[View the Webinar] - https://electrici.mp/2v1fQlI Electric Imp CEO, Hugo Fiennes, and UL’s Director of Connected Technologies, Rachna Stegall discuss the unique demands of helping to secure the IoT — and why independent certification is even more critical in the fast-evolving world. Join us to hear Fiennes & Stegall share candid insights into why establishing an IoT Security Benchmark, such as UL 2900-2-2 Cybersecurity Certification, is critical for due diligence of edge to enterprise technologies — and the future of commercial, industrial and consumer IoT overall.

2. #impWebinars
HOUSEKEEPING ITEMS
Unmute Computer Speakers
Slides & Recording Distributed via Email
Following the Session
Please Submit Your Questions Via the Q&A Panel
Live Tweet Using #impWebinars

3. #impWebinars
WHAT WILL WE DISCUSS TODAY
1. Brief Introductions
2. Current State of IoT Security
3. Why Security Certification is Important
4. What is UL 2900-2-2? How Does it Affect IoT Moving Forward?
5. IoT Best Practices
6. Secure IoT in the Real World
7. Q&A

4. #impWebinars
TODAY’S SPEAKERS
Rachna Stegall is the Global Director of Connected Technologies – one of UL’s
newest divisions - designed to develop, support and deliver Cybersecurity
solutions including interoperability, software and functional safety, and new
associated technologies.
Global Director of Connected Technologies, UL LLC
Prior to co-founding Electric Imp, Hugo led the Apple hardware team through the
first four generations of the groundbreaking iPhone, and subsequently designed
and architected the hardware for the Nest Thermostat. Early in his career, Hugo
founded empeg, creator of the first in-car MP3 digital audio player.
CEO & Co-Founder, Electric Imp, Inc.

5. BRIEF INTRODUCTION TO
ELECTRIC IMP & UL®

6. #impWebinars
Award Winning Secure IoT. Managed Connectivity.
What We Do: Proven IoT
Deployments at Scale
We help more than 100
manufacturers and
enterprises in 105+ countries
transform the world through
the power of secure IoT
connectivity and enterprise
integrations.
Trusted by Industry Leaders Full Lifecycle,
Defense in Depth Security
1st IoT Platform UL®
2900-2-2 Certified.
Security & pen tested by
major global manufacturers
First edge IoT platform
aligned with IIC Security
Framework

7. #impWebinars
UL and the UL logo are trademarks of UL LLC © 2016. Proprietary & Confidential.
BRAND
PRESENCE
UL MARKS APPEAR on more than
22 BILLION
3OUT
O F
4U.S. CONSUMERS are FAMILIAR
WITH THE UL MARK
OF U.S. BUILT
ENVIRONMENT
AUTHORITIES
PREFER UL
92%
GLOBAL CONSUMERS
ANNUALLY WITH SAFETY MESSAGES
1 BILLION
UL WORKS TO PROTECT THE MARKET FROM COUNTERFEIT GOODS
IN 2015 ALONE, UL PARTICIPATED IN 506 SEIZURES, ELIMINATING MILLIONS OF DOLLARS OF COUNTERFEIT
PRODUCTS FROM THE MARKET
UL HAS SUPPORTED A
CENTURY OF
WORKING FOR A
SAFER WORLD
since
1894
PRODUCTS GLOBALLY
UL REACHES MORE THAN
INNOVATIONFROM ELECTRICITY TO NANOTECHNOLOGY

8. #impWebinars
UL and the UL logo are trademarks of UL LLC © 2017.
Proprietary & Confidential.
UL
EMPOWERS TRUST
IN A COMPLEX WORLD
Demonstrate
Safety
Deliver Quality &
Performance
Enhance Sustainability
Build Workplace
Excellence
Advance Societal
Wellbeing Confirm
Compliance &
Conformance
Strengthen
Security
Manage Transparency
Protect Brand
Reputation

9. CURRENT STATE OF
IOT SECURITY

10. #impWebinars
IN IOT, IT’S NOT JUST CONSUMER THAT MAKES
HEADLINES

11. Hackers are
just starting to
get interested.
0
5
10
15
20
25
defcon 18 defcon 19 defcon 20 defcon 21 defcon 22 defcon 23 defcon 24 defcon 25
iot/scada car consumer embedded
Number of IoT related sessions at the
last 7 DEFCON conferences

12. #impWebinars
COST OF SECURITY (VS COSTS OF NOT
DOING SECURITY)
Cost of IoT breaches
• Represent 13.4% of total revenues for
companies <$5 million annually
• $20 million cost for Enterprises with
$2billion+ revenues
SOURCE: Altman Vilandrie Company Survey of IoT Security Breaches, June 2017
A reputation
is a fragile
thing.

13. #impWebinars
SOURCE: Altman Vilandrie Company Survey of IoT Security Breaches, June 2017
IN IOT, THERE IS ROI FOR SECURITY.
Business Value of IoT Security
Companies that did not experience
a security incursion have invested
65% more on IoT security than
those who have been breached.

14. WHY THIRD PARTY
CERTIFICATION IS IMPORTANT

15. #impWebinars
Guidance Documents
• ISO/IEC TR 15443
• ITU-T CYBEX 1500
series
• CVE / NVD
• CWE
(CWRAF/CWSS,
SANS CWE Top
25 / OWASP Top
10) and CAPEC
• ISO/IEC 27000 series
• ISO/IEC 15408
• ISO/IEC DIS 20243
/O-TTPS
• FISMA
• HIPAA
• IEC 62443
• IEC 80001
• PCI
• SANS 20 CSC
• Cyber Essentials (UK)
• Top 35 mitigation strategies
(AU)
• NIST Cybersecurity Framework
& SP 800-53r4 security controls
• DHS C3 VP & CRR
• SAE AS5553 & 6174
Data Breaches 66%
International Data Corporation (IDC) Research shows that 66% of networks will be
breached by 2018
28% to 47% of organizations have
experienced IoT-related breaches
(Source: Forrester/CISCO)
70% of IoT devices are
vulnerable to attack
(Source:HP)
In 2016, the average consolidated
total cost of a data breach was $4M
USD
(Source: 2016 Ponemon Study)
BREACH
CURRENT CYBER RISKS

16. #impWebinars
• Technical Testable Criteria
• Objective Evidence
• Transparent Security Posture
• Validate Security Claims
• Demonstrate Product Security
• Market Differentiation
• Brand Trust
• Manage Security Risk
WHY THIRD PARTY CERTIFICATION IS IMPORTANT

17. WHAT IS UL 2900-2-2?
HOW WILL IT AFFECT IOT
MOVING FORWARD?

18. #impWebinars
UL CYBERSECURITY ASSURANCE PROGRAM
A standards-based program to evaluate the cybersecurity posture of SOFTWARE
in network-connectable products, aiming to provide a reasonable level of
confidence in the absence of vulnerabilities and software weaknesses and the
presence of appropriate risk controls
standards-based SOFTWARE
confidence vulnerabilities software weaknesses
risk controls
network-connectable products

19. #impWebinars
YOUR REPORT AND/OR
CERTIFICATION
CYBERSECURITY SOLUTIONS
TESTING
YOUR NETWORK
CONNECTABLE PRODUCT
AND/OR SYSTEM
AUTOMOTIVE LIGHTING SMART HOME HVAC BUILDING
AUTOMATION
APPLIANCES ALARM
SYSTEMS
SMART
METERS
MEDICAL
DEVICES
FIRE
SYSTEMS
INDUSTRIAL
CONTROL SYSTEMS
loT
NETWORK-CONNECTABLE PRODUCTS & SYSTEMS
UL CAP Solutions
TRAINING SERVICES
ADVISORY SERVICES
REVIEW SERVICES
Submit product or system
for discrete testing
(One or more individual
tests)
Submit product or system
for certification testing
(All tests)
• Fuzz Testing
• Known Vulnerabilities
• Code & Binary Analysis
• Access Control & Authentication
• Cryptography
• Remote Communication
• Software Updates
• Structured Penetration Testing
TESTING SERVICES
Test
Report
Certificate
KEY TAKEAWAYS: RISK MITIGATION INNOVATION COMPETITIVE ADVANTAGE

20. #impWebinars
UL 2900-2-2 FOR INDUSTRIAL
APPLICATIONS

21. #impWebinars
• Programmable Logic Controllers (PLC)
• Distributed Control Systems (DCS)
• Process control systems
• Historians, data loggers & data storage systems
• Control servers
• SCADA servers
• Remote Terminal Units (RTU)
• Human-Machine Interfaces (HMI)
• Input/Output (IO) servers
• Fieldbuses
• Networking equipment for ICS systems
• Smart sensors
• Controllers
• Embedded system/controllers
Fuzz Testing
Known Vulnerability
Code & Binary
Analysis
Access Control &
Authentication
Cryptography
Remote
Communication
Software Updates
Risk Assessment
Structured Pen
Testing
UL 2900-2-2
>
EXAMPLE PRODUCTS

22. #impWebinars
UL 2900-2-2
Internet
ERP Systems
Manufacturing and
Engineering Systems
Plant Floor
Branch
Offices
Branch
Factories
Customers
Supply Chain
Systems
Machining
Assets
Programmable Logic
Controllers (PLCs)
Factory Network
Infrastructure
UL 2900-2-2 PROGRAM SCOPE EXAMPLE
UL 2900-2-2 is written specifically to address product
ecosystems in the industrial control system vertical

23. Leverage Electric Imp’s Certification to
Save Time and Resources:
• By incorporating an IoT platform that
is already UL certified with your
products, you can leverage the UL
Certified Software Implementation
Solution by streamlining your
product’s UL certification with less
cost and faster time to market.
• Find out which platforms are already
UL certified by searching the UL
Online Certifications Directory with
the UL Category Code CYBR.
UL 2900-2-2 SOFTWARE IMPLEMENTATION SOLUTION
23

24. IOT SECURITY
WHY CERTIFIED SECURE
IS SO IMPORTANT

25. #impWebinars
BIG PICTURE: SECURITY IS CRUCIAL TO IOT
“Security is a special challenge for IoT.
IoT systems operate across the public internet; are deployed outside of the physical control
of the organization; may remain in place in critical systems for 10 to 20 years; and may control
critical infrastructure, or be capable of coordinated attacks on other systems.
Furthermore, IoT developers are focused on business
problems and may not have a strong security perspective. The
devices themselves may lack critical hardware capabilities for securing their operation against
attack. Securing IoT requires a balance of protecting against long- term devastation and
accelerating value generation… “
Internet of Things Primer for 2017

26. #impWebinars
WHAT DOES A “STRONG SECURITY PERSPECTIVE” MEAN?
UNDERSTANDING…
… need for Defense in Depth
… devices need to be able to be updated
without end user involvement
… no application is safe.
These are nodes. They are valuable to someone.

27. #impWebinars
POINTS OF
INTEGRATION ARE
OFTEN WHERE
VULNERABILITIES LIE.
Multiple suppliers, release schedules, nuanced
integrations and lack of cohesive testing

28. #impWebinars
SECURE IOT IS FOR A LIFETIME
(of your connected product, that is)
• Devices in the
field for years or
even decades
• A compromise
may be invisible
but dangerous
Credit: Happiest Midns http://www.happiestminds.com/Insights/internet-of-things/

29. #impWebinars
IN IOT SECURITY, NO REASON TO REINVENT THE WHEEL
• Root of trust using FIPS140-2 HSMs
(OS signing)
• Every chip provisioned with unique
secrets at time of manufacture
• Privilege separation: application has
no access to keys
• Certificate secured communications
• OTA upgrades of both OS and
application: consensual or forced
Credit: Spencer Lewis - http://www.spencerclewis.com/2016/04/reinventing-the-wheel/

30. #impWebinars
TIMING? YOU COULD WAIT FOR GOVERNMENT
MANDATES ….
Worldwide Threat Assessment of the
US Intelligence Community
Senate Select Committee on Intelligence

31. #impWebinars
… OR GET STARTED
NOW WITH
CONFIDENCE
• Certification delivers
cybersecurity due
diligence
• Ongoing testing is
defense against evolving
(and increasing) security
threats

32. SECURE IOT IN THE REAL WORLD
WINNING AWARDS IN
REGULATED MARKETS

33. #impWebinars

34. #impWebinars
ELECTRIC IMP: UL 2900-2-2 CYBERSECURITY CERTIFIED
This image cannot
currently be
displayed.
imp Authorized
Hardware
impOS
™
impCloud
™
BlinkUp
™
impFactory
™
impSecure
™
IoT Platform Stack
HARDWARE
DEVICE MGMT
CONNECTIVITY
APP ENABLEMENT
CLOUD
DATA
SECURITY
impCloud
™

35. #impWebinars
HOW TO WORK WITH US
SECURE IOT EDGE TO ENTERPRISE CONNECT TO LEARN MORE
Get started at:
electricimp.com/docs/gettingstarted/
Connect at:
ul.com/cybersecurity
Reach out to us to learn more ulcyber@ul.com
OR visit www.ul.com/cybersecurity
FREE DEVELOPER ACCOUNT
IoT QUICKSTART FAMILY FOR PROTOTYPING
• impExplorer™ Kits
• impAccelerator™ Solution Kits
• Electric Imp Breakout Boards