UL panel upholds ISA appeal of UL cybersecurity standard
An appeal panel formed by Underwriters Laboratories (UL) has ruled in favor of an ISA appeal against a UL cybersecurity standard. ISA's appeal was brought against UL 2900-2-2, Standard for Software Cybersecurity for Network-Connectable Devices, Part 2-2: Particular Requirements for Industrial Control Systems, for which UL was seeking approval as an American National Standard. ISA's successful appeal means the UL standard will not gain that status at this time.
ISA's appeal was driven by an underlying principle of standards development-to avoid burdening users with overlapping and duplicating standards from different standards developers. Based on reviews by cybersecurity experts, ISA was concerned about UL overlap with the ISA/IEC 62443 series of standards, which are developed by the ISA99 standards committee as American National Standards with simultaneous review and adoption by the Geneva-based International Electrotechnical Commission (IEC). ISA99 draws on the input of cybersecurity experts from across the globe in developing the widely used standards, which are applicable to all industry sectors and critical infrastructure.
ISA's successful appeal asserted that UL failed to follow a key clause in the UL accredited standards procedures that is intended to prevent duplication and overlap. Prior to the appeal, UL had acknowledged that it missed earlier opportunities to identify potential overlap and duplication.
Without approval as an American National Standard, the UL standard will not be eligible to become an internationally recognized standard through the IEC. IEC leaders from TC65, the primary IEC committee working with ISA99, had previously indicated that the UL standard would have a very low chance of achieving that status in any event.
The ISA/IEC 62443 series is cited throughout the U.S. NIST Cybersecurity Framework. In late 2018, the United Nations Economic Commission for Europe confirmed it will integrate the ISA/IEC 62443 series in its Common Regulatory Framework on Cybersecurity, which will serve as an official UN policy position statement for Europe.
For information on the ISA/IEC 62443 standards and related training and learning resources, contact Eliana Brazda, ISA Standards, email@example.com.