process .......................................... 16
16.3 Procurement Risk Management Process .......................... 17
16.4 Product Update Release and Patch Management Process .......... 17
16.5 Decommissioning Process ...................................... 17
16.6 Packing and Shipment ......................................... 17

INTRODUCTION

Note: This Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems, is to be used in conjunction with the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1. The requirements for network connectable components of healthcare systems are contained in this Part 2 outline and UL 2900-1. Requirements of this Part 2 outline, where stated, amend the requirements of UL 2900-1. Where a particular subclause of UL 2900-1 is not mentioned in UL 2900-2-1, the UL 2900-1 subclause applies.

1 Scope

1.1 This security evaluation outline applies to the testing of network connected components of healthcare systems. It applies to, but is not limited to, the following key components:
a) Medical devices;
b) Accessories to medical devices;
c) Medical device data systems;
d) In vitro diagnostic devices;
e) Health information technology; and
f) Wellness devices.

2 Normative References

2.1 The Outline of Investigation
for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, shall be applied as specified in this outline.

2.2 The Standard for Medical Devices - Application of Risk Management to Medical Devices, ISO 14971:2007, shall be applied as specified in this outline.

2.3 The Standard for Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes, ISO 13485:2003, shall be applied as specified in this outline.

2.4 The Standard for Medical Device Software - Software Life Cycle Processes, IEC 62304:2006, shall be applied as specified in this outline.

3 Glossary

3.1 AUTHENTICATION - The process of verifying the identity of an entity.

3.2 AUTHORIZATION - The process of giving an entity permission to access or manipulate the product, or the property that an entity has such permission.

3.3 BYTECODE - Instructions and/or data that are created from source code as an intermediate step before generating binary code. Bytecode is independent of a specific processor architecture and is typically handled by a virtual machine or interpreter.

3.4 COMMON VULNERABILITY SCORING SYSTEM (CVSS) - Specified in ITU-T X.1521, the CVSS is a publicly available resource providing a means for prioritizing vulnerabilities in terms of exploit potential.

3.5 COMMON WEAKNESS SCORING SYSTEM (CWSS) - Specified in ITU-T X.1525, the CWSS is a publicly available resource providing a means for prioritizing CWEs based on their technical impact, ease of attack, and other factors.

3.6 CONFIDENTIALITY - The property that data, information or software is not made available or disclosed to unauthorized individuals, entities, or processes.

3.7 EXPLOIT - An input or action designed to take advantage of a weakness (or multiple weaknesses) and achieve a negative technical impact.

NOTE: The existence of an exploit targeting a weakness is what makes that weakness a vulnerability.

3.8 EXTERNAL INTERFACE - An interface of the product that is designed to potentially allow access to an entity outside the product; for example user interfaces, remote interfaces, local interfaces, wireless interfaces and file inputs.

3.9 FILE - A collection of data or program instructions stored as a unit with a single name.

3.10 INTEGRITY - The property of data, information or software not having been
improperly modified.

3.11 KNOWN VULNERABILITY - A vulnerability described in the National Vulnerability Database (NVD).

NOTE: The NVD is accessible at https://nvd.nist.gov.

3.12 MALFORMED INPUT TESTING - A black-box testing technique used to reveal software weaknesses and vulnerabilities in a product by triggering them with invalid or unexpected inputs on the external interfaces of the product.

3.13 MALWARE - Software designed with malicious intent to disrupt normal function, gather sensitive information, and/or access other connected systems.

3.14 NETWORK - A collection of nodes and telecommunication links, allowing connected devices, software etc. to exchange data and communicate.

3.15 PENETRATION TESTING - A mechanism of evaluation of a product to exploit vulnerabilities and weaknesses discovered in the vulnerability assessment phase.

3.16 PRODUCT - The network-connectable device, software or system under test.

3.17 RISK - The potential for harm or damage, measured as the combination of the likelihood of occurrence of that harm or damage and the impact of that harm or damage.

