Monday November 19, 2018
UL and CPSC Staffers Discuss Challenge of IoT Across Differing Products
Handling the Internet of Things (IoT) across a diversity of products was a main theme of discussion November 14 between CPSC staff and UL representatives. UL currently has a strategy of setting broad expectations for safety and then moving to the Standards Technical Panel (STP) level to apply the guidelines to particular product areas, explained Thomas Blewitt, VP and chief technical officer at UL. He was referring to UL 5500, Standard for Safety for Remote Software Updates. He added that despite overlap, UL is dealing with security separately from safety.
For example, the scope of UL 5500 explicitly states that it does not cover "functional SECURITY such as premises, physical, and other similar SECURITY purposes" (UL emphasis). Conversely, UL 2900-1, Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, asserts, "This standard does not contain requirements regarding functional testing of a product. This means this standard contains no requirements to verify that the product functions as designed."
When asked by CPSC Electrical Engineering Director Andrew Trotta if the approach involves seeking out particular STPs for action, Blewitt explained that a general notice has gone to the standards panels, and the hope is that many will "self-select." However, if UL sees specific needs unaddressed, it will be more proactive in prompting work.
A second UL approach is that safety should be assured at the product level. The reasoning is that IoT-related hazards might not exist when a unit leaves the factory; software changes could create the risks much later. One element of protecting against unwanted or faulty updates is good identity management. A product not only will need to know what entities to contact and how, it will need to authenticate their identities. Further, there will need to be levels of authorization, depending on the download. For example, the manufacturer would have the OK to update the software of an oven, but a recipe provider would not.
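The oven example above describes two separate checks, authentication (is this really the entity it claims to be?) and authorization (is that entity allowed to install this kind of content?), plus a defense against faulty or stale updates. The following is an added illustration, not code from UL, CPSC or UL 5500. The entity names ("oven-maker", "recipe-service"), the two update kinds and the keys are constructed for the example. It authenticates with HMAC so that it runs with the standard library alone; a real device would hold each entity's public key and verify an asymmetric signature instead, but the ordering of the checks and the binding of signer, kind and version into the signed manifest carry over unchanged.

```python
"""Authenticated and authorized update acceptance for a connected appliance.

Added example, not code from UL, CPSC or the UL 5500 standard. Entity names,
update kinds, versions and keys are constructed for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed trust store provisioned at manufacture: which entities the device
# will talk to, how to authenticate them, and what each may install. Shared
# HMAC keys stand in for per-entity public keys so the example has no
# third-party dependency; production firmware would verify asymmetric signatures.
TRUSTED_ENTITIES = {
    "oven-maker": {
        "key": b"constructed-manufacturer-key",
        "may_install": {"firmware", "recipe"},
    },
    "recipe-service": {
        "key": b"constructed-recipe-provider-key",
        "may_install": {"recipe"},
    },
}


@dataclass(frozen=True)
class Update:
    signer: str
    kind: str       # "firmware" or "recipe"
    version: int
    payload: bytes
    tag: bytes      # authentication tag over manifest(...)


def manifest(signer: str, kind: str, version: int, payload: bytes) -> bytes:
    """Canonical bytes covered by the tag. Binding signer, kind and version
    into the authenticated data means a recipe provider's validly signed
    recipe cannot be relabelled as firmware, and an old version cannot be
    replayed with a new label."""
    return json.dumps(
        {
            "signer": signer,
            "kind": kind,
            "version": version,
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
        },
        sort_keys=True,
        separators=(",", ":"),
    ).encode()


def sign_update(signer: str, kind: str, version: int, payload: bytes) -> Update:
    """Producer side: an entity holding its key publishes an update."""
    key = TRUSTED_ENTITIES[signer]["key"]
    tag = hmac.new(key, manifest(signer, kind, version, payload), hashlib.sha256).digest()
    return Update(signer, kind, version, payload, tag)


def check_update(update: Update, installed_version: dict) -> tuple:
    """Device side. Order matters: authenticate the sender before trusting
    any field of the update, then check what that sender is authorized to
    install, then refuse rollback to an older version of the same component.
    Returns (accepted, reason)."""
    entity = TRUSTED_ENTITIES.get(update.signer)
    if entity is None:
        return False, "unknown signer"
    expected = hmac.new(
        entity["key"],
        manifest(update.signer, update.kind, update.version, update.payload),
        hashlib.sha256,
    ).digest()
    if not hmac.compare_digest(expected, update.tag):   # constant-time compare
        return False, "bad signature"
    if update.kind not in entity["may_install"]:
        return False, f"{update.signer} not authorized to install {update.kind}"
    if update.version <= installed_version.get(update.kind, 0):
        return False, "rollback rejected"
    return True, "accepted"


if __name__ == "__main__":
    installed = {"firmware": 3, "recipe": 10}
    fw = sign_update("oven-maker", "firmware", 4, b"constructed firmware image")
    print("manufacturer firmware:", check_update(fw, installed))
    bad = sign_update("recipe-service", "firmware", 4, b"constructed firmware image")
    print("recipe provider firmware:", check_update(bad, installed))
```

The recipe provider in the second call presents a perfectly valid signature; it is rejected at the authorization step, not the authentication step, which is exactly the distinction the meeting drew between knowing who an entity is and deciding what it may do.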
More generally, said Blewitt, UL is trying to ensure a coherent approach across industries and avoid a "hodgepodge" of different ideas. But that must be balanced with the need to avoid stifling innovation, he added. A related idea is recognizing the varying levels of risks for different products. He used the example of a lightbulb versus circuit breaker. The latter not working correctly after a software update has greater safety consequences while also being less obvious.
Meanwhile, UL Senior Government Affairs Specialist Karen Grunstra sought an update on CPSC's IoT activities, especially following the workshop on the issue last spring (PSL, 5/21/18) at the agency's headquarters. Patty Adair, director of CPSC's Risk Management Group, pointed to the project in the FY2019 operating plan to inform the commission on the status. She was unsure of the timing of a report, but suggested that the later in the year it comes out, the more substance it will contain.
Adair also explained that CPSC received many stakeholder comments (PSL, 5/21/18 and 7/9/18), and those will feed into the report. However, as there is no rulemaking, CPSC is not required to respond to them directly.
Rik Khanna, CPSC fire protection engineer, added that CPSC also is looking at IoT and home heating devices. That work is very preliminary, identifying "what is out there."
Other items that came out of the meeting included: