UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification. But there's a problem: UL's refusal to share the text of the new standard leaves some experts wondering if UL knows what they're doing.
When Ars requested a copy of the UL 2900 docs to take a closer look at the standard, UL (formerly known as Underwriters Laboratories) declined, indicating that if we wished to purchase a copy—retail price, around £600/$800 for the full set—we were welcome to do so. Independent security researchers are also, we must assume, welcome to become UL retail customers.
"It's very concerning," Brian Knopf of I Am The Cavalry, a group of security researchers focused on public safety issues, told Ars. "Without transparency, the research community cannot help improve or audit the standards." As Ars has previously reported, Knopf is leading an effort to develop a five-star cybersecurity rating system for IoT devices.