3.18 RISK ANALYSIS - The systematic use of available information to identify threats and to estimate risk.

3.19 RISK CONTROL - Any action taken or feature implemented to reduce risk.

3.20 RISK MANAGEMENT - Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.

3.21 SECURITY - The state of having acceptable levels of confidentiality, integrity, authenticity and/or availability of product data and/or functionality.

3.22 SENSITIVE DATA - Sensitive data is any critical security parameter that can compromise the use and security of the product, such as passwords, keys, seeds for random number generators, and authentication data.

3.23 SOFTWARE - All pre-loaded data which creates, affects, and/or modifies the functionality of the product. This includes, but is not limited to, firmware, scripts, initialization files, pre-compiled code and interpreted code. This does not include software preloaded and programmed in an IC chip for small functions that require physical access and removal of the IC chip for reprogramming.

3.24 SOFTWARE WEAKNESS - A mistake in the architecture, design, coding, build process or configuration of software in the product, that may render the product vulnerable to a security exploit.

3.25 STATIC ANALYSIS - A process in which source code, bytecode or binary code is analyzed without executing the code.

3.26 THREAT - A potentially successful attack, involving an adversary utilizing specific techniques and resources to
take advantage of specific vulnerabilities or lack of risk controls within a product.

3.27 TRUSTED PLATFORM MODULE - An international standard that defines the requirements for a dedicated microprocessor with requirements for storage of cryptographic keys used to secure physical products and the software contained.

3.28 USER - A person or process using a product or accessing it over one of its external interfaces.

3.29 VENDOR - The manufacturer, reseller or supplier of a product, which takes final responsibility for the cybersecurity of that product towards the purchaser and/or user and which submits that product for testing according to this outline.

3.30 VULNERABILITY - A software weakness found in the product for which an exploit may exist, such that it can be directly used by an attacker.

DOCUMENTATION FOR PRODUCT, PROCESSES, AND USE

4 Product Documentation

4.1 Product documentation shall meet the requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, except as noted in the clauses below.

5 Process Documentation

5.1 Process documentation shall meet the requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, except as noted in the clauses below.

6 Documentation for Product Use

6.1 Safety-related security considerations for product use

6.1.1 Intended use of the product as indicated in the Risk Management File (RMF)

6.1.1.1 The product's intended use statement shall indicate essential performance that may be impacted by security breach.

6.1.2 Environment in which the product is intended to be used

6.2.1.1 The product's indications for use statement shall identify security capabilities and constraints relative to assumptions regarding the environment within which it is intended to be operated.

6.2 Instructions

6.2.1 Instructions on means to over-ride security measures when necessary for patient safety per 12.4.1.7 and 12.4.2.6 shall be communicated to intended stakeholders securely and as described in the Risk Management File.

SECURITY CONTROLS

7 General

7.1 The product shall comply with the requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 7, except as noted in the clauses below.

8 Access Control, User Authentication, and User Authorization

8.1 The product shall comply with the requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 8, except as noted in the clauses below.

9 Remote Communication

9.1 The product shall comply with the remote communication requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 9, except as noted in the clauses below.

10 Cryptography

10.1 The product shall comply with the cryptography requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 10, except as noted in the clauses below.

11 Product Management

11.1 The product shall comply with the product management requirements of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 11, except as noted in the clauses below.

PRODUCT ASSESSMENT

12 Safety-Related Security Risk Management

12.1 Risk analysis

12.1.1 The product shall comply with the applicable requirements of the Standard for Medical Devices - Application of Risk Management to Medical Devices, ISO 14971, or the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, Section 12, Vendor Product Risk Management Process.

NOTE: Information Technology network risks per the Standard for Application of Risk Management for IT-Networks Incorporating Medical Devices - Part 1: Roles, Responsibilities and Activities, IEC 80001-1, should be considered as part of product risk management.

12.1.2 A risk management file shall be constructed in accordance with the Standard for Medical Devices - Application of Risk Management to Medical Devices, ISO 14971, risk management process, and it shall specifically include the following elements with regard to security:

a) Security risk analysis;

NOTE: The security risk analysis should consider defense-in-depth, also known as layer of protection analysis (LOPA)¹.

b) Security risk evaluation;

c) Security risk control;

NOTE: Securi