UL 2900-2-2
Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems

DETAILS
Edition Number: 1
Edition Date: 2016-03-30
Price Code: A
SCC Approved: --
DOD Approved: --
ANSI Approved: --
Type:outline

  • SCOPE

    1 Scope

    1.1 This security evaluation outline applies to the evaluation of industrial control systems components. It applies to, but is not limited to, the following products:

    a)    Programmable Logic Controllers (PLC);

    b)    Distributed Control Systems (DCS);

    c)    Process control systems;

    d)    Data acquisition systems;

    e)    Historians, data loggers and data storage systems;

    f)    Control servers;

    g)    SCADA servers;

    h)    Remote Terminal Units (RTU);

    i)    Intelligent Electronic Devices (IED);

    j)    Human-Machine Interfaces (HMI);

    k)    Input/Output (IO) servers;

    l)    Fieldbuses;

    m)    Networking equipment for ICS systems;

    n)    Data radios;

    o)    Smart sensors;

    p)    Controllers; and

    q)    Embedded system/controllers.

    1.2 This outline does not contain any requirements regarding functional testing of products, except where expressly specified.

    1.3 This outline also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.

  • TABLE OF CONTENTS

    • Outline Title Page
    • Table of Contents
      • Body
        • INTRODUCTION
          • 1 Scope
          • 2 Normative References
          • 3 Glossary
        • DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE
          • 4 Product Documentation
          • 5 Product Design Documentation
          • 6 Documentation for Product Use
        • RISK CONTROLS
          • 7 General
          • 8 Access Control, User Authentication and User Authorization
          • 9 Remote Communication
          • 10 Cryptography
          • 11 Product Management
        • RISK MANAGEMENT
          • 12 Vendor Product Risk Management Process
        • VULNERABILITIES AND EXPLOITS
          • 13 Known Vulnerability Testing
          • 14 Malware Testing
          • 15 Malformed Input Testing
            • 15.1 General
            • 15.2 Malformed input test I
            • 15.3 Malformed input test II
          • 16 Structured Penetration Testing
        • SOFTWARE WEAKNESS ANALYSIS
          • 17 Software Weakness Analysis
          • 18 Static Code Analysis
          • 19 Static Binary and Byte Code Analysis