A Trusted Brand Comes to Cyber

Eighty-one days before his trip to Dallas, John F. Kennedy sat for a televised interview with Walter Cronkite. Transcripts and pictures of this meeting are easily found on the Internet. Both are seated casually in business suits on lawn chairs under an unusually bright Hyannis sun. Mr. Cronkite, as always, looks confident and trustworthy as he starts the interview with a tough question for the President about civil rights. Americans at the time listened to Walter Cronkite.

Today, sadly, we have no such uniformly accepted spokesperson. Instead, we are subjected to reams of fake news articles on our Facebook feeds, and to the well-earned public disgrace of seemingly trustworthy journalists like Charlie Rose. The sad fact is that Americans have no contemporary Walter Cronkite speaking to us honestly about important situations such as Vietnam: “It is increasingly clear to this reporter . . .”

On the surface, one could certainly draw parallels between this societal lack of trust and the challenges of developing confidence in the cyber security of our systems. That is, there is no trusted, authoritative source – no Cyber Cronkite, if you will – who can speak confidently to the security and trustworthiness of a given system. Instead, we are forced to turn to the alchemy of quadrants and waves, which are little more than paid propaganda.

Last week, however, I spent time with an executive who gives me hope. Rachna Stegall is Global Director of Connected Technologies for UL. She was kind enough to share with me an overview of UL, which was founded in 1894 by MIT engineer William Henry Merrill Jr. to help assess electrical fire risks for the World’s Fair in Chicago. UL’s mission is to work for a safer world through hazard-based science and engineering to help ensure the safety of products in our home and work environments.

While listening to Ms. Stegall explain the history of UL, I couldn’t resist going around my office in search of those little stickers. Within minutes, I counted twelve – mostly on portable lamps. And at that moment, it hit me that UL has likely been the most trusted brand in technology for many decades. I mean, it was UL testing the shields and laminates on the TVs our parents used to watch Cronkite interview Kennedy. We’ve all literally grown up with UL protecting us.

Such a realization is important, because UL has now entered the cyber security game – and this should come as no surprise. My office lamps, for example, are dumb today, but I am quite certain that in the blink of an eye, they will have IPv6 addresses and will connect to the router in my home for maintenance and monitoring. (You can buy smart lamps now – I just haven’t gotten around to it. And I suspect you are in the same boat, which is why UL has taken notice.)

“As a trusted partner to industry for over a century,” Ms. Stegall explained, “we are uniquely qualified to advise, educate, test, inspect, and certify the safety aspects of commercial products and systems. And increasingly, this testing implies focus on cyber security, because the products in our homes and offices are now connected to each other or to the Internet. A new UL 2900 series of standards provides testable criteria, and we use this, along with other industry-accepted best practices, as the basis for assessing security hygiene.”

I asked Ms. Stegall how they go about their cyber certifications – and her answer was simple but powerful: “UL does it right,” she said. Their certification process, she explained, involves a thorough process of cyber security testing, analysis, review, and risk determination. They employ experts who take their time going through a careful, hands-on, expert review of a given product. I took three pages of notes on the details of the process. It is impressive.

I asked her about the UL business model, and it was obvious that the original mission culture from William Henry Merrill Jr. hasn’t subsided. She explained that they do everything they can to keep their operating costs low, and to offer customers a varying degree of risk options. “Our goal is not to be transactional,” she said, “but rather to create meaningful engagements that over time improve the safety and security of products in use across society.” Wow.

Here is my advice: If you sell a product with a connected or cyber component – and this can range from remote monitoring over the Internet, to an embedded processor for enhanced operation – then you would be doing your team a massive favor to be in touch with UL. Ask them to explain their cyber advisory, testing, and certification process, and ask them to share the UL 2900 standard. (By the way, all UL standards are either publicly available for purchase or made available as part of their service offering to customers.)

But you’d better act quickly: When I asked Ms. Stegall about the fee structure for UL services, I quickly did some math in my head. That is, the high value of the product test, evaluation, and certification one gets from UL, integrated across a seemingly low price tag, makes me wonder why manufacturers don’t fire their test teams and hire UL instead! (Look, I know this is not the UL mission, but I’m just saying . . .)

At a time when we have no more Walter Cronkites, there’s no reason why we can’t celebrate a century-old, trusted technology brand. I mean, who knows? . . . perhaps the UL people can help tip the security balance back for all these products and systems that seem to get hacked as quickly as they are deployed. So, go ahead and give Rachna Stegall and the UL team a call today, and please share with us your experiences.