An Underwriters Laboratories (UL) appeals panel halted a cybersecurity standard created by its own organization.
This UL appeals panel instead ruled in favor of the International Society of Automation’s (ISA) appeal against UL 2900-2-2, Standard for Software Cybersecurity for Network-Connectable Devices, Part 2-2: Particular Requirements for Industrial Control Systems.
Initially, UL was seeking approval of the document as an American National Standard, but after the appeals panel’s decision, that is now on hold.
ISA balked at UL’s standard because of overlap with the ISA/IEC 62443 series of standards on industrial automation and control systems security.
The ISA/IEC standards were developed by the ISA99 standards committee as American National Standards with simultaneous review and adoption by the Geneva-based International Electrotechnical Commission through IEC partner committee TC65.
ISA said UL failed to follow a key clause in its procedures as accredited by the American National Standards Institute (ANSI), intended to prevent duplication and overlap.
ISA’s concern was shared by leaders within IEC TC65 and by NEMA, the largest trade association of electrical equipment manufacturers in the U.S.
A NEMA letter to UL in December 2017 had formally requested that “UL withdraw UL 2900-2-2 and … focus on the adoption of the relevant parts of the ISA/IEC 62443 series of standards.”
“ISA continues to be willing to work with UL to make the UL document complementary to the ISA/IEC 62443 series,” said ISA99 co-chair Eric Cosman, an industrial cybersecurity consultant and retired Dow Chemical Engineering Fellow. “To that end, we invited UL once again to work with us as soon as the appeal decision was announced.”