UL 2900-2-3 2020-01 PDF

St UL 2900-2-3 2020-01

Name in English:
St UL 2900-2-3 2020-01

Description in English:

Original standard UL 2900-2-3 2020-01, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
250 business days

SKU:
Stul0609

Full title and description

UL 2900-2-3 — Standard for Safety: Software Cybersecurity for Network‑Connectable Products, Part 2‑3: Particular Requirements for Security and Life Safety Signaling Systems. First edition dated January 31, 2020; defines cybersecurity evaluation and testing requirements for software used in life‑safety and electronic physical security systems (access control, intrusion detection, fire and alarm systems, surveillance, mass notification, etc.).

Abstract

UL 2900-2-3 provides a product‑focused cybersecurity evaluation framework and test criteria for network‑connectable life‑safety and physical security signaling system components. The standard requires identification and disposition of vulnerabilities, detection of known malware, assessment of software weaknesses, and verification of security risk controls and vendor processes. A tiered assessment model (Levels 1–3) increases test depth and vendor process requirements. The objective is repeatable, testable evidence that software has been evaluated for common attack vectors and that appropriate controls and lifecycle practices are in place.

General information

  • Status: Active / ANSI/CAN adoption (national standard listing available).
  • Publication date: First edition dated 31 January 2020 (Ed. 1‑2020).
  • Publisher: Underwriters Laboratories (UL) — published as UL / ANSI/CAN joint designation for North American use.
  • ICS / categories: Information Technology / IT security; common ICS codes associated: 35.030, 35.110, 35.240.x (IT security / electronic security systems).
  • Edition / version: Edition 1 (Ed. 1‑2020).
  • Number of pages: 26 pages (PDF/print release metadata for Ed. 1‑2020).

Scope

The standard applies to software in network‑connectable security and life safety signaling system components, including but not limited to alarm control units, intrusion detection systems, digital video equipment and recorders, mass notification and emergency communications systems, fire alarm control systems, alarm receiving equipment, access control systems and networked locking devices, PSIM systems, smoke/gas detection, and related control servers and automation software. It focuses on software security evaluation and vendor product risk‑management processes rather than functional performance testing.

Key topics and requirements

  • Tiered security assessment model (Level 1 baseline → Level 2 deeper product/internal testing → Level 3 adds vendor process and lifecycle assessments).
  • Vulnerability and known‑malware detection, disposition and remediation evidence (including vulnerability scanning and known‑malware checks).
  • Software weakness analysis and code/binary review, including fuzzing and malformed‑input testing.
  • Structured penetration testing and exploit validation against the product attack surface.
  • Security risk control requirements for architecture and design (authentication, encryption, secure update, logging/monitoring, fail‑safe update handling, supply‑chain controls).
  • Requirements for vendor product risk‑management processes and lifecycle practices (threat modelling, patching/updates, incident response and decommissioning handling of sensitive data).

Typical use and users

Manufacturers and developers of electronic physical security and life safety products (surveillance cameras, NVR/DVRs, access control panels and locks, alarm control units, fire alarm systems, mass notification systems, ATM/security terminal equipment) use this standard to evaluate and demonstrate product cybersecurity. System integrators, owners/operators, procurement teams and certification bodies also rely on UL 2900‑2‑3 test reports or UL CAP listings to inform sourcing and risk management decisions.

Related standards

Related documents and frameworks commonly referenced with UL 2900‑2‑3 include UL 2900‑1 (General Requirements for Software Cybersecurity for Network‑Connectable Products), UL 2900‑2‑1 (healthcare/network‑connected medical components), ISO/IEC 62443 (industrial network and system security), NIST cybersecurity guidance (framework and IoT/device guidance), and consumer IoT baselines such as ETSI EN 303 645. UL CAP testing and ANSI/CAN adoption align UL 2900 work with regional regulatory and conformity processes.

Keywords

UL 2900‑2‑3; software cybersecurity; network‑connectable products; life safety signaling; physical security systems; vulnerability testing; malware detection; penetration testing; security risk controls; UL CAP; ANSI/CAN.

FAQ

Q: What is this standard?

A: UL 2900‑2‑3 is a UL cybersecurity standard (Part 2‑3 of the UL 2900 family) that defines testable cybersecurity evaluation criteria and vendor process requirements for software used in life‑safety and electronic physical security signaling systems. It is published as Ed. 1‑2020.

Q: What does it cover?

A: It covers software vulnerability and malware detection, software‑weakness analysis (including fuzzing and code/binary review), structured penetration testing, and a set of required security risk controls and vendor lifecycle processes (patching, incident response, secure updates, logging, supply‑chain controls) tailored for security and life‑safety products. The standard uses a three‑level assessment model to scale depth of testing.

Q: Who typically uses it?

A: Product manufacturers/developers, test labs, certification bodies, system integrators, and procurement/asset owners in industries deploying access control, surveillance, fire and alarm systems, mass notification and other life‑safety signaling technologies.

Q: Is it current or superseded?

A: The document referenced here is the first edition dated 31 January 2020 (Ed. 1‑2020) and is the active UL 2900‑2‑3 edition in UL/ANSI/CAN listings; it replaced earlier outline/2017 material and has been made available as a published UL/ANSI/CAN standard. Users should confirm the publisher’s site or national standards store for any corrections or later amendments.

Q: Is it part of a series?

A: Yes — UL 2900 is a family of cybersecurity standards. Part 1 covers general requirements (UL 2900‑1); Part 2 contains product‑category specific requirements (e.g., 2‑1 for healthcare, 2‑3 for security and life‑safety signaling). The family is used together: Part 2 documents ordinarily reference and build on Part 1 requirements.

Q: What are the key keywords?

A: Cybersecurity, UL 2900, network‑connectable, vulnerability testing, malware detection, penetration testing, life safety, physical security, risk management, UL CAP.