Power management company Eaton, Pittsburgh, recently announced a collaborative program with Underwriters Laboratories (UL), Northbrook, Ill., designed to advance cybersecurity hardening in its products. Eaton’s cybersecurity research and testing facility in Pittsburgh is the first lab approved to participate in UL’s Data Acceptance Program (DAP) for cybersecurity. The program, which is in development and available on a limited basis, aligns Eaton’s testing methodologies and data generation with the UL Cybersecurity Assurance Program (CAP) for UL Standards 2900-1 and 2900-2-2.

“As the world becomes increasingly electronic and digital, cybersecurity has to be part of our designs and leadership objectives,” said Michael Regelski, senior vice president and chief technology officer for Eaton’s electrical business. “Cybersecurity risk is not only inherent in network-connected devices, but all electronics. Anything with a microprocessor is subject to potential vulnerability.”

The company’s cybersecurity research and testing facility now has the capability to test its products with intelligence or embedded logic to the UL standards. The offshoot will be a growing portfolio of products that meet stringent specifications, regulations and consumer expectations for safe, secure power management.

“Now that our lab has been accepted into the program and verified by UL, our own internal standards have been achieved, and we will also work on bringing our other lab to the same level of compliance,” he said.

UL offers these DAP areas: Witness Test Data Program; Client Test Data Program; Third-Party Test Data Program; Total Certification Program; and The Preferred Partner Program.

Eaton’s lab is certified in the Third-Party Test Data Program.

Technology evolution

Traditional options for DAP emphasize hardware testing related to fire, shock and mechanical hazards. Because the emerging cybersecurity risks for connected products focus more on software elements, appropriate adjustments and requirements need to be made within the program to roll it out broadly for cybersecurity, according to Ken Modeste, Director of Connected Technologies at UL.

“DAP is a longstanding UL offering, predating the launch of CAP [in 2016]," Modeste said. "DAP provides a means for UL to accept externally generated test data in support of UL Mark certification. UL’s CAP aims to minimize risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses. This in turn helps reduce exploitation, address known malware, enhance security controls and expand security awareness.”

CAP, he added, uses UL 2900 standards for evaluating, assessing and certifying products through UL. UL DAP approves quality organizations to perform some of the evaluation and assessment—under UL supervision using its techniques for repeatability and reproducibility—to consider in certification.

Eaton’s Power Xpert Dashboard recently became the first power management product certified to the UL 2900-2-2 Standard for cybersecurity in industrial control systems.

There are other manufacturer’s products certified to the UL 2900 series as well as other companies pursuing assessment and certification in a range of industries, Modeste said. The most up-to-date resource to find products UL certified can be found by searching the UL Online Certifications Directory with the UL Category Code CYBR.

“UL is using the model that we successfully introduced and have used historically, and we are adapting and focusing on a limited release for our UL 2900 series of standards for CAP," Modeste said. "This limited launch is taking place with specific clients, like Eaton, that have cybersecurity laboratories; trained and competent cybersecurity staff; and quality procedures for evaluating and assessing cybersecurity in products and systems. UL evaluates these labs, staff and practices hand-in-hand with clients intending to demonstrate UL 2900 testing capabilities and skills. Eaton has established the foundational elements and has made the commitment and investment to collaborate with UL.”

The company was the first participant in UL’s launch of DAP for cybersecurity.

“As with any product that carries independent certification or claim verification, the installing contractor benefits from the knowledge and peace of mind that a product was assessed for software vulnerabilities and weaknesses against standardized, testable transparent criteria by a recognized, respected third party. This can help protect not only the end user, but also the contractor’s professional reputation,” Modeste said. 

“The world is becoming increasingly connected,” Regelski said. “Products need to be designed with cybersecurity as the first line of capability. This type of design from the ground up builds trust in the product and ensures the highest level of defense against emerging cybersecurity threats. That’s the kind of confidence we want to provide to the electrical industry.”