A while back I had the opportunity to chat with Ken Modeste, Director of Connected Technologies at UL, and I wanted to capture some of my takeaways from that conversation.
I had the conversation as part of the media at Black Hat 2018.
Here are some of the questions I asked:
- What is the mission of UL at this point?
- How does that relate to cyber?
- How are you different from other organizations with similar charters?
- Are you looking to do anything in the consumer space?
- What projects are currently going on that you’re excited about?
First, let me say that I just thoroughly enjoyed speaking with Ken. It’s rare that I agree with someone so much on the topic of securing connected devices.
His big thing on the soul of the company was this:
“We’re trying to build foundations that can grow,” which I think is exactly the right note to hit.
Ken Modeste, UL
Some of his other quotes:
You don’t want to come up with a standard that’s 500 pages that becomes purely academic.
Standards need to have testable criteria.
…and he was quick to point out:
Test, not audit. You can audit an organization, and a process, but you can’t audit a product, you have to validate and test the product.
Multiple areas within UL
One of the things we talked about was the structure of UL itself, where he explained there are several groups.
- CyberSecurity (Industrial, consumer)
- UL CAP (cybersecurity cap)
The worst issues
I then asked Ken what he thought the worst issues were affecting connected devices, which I was curious about because I run the OWASP IoT Security project.
He gave a list that resonated quite strongly with me.
- Weak or known credentials
- Secure communication
- No backdoors
- Security configuration
He had an interesting point about this on Twitter as well, saying:
If you called these devices unsafe instead of insecure, you might have better results.
Ultimately what I like best about Ken is that he’s optimistic about the future.
He said that while there’s a propensity for nation states to cause some hiccups, he’s happy with how fast we seem to be adapting to problems.
He believes strongly that the best way forward is to link things to safety, because that’s something people understand.
As my final question, I asked him how close we are to having a connected device safety rating on a product in the store.
He said that the problem with consumer goods is that people (companies) don’t want to cut into their small margin, and asked further if consumers would pay more for a 4 rating vs. a 3.
He prefers a binary approach to ratings instead, such as saying something more like, “X product is UL Approved”.
Don’t give the customer work, just tell them they can buy it or not.
100% agree on that, but I think there’s some room as well for a nutrition label, so maybe the answer is to have both.
Anyway, it was an enjoyable conversation with Ken, and I have honestly slept better knowing that people like him are spending their days working on this problem.
You can find Ken on LinkedIn, and on Twitter.