UL 2900-2-3
Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems

DETAILS
Edition Number: 1
SCC Approved: --
Edition Date: 2017-08-11
DOD Approved: --
Price Code: A
ANSI Approved: --
Type: outline

  • SCOPE

    1 Scope

    1.1 This security evaluation Outline of Investigation applies to the evaluation of security and life safety signaling system components. It applies to, but is not limited to, the following products:

    a)    Alarm Control Units

    b)    Intrusion Detection Equipment

    c)    General Purpose Signaling Units

    d)    Digital Video Equipment and Systems

    e)    Mass Notification and Emergency Communication / Evacuation Equipment and Systems

    f)    Control Servers

    g)    Alarm Automation System Software

    h)    Alarm Receiving Equipment

    i)    Anti-theft Equipment

    j)    Automated Teller Machines

    k)    Fire Alarm Control Systems

    l)    Network Connected Locking Devices

    m)    PSIM Systems

    n)    Smoke Control Systems

    o)    Smoke / Gas / CO Detection Devices

    p)    Audible and Visual Signaling Devices (fire and general signaling)

    q)    Access Control Equipment and Systems

    1.2 This Outline of Investigation does not contain general requirements that are intended to address functional testing of the product unless expressly specified.

    1.3 This Outline of Investigation also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.

  • TABLE OF CONTENTS

    • Outline Title Page
    • Table of Contents
      • Body
        • INTRODUCTION
          • 1 Scope
          • 2 Normative References
          • 3 Glossary
          • 4 General
        • DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE
          • 5 Product Documentation
          • 6 Product Design Documentation
          • 7 Documentation for Product Use
        • RISK CONTROLS
          • 8 General
          • 9 Access Control, User Authentication and User Authorization
          • 10 Remote Communication
          • 11 Sensitive Data
          • 12 Product Management
        • RISK MANAGEMENT
          • 13 Vendor Product Risk Management Process
        • VULNERABILITIES AND EXPLOITS
          • 14 Known Vulnerability Testing
          • 15 Malware Testing
          • 16 Malformed Input Protocol Testing (also reference Appendix )
          • 17 Structured Penetration Testing
        • SOFTWARE WEAKNESS ANALYSIS
          • 18 Software Weakness Analysis
          • 19 Static Code Analysis
          • 20 Static Binary and Bytecode Analysis
          • 21 Organizational Assessment
    • APPENDIX A
    • APPENDIX B
    • APPENDIX C
    • APPENDIX